RE: [squid-users] Reverse proxy redirector
>> For some reason it is not. It is changing the http to https but
>> changing the rest to whatever the value of httpd_accel in the
>> squid.conf file. Whenever I change that value I get redirected to the
>> changed value which is the back end server and bypasses the proxy. Any
>> ideas on what I could try?

> If your squid.conf is set up to accelerate using internally URLs pointing
> directly to the backend server then this is what the redirector will see.
> You then have two options
> a) Clean up your reverse proxy setup to not use the backend server
> address. See numerous posts on the subject mentioning /etc/hosts etc..

I tried finding the other posts about the hosts file but none really relate to what I'm trying to do. I changed my squid.conf file and removed references to the backend server (httpd_accel_host and TheOriginServer) and used the public URL that points to squid. In the host file I mapped that public URL to the internal IP address of the backend server. This is what I get in the access.log:

1107379531.406 19 x.x.x.154 TCP_MISS/302 156 GET http://squid.xxx.net/ - NONE/- -

Not sure what I'm missing.

> b) Modify the redirector to rewrite back to the public URL when sending
> the redirect.

Tried this too but seems like it is an endless loop. The public URL points to squid. Isn't the redirector processed before squid does its magic? Therefore wouldn't the redirector continuously redirect the client to squid? I must be missing something.
RE: [squid-users] FATAL: Received Segment Violation...dying.
> My squid box works fine for the last 2 months. But this morning, it's
> down. I got this piece in the cache.log:
>
> ...

http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19

M.
[squid-users] Problem with applet files embedded within html???
Hello,

I am using squid 2.5 Stable 7 together with the digest authentication from Squid Pre 3. It appears that everything seems to run successfully so long as there are no applets within the page. All the authentication proceeds smoothly. However when I request pages with java applets within, I get a TCP_DENIED message in the squid.log file. If I remove the acl requiring 'password authentication', then these pages are successfully retrieved. I have tested this a number of times and get repeatable results. Does anyone know what could be happening?

Below is an excerpt from the squid.log file.

Thanks
Glenn Baptista

1107409966.241 1 192.168.2.4 TCP_DENIED/407 1720 GET http://www.axis.com/ - NONE/- text/html
1107409981.217 9545 192.168.2.4 TCP_MISS/200 25480 GET http://www.axis.com/ glenn DIRECT/212.209.10.247 text/html
1107409983.131 5225 192.168.2.4 TCP_MISS/200 6198 GET http://www.axis.com/css/axis_style.css glenn DIRECT/212.209.10.247 text/css
1107409983.801 669 192.168.2.4 TCP_MISS/200 5170 GET http://www.axis.com/css/rtab_style.css glenn DIRECT/212.209.10.247 text/css
1107409985.991 2189 192.168.2.4 TCP_MISS/200 11680 GET http://www.axis.com/css/new_basic_style.css glenn DIRECT/212.209.10.247 text/css
1107409988.893 2902 192.168.2.4 TCP_MISS/200 4513 GET http://www.axis.com/css/rbox_style.css glenn DIRECT/212.209.10.247 text/css
1107409989.534 641 192.168.2.4 TCP_MISS/200 383 GET http://www.axis.com/graphics/blank.gif glenn DIRECT/212.209.10.247 image/gif
1107409989.994 1033 192.168.2.4 TCP_MISS/200 1346 GET http://www.axis.com/images/logos/axis_logo_70x29px.gif glenn DIRECT/212.209.10.247 image/gif
1107409990.123 588 192.168.2.4 TCP_MISS/200 382 GET http://www.axis.com/templates/images/blank.gif glenn DIRECT/212.209.10.247 image/gif
1107409990.481 487 192.168.2.4 TCP_MISS/200 382 GET http://www.axis.com/templates/img/blank.gif glenn DIRECT/212.209.10.247 image/gif
1107409991.823 2845 192.168.2.4 TCP_MISS/200 10863 GET http://www.axis.com/img/banners/dome_text.gif glenn DIRECT/212.209.10.247 image/gif
1107409992.292 2168 192.168.2.4 TCP_MISS/200 3547 GET http://www.axis.com/img/hospital.jpg glenn DIRECT/212.209.10.247 image/jpeg
1107409992.412 589 192.168.2.4 TCP_MISS/200 392 GET http://www.axis.com/templates/images/blank_8x20.gif glenn DIRECT/212.209.10.247 image/gif
1107409993.066 654 192.168.2.4 TCP_MISS/200 1187 GET http://www.axis.com/templates/img/find_small.gif glenn DIRECT/212.209.10.247 image/gif
1107409993.428 1135 192.168.2.4 TCP_MISS/200 4531 GET http://www.axis.com/img/security_th.jpg glenn DIRECT/212.209.10.247 image/jpeg
1107409993.514 448 192.168.2.4 TCP_MISS/200 601 GET http://www.axis.com/images/logos/logo_triangle.gif glenn DIRECT/212.209.10.247 image/gif
1107409993.814 3332 192.168.2.4 TCP_MISS/200 1830 GET http://www.axis.com/img/axis_1650.jpg glenn DIRECT/212.209.10.247 image/jpeg
1107409994.097 584 192.168.2.4 TCP_MISS/200 409 GET http://www.axis.com/graphics/rbox/top_line_100x5px.gif glenn DIRECT/212.209.10.247 image/gif
1107409994.404 591 192.168.2.4 TCP_MISS/200 388 GET http://www.axis.com/graphics/rbox/top_right_corner_5x5px.gif glenn DIRECT/212.209.10.247 image/gif
1107409994.704 606 192.168.2.4 TCP_MISS/200 525 GET http://www.axis.com/templates/images/border_top.gif glenn DIRECT/212.209.10.247 image/gif
1107409994.826 1398 192.168.2.4 TCP_MISS/200 388 GET http://www.axis.com/graphics/rbox/top_left_corner_5x5px.gif glenn DIRECT/212.209.10.247 image/gif
1107409995.034 630 192.168.2.4 TCP_MISS/200 382 GET http://www.axis.com/templates/images/mainbg.gif glenn DIRECT/212.209.10.247 image/gif
1107409995.220 517 192.168.2.4 TCP_MISS/200 410 GET http://www.axis.com/templates/images/vert_line.gif glenn DIRECT/212.209.10.247 image/gif
1107409998.959 9978 192.168.2.4 TCP_MISS/200 6257 GET http://www.axis.com/img/banners/dome_image.jpg glenn DIRECT/212.209.10.247 image/jpeg
110741.853892 192.168.2.4 TCP_MISS/200 388 GET http://www.axis.com/graphics/rbox/bottom_left_corner_5x5px.gif glenn DIRECT/212.209.10.247 image/gif
110741.926664 192.168.2.4 TCP_MISS/200 388 GET http://www.axis.com/graphics/rbox/bottom_right_corner_5x5px.gif glenn DIRECT/212.209.10.247 image/gif
1107410004.111 3853 192.168.2.4 TCP_MISS/200 409 GET http://www.axis.com/graphics/rbox/bottom_line_100x5px.gif glenn DIRECT/212.209.10.247 image/gif
1107410050.099 3530 192.168.2.4 TCP_MISS/200 1237 GET http://mygateman.com.au/reqlogin glenn DIRECT/61.11.12.49 -
1107410050.346 180 192.168.2.4 TCP_MISS/200 1133 GET http://61.11.12.49/favicon.ico glenn DIRECT/61.11.12.49 -
1107410050.517 2 192.168.2.4 TCP_DENIED/407 1777 GET http://61.11.12.49/web/ClientApplet.jar - NONE/- text/html
1107410050.671 1 192.168.2.4 TCP_DENIED/407 1777 GET http://61.11.12.49/web/ClientApplet.jar - NONE/- text/html
1107410050.754 0 192.168.2.4 TCP_DENIED/407 1780 GET http://61.11.12.49/web/c
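Added example, not part of the post above: a parser for Squid's native access.log format that singles out the pattern visible in Glenn's excerpt, namely 407 responses without a user name that arrive from a client address which had already sent authenticated requests. The first 407 of a session is the normal challenge; later credential-less 407s from the same address show that some request on that host is being sent without the credentials the browser already holds (a second HTTP client on the same machine, such as an applet runtime, would look exactly like this; that reading is the editor's, not the poster's). The sample lines are copied from the excerpt, reduced to a representative subset.

```python
from collections import Counter
from typing import Dict, List, Optional

# Lines copied from the access.log excerpt in the post (representative subset).
SAMPLE_LOG = """\
1107409966.241 1 192.168.2.4 TCP_DENIED/407 1720 GET http://www.axis.com/ - NONE/- text/html
1107409981.217 9545 192.168.2.4 TCP_MISS/200 25480 GET http://www.axis.com/ glenn DIRECT/212.209.10.247 text/html
1107409983.131 5225 192.168.2.4 TCP_MISS/200 6198 GET http://www.axis.com/css/axis_style.css glenn DIRECT/212.209.10.247 text/css
1107410050.099 3530 192.168.2.4 TCP_MISS/200 1237 GET http://mygateman.com.au/reqlogin glenn DIRECT/61.11.12.49 -
1107410050.346 180 192.168.2.4 TCP_MISS/200 1133 GET http://61.11.12.49/favicon.ico glenn DIRECT/61.11.12.49 -
1107410050.517 2 192.168.2.4 TCP_DENIED/407 1777 GET http://61.11.12.49/web/ClientApplet.jar - NONE/- text/html
1107410050.671 1 192.168.2.4 TCP_DENIED/407 1777 GET http://61.11.12.49/web/ClientApplet.jar - NONE/- text/html
"""

# Squid native format: time elapsed client code/status bytes method URL user hierarchy/peer type
FIELDS = ("time", "elapsed", "client", "result", "bytes", "method", "url", "user", "peer", "type")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format line into named fields; None if it is not one."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], rec["status"] = rec["result"].split("/", 1)
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def denied_after_auth(records: List[Dict[str, str]]) -> Counter:
    """Count, per URL, the credential-less 407s that a client address produced
    AFTER it had already sent an authenticated request. The first 407 of a
    session is the normal challenge and is not counted."""
    authenticated = set()           # client addresses seen with a user name
    suspicious: Counter = Counter()
    for r in records:               # access.log is in time order
        if r["user"] != "-":
            authenticated.add(r["client"])
        elif r["status"] == "407" and r["client"] in authenticated:
            suspicious[r["url"]] += 1
    return suspicious


if __name__ == "__main__":
    for url, n in denied_after_auth(parse_log(SAMPLE_LOG)).items():
        print(f"{n} x 407 without credentials after login: {url}")
```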
[squid-users] squid with Windows 2003 group filtering problem
Please someone check my config and help me in sorting this problem of squid and windows 2003 group filtering.

Regards,
Srinivasa Chary

- Original Message -
From: "Srinivasa Chary" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 31, 2005 4:34 PM
Subject: [squid-users] squid with Windows 2003 group filtering problem

> Hi All,
>
> I am getting problem when doing group filtering using from windows 2003 server.
> I am using squid-2.5.STABLE3 and samba-3.0.0
>
> i am able to authenticate all the users perfectly without group verification, when i want to do group filtering it is not applying. can some help me in implementing the group filtering in squid using windows 2003 group.
>
> The below are the configuration details of my squid, wbinfo_group and samba files.
>
> Squid.conf:
>
> http_port 3128
> cache_effective_user squid
> cache_effective_group squid
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> visible_hostname NTSP1
> debug_options ALL,1 32,2 28,9
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NT_global_group %LOGIN /etc/squid/wbinfo_group.pl
>
> acl AllowedNTUsers external NT_global_group "/etc/squid/allowedntgroups"
> acl LoggedInUsers proxy_auth REQUIRED
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow AllowedNTUsers
> http_access allow LoggedInUsers
> http_access deny !AllowedNTUsers
> http_access deny !LoggedInUsers
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/cache/squid
> cache_dir ufs /var/cache/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> ===
>
> smb.conf
>
> [global]
> workgroup = WK3
> netbios name = WK3
> realm = WK3.SERVER
> security = ads
> encrypt passwords = yes
> password server = digital.wk3.server
> # separate domain and username with /, like DOMAIN/username
> winbind separator = /
> # use UIDs from 1 to 2 for domain users
> idmap uid = 1-2
> idmap gid = 1-2
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> ==
> wbinfo_group.pl
>
> # external_acl uses shell style lines in its protocol
> #require 'shellwords.pl';
>
> # Disable output buffering
> $|=1;
>
> sub debug {
>     # Uncomment this to enable debugging
>     #print STDERR "@_\n";
> }
>
> #
> # Check if a user belongs to a group
> #
> sub check {
>     local($user, $group) = @_;
>     $groupSID = `/usr/bin/wbinfo -n "$group"`;
>     #because the new wbinfo -n returns also the group number
>     #we do the following
>     $groupSID = substr($groupSID,0,index($groupSID," ",0));
>     $groupGID = `/usr/bin/wbinfo -Y $groupSID`;
>     chop $groupGID;
>     &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
>     #return 'OK' if(`/usr/bin/wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
>     $groupmem = `/usr/bin/wbinfo -r $user`;
>     if ($groupmem) {
>         $groupchk = ($groupmem =~ /^$groupGID$/m);
>         if ($groupchk) {
>             return 'OK';
>         }
>     }
>     return 'ERR';
> }
>
> #
> # Main loop
> #
> while (<STDIN>) {
>     chop;
>     &debug ("Got $_ from squid");
>     #H1 was added by holger
>     @H1=split(/\s+/, $_);
>     #printf ("User:%s\n",$H1[0]);
>     #printf ("Group:%s\n",$H1[1]);
>     $user = $H1[0];
>     $group = $
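Added example, not from the post or from Squid itself: a small model of Squid's first-match http_access evaluation, applied to the auth-related lines exactly as ordered in the posted squid.conf and to a reordered variant. It shows why the posted ordering never filters by group: any authenticated user matches "http_access allow LoggedInUsers" before the "deny !AllowedNTUsers" line is reached. The ACL names are the post's; the group name "InternetUsers" and the users are constructed, and the 407 challenge that proxy_auth REQUIRED raises for credential-less requests is simplified to "no match".

```python
from typing import List, Optional, Sequence, Set, Tuple

# Constructed stand-in for the contents of /etc/squid/allowedntgroups
ALLOWED_NT_GROUPS: Set[str] = {"InternetUsers"}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])


def acl_matches(name: str, user: Optional[str], groups: Set[str]) -> bool:
    """Evaluate one ACL by name for a request carrying `user` (None = no
    proxy credentials) whose account belongs to `groups`. Only the ACLs
    used by the posted http_access lines are modelled."""
    if name == "all":
        return True
    if name == "LoggedInUsers":        # acl LoggedInUsers proxy_auth REQUIRED
        return user is not None
    if name == "AllowedNTUsers":       # acl AllowedNTUsers external NT_global_group ...
        return user is not None and bool(groups & ALLOWED_NT_GROUPS)
    raise KeyError(f"unknown acl {name}")


def http_access(rules: Sequence[Rule], user: Optional[str], groups: Set[str]) -> str:
    """Squid first-match semantics: the first http_access line whose ACLs all
    match decides. A leading '!' negates an ACL. If no line matches, the
    opposite of the last line's action applies."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), user, groups) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The auth-related http_access lines in the order given in the post.
POSTED_RULES: List[Rule] = [
    ("allow", ["AllowedNTUsers"]),
    ("allow", ["LoggedInUsers"]),
    ("deny", ["!AllowedNTUsers"]),
    ("deny", ["!LoggedInUsers"]),
    ("deny", ["all"]),
]

# Same ACLs, but login and group membership are required on one allow line,
# so an authenticated user outside the group falls through to the deny.
GROUP_ENFORCED_RULES: List[Rule] = [
    ("allow", ["LoggedInUsers", "AllowedNTUsers"]),
    ("deny", ["all"]),
]


def decide(rules: Sequence[Rule], user: Optional[str], groups: Sequence[str] = ()) -> str:
    return http_access(rules, user, set(groups))


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("group-enforced", GROUP_ENFORCED_RULES)):
        print(f"{label}:")
        print("  alice (in InternetUsers):", decide(rules, "alice", ["InternetUsers"]))
        print("  bob (in Staff only)     :", decide(rules, "bob", ["Staff"]))
        print("  no credentials          :", decide(rules, None))
```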
[squid-users] cache_dir becoming small
Hi all fellows,

I have had the cache_dir size becoming smaller day by day. Why? How can I fix it?

Thanks,
Daniel Navarro
Maracay, Venezuela
www.csaragua.com/ecodiver
[squid-users] FATAL: Received Segment Violation...dying.
My squid box works fine for the last 2 months. But this morning, it's down. I got this piece in the cache.log:

cache.log
2005/02/03 10:17:15| WARNING: Forwarding loop detected for:
GET /images/web3_pic1.gif HTTP/1.0^M
Accept: */*^M
Referer: http://y.sina.com.cn/^M
Accept-Language: zh-cn^M
Accept-Encoding: gzip, deflate^M
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)^M
Host: y.sina.com.cn^M
Cookie: UNIPROINFO=sz:1024x768||dp:32||ac:Mozilla||an:Microsoft Internet Explorer||av:4.0 (compatible, MSIE 6.0, Windows NT 5.0)||cpu:x86||pf:Win32||jv:1.3||ct:lan||lg:zh-cn||tz:-8; UNIPROPATH=|*||pid:1-5-1-0-5753773|news.sina.com.cn/w/2005-02-03/05105027373s.shtml|st:0|et:1107396589437||hp:N|*|; UNIPROCT=71-0-0:5|1-4-5:1|62-1-1:1|42-4-3:1|42-0-0:1|31-5-9:2|31-7-8:1|1-6-4:1|1-6-3:1|1-4-2:1|59-68-4036:5|1-6-0:1|1-5-1:2; FINA_VISITED_S=sh01|é??¤??êy; VISITED_STOCK=sh igamex_cookie=1; sina_cookie_enable=yes; bbsviewtype=1^M
Via: 1.1 GreenCache-2100.gforce.cn/6: (squid/2.5.STABLE7), 1.0 GreenCache-2100.gforce.cn/5: (squid/2.5.STABLE7)^M
X-Forwarded-For: unknown, unknown^M
Cache-Control: max-age=7776000, only-if-cached^M
^M
2005/02/03 10:19:15| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:19:15| /cache/0D/CC/000DCC1B
2005/02/03 10:19:37| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:19:37| /cache/05/7F/00057FB3
2005/02/03 10:19:37| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:19:37| /cache/05/7F/00057F4B
2005/02/03 10:19:37| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:19:37| /cache/05/83/000583B6
2005/02/03 10:19:37| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:19:37| /cache/05/7F/00057FA0
2005/02/03 10:20:22| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:20:22| /cache/01/BB/0001BBA1
2005/02/03 10:21:30| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:21:30| /cache/06/71/000671AF
2005/02/03 10:22:11| sslReadServer: FD 68: read failure: (104) Connection reset by peer
2005/02/03 10:23:01| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:23:01| /cache/08/DE/0008DE32
2005/02/03 10:25:33| storeAufsOpenDone: (2) No such file or directory
2005/02/03 10:25:33| /cache2/00/00/0020
(squid)[0x475781]
/lib64/tls/libpthread.so.0[0x2a958d2fa0]
(squid)[0x44f942]
(squid)(__strtod_internal+0x7b8)[0x4041c0]
(squid)[0x426e1a]
(squid)[0x425582]
(squid)[0x428c41]
(squid)[0x4254eb]
(squid)[0x429467]
(squid)[0x42af06]
(squid)[0x44ff4a]
/lib64/tls/libc.so.6(__libc_start_main+0xee)[0x2a95eaf1ae]
(squid)(regcomp+0x72)[0x403cea]
FATAL: Received Segment Violation...dying.
-- End --

When I type 'ps -A | grep squid', I can see the process is still there, and I can telnet the port squid serves, but I can't browse any web pages. Can somebody tell me what's the matter with it?

-- System information --
- AMD Opteron 248 * 2
- S2882 Thunder K8s Pro
- RAM 1GB
- 2 SCSI Seagate 10k for RAID-0

# uname -a
Linux NGate 2.4.21-20.EL.NGate #2 SMP Mon Nov 8 13:26:37 CST 2004 i686 athlon i386 GNU/Linux

# /usr/local/squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE7
configure options: --prefix=/usr/local/squid --with-aufs-threads=32 --with-pthreads --with-aio --with-dl --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --enable-kill-parent-hack --enable-snmp --enable-poll --disable-ident-lookups --disable-hostname-checks --enable-underscores --enable-stacktraces --enable-dl-malloc --enable-wccpv2

# cat /usr/local/squid/etc/squid.conf
visible_hostname NGate.com
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? .cgi .pl .php .asp .cfm
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .gif 1440 90% 129600 reload-into-ims
refresh_pattern -i .swf 1440 90% 129600 reload-into-ims
refresh_pattern -i .jpg 1440 90% 129600 reload-into-ims
refresh_pattern -i .bmp 1440 90% 129600 reload-into-ims
refresh_pattern -i .pdf 0 90% 129600 reload-into-ims
refresh_pattern -i .zip 0 90% 129600 reload-into-ims
refresh_pattern -i .rar 0 90% 129600 reload-into-ims
refresh_pattern -i .exe 0 90% 129600 reload-into-ims
refresh_pattern . 1 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny to_localhost
http_access allow all
acl snmppublic snmp_community public
snmp_access allow snmppubli
Re: [squid-users] upgrading Squid 2.5S3 to 2.5S7 broke RealVideo
On Tue, 1 Feb 2005 23:20:34 +0100 (CET), Hendrik wrote:
> On Mon, 31 Jan 2005 [EMAIL PROTECTED] wrote:
>> We recently upgraded our Squid server from a Sun Ultra60 running
>> Solaris 2.8 to a Sun V240 running Solaris 2.9. I also took the
>> opportunity to upgrade Squid from 2.5STABLE3 to 2.5STABLE7. Now our
>> streaming video (Real Media) no longer works (it hangs).
>
> Please verify that it really is the Squid upgrade and not the OS upgrade
> causing your problems. You can easily do this by either run the new
> Squid version on your old server or the old Squid version on your new
> server..

Thanks for the great idea Hendrik. I installed each version that wasn't already there on the other server on a different port so I have both versions running on each server. What we found was that either *all* versions work for a user or they all *don't* work. So I've misidentified the problem and apologize for that.

However we've narrowed the problem down to a particular site's Real Media archives: http://www2.courtinfo.ca.gov/cjer/aoctv/archives.htm. The older files (e.g. April 13, May 11th, etc.) are RealMedia and fail to load for a user. Users for whom these files fail can view other RealVideo files like from ABC.com, Real.com themselves etc., hence we think it is this site's use or configuration of RealMedia.

For users who can't view the files there is a crazy work-around: if we allow that user to unproxy themselves and then grab even the beginning of a RealMedia TV program, then it works. And then, here is the kicker, the user can go back to using the proxy and ALL the other files load/view fine for that user after that (i.e. even ones he/she has never viewed). So I suspect there is some kind of initial handshake problem. Our webmaster is in contact with the site owners (and their 3rd party content provider) to see if maybe they are doing some side-band stuff.

Our contact said that they use port 80 to serve the content but may use port 1964 to set up communication so I put that in the list of http ports squid accepts, restarted squid and still it fails for users who have never unproxied as a work-around. Again, once they unproxy for even just the start of one RealMedia TV program, then they can go back to being proxied. The WindowsMedia files (the newer dates at the above site) all play fine. So I suspect it is a port problem but don't know how to fix it. We've eliminated the firewall as the culprit because the (internal access only) DEV squid proxy now has wide open access (any/any) for connecting to the outside and it still fails there, even with port 1964 added to the accepted http ports.

So I apologize for misidentifying the problem. We are working with the site but they don't have much info/help so I was hoping someone here might have encountered something similar - info or a pointer to a previous thread where this is discussed/fixed would be much appreciated.

thanks all,
Adam
Re: [squid-users] Limit on AD group membership
Jason Ide wrote:
> What do you mean by using squid_ldap_group ? Is this to replace wbinfo_group.pl ?
> How do I use squid_ldap_group ?
>
> Thanks
> Jason

Jason,

squid_ldap_group does a lookup on security groups directly through an LDAP query to the domain controller. It is certainly worth a shot. Check out the man pages for squid_ldap_group and the list archives; you'll definitely find out enough information to get you going with squid_ldap_group instead.

Regards,
Oliver

> Try with squid_ldap_group for test group memberships. It works better.
>
> regards,
> diegows
>
> On Thu, 03-02-2005 at 09:10 +1100, Jason Ide wrote:
>> Hi
>>
>> can you post the question to squid users group (please read it and find if it is clear enough)
>>
>> We are using squid 2.5 and Samba suite 3.0.3 in conjunction with Active Directory and NTLM authentication.
>> We also are using authorisation process for users based on active directory group membership.
>> We have noticed that if user is a member of more than 60-70 groups, squid/samba cannot determine his group membership.
>> So as the result user is denied on squid proxy.
>> If we limit number of the groups for the user to 40-50, the problem is solved.
>> Does anyone know about any limitations in regards of group membership on Samba 3.0.3?
Re: [squid-users] Limit on AD group membership
What do you mean by using squid_ldap_group ? Is this to replace wbinfo_group.pl ?
How do I use squid_ldap_group ?

Thanks
Jason

Try with squid_ldap_group for test group memberships. It works better.

regards,
diegows

On Thu, 03-02-2005 at 09:10 +1100, Jason Ide wrote:
> Hi
>
> can you post the question to squid users group (please read it and find if
> it is clear enough)
>
> We are using squid 2.5 and Samba suite 3.0.3 in conjunction with Active
> Directory and NTLM authentication.
> We also are using authorisation process for users based on active directory
> group membership.
> We have noticed that if user is a member of more than 60-70 groups,
> squid/samba cannot determine his group membership.
> So as the result user is denied on squid proxy.
> If we limit number of the groups for the user to 40-50, the problem is
> solved.
> Does anyone know about any limitations in regards of group membership on
> Samba 3.0.3?
>
> Jason Ide
> KAZ Corporate I.T. - WAN
> KAZ Group Limited
> Email: [EMAIL PROTECTED]
> Tel 02-8263-2931
> Mobile: 0413610481
> A division of KAZ Group Limited
> visit our web site at www.kaz-group.com
Re: [squid-users] Re [squid-users] Squid NTLM authentication problem NT domain
On Wed, 2005-02-02 at 17:14 +0200, [EMAIL PROTECTED] wrote:
> Hi again,
> I have changed permission on winbindd_privileged to:
>
> drwxr-x--- 2 root squid 4096 Feb 2 09:33 winbindd_privileged
>
> now i don't have error:
> #winbindd version 3.0.10 started.
> # Copyright The Samba Team 2000-2004
> #[2005/02/02 09:11:10, 0] lib/util_sock.c:create_pipe_sock(1056)
> #invalid permissions on socket directory /usr/local/samba/var/locks/winbindd_privileged
> #open_winbind_socket: Success
>
> but i still receive error messages in squid - cache.log:
> 2005/02/02 14:52:57| helperStatefulOpenServers: Starting 30 'ntlm_auth' processes
> ntlm_auth: error opening config file /usr/local/samba/lib/smb.conf. Error was Invalid or incomplete multibyte or wide character

This looks like a configuration error in smb.conf. You might want to check it using "testparm" or similar tools.

kinkie
Re: [squid-users] auth questions / help
On Wed, 2 Feb 2005 [EMAIL PROTECTED] wrote:
> i did read the squid docu and google but it doesn't work.
> i use squid and have activated the webmin auth /etc/webmin/squid/squid-auth.pl with commandline auth_params (or so) basic program ..pl /etc/webmin/squid/users.
> but i did never get a "question" like "username/password"
> which setting i must set too?

The Squid FAQ has a whole chapter on authentication, including detailed descriptions of how it works and several working examples.

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

In addition I would recommend reading the chapter on access controls as the two are closely related

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

Regards
Henrik
RE: [squid-users] Reverse proxy redirector
On Wed, 2 Feb 2005, Brad Taylor wrote:
> For some reason it is not. It is changing the http to https but
> changing the rest to whatever the value of httpd_accel in the
> squid.conf file. Whenever I change that value I get redirected to the
> changed value which is the back end server and bypasses the proxy. Any
> ideas on what I could try?

If your squid.conf is set up to accelerate using internally URLs pointing directly to the backend server then this is what the redirector will see.

You then have two options

a) Clean up your reverse proxy setup to not use the backend server address. See numerous posts on the subject mentioning /etc/hosts etc..

b) Modify the redirector to rewrite back to the public URL when sending the redirect.

Regards
Henrik
Re: [squid-users] web access based on ldap groups
cipher wrote:
> Dear users,
>
> I just got squid authenticating through ldap, using squid_ldap_auth and everything is fine. Users can authenticate and no problems are showing up.
>
> Now i would like to know a way to give user permissions to different web accesses to different users. For example, i have this configuration:
>
> [...]
> acl block_word url_regex "/etc/squid/block_word"
> acl block_url url_regex "/etc/squid/block_url"
> acl block_domain dstdomain "/etc/squid/block_domain"
> acl block_dest_ip dst "/etc/squid/block_dest_ip"
> acl accept proxy_auth "/etc/squid/accept_user"
> acl forbidden proxy_auth "/etc/squid/forbidden_user"
> http_access allow accept block_word
> http_access allow accept block_domain
> http_access allow accept block_dest_ip
> http_access allow accept block_url
> http_access deny forbidden block_word
> http_access deny forbidden block_domain
> http_access deny forbidden block_dest_ip
> http_access deny forbidden block_url
> [...]
>
> What happened was that i was filtering web access through a text file called /etc/squid/accept_user and /etc/squid/forbidden_user, which had information about the users that were allowed or not allowed to have web access to the urls in the /etc/squid/block_url file for example.
>
> Now with ldap working i have two groups:
> -> proxy-allow
> -> proxy-deny
>
> I want to put users in those two groups, and the idea is that users in the proxy-allow group will have web access to urls in the /etc/squid/block_url and users in the proxy-deny group will not have web access to those urls.
>
> I am aware that squid_ldap_group does the job but i am not really understanding how. I read through the archives and no answer to this issue was found. At least i wasn't able to see it. :)
>
> I already know that an external_acl_type acl is needed. I just haven't figured out how to tell squid.conf to go search on that groups and give access like it is meant to.
>
> Is there a chance someone could point in the right direction to get this working or maybe point me the archive where this issue is answered?
>
> Feel free to ask for more configuration information if you need to.
>
> Thanks a lot for reading this and in advance!

squid_ldap_group operates very similarly to squid_ldap_auth. I assume you are already successfully getting the user login details and are authenticating the users. After that you just need an external_acl_type statement for the ldap checking such as this (forgive the long description, it's something I wrote up after I got it working so that it is understandable to some degree):

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F "samaccountname=%s" -S -R -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w password -a find -s sub -h server.domain.local

ldap_group is the type of external ACL we are using.
ttl and negative_ttl are set to short intervals so that adding or removing a user from the authorised group doesn't incur a huge delay.
%LOGIN is a standard parameter - it just passes the user details from the authenticator module.
-b is the Base DN for the security group in the AD.
-f specifies how the user is to be found in the group. cn=%g will give you the group DN itself, member=%u finds the user by their DN, and objectClass=group is self explanatory.
-B is the Base DN for the users.
-F is used to specify the search filter for the users. samaccountname is the parameter I search for since I found the browser sends the shortened version of the login name (instead of the full name or something).
-S specifies that it should strip the domain name off the front of the username (since I was using NTLM and that passed the domain name).
-R allows us to have users in multiple OUs.
-D specifies the DN of a user authorised to perform LDAP searches on the AD. This I believe can be any user in the AD.
-a specifies the search technique and may not be required.
-s specifies how to handle searching up the tree and defaults to sub anyway so is not really required.
-h server.domain.local just specifies the domain controller that the LDAP query is performed on.

Then you need acls to specify the groups you are checking for:

acl AuthGroup external ldap_group Internet

and http_access lines to actually allow those groups or whatever:

http_access allow AuthGroup

This is where you can get very creative (not something I have done...).

Hope this helps (and is relatively correct - my explanations are probably not entirely accurate).

Cheers,
Oliver
Re: [squid-users] wccp problem after wccp_denial_of_service patch #1190
On Wed, 2 Feb 2005, sekchye goh wrote:
> 2005/02/01 17:38:10| Ignoring WCCP_I_SEE_YOU from 192.168.88.3 with non-positive number of caches

Try if it helps changing the <= 0 test in the patch to just < 0.

Regards
Henrik
Re: [squid-users] Controlling remote squid ACLs
On Tue, 1 Feb 2005, tomlobato wrote:
> I need to make an interface for a net adm to manage remote squid ACLs. My scenario: 15 remote Linux gateways, each one runs on a different network. I know well how to work with squid, its ACLs, Perl and C, but it's not clear for me what is the better option for implementing such a system.

webmin includes a Squid module which may be helpful to you.

Regards
Henrik
[squid-users] Limit on AD group membership
Hi

can you post the question to squid users group (please read it and find if it is clear enough)

We are using squid 2.5 and Samba suite 3.0.3 in conjunction with Active Directory and NTLM authentication.
We also are using authorisation process for users based on active directory group membership.
We have noticed that if user is a member of more than 60-70 groups, squid/samba cannot determine his group membership.
So as the result user is denied on squid proxy.
If we limit number of the groups for the user to 40-50, the problem is solved.
Does anyone know about any limitations in regards of group membership on Samba 3.0.3?
[squid-users] web access based on ldap groups
Dear users,

I just got squid authenticating through ldap, using squid_ldap_auth and everything is fine. Users can authenticate and no problems are showing up.

Now i would like to know a way to give user permissions to different web accesses to different users. For example, i have this configuration:

[...]
acl block_word url_regex "/etc/squid/block_word"
acl block_url url_regex "/etc/squid/block_url"
acl block_domain dstdomain "/etc/squid/block_domain"
acl block_dest_ip dst "/etc/squid/block_dest_ip"
acl accept proxy_auth "/etc/squid/accept_user"
acl forbidden proxy_auth "/etc/squid/forbidden_user"
http_access allow accept block_word
http_access allow accept block_domain
http_access allow accept block_dest_ip
http_access allow accept block_url
http_access deny forbidden block_word
http_access deny forbidden block_domain
http_access deny forbidden block_dest_ip
http_access deny forbidden block_url
[...]

What happened was that i was filtering web access through a text file called /etc/squid/accept_user and /etc/squid/forbidden_user, which had information about the users that were allowed or not allowed to have web access to the urls in the /etc/squid/block_url file for example.

Now with ldap working i have two groups:
-> proxy-allow
-> proxy-deny

I want to put users in those two groups, and the idea is that users in the proxy-allow group will have web access to urls in the /etc/squid/block_url and users in the proxy-deny group will not have web access to those urls.

I am aware that squid_ldap_group does the job but i am not really understanding how. I read through the archives and no answer to this issue was found. At least i wasn't able to see it. :)

I already know that an external_acl_type acl is needed. I just haven't figured out how to tell squid.conf to go search on that groups and give access like it is meant to.

Is there a chance someone could point in the right direction to get this working or maybe point me the archive where this issue is answered?

Feel free to ask for more configuration information if you need to.

Thanks a lot for reading this and in advance!

*cipher*
Re: [squid-users] Blocking download video.
- Original Message -
From: "Renato Policani" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 9:25 PM
Subject: [squid-users] Blocking download video.

Hi everybody

I am blocking video in a configuration file named deny_music and in squidGuardian in blacklist/audio-video. But some users have discovered a way to download this extension using "?" before the extension. Example:

http://www.xyz.com/video.wmv -> Squid blocks !! OK !!
http://www.xyz.com/video.wmv? -> Squid doesn't block.. Why ???

I use

acl deny_music url_regex \.wmv\?.*$
http_access deny deny_music

How can I block this?

Thanks, and apologies for my poor English.
RE: [squid-users] Reverse proxy redirector
>> Thanks, the redirector works now but $url returns the back end server to
>> the client, bypassing the squid proxy altogether. How can I prevent
>> this?

>Huh? This just sends back to the client a redirection HTTP message for
>the same URL that it gave to the reverse proxy with https instead of
>http. It shouldn't be sending anything else.

For some reason it is not. It is changing the http to https but changing the rest to whatever the value of httpd_accel in the squid.conf file is. Whenever I change that value I get redirected to the changed value, which is the back end server, and it bypasses the proxy. Any ideas on what I could try?

> > I have a redirector setup on my reverse squid proxy to change all http
> > requests to https. But it doesn't seem to be working. Here is the
> > script:
> >
> > #!/usr/bin/perl
> > $|=1; #Don't buffer output.
> >
> > while(<>) #Infinite loop. running as a daemon
> > {
> >     $url=(split)[0];
> >     $url=~ s/^http:/https:/;
> >     print "$url\n";
> > }
> >
> > See any reason why this will not redirect http to https?
>
> If you want to send a redirect to the client the script has to return
> print "302:$url\n";
>
> Kinkie
RE: [squid-users] Reverse proxy redirector
Please don't top-quote. It makes threading harder to follow.

On Wed, 2005-02-02 at 10:47 -0500, Brad Taylor wrote:
> Thanks, the redirector works now but $url returns the back end server to
> the client, bypassing the squid proxy altogether. How can I prevent
> this?

Huh? This just sends back to the client a redirection HTTP message for the same URL that it gave to the reverse proxy with https instead of http. It shouldn't be sending anything else.

Kinkie

> -----Original Message-----
> From: Kinkie [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 02, 2005 3:19 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Reverse proxy redirector
>
> On Tue, 2005-02-01 at 11:02 -0500, Brad Taylor wrote:
> > I have a redirector setup on my reverse squid proxy to change all http
> > requests to https. But it doesn't seem to be working. Here is the
> > script:
> >
> > #!/usr/bin/perl
> > $|=1; #Don't buffer output.
> >
> > while(<>) #Infinite loop. running as a daemon
> > {
> >     $url=(split)[0];
> >     $url=~ s/^http:/https:/;
> >     print "$url\n";
> > }
> >
> > See any reason why this will not redirect http to https?
>
> If you want to send a redirect to the client the script has to return
> print "302:$url\n";
>
> Kinkie
Re: [squid-users] auth questions / help
Hello, if anyone else has an idea or some docs/URLs etc. for setting up htpasswd auth for squid, please mail it. Many thanks!!

Bye,
Richard
Re: [squid-users] where can I find help for sarg?
You can try this...

#!/bin/bash
#Get yesterday's date
YESTERDAY=$(date --date "1 day ago" +%d/%m/%Y)
#Get the date 1 month ago
MONTHAGO=$(date --date "1 month ago" +%d/%m/%Y)
/usr/sbin/sarg -o /var/www/html/squid/monthly -d $MONTHAGO-$YESTERDAY # > /dev/null 2>&1
/usr/sbin/squid -k rotate
exit 0

I got it from http://sarg.mcl.ru/sarg.monthly

--- Yong Bong Fong <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> I am currently using sarg to check on usage. Wondering where can I
> find help for sarg specific configuration?
>
> I just need to configure the sarg report to provide monthly report for
> all user's usage details etc.
> Currently my report provides report in daily format, but my boss wants
> it in monthly format. My colleague however has his as one report for 4
> days.
>
> But we just couldn't find the configuration to change that report from
> to display in other formats.
>
> Hope anyone can direct me to the appropriate help site.
> Thanks a lot,
>
> Regards
> Yong
[squid-users] Re: storage rebuild slow with reiserfs
Martin Marji Cermak trimedia.cz> writes:
>
> Hello,
> I have two 36 GB, 10 rpm scsi disk dedicated to Squid.2.5.STABLE7.
> No raid. Adaptec 29320LP Ultra320 SCSI adapter, SEAGATE ST336607LW

Our setup is quite different since we have 2 15krpm disks configured as a stripe set and are using diskd...

> 2005/02/01 16:12:38| 0 Swapfile clashes avoided.
> 2005/02/01 16:12:38| Took 864.1 seconds (3441.4 objects/sec).

However we had a power failure today and so squid was restarted; it took 168 seconds (18.022,9 obj/sec) for about 3 million entries. The Squid partition is about 36 GB in size. So that's quite different. From what I have learned in the past, ReiserFS should be faster than ext3 when it comes to lots of small files in lots of dirs...

Kind Regards
Maik
Re: [squid-users] auth questions / help
Hello Renato, can you explain this to me a little bit more (how this works, config settings etc.)? Thx
RE: [squid-users] Reverse proxy redirector
Thanks, the redirector works now but $url returns the back end server to the client, bypassing the squid proxy altogether. How can I prevent this?

-----Original Message-----
From: Kinkie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 3:19 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Reverse proxy redirector

On Tue, 2005-02-01 at 11:02 -0500, Brad Taylor wrote:
> I have a redirector setup on my reverse squid proxy to change all http
> requests to https. But it doesn't seem to be working. Here is the
> script:
>
> #!/usr/bin/perl
> $|=1; #Don't buffer output.
>
> while(<>) #Infinite loop. running as a daemon
> {
>     $url=(split)[0];
>     $url=~ s/^http:/https:/;
>     print "$url\n";
> }
>
> See any reason why this will not redirect http to https?

If you want to send a redirect to the client the script has to return
print "302:$url\n";

Kinkie
[squid-users] Re [squid-users] Squid NTLM authentication problem NT domain
Hi again,

I have changed the permission on winbindd_privileged to:
drwxr-x---    2 root squid 4096 Feb  2 09:33 winbindd_privileged

Now I don't get the error:
#winbindd version 3.0.10 started.
# Copyright The Samba Team 2000-2004
#[2005/02/02 09:11:10, 0] lib/util_sock.c:create_pipe_sock(1056)
#invalid permissions on socket directory /usr/local/samba/var/locks/winbindd_privileged
#open_winbind_socket: Success

but I still receive error messages in squid - cache.log:
2005/02/02 14:52:57| helperStatefulOpenServers: Starting 30 'ntlm_auth' processes
ntlm_auth: error opening config file /usr/local/samba/lib/smb.conf. Error was Invalid or incomplete multibyte or wide character
.
2005/02/02 15:00:13| helperOpenServers: Starting 5 'ntlm_auth' processes
ntlm_auth: error opening config file /usr/local/samba/lib/smb.conf. Error was Invalid or incomplete multibyte or wide character

from ./squid -N -d1:
FATAL: authenticateNTLMHandleReply: called with no result string

Without ntlm auth, only basic is asking me for user/password, and the result is:
Too few basicauthenticator processes are running
2005/02/02 14:59:01| Starting new helpers
2005/02/02 14:59:01| helperOpenServers: Starting 5 'ntlm_auth' processes
2005/02/02 14:59:12| WARNING: basicauthenticator #4 (FD 9) exited
2005/02/02 14:59:12| WARNING: basicauthenticator #5 (FD 10) exited

error winbindd:
./winbindd -i
winbindd version 3.0.10 started.
Copyright The Samba Team 2000-2004
cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds

I think I am stuck on this. Any suggestions?

Nikolay
[squid-users] auth questions / help
Hello, I did read the squid docs and google but it doesn't work. I use squid and have activated the webmin auth /etc/webmin/squid/squid-auth.pl with the command line auth_params (or so) basic program ..pl /etc/webmin/squid/users. But I never get a "question" like "username/password". Which setting must I set too? Thx
[squid-users] Incorporating MySQL Access Into Squid
I'm currently setting up a new Squid proxy server to replace an existing one. The current proxy utilises an ACL which connects to a MySQL database and extracts a number of allowed URLs from a table. The problem is, I'm having trouble replicating this behaviour in the new proxy.

The current squid.conf file has a number of references to MySQL - including information regarding the name of the database, the user and password etc - but when I include these statements in the new squid.conf file I receive a number of errors. Obviously, I need to add MySQL support but I am unsure as to how to do this. I've seen posts regarding a package called mysql_auth but I'm assuming it won't allow me to pull URLs from a database to add into an ACL.

Any help would be greatly appreciated.
Re: [squid-users] help on how to disable gopher:// requests.
On Wed, 2 Feb 2005, Kinkie wrote:

> acl gopher url_regex ^gopher://
> http_access deny gopher

or more proper

acl gopher proto gopher
http_access deny gopher

Regards
Henrik
Re: [squid-users] Can not Browse this url since i update from squid2.5-stable6 to squid2.5-stable7 - Mail libre de virus.
On Tue, 1 Feb 2005 [EMAIL PROTECTED] wrote:

> Sorry for my poor English, but I am from Argentina .. so :)
>
> Usually my clients can browse this url
> http://www2.correoargentino.com.ar/scripts/tyt/tyt.pl?producto=TC&numero=366514830&pais=AR
> without any problem. Since I update to 2.5stable7 and later they can't

With 2.5.STABLE7 you can, but not if you apply the request_header patch.

The reason is that this web application is broken and returns invalid HTTP responses:

HTTP/1.0 200 OK
Server: Microsoft-IIS/3.0
Date: Wed, 02 Feb 2005 11:57:18 GMT
200 Ok
Content-type: text/html

The "200 Ok" line is not a valid HTTP header. Most likely a confused CGI script trying to set the HTTP status wrongly.

Regards
Henrik
[squid-users] [OT]: Trying to contact Murrah Boswell
I'm trying to get in contact with Mr. Murrah Boswell but I've got a problem with his email. As he wrote me after reading a message of mine on this ML, I do hope he can read this message and email me!

Sorry for the OT

Marco Crucianelli
AW: [squid-users] Can not Browse this url since i update from squ id2.5-stable6 to squid2.5-stable7 - Mail libre de virus.
Works for me, showing "Resultado de la consulta para la pieza: TC - 366514830".

# sq version
Squid Cache: Version 2.5.STABLE7
configure options: --enable-auth=ntlm,basic --enable-external-acl-helpers=winbind_group --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --prefix=/usr/local/squid --with-samba-sources=/usr/local/samba-2.2.5
#

Mit freundlichem Gruß/Yours sincerely
Werner Rost
GMT-FIR - Netzwerk
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Telefon/Phone +49 228 3825 - 420
Telefax/Fax +49 228 3825 - 398
[EMAIL PROTECTED]

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, 1 February 2005 18:27
>To: squid-users@squid-cache.org
>Subject: [squid-users] Can not Browse this url since i update
>from squid2.5-stable6 to squid2.5-stable7 - Mail libre de virus.
>
>
>Sorry for my poor English, but I am from Argentina .. so :)
>
>Usually my clients can browse this url
>http://www2.correoargentino.com.ar/scripts/tyt/tyt.pl?producto=TC&numero=366514830&pais=AR
>without any problem. Since I update to 2.5stable7 and later they can't.
>I tested installing stable6 again with the same squid.conf and it works again.
>Any idea is welcome.
>Thanks!
>
>** Gustavo M. Ortega **
Re: [squid-users] Simple feature request: "random" ACL
On Tue, 2005-02-01 at 09:58 -0700, Brett Glass wrote:
> Everyone:
>
> I am helping some folks with a Squid cache setup and would like to request the
> addition of a simple feature.
>
> What I need is an ACL type called "random" which would be of the form
>
> acl aclname random .66

Could you file the feature request in bugzilla? This way it won't be forgotten.

Kinkie
[squid-users] where can I find help for sarg?
Dear all,

I am currently using sarg to check on usage. Wondering where I can find help for sarg-specific configuration?

I just need to configure the sarg report to provide a monthly report for all users' usage details etc. Currently my report provides a report in daily format, but my boss wants it in monthly format. My colleague however has his as one report for 4 days.

But we just couldn't find the configuration to change that report to display in other formats.

Hope anyone can direct me to the appropriate help site.
Thanks a lot,

Regards
Yong
Re: [squid-users] help on how to disable gopher:// requests.
On Tue, 2005-02-01 at 20:38 -0800, [EMAIL PROTECTED] wrote:
> %sysctl kern.version
> kern.version: FreeBSD 5.3-STABLE #5: Tue Feb 1 20:36:42 PHT 2005
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MMP
>
> squid/2.5.STABLE7
>
>
>
> The proxy accepts gopher:// requests. Is there a way to disable this in
> squid.conf? I did search in google, lots of the same post, but I haven't seen
> any possible way or how they do it; it just said: reconfigure your proxy so
> that it refuses gopher requests.
>
> And I did comment out ' acl Safe_ports port 70 # gopher ' but during a
> test in the nessus scanner, same results, it did nothing. I hope anyone can help
> fixing this problem, thanks.

acl gopher url_regex ^gopher://
http_access deny gopher

Kinkie
Re: [squid-users] Reverse proxy redirector
On Tue, 2005-02-01 at 11:02 -0500, Brad Taylor wrote:
> I have a redirector setup on my reverse squid proxy to change all http
> requests to https. But it doesn't seem to be working. Here is the
> script:
>
> #!/usr/bin/perl
> $|=1; #Don't buffer output.
>
> while(<>) #Infinite loop. running as a daemon
> {
>     $url=(split)[0];
>     $url=~ s/^http:/https:/;
>     print "$url\n";
> }
>
> See any reason why this will not redirect http to https?

If you want to send a redirect to the client the script has to return
print "302:$url\n";

Kinkie
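As an added example (not code from this thread, from Kinkie or from the Squid project), a Python version of the redirector that returns the "302:" prefix Kinkie describes and, for the bypass reported earlier in the thread, maps the accelerator's internal backend host back to the public name before redirecting. BACKEND_HOST and PUBLIC_HOST are assumed placeholder values, and the helper assumes the Squid 2.5 redirector line format "URL ip-address/fqdn ident method".

```python
# Added example: a Squid 2.5-style redirector helper. It emits "302:<url>" so
# Squid sends the client an HTTP redirect, and it rewrites the accelerator's
# internal backend host back to the public hostname so the client is never
# sent straight to the origin server. Host names below are assumed placeholders.
import sys
from urllib.parse import urlsplit, urlunsplit

BACKEND_HOST = "backend.internal.example"  # what httpd_accel_host points at (assumed)
PUBLIC_HOST = "www.example.com"            # name clients use to reach Squid (assumed)


def rewrite(line: str, backend_host: str = BACKEND_HOST,
            public_host: str = PUBLIC_HOST) -> str:
    """Turn one redirector input line into the reply Squid expects.

    Squid 2.5 feeds the helper lines of the form
        URL client_ip/fqdn ident method
    and expects either an empty line (leave the request alone) or a URL,
    optionally prefixed with "302:" to make Squid send a redirect.
    """
    fields = line.split()
    if not fields:
        return ""
    parts = urlsplit(fields[0])
    # Already https (or not http at all): leave it alone. Returning an empty
    # reply here also prevents a redirect loop if the https request comes
    # back through this helper.
    if parts.scheme != "http":
        return ""
    host = parts.hostname or ""
    # Map the internal accelerator host back to the public name. Any port is
    # dropped: the redirect targets the default https port on the reverse proxy.
    if host.lower() == backend_host.lower():
        host = public_host
    new_url = urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
    return "302:" + new_url


def main() -> None:
    # One reply per request line, flushed immediately: Squid blocks waiting
    # for the helper's answer, so buffered output would stall requests.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```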