Re: [squid-users] Negative
On Tue, 11 Jan 2005, Houssam Melhem wrote:

> My squid.conf is here http://platinum-sy.net/hsm/squid.conf
>
> Well, cache_mem was 2048, too big! I set cache_mem to 1024 and decreased the cache_dir size, and the negative values disappeared and the cached objects in memory remain in memory all the time. I guess it is related to cache_mem, not cache_dir, so I will set the cache_dir size to the original value.

Make sure to read the FAQ on memory usage.

Regards
Henrik
[squid-users] Beginners Question: First Configuration Squid on Firewall host
Hello.

My very first attempt with Squid was halfway a success and failure ;). When I try to open a www page, I get the following error:

    ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: http://www.amazon.de/

    The following error was encountered:

    Forwarding Denied.

    This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at 192.168.2.4 is a cache which has been misconfigured.

If someone would be so nice to have a look at my config file to help me with the first start, it would be nice.

Squid runs on a Linux host with firewall and DSL (PPPoE) connection which gets its IP by DHCP. It has 3 NICs: one for the PPPoE, a second for an internal subnet which has an additional NAT router in between, and a third NIC for the DMZ, but on this subnet I get a simple timeout when opening a www page. I would be glad if I could get at least my non-DMZ subnet connected to the internet; the DMZ subnet then will be similar.

Later on I will try to configure Squid as a reverse proxy, because I have a pgsql database on the internet which I wasn't able to secure by chrooting, so a reverse proxying Squid would help me keep intrusion attempts out.

So my network looks like this:

    Workstation -- (192.168.1.3)NAT-Router (192.168.2.4) -- (192.168.2.199)LinuxHost -- DSL

I paste the network section of my config file:

Thank you very much for any help!

    # NETWORK OPTIONS
    # -

    # TAG: http_port
    # Usage: port
    #        hostname:port
    #        1.2.3.4:port
    #Default:
    # http_port 192.168.3.199:3128
    # http_port 192.168.2.199:3128
    http_port 3128

    # TAG: https_port
    #Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
    #Default:
    # none

    # TAG: ssl_unclean_shutdown
    #
    #Default: ssl_unclean_shutdown off

    # TAG: icp_port
    #Default:
    # icp_port 3130
    icp_port 0

    # TAG: htcp_port
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-htcp option
    #Default:
    # htcp_port 4827

    # TAG: mcast_groups
    #
    # Usage: mcast_groups 239.128.16.128 224.0.1.20
    #
    # By default, Squid doesn't listen on any multicast groups.
    #Default:
    # none

    # TAG: udp_incoming_address
    # TAG: udp_outgoing_address
    # udp_incoming_address is used for the ICP socket receiving packets
    # from other caches.
    # udp_outgoing_address is used for ICP packets sent out to other
    # caches.
    #Default:
    # udp_incoming_address 0.0.0.0
    # udp_outgoing_address 255.255.255.255

    # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
    # -

    # TAG: cache_peer
    #Default:
    # none

    # TAG: cache_peer_domain
    #Default:
    # none

    # TAG: neighbor_type_domain
    # usage: neighbor_type_domain neighbor parent|sibling domain domain ...
    #Default:
    # none

    # TAG: icp_query_timeout (msec)
    #Default: icp_query_timeout 0

    # TAG: maximum_icp_query_timeout (msec)
    #Default: maximum_icp_query_timeout 2000

    # TAG: mcast_icp_query_timeout (msec)
    #Default: mcast_icp_query_timeout 2000

    # TAG: dead_peer_timeout (seconds)
    #Default: dead_peer_timeout 10 seconds

    # TAG: hierarchy_stoplist
    #We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # TAG: no_cache
    # You must use the word 'DENY' to indicate the ACL names which should
    # NOT be cached.
    #We recommend you to use the following two lines.
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
Re: [squid-users] Re: Re: Problem Blocking msn messenger
Hi.

In addition to the above, try using MSN messenger type application/x-msnmsgrp2p and also block access from desired src IPs to loginnet.passport.com|net:443

Hope this will help you.

On Fri, 07 Jan 2005 14:19:11 -0500, Adam Aube [EMAIL PROTECTED] wrote:

Ow Mun Heng wrote:

On Thu, 2005-01-06 at 05:52, Adam Aube wrote:

Carlos Simbaña wrote:

1. I am trying to block msn messenger

Could you post all your acl and http_access lines, and detail what station IP address you are testing from? It might be a misconfiguration elsewhere.

I don't see why you have to use squid to do such things. Squid is a proxy. It does not proxy MSN messengers

Squid does not proxy MSN messenger directly. However, most IM applications (MSN included) support tunneling their protocol over HTTP. So even if the OP blocks the MSN messenger ports at the firewall, users can still configure MSN messenger to tunnel the protocol through Squid.

Adam

--
Nasir Mahmood
Systems Administrator.
[squid-users] how to do this
hello,

I have some destination domains which I have allowed to local users, like this:

    nasir.com
    nasir123.com
    nasir123.net
    nasirgr8.com
    nasirgr8.net

and I have a 172.16.0.0/24 pool to allow, such that only these domains should be opened. I have put the following in my squid.conf:

    acl nasir src 172.16.0.0/255.255.0.0
    acl nasir_locals dstdomain url_regex -i /usr/local/squid/nasirlocals
    http_access deny nasir !nasir_locals
    http_access allow nasir

File: /usr/local/squid/nasirlocals

    .nasir.com
    .nasir123.com
    .nasir123.net
    .nasirgr8.com
    .nasirgr8.net

--

Now everything works fine, except that when the user writes nasir.com in the Explorer, the browser never goes anywhere and stops, but when they write www.nasir.com they are given the desired page.

I tried to put this in my file /usr/local/squid/nasirlocals:

    nasir.com
    nasir123.com
    nasir123.net
    nasirgr8.com
    nasirgr8.net

and after this I was not able to open any subdomain for any of the above TLDs, neither www.nasir.com nor yahoo.nasir.com.

What I want is for the users to be able to browse any subdomain of the listed domain TLDs in my file, either with a subdomain or not.

Also, I can't put both .nasir.com and nasir.com in the nasirlocals file, as I get errors about the parent domain when I do squid -k reconfigure.

Any idea?

--
Nasir Mahmood
Systems Administrator.
RE: [squid-users] Help proxying Sun Java while using 'ident required'
Yes, I figured the Sun VM was not working with ident. What I am trying to do now is bypass the ident required for anything the Sun VM would be doing. How do I do this? As you can see by my ACLs, I have attempted to match that traffic and allow it with no ident, but to no avail. We have a couple of web sites we need access to which now require the Sun VM to be used, and my only option is to set these people to completely bypass the proxy, which I really do not want to do.

Brian E. Conklin, MCP+I, MCSE
Director of Information Services
Mason General Hospital

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 6:34 PM
To: Brian E. Conklin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Help proxying Sun Java while using 'ident required'

On Mon, 10 Jan 2005, Brian E. Conklin wrote:

I am having an issue with the Sun Java VM and Squid. Squid won't proxy any applets running in a browser while our 'ident required' ACL is active. If I deactivate the 'ident required' ACL, the applets work fine in the Sun Java VM. However, if I switch my browser to use Microsoft's Java VM, the applets work correctly with the 'ident required' ACL active.

Very odd. ident is completely separate from HTTP. Maybe there is something the Sun VM does which confuses your ident server on the client station?

Regards
Henrik

===
Mason General Hospital
901 Mt. View Drive
PO Box 1668
Shelton, WA 98584
http://www.masongeneral.com
(360) 426-1611
===
[squid-users] Squid + LDAP installation issues
Hello List,

I've searched through the FAQs, the list and the Internet and have not found an answer yet. Hope someone out there can help.

Background: squid-2.5.STABLE5-4.fc2.2, source RPM modified to only accept LDAP authentication. Below are the modified lines in the squid.spec file:

    --enable-external-acl-helpers=ip_user,ldap_group,unix_group, \
    --enable-auth=basic,ldap \
    --enable-basic-auth-helpers=LDAP,NCSA, \

(I left NCSA authentication due to the nature of the error messages.)

Downloaded the Squid LDAP Authentication Module. After the download I untarred it, cd to the directory, make and cp to /etc/squid.

In squid.conf I add the following line, without ACLs so far, just for the sake of watching if it works:

    authenticate_program /etc/squid/ldap_auth

but get the following error:

    parseConfigFile: line 16 unrecognized: 'authenticate_program /etc/squid/ldap_auth'

What the heck, I thought, let's try the tarball. Downloaded squid-2.5.STABLE7, compiled it with --enable-basic-auth-helpers=LDAP,NCSA, modified squid.conf with the same line as above:

    authenticate_program /etc/squid/ldap_auth

Same error. I'm running out of ideas here and I think I followed all the instructions in the FAQ and the few www resources available.

If you have any thoughts on this, please share, or if you have some www resources they are welcome as well.

Best regards!
Ricardo

I walk alone, not because I'm lost, but because I want to...

--
Ricardo López Urrutia
WCSP Benology
RE: [squid-users] Help proxying Sun Java while using 'ident required'
On Tue, 11 Jan 2005, Brian E. Conklin wrote:

> Yes, I figured the Sun VM was not working with ident. What I am trying to do now is bypass the ident required for anything the Sun VM would be doing. How do I do this? As you can see by my ACLs, I have attempted to match that traffic and allow it with no ident, but to no avail.

You may be able to match it by a browser acl. Enable log_mime_hdrs to have access to all the header information in access.log.

Regards
Henrik
[squid-users] Poor performance and errors with Squid 3.0
I installed squid-3.0-PRE3-20050111 as a vanilla web proxy. I changed http_port, http_access (allow all), and visible_host from the default configuration.

The performance with this setup is extremely poor. I can generally access simple web pages reasonably quickly, but some complex web pages, such as cnn.com and zdnet.com front pages take forever to load, 5 minutes or more. Also, images are randomly broken, even on small pages such as the google.com front page and for example on slashdot.org, but not all images, only some.

This happens with the above squid version compiled with no option, but also with the options that the Fedora Core 3 RPMs use:

    --exec_prefix=/usr \
    --bindir=%{_sbindir} \
    --libexecdir=%{_libdir}/squid \
    --localstatedir=/var \
    --sysconfdir=/etc/squid \
    --enable-poll \
    --enable-snmp \
    --enable-removal-policies=heap,lru \
    --enable-storeio=null,ufs \
    --enable-ssl \
    --with-openssl=/usr/kerberos \
    --enable-delay-pools \
    --enable-linux-netfilter \
    --with-pthreads \
    --enable-ntlm-auth-helpers=SMB,winbind \
    --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group\
    --enable-auth=basic,ntlm \
    --with-winbind-auth-challenge \
    --enable-useragent-log \
    --enable-referer-log \
    --disable-dependency-tracking \
    --enable-cachemgr-hostname=localhost \
    --disable-ident-lookups \
    --enable-truncate \
    --enable-underscores \
    --datadir=%{_datadir} \
    --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind\

I even tried increasing all the memory options significantly, to no avail. The machine has plenty of idle memory and CPU.

Using the squid version supplied with Fedora Core 3, squid-2.5.STABLE6, using the same configuration changes, I can surf quickly across all sites without errors.

Does anyone have an idea what might cause this misbehavior?
Re: [squid-users] solved Beginners Question: First Configuration Squid on Firewall host
It seems that setting miss_access deny all to miss_access allow all solves my problem. So now I can delve deeper into proxying with squid :) Greetings, Robert Welz
[squid-users] page can not be displayed problem with wccp2
List,

Squid with WCCP2 on FreeBSD 5.2.1 was configured with a Cisco 7204 router. The router is able to detect the Squid cache on WCCP2. I can see the access log moving with HIT MISS. I don't find any problem with cache memory access list setting in squid.conf.

The problem we are facing is that we get a "page can not be displayed" error while accessing any site. The problem gets resolved the moment the refresh button on the browser is clicked. We have tested it with various browsers and found the same problem. Sometimes we have to refresh twice to get the page.

A quick response will be highly appreciated.

Regards,
Milind

NOTHING IS IMPOSSIBLE, Because Impossible itself says - I'M POSSIBLE
RE: [squid-users] what is dot
-----Original Message-----
From: BusyBoy [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 9:17 PM
To: squid-users@squid-cache.org
Subject: [squid-users] what is dot

> hello
>
> I have some destination domains which I have allowed to local users, like this:
>
>     nasir.com
>     nasir123.com
>     nasir123.net
>     nasirgr8.com
>     nasirgr8.net
>
> and I have a 172.16.0.0/24 pool to allow, such that only these domains should be opened. I have put the following in my squid.conf:
>
>     acl nasir src 172.16.0.0/255.255.0.0
>     acl nasir_locals dstdomain url_regex -i /usr/local/squid/nasirlocals

I would change the second line to:

    acl nasir_locals dstdomain /usr/local/squid/nasirlocals

as you have no need of regular expression matching.

>     http_access deny nasir !nasir_locals
>     http_access allow nasir

And I would change these lines to:

    http_access allow nasir nasir_locals
    http_access deny nasir

Which will allow the nasir network scope to surf to domains included in the nasir_locals file, and deny them from surfing anywhere else.

> File: /usr/local/squid/nasirlocals
>
>     .nasir.com
>     .nasir123.com
>     .nasir123.net
>     .nasirgr8.com
>     .nasirgr8.net
>
> --

This looks good, if you use just a dstdomain acl.

> Now everything works fine, except that when the user writes nasir.com in the Explorer, the browser never goes anywhere and stops, but when they write www.nasir.com they are given the desired page.
>
> I tried to put this in my file /usr/local/squid/nasirlocals:
>
>     nasir.com
>     nasir123.com
>     nasir123.net
>     nasirgr8.com
>     nasirgr8.net
>
> and after this I was not able to open any subdomain for any of the above TLDs, neither www.nasir.com nor yahoo.nasir.com.
>
> What I want is for the users to be able to browse any subdomain of the listed domain TLDs in my file, either with a subdomain or not.
>
> Also, I can't put both .nasir.com and nasir.com in the nasirlocals file, as I get errors about the parent domain when I do squid -k reconfigure.
>
> Any idea?

For a dstdomain acl, .nasir.com will match both nasir.com and subdomain.nasir.com.

> --
> Nasir Mahmood
> Systems Administrator.

Chris
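The dstdomain rule stated in the reply above, and the two http_access orderings from this thread, can be checked offline. The following Python sketch is an added example, not code from the posters or from Squid: the function names are hypothetical, the client addresses and the yahoo.com test host are constructed, and it models only src, dstdomain, first-match http_access and Squid's documented fallback (the opposite of the last line) when no line matches.

```python
import ipaddress

# Entries as posted in /usr/local/squid/nasirlocals (leading-dot form).
DOTTED = [".nasir.com", ".nasir123.com", ".nasir123.net",
          ".nasirgr8.com", ".nasirgr8.net"]
# The second attempt from the thread: the same names without the dot.
UNDOTTED = [e.lstrip(".") for e in DOTTED]

# src ACL as posted; the mask 255.255.0.0 makes this a /16.
NASIR_NET = ipaddress.ip_network("172.16.0.0/255.255.0.0")

# The two rule orders from the thread, as (action, [acl names]).
ORIGINAL = [("deny", ["nasir", "!nasir_locals"]), ("allow", ["nasir"])]
SUGGESTED = [("allow", ["nasir", "nasir_locals"]), ("deny", ["nasir"])]


def dstdomain_match(host, entry):
    """A leading dot matches the domain itself and every subdomain;
    without the dot only the exact host name matches."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def find_overlaps(entries):
    """Return (covered, covering) pairs, e.g. 'nasir.com' is already
    covered by '.nasir.com', so listing both is redundant."""
    pairs = []
    for a in entries:
        for b in entries:
            if a != b and b.startswith(".") and dstdomain_match(a.lstrip("."), b):
                pairs.append((a, b))
    return pairs


def build_acls(entries):
    """Map ACL names from the thread to predicates over (client_ip, host)."""
    return {
        "nasir": lambda ip, host: ipaddress.ip_address(ip) in NASIR_NET,
        "nasir_locals": lambda ip, host: any(
            dstdomain_match(host, e) for e in entries),
    }


def http_access(rules, acls, client_ip, host):
    """First line whose ACLs all match wins; '!' negates an ACL."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](client_ip, host) != n.startswith("!")
               for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    acls = build_acls(DOTTED)
    for host in ("nasir.com", "www.nasir.com", "yahoo.com"):
        print(host, http_access(SUGGESTED, acls, "172.16.0.5", host))
    # A client outside the nasir range falls through both lines.
    print("outside:", http_access(SUGGESTED, acls, "10.0.0.1", "yahoo.com"))
    print(find_overlaps(DOTTED + ["nasir.com"]))
```

Evaluated in isolation, the fragment ending in "deny nasir" falls back to allow for clients outside the nasir range, so a complete rule set should end with an explicit deny for everyone else.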
RE: [squid-users] Squid, sarg and incorrect shutdown
-----Original Message-----
From: Davide Marzaloni [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 10:52 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid, sarg and incorrect shutdown

> Hi everyone.
>
> I'm experiencing a recently-discovered problem with my setup:
>
> - Slackware 1.0
> - kernel 2.4.26
> - squid-2.5.STABLE6-20040907
> - ncsa_auth authentication squid module
> - sarg-1.4.1
>
> Every night at 2:00AM the following script is started by cron:
>
> [SNIP]
>
> The 'killall squid' command took some time to complete, but it seems to be correctly completed within the sleep-time.

I have an older RedHat box running Squid with a reliable stop method:

    tries=0
    # Loop for as long as a process owned by user squid is still listed.
    while ps aux | grep '^squid' > /dev/null ; do
        killall squid > /dev/null 2>&1
        sleep 1
        tries=`expr $tries + 1`
        # After 45 tries, stop asking and force it.
        if [ $tries -gt 45 ] ; then
            killall -9 squid > /dev/null 2>&1
        fi
    done

For those that don't read shell script, it tells squid to shut down, waits 45 seconds (enough time for connections to close) and then (if it hasn't shut down on its own) kills it. Works quite well, is reliable, and won't take more time than it needs.

> Furthermore I noticed the squid-logs_xxx-tgz file is very small, like no logs were correctly saved by the squid process, for 6 days (the same period within which I experienced the 'no running copy' message).
>
> Tonight this script has worked perfectly (I will check next nights), but I'm worried about this 'pre-problem signal': is there anyone experiencing the same problem (incorrect shutdown) and found a solution?

Out of curiosity, why aren't you using the squid -k rotate? Then you can move all files with a .0 extension to another directory and compress them there. That way you would be certain not to remove things like the swap.log or pid file. *shrug*

> Bye
> Davide

Chris
[squid-users] Empty Access.log
Hi,

I have a problem. I have squid 2.5 stable 6 with squidGuard, and each week the access.log file is empty, but logrotate is configured to rotate every month. My configuration file for squid is:

    #debug_options ALL,2 33,2 28,9
    http_port 3128
    icp_port 3130
    hierarchy_stoplist cgi-bin ?
    mime_table /home/etc/squid/mime.conf
    log_mime_hdrs on
    acl ServerHTTPS urlpath_regex https://* https:// https
    acl QUERY urlpath_regex cgi-bin ?
    acl SercureHTTP dstdomain https://* https:// https
    acl all src 0.0.0.0/0.0.0.0
    acl noPagesCache url_regex /home/etc/squid/cachePages
    acl NoDownloadIP src '/home/etc/squid/noDownloads_src'
    always_direct allow noPagesCache
    no_cache deny noPagesCache QUERY ServerHTTPS SercureHTTP
    #icon_directory /usr/local/squid/share/icons
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563 81 1
    acl Safe_ports port 21 70 80 81 210 280 443 488 563 591 777 1025-65535
    acl CONNECT method CONNECT
    acl noDownloads urlpath_regex '/home/etc/squid/noDownloads_dst'
    #no_cache deny all
    #always_direct allow all
    maximum_object_size 1024 KB
    minimum_object_size 4 KB
    ftp_sanitycheck on
    hosts_file /home/etc/hosts
    cache_mem 16 MB
    ftp_passive on
    ftp_user [EMAIL PROTECTED]
    cache_mgr [EMAIL PROTECTED]
    header_access Accept-Encoding deny all
    cache_peer 127.0.0.1 parent 8080 0 no-query default
    acl ftp proto FTP
    always_direct allow CONNECT
    always_direct allow ftp
    never_direct allow all
    visible_hostname 200.107.35.36
    acl interfaces dst 200.107.35.36 192.168.1.3 172.16.0.1 200.63.230.52
    http_access allow interfaces
    auth_param basic program /usr/lib/squid/pam_auth -1
    auth_param basic children 1
    auth_param basic realm Squid proxy-caching web server
    acl usuarios proxy_auth REQUIRED
    http_access allow usuarios
    #DNS options
    dns_nameservers 127.0.0.1 63.84.236.34
    delay_pools 1
    delay_class 1 1
    delay_access 1 allow all
    delay_parameters 1 -1/-1
    redirect_program /usr/local/bin/squidGuard -c /home/etc/squid/squidGuard.conf
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny NoDownloadIP noDownloads
    half_closed_clients off
    server_persistent_connections off
    client_persistent_connections off
    icp_access allow all
    cache_replacement_policy heap GDSF
    memory_replacement_policy heap GDSF
    cache_dir diskd /var/spool/squid 1600 16 256
    cache_swap_low 60
    cache_swap_high 70
    cache_store_log none
    log_fqdn off
    http_access allow all
    logfile_rotate 0
    log_icp_queries off
    buffered_logs off
    emulate_httpd_log off
    log_ip_on_direct off
    log_mime_hdrs off
    cache_effective_user squid
    cache_effective_group squid
    dns_timeout 10 minutes
    negative_ttl 10 minutes
    request_timeout 600 seconds
    connect_timeout 90 seconds
    extension_methods SEARCH SUBSCRIBE searchrequest
    ie_refresh on
    prefer_direct on
    error_directory /home/etc/squid/errors/en/
    request_header_max_size 5 KB
    extension_methods SEARCH SUBSCRIBE PROPFIND PROPATCH MKCOL POLL BCOPY BPROPPATCH

and my logrotate.d/squid configuration file is:

    /var/log/squid/access.log {
        monthly
        rotate 1
        compress
        notifempty
        missingok
        nosharedscripts
        copytruncate
    }

In crond I don't have any squid -k rotate.

Thanks
Carlos
[squid-users] filtering/proxy options?
I am looking at implementing a proxy/filtering server and would like some recommendations on the direction to take. I wish to do the filtering on an IP basis with a transparent proxy. IE: specify what IPs are to have filtering enabled and what options for that IP are enabled/etc.

Can squid do this? Could anyone point me in the right direction in order to get something like this implemented? I am a developer and fully understand and am well accustomed with RTFM'ing, but would like some direction. Can anyone point me the right way?

Basically I would just like to know what packages/software would be needed to accomplish this...the routing/etc I can already take care of.

Thanks in advance

Sincerely,
Jon Newman
RE: [squid-users] filtering/proxy options?
Completely not Squid related, but the 8e6 technologies R3000 does this exactly (and fairly well). I'm not affiliated with 8e6 in any way. My company just uses a fail over pair for this very purpose.

Chris

-----Original Message-----
From: Jon Newman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 11, 2005 12:05 PM
To: squid-users@squid-cache.org
Subject: [squid-users] filtering/proxy options?

I am looking at implementing a proxy/filtering server and would like some recommendations on the direction to take. I wish to do the filtering on an IP basis with a transparent proxy. IE: specify what IPs are to have filtering enabled and what options for that IP are enabled/etc.

Can squid do this? Could anyone point me in the right direction in order to get something like this implemented? I am a developer and fully understand and am well accustomed with RTFM'ing, but would like some direction. Can anyone point me the right way?

Basically I would just like to know what packages/software would be needed to accomplish this...the routing/etc I can already take care of.

Thanks in advance

Sincerely,
Jon Newman
RE: [squid-users] filtering/proxy options?
Well, transparent proxies are not allowed by the HTTP standard. Squid can be asked to work in a transparent mode, and does (for the most part) work. But there are occasional hiccups. Henrik Nordstrom (the squid developer most active on the list) is constantly telling people that using squid in transparent mode should only be done as a last resort. Squid is, however compatible with Cisco's WCCP (version 1, IIRC).

With that said, Squid's ACLs are simply amazing. I don't know if there is anything (allowed by HTTP) they can't do. Time base, IP based, domain based, authentication base etc, it's all there. And if you find something that it can't do, it has a directive to use external acls, with very ACLs caching. It's quite flexible.

As for filtering, I've heard (and read) good things about DansGuardian. Never used it myself, but there it is all the same. I also imagine there are downloadable files that you can use with squid for filtering. Others on the list might know more about this than I.

Chris

-----Original Message-----
From: Jon Newman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 11, 2005 12:36 PM
To: Chris Robertson
Subject: RE: [squid-users] filtering/proxy options?

I wasn't sure it was something squid could do, thanks for the heads up. The R3000 doesn't have CLI access, which is something I would at minimum need...since I will be building a control interface to manage this.

I know this is staying off topic as far as this list is concerned, but is there any other solution out there (possibly software only, as I would like to use my own hardware?).

Thanks again...
Jon

Completely not Squid related, but the 8e6 technologies R3000 does this exactly (and fairly well). I'm not affiliated with 8e6 in any way. My company just uses a fail over pair for this very purpose.

Chris

-----Original Message-----
From: Jon Newman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 11, 2005 12:05 PM
To: squid-users@squid-cache.org
Subject: [squid-users] filtering/proxy options?

I am looking at implementing a proxy/filtering server and would like some recommendations on the direction to take. I wish to do the filtering on an IP basis with a transparent proxy. IE: specify what IPs are to have filtering enabled and what options for that IP are enabled/etc.

Can squid do this? Could anyone point me in the right direction in order to get something like this implemented? I am a developer and fully understand and am well accustomed with RTFM'ing, but would like some direction. Can anyone point me the right way?

Basically I would just like to know what packages/software would be needed to accomplish this...the routing/etc I can already take care of.

Thanks in advance

Sincerely,
Jon Newman
[squid-users] authentication problem with squid_ldap_group
Dear squid users,

I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can log in and I have web access and it works fine.

    auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f ((sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
    acl USERS proxy_auth REQUIRED
    http_access allow USERS

In the next step I create these lines for my LDAP group access.

    external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    acl ldapproxygroup external ldapgroup webaccess
    http_access allow ldapproxygroup

I can log in but I have no web access. I see the 407 error access denied in squid conf.

When I execute

    heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    cwm webaccess
    OK

I get OK, but the user cwm can't use the proxy.

Thank you for all the help.

Best Regards
Joachim
Re: [squid-users] authentication problem with squid_ldap_group
Joachim JS. Schuster wrote:

Joachim JS. Schuster wrote:

Dear squid users,

I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can log in and I have web access and it works fine.

    auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f ((sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
    acl USERS proxy_auth REQUIRED
    http_access allow USERS

In the next step I create these lines for my LDAP group access.

    external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    acl ldapproxygroup external ldapgroup webaccess
    http_access allow ldapproxygroup

I can log in but I have no web access. I see the 407 error access denied in squid conf.

When I execute

    heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    cwm webaccess
    OK

I get OK, but the user cwm can't use the proxy.

Can you quote some of the logs that shows the problem? Is the username in the logs exactly as you are typing it on the command line? What I am getting at is that it might have the domain name attached to the username in which case you need the -S option for squid_ldap_group.

Regards,
Oliver

Sorry, I am new in this list. In which way must I contact you? By your mail address or over squid-users@squid-cache.org?

The access.log entries:

    1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
    1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html

The username cwm is correct. I can add more users to the webaccess. I checked all the new users with the command line below and the test is OK.

    /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

Regards
Joachim

Sorry, my mail program doesn't automatically reply to the list - yes you should reply to the list unless you want to converse directly with one of the members.

The only thing I could suggest is trying the -S parameter anyway. I don't know any really good ways to find out what is happening, unless you can write a test-program to replace squid_ldap_group that logs what options and input were passed to it. It either works or it doesn't!

Regards,
Oliver
Re: AW: [squid-users] authentication problem with squid_ldap_group
Joachim JS. Schuster wrote:

-----Original Message-----
From: Oliver Hookins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 January 2005 01:07
To: squid-users@squid-cache.org
Cc: Joachim JS. Schuster
Subject: Re: [squid-users] authentication problem with squid_ldap_group

Joachim JS. Schuster wrote:

Joachim JS. Schuster wrote:

Dear squid users,

I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can log in and I have web access and it works fine.

    auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f ((sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
    acl USERS proxy_auth REQUIRED
    http_access allow USERS

In the next step I create these lines for my LDAP group access.

    external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    acl ldapproxygroup external ldapgroup webaccess
    http_access allow ldapproxygroup

I can log in but I have no web access. I see the 407 error access denied in squid conf.

When I execute

    heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
    cwm webaccess
    OK

I get OK, but the user cwm can't use the proxy.

Can you quote some of the logs that shows the problem? Is the username in the logs exactly as you are typing it on the command line? What I am getting at is that it might have the domain name attached to the username in which case you need the -S option for squid_ldap_group.

Regards,
Oliver

Sorry, I am new in this list. In which way must I contact you? By your mail address or over squid-users@squid-cache.org?

The access.log entries:

    1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
    1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html

The username cwm is correct. I can add more users to the webaccess. I checked all the new users with the command line below and the test is OK.

    /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f ((cn=%g)(member=%u)) -F ((sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

Regards
Joachim

Sorry, my mail program doesn't automatically reply to the list - yes you should reply to the list unless you want to converse directly with one of the members.

The only thing I could suggest is trying the -S parameter anyway. I don't know any really good ways to find out what is happening, unless you can write a test-program to replace squid_ldap_group that logs what options and input were passed to it. It either works or it doesn't!

Regards,
Oliver

Do you mean the -S (Strip NT domain from usernames) parameter?

Regards
Joachim

Yes.

Oliver
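The test program suggested in this thread, a stand-in for squid_ldap_group that logs what options and input were passed to it, could look like the following Python script. This is an added example, not code from the thread or from Squid: the log path, the mask string and the function names are assumptions, and the value after -w is masked so that the LDAP bind password does not end up in the log.

```python
#!/usr/bin/env python3
"""Logging wrapper for a Squid external ACL helper (added example).

Squid starts this script in place of the real helper. Each request line
Squid writes to stdin is logged and forwarded to the real helper, and the
helper's answer is logged and passed back to Squid unchanged.
"""
import os
import subprocess
import sys
import time

REAL_HELPER = "/usr/sbin/squid_ldap_group"           # helper path from the thread
LOG_FILE = "/var/log/squid/ldap_group_debug.log"     # assumed; writable by squid

SECRET_OPTS = {"-w"}   # options whose value must not reach the log


def redact_args(argv):
    """Return a copy of argv with the value after each secret option masked."""
    out, hide_next = [], False
    for arg in argv:
        out.append("********" if hide_next else arg)
        hide_next = (not hide_next) and arg in SECRET_OPTS
    return out


def relay(helper_cmd, requests, reply, log):
    """Forward request lines to the helper, logging both directions.

    requests: iterable of lines as Squid sends them, e.g. "cwm webaccess\n"
    reply:    callable given each answer line (to hand back to Squid)
    log:      callable given each log message
    Returns the list of (request, answer) pairs that were exchanged.
    """
    log("argv: %r" % redact_args(helper_cmd))
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    seen = []
    try:
        for line in requests:
            log("squid  -> helper: %r" % line)
            try:
                proc.stdin.write(line)
                proc.stdin.flush()
                answer = proc.stdout.readline()
            except OSError:
                answer = ""
            if not answer:              # helper died: answer "no match"
                log("helper gone, exit status %r" % proc.poll())
                answer = "ERR\n"
            log("helper -> squid : %r" % answer)
            reply(answer)
            seen.append((line.rstrip("\n"), answer.strip()))
    finally:
        try:
            proc.stdin.close()
        except OSError:
            pass
        proc.wait()
    return seen


def main():
    with open(LOG_FILE, "a", buffering=1) as fh:
        def log(msg):
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            fh.write("%s pid=%d %s\n" % (stamp, os.getpid(), msg))

        def reply(answer):
            sys.stdout.write(answer)
            sys.stdout.flush()          # Squid waits for each answer line

        relay([REAL_HELPER] + sys.argv[1:],
              iter(sys.stdin.readline, ""), reply, log)


if __name__ == "__main__":
    main()
```

Point the external_acl_type line at this script instead of /usr/sbin/squid_ldap_group and keep the arguments unchanged; the log then shows whether the user name reaches the helper bare or with a domain prefix, which is what the -S question turns on.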
[squid-users] Error
Hi guys, I am wondering if anyone knows what this error means exactly. Squid Parent: child process 1967 exited due to signal 6 Can anyone offer any assistance with this one ? Thanks in advance.
[squid-users] auth_param username rewrite
Hi pplz, I am a newbie to this list so be nice if none of this is making a lot of sense. I have a very large amount of customers which log into a squid farm (load balanced) and request authentication. I have no problems with this. Currently a user must log in using a [EMAIL PROTECTED] to authenticate. This works fine but as time goes by I end up with a large amount of users wishing that they could drop the domain authentication from the auth request. I would like to do this but I have hit a brick wall in regards to how to handle multiple matching usernames (and passwords unfortunately) without a domain. I have a structured list of ip addresses which match these domains but of course I cannot parse the %SRC to the auth_param. I was wondering if anybody had a solution which would include either

A) allowing %SRC to be passed with username password to the auth helper, OR
B) a way of rewriting the username passed to the helper to include the source, e.g. username@%SRC password

I might be looking at this wrong but all the things that I have looked at so far have said that squid will not pass any args to the auth helper at all. Any help/pointers/feedback would be great. Thanks Scott
[squid-users] Building with LFUDA replacement policy
I'm trying to build 2.5STABLE7 with LFUDA. The configure script suggests it is available, although there is no directory for LFUDA under src/repl. My configure line is as follows: ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru,lfuda --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge --enable-useragent-log --enable-referer-log Sure enough my build fails at: make[4]: *** No rule to make target `liblfuda.a', needed by `all-am'. Stop. Nothing jumps out at me from searching the list archive for LFUDA. Does it still exist? Are you required to grab the LFUDA code from somewhere else? Do you configure Squid to use LFUDA in another way? There doesn't seem to be documentation suggesting anything other than what I am doing. Regards, Oliver
[squid-users] SHIRAZ-how to open smtp and pop
dear list, hi i recently installed redhat linux on my server but my users can't access smtp and pop mails. plz help me to enable pop and smtp ports that is 25 and 110. Thank you, best regards, Shiraz Gul Khan (03002061179) Onezero Inc.
[squid-users] SHIRAZ-how to cache all exe 10MB files for atleast 30 days...
hi list, i have 256kbps DSL bandwidth and 200 users. i am using redhat 7.2 linux with default squid options (no compile). please tell me what and where i add or edit command in squid.conf to keep all downloaded files which is under 10MB and all .exe files in cache for at least 30 days please help me. Thank you, best regards, Shiraz Gul Khan (03002061179) Onezero Inc.
[squid-users] SHIRAZ-how to slow speed
hi list, i want to slow down all exe files which my users downloading. i have DSL 256kbps bandwidth and i have 200 users. i am using linux redhat 7.2 with default squid options (no compile). Thank you, best regards, Shiraz Gul Khan (03002061179) Onezero Inc.
RE: [squid-users] Error
Hi guys, I am wondering if anyone knows what this error means exactly. Squid Parent: child process 1967 exited due to signal 6 Can anyone offer any assistance with this one? Thanks in advance.

Depends on: OS/platform/version? Kernel signals may have different meanings on different UNIX-es. On Linux you have:

% man 7 signal

for additional info. M.
RE: [squid-users] Building with LFUDA replacement policy
I'm trying to build 2.5STABLE7 with LFUDA. The configure script suggests it is available, although there is no directory for LFUDA under src/repl. My configure line is as follows: ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru,lfuda --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge --enable-useragent-log --enable-referer-log Sure enough my build fails at: make[4]: *** No rule to make target `liblfuda.a', needed by `all-am'. Stop. Nothing jumps out at me from searching the list archive for LFUDA. Does it still exist? Are you required to grab the LFUDA code from somewhere else? Do you configure Squid to use LFUDA in another way? There doesn't seem to be documentation suggesting anything other than what I am doing.

Lfuda is an option of the 'heap' replacement policies. So: --enable-removal-policies=heap will be sufficient to use it. BTW: do you need all these configure options? Advice: use only those which you need. M.
RE: [squid-users] SHIRAZ-how to open smtp and pop
dear list, hi i recently installed redhat linux on my server but my users can't access smtp and pop mails. plz help me to enable pop and smtp ports that is 25 and 110.

You are off topic. This list deals with SQUID issues. M.
RE: [squid-users] SHIRAZ-how to slow speed
hi list, i want to slow down all exe files which my users downloading. i have DSL 256kbps bandwidth and i have 200 users. i am using linux redhat 7.2 with default squid options (no compile).

Check out the SQUID FAQ on delay pools. M.