[squid-users] [Fwd: Regarding Ldap+Squid]
Original Message
Subject: [Fwd: Regarding Ldap+Squid]
From: Selvam E. [EMAIL PROTECTED]
Date: Mon, May 23, 2005 12:33 pm
To: squid-users@squid-cache.org

Original Message
Subject: Regarding Ldap+Squid
From: Selvam E. [EMAIL PROTECTED]
Date: Mon, May 23, 2005 12:21 pm
To: squid-users@squid-cache.org
Cc: Henrik Nordstrom [EMAIL PROTECTED]

Hi,

I have configured squid.conf with the following settings for LDAP authentication:

    auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=quest,dc=com -D 'cn=Manager,dc=quest,dc=com' -w z -h 192.168.1.1
    #auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    acl mynet proxy_auth REQUIRED
    acl badDomains dstdomain /etc/squid/baddomains
    acl badIPs dst /etc/squid/badips

    http_access allow localhost
    deny_info ERR_BAD_DOMAIN badDomains
    deny_info ERR_BAD_DOMAIN badIPs
    http_access deny badDomains
    http_access deny badIPs
    #http_access allow mynet
    #http_access deny all
    http_access allow all

but I am unable to get authentication from LDAP. Please help me.

Regards,
Selvam E.
Linux Administrator, First Advantage Quest Research, Mumbai Malad (W), India
[squid-users] Customize the representation of URL in the error message of browser
I'm using squid 2.5STABLE4, and I'm using an upper proxy server above the squid server:

    browser → squid → upper proxy → Web server

When I fail to access, I get error messages in the browser. In the error message the URL is described like below:

    NONE://10.72.43.56:8181http://nonexist-domain.com/

10.72.43.56 is the IP address of the upper proxy server. 8181 is the port number of the upper proxy server. "http://nonexist-domain.com/" is the URL I requested. I don't want to show the part "NONE://10.72.43.56:8181"; I want to show only "http://nonexist-domain.com/". Can I customize the representation of the URL like that?
Re: [squid-users] SSL redirect questions
On 22.05 12:35, Discussion Lists wrote:
> I have some general questions about reverse-proxying SSL.
>
> 1. What is the best way to do it using Squid:
> a. Do a straight redirect from port 443 to port 443 from server to server with no certificate presented from the firewall, but rather from the server that the connection is redirected to (is this even possible with Squid?).
> b. Redirect port 443 to port 80 on the destination server(s), and use the firewall to present each of the certificates.

Are you talking about reverse-proxying or redirecting? When reverse proxying, you do not redirect anything. If redirecting, you do not care about certificates.

What I understand under reverse SSL proxy is that squid listens for SSL requests on port 443 and forwards plain HTTP requests to the HTTP server. There is of course the possibility to forward https requests with a different key/certificate, but it has meaning only in some special cases.

> 2. If the answer is B, I have several backend SSL servers, all of which I want to redirect connections to.

Why? Why do you want to push one level of servers before the backends?

> This is an aspect of proxying/reverse-proxying where my knowledge is weak, maybe some of you have some suggestions.

I do not understand why you need reverse proxying at all...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
[squid-users] squid 2.5 - ipf transparent proxy - FreeBSD 5.3-p13
Hello Squid users,

I upgraded my Squid 2.5 STABLE9 to STABLE10. I used the --enable-ipf-transparent make arg for transparent proxying with ipf (version 3.4.35 on a FreeBSD 5.3-p13 system). I used the same squid.conf which I have been using in STABLE9 (without any problems). Starting squid STABLE10 is no problem: no errors in cache.log, and with squid -k parse also no problems. But when a client starts browsing, the squid process exits with signal 6 and a core dump.

This is a fragment of /var/log/messages:

    May 21 11:28:26 appelstroop kernel: pid 699 (squid), uid 100: exited on signal 6 (core dumped)

This is what the cache.log of squid says:

    2005/05/21 11:28:29| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-freebsd5.3...
    2005/05/21 11:28:29| Process ID 720
    2005/05/21 11:28:29| With 3520 file descriptors available
    2005/05/21 11:28:29| DNS Socket created at 0.0.0.0, port 60013, FD 5
    2005/05/21 11:28:29| Adding nameserver 217.194.109.15 from squid.conf
    2005/05/21 11:28:29| Adding nameserver 217.194.96.10 from squid.conf
    2005/05/21 11:28:29| Adding nameserver 217.194.97.13 from squid.conf
    2005/05/21 11:28:29| Unlinkd pipe opened on FD 10
    2005/05/21 11:28:29| Swap maxSize 256 KB, estimated 196923 objects
    2005/05/21 11:28:29| Target number of buckets: 9846
    2005/05/21 11:28:29| Using 16384 Store buckets
    2005/05/21 11:28:29| Max Mem size: 8192 KB
    2005/05/21 11:28:29| Max Swap size: 256 KB
    2005/05/21 11:28:29| Rebuilding storage in /cache (CLEAN)
    2005/05/21 11:28:29| Using Least Load store dir selection
    2005/05/21 11:28:29| Set Current Directory to /cache
    2005/05/21 11:28:29| Loaded Icons.
    2005/05/21 11:28:29| Accepting HTTP connections at 0.0.0.0, port 8080, FD 12.
    2005/05/21 11:28:29| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
    2005/05/21 11:28:29| WCCP Disabled.
    2005/05/21 11:28:29| Ready to serve requests.
    2005/05/21 11:28:29| Done reading /cache swaplog (46 entries)
    2005/05/21 11:28:29| Finished rebuilding storage from disk.
    2005/05/21 11:28:29|    46 Entries scanned
    2005/05/21 11:28:29|     0 Invalid entries.
    2005/05/21 11:28:29|     0 With invalid flags.
    2005/05/21 11:28:29|    46 Objects loaded.
    2005/05/21 11:28:29|     0 Objects expired.
    2005/05/21 11:28:29|     0 Objects cancelled.
    2005/05/21 11:28:29|     0 Duplicate URLs purged.
    2005/05/21 11:28:29|     0 Swapfile clashes avoided.
    2005/05/21 11:28:29|   Took 0.3 seconds ( 158.7 objects/sec).
    2005/05/21 11:28:29| Beginning Validation Procedure
    2005/05/21 11:28:29|   Completed Validation Procedure
    2005/05/21 11:28:29|   Validated 46 Entries
    2005/05/21 11:28:29|   store_swap_size = 242k
    2005/05/21 11:28:30| storeLateRelease: released 0 objects

No problems at all, as you can see. I already recreated the cache files/dirs with squid -z, and I checked the permissions; they are OK. Does somebody know how to solve this problem?

Best regards,
Martijn Broeders
[EMAIL PROTECTED]
[squid-users] nt-auth and positive page list
Hello,

I have a few questions about squid.

1. How can I configure a positive page list in squid, so that users can only see pages of yahoo.com, for example http://de.lottery.yahoo.com/index.html or http://de.finance.yahoo.com/ ?
2. Is it possible to use NT authentication with squid? The Windows 2000 Workstation users should be authenticated through their Windows logon names.

Thanks,
Gunnar
[squid-users] squid no ntlm_auth for certain IPs
Hello Squid Users,

I've set up squid using samba and ntlm_auth for user authentication, and everything works fine. Users with a valid Active Directory authentication can surf the web. Users without such authentication can't, just like I intended it to work.

But now I am facing a problem. We have some users within our network who work on non-Active-Directory-aware machines (Mac OS X, Linux, Solaris, to give them names). Now my question is: how can I allow access to the proxy cache for these certain IP addresses (static ones) which those clients use? Is there a way to let certain IPs simply bypass the ntlm_auth authentication?

Thanks for any advice!
Daniel

--
please use my public key for secure message exchange.
(http://www.jungschi-schaenzli.ch/damueller-pubkey.txt)
Re: [squid-users] squid no ntlm_auth for certain IPs
On Mon, 23 May 2005 10:14 pm, Daniel wrote:
> We have some users within our network who work on non-Active-Directory-aware machines (Mac OS X, Linux, Solaris, to give them names). Now my question is: how can I allow access to the proxy cache for these certain IP addresses (static ones) which those clients use? Is there a way to let certain IPs simply bypass the ntlm_auth authentication?

Hi Daniel,

Configure a basic authenticator in squid.conf that authenticates with samba (winbind etc.); then when they open a browser etc. they will be prompted for a user name and password. The user name should be in the form domain\userid, where domain is the Active Directory domain their account belongs to, e.g. (excerpt from my squid.conf):

    ...
    auth_param basic children 5
    auth_param basic casesensitive off
    auth_param basic realm Tell the user what they are authenticating to
    auth_param basic credentialsttl 2 hour
    # Next 2 lines are actually 1 in the config - they are wrapped by my mail
    # client in this example and indented manually for clarity. :)
    auth_param basic program /usr/local/bin/ntlm_auth
            --helper-protocol=squid-2.5-basic
    ...

(note the last two lines are actually a single line)

We use this dual-authentication scheme and it works well - it also means that browsers etc. that don't support NTLM authentication are supported.

FWIW, KDE 3.4 and Konqueror now support NTLM (transparent) authentication if you configure the default user name and password in KDE's Control Center under Internet & Network - Local Network Browsing. Once again, you'll need to use the domain\userid notation here too. If you don't set up these defaults with a valid account, it will fall back to basic auth.
HTH, James
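Squid only invokes the helper for requests that reach an http_access line referencing a proxy_auth ACL; once that is the case, the quickest check is to speak to the helper directly. The following is an added example, not from the thread: a POSIX shell driver for the squid 2.5 basic helper line protocol that works against any such helper (squid_ldap_auth as in the first message, or ntlm_auth --helper-protocol=squid-2.5-basic as above), with a constructed in-process stand-in helper so it runs offline; the function names and the user table are my own.

```shell
#!/bin/sh
# Added example, not from the thread: drive a Squid "basic" auth helper by
# hand, the way squid itself does, before relying on it in auth_param. Squid
# 2.5 writes one "username password" line per request to the helper's stdin
# and reads back "OK" or "ERR [message]"; both fields are URL-encoded, so a
# space or '%' in a password arrives as %20 or %25 and the helper must
# decode them. mock_helper and its user table are constructed for this example.

# URL-encode one string the way squid does before handing it to the helper.
urlencode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Reverse of urlencode; what every basic helper has to do on its input.
urldecode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                h=${s#%}; h=${h%"${h#??}"}; s=${s#???}
                out="$out$(printf "\\$(printf '%03o' "0x$h")")" ;;
            *) c=${s%"${s#?}"}; s=${s#?}; out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Send one credential pair to a helper command line and classify the reply:
# 0 for OK, 1 for ERR, 2 when the helper answered neither (not executable,
# wrong LDAP/winbind options, crashed) - the case to look for when
# "authentication never works" although squid starts cleanly.
check_credentials() {
    user=$1; pass=$2; shift 2
    reply=$(printf '%s %s\n' "$(urlencode "$user")" "$(urlencode "$pass")" \
        | "$@" 2>/dev/null | head -n 1)
    case "$reply" in
        OK|OK\ *)   return 0 ;;
        ERR|ERR\ *) return 1 ;;
        *)          return 2 ;;
    esac
}

# Constructed stand-in for squid_ldap_auth or
# "ntlm_auth --helper-protocol=squid-2.5-basic": same line protocol, fixed
# user table, runs in-process so the example works offline.
mock_helper() {
    while IFS= read -r line; do
        u=$(urldecode "${line%% *}"); p=$(urldecode "${line#* }")
        case "$u:$p" in
            "alice:s3cret"|"QUEST\\bob:pa ss%1") echo "OK" ;;
            *) echo "ERR Wrong password or unknown user" ;;
        esac
    done
}

# Stand-alone usage: check_credentials USER PASS HELPER [HELPER ARGS...]
# e.g. check_credentials alice s3cret /usr/lib/squid/squid_ldap_auth -b dc=quest,dc=com -h 192.168.1.1
if [ $# -ge 3 ]; then
    check_credentials "$@"; rc=$?
    case $rc in 0) echo accepted ;; 1) echo rejected ;; *) echo "helper error" ;; esac
fi
```

Exit status 2 (no OK/ERR at all) points at the helper command line or its environment rather than at the user's credentials.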
RE: [squid-users] SSL reverse-proxy questions (was redirect)
Okay, I'll just start over. First of all, I should never have used the term "redirect". That is more of a firewall term, and it should have been left out. All I want to do is reverse-proxy SSL connections, hopefully several of them.

Each time you set up one of these connections, you have to add a line similar to the one below into squid.conf:

    https_port 443 cert=/path/to/cert.cert key=/path/to/key.key accel your.site.name protocol http

This will reverse-proxy any request for your.site.name, from what I understand. But that is just one site. Suppose I have another site that I want available for SSL? Could I just add another line similar to the above, but for the second, third or more sites?

Okay, here's the second question. The above line is an example of how to reverse-proxy from SSL to http, or port 443 to port 80, right? Now suppose I want to reverse-proxy several SSL connections, similar to the above, but instead of changing from SSL to http (443 - 80 as above) I am reverse-proxying straight SSL (443 - 443). Is this possible for multiple sites? If it is, is there some way I could make it so I would not need a certificate on the firewall for each connection and just have the backend server handle certificate requests?

Lastly, I found information on the internet about how to create your own certificates, but nothing about how to import them from somewhere else. Anyone know of any tutorials that deal with this?

Thanks,
Mark

-Original Message-
From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 23, 2005 2:55 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL redirect questions
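As an added example, not from the thread: a POSIX shell check that an imported certificate and key actually belong together, are not about to expire and are not readable by other users, emitting the https_port line in the form shown above only when all three hold. It assumes openssl on PATH, RSA keys, and one listening IP per certificate (squid 2.5 has no SNI, so distinct certificates need distinct addresses); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check an imported certificate/key pair
# before referencing it from a squid https_port line. A key that does not
# belong to the certificate, a certificate about to expire, or a key file
# readable by other users are the usual reasons an imported certificate
# "does not work" once squid terminates SSL. Assumes openssl on PATH and
# RSA keys; the function names and the one-IP-per-site layout are my own.

# Hex modulus of the public key in a PEM certificate (empty on any error).
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null | sed -n 's/^Modulus=//p'
}

# Hex modulus of a PEM RSA private key (empty on any error).
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | sed -n 's/^Modulus=//p'
}

# 0 when certificate and key belong together, 1 otherwise. Comparing the raw
# moduli (not a digest of them) keeps two unreadable files from "matching".
cert_key_match() {
    c=$(cert_modulus "$1"); k=$(key_modulus "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# 0 when the key file is readable by its owner only (mode 0400 or 0600).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Print the https_port line for one accelerated site, in the form used in the
# message above, only after the three checks pass. Squid 2.5 has no SNI, so
# each certificate needs its own listening address: that is the IP argument.
https_port_line() {
    ip=$1; site=$2; cert=$3; key=$4
    cert_key_match "$cert" "$key" || { echo "$site: key does not match certificate" >&2; return 1; }
    cert_valid_for "$cert" 86400 || { echo "$site: certificate expires within a day" >&2; return 1; }
    key_is_private "$key" || { echo "$site: key file is readable by others" >&2; return 1; }
    printf 'https_port %s:443 cert=%s key=%s accel %s protocol http\n' "$ip" "$cert" "$key" "$site"
}

# Stand-alone usage: https_port_line IP SITE CERT KEY >> squid.conf
if [ $# -eq 4 ]; then
    https_port_line "$@"
fi
```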
RE: [squid-users] Multiple ISP setup
Wennie,

I don't know of any way Squid can know about (or act upon) the conditions of external links, but it sounds like you might want to investigate squid delay pools. Again, if you use multiple boxes you have more options available.

Regards
Phil DG

-Original Message-
From: Wennie V. Lagmay [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2005 06:03
To: Damian-Grint Philip; squid-users@squid-cache.org
Cc: squidrunner team
Subject: Re: [squid-users] Multiple ISP setup

Hi Phil DG,

BGP will be involved in the connection with the 2 ISPs; I will be enabling BGP to merge and balance traffic and as a backup for each other. My only concern is the cache/proxy server, since I need to define the cache_peer parents for each of the 2 ISPs. My question is, can squid know that it has 2 ISP links and that it should merge and load balance the traffic (for example ISP 1 is 1 Mbps and ISP 2 is 1 Mbps), so can squid know that the total bandwidth is 2 Mbps? Second, if ISP 1 fails, all traffic is redirected to ISP 2 automatically by BGP, so squid should also fetch objects through ISP 2 with 1 Mbps bandwidth. In short, can we configure squid to follow the routing activity? The router and BGP routing will do layer 1 to layer 4, and the squid cache will ride on it?

Thank you very much,
Wennie

- Original Message -
From: Damian-Grint Philip [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]; squid-users@squid-cache.org
Cc: squidrunner team [EMAIL PROTECTED]
Sent: Saturday, May 21, 2005 8:07 PM
Subject: RE: [squid-users] Multiple ISP setup

Hi Wennie,

I may be getting the wrong end of the stick here, but it sounds like you are asking how to load-balance traffic to and from a single host (squid box) over two links that you only control on the near end, without touching the routers involved. That's quite a challenge.

One approach which has worked very well for me in the past is to use at least two squid boxes, each associated to an address that is preferred on separate links. You can then split your traffic across the two links by splitting your traffic across the two squid boxes. You could do this for proxy-configured clients by using a WPAD proxy script which returns different PROXY strings based on the IP address of the client, and for non-proxy-configured clients by letting WCCP split the load (by destination address hashes, I think) as long as both squid boxes register with the same intercepting router.

If you can involve your BGP config engineer, then you will have more options - you can't talk about load balancing and redundancy without involving routing anyway - you split the inbound traffic from the outbound traffic and then talk about how you can influence the paths taken in each case.

Regards
Phil DG

-Original Message-
From: Wennie V. Lagmay [mailto:[EMAIL PROTECTED]]
Sent: Sat 21/05/2005 07:24
To: squid-users@squid-cache.org
Cc: squidrunner team
Subject: [squid-users] Multiple ISP setup

How can I set up my squid to automatically connect and load balance across two or more ISPs at the same time? Presently we are connected to ISP 1, so all clients are served by our proxy server through ISP 1; now we are about to have ISP 2. My question now is how can I configure my squid to use both ISPs at the same time, so that when ISP 1 is down all requests will go to ISP 2 and vice versa? The routing will be handled by our router configured for BGP, so my only concern is about squid.

Thank you very much,
Wennie
[squid-users] How often are Squid deployments configured to require authentication?
Hi there,

I'm curious how often those who deploy squid configure it to require user authentication. And what are the main reasons for requiring authentication? Any anecdotes or informed opinions would be helpful. Thank you.

Regards,
Mark

Mark Romer
Good Technology
GoodLink Workgroup Edition
[EMAIL PROTECTED]
Tel: 650-430-1120
RE: [squid-users] FW: WCCP and Fedora 3 not working
Hi Omnia,

I backed down to 2.6.8 only because the ip_wccp.c module in the squid FAQ was last modified to work with 2.6.8 and I was just being cautious - it may well work with later versions but I didn't have time to build, find problems and rebuild.

Regards
Philip DG

-Original Message-
From: Omnia Ibrahem [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2005 10:40
To: Damian-Grint Philip; Nigel Oakley; squid-users@squid-cache.org
Subject: Re: [squid-users] FW: WCCP and Fedora 3 not working

Hi there,

You mean that I can't make WCCP work with kernel 2.6.9, as you backed down to 2.6.8 to make it work?

- Original Message -
From: Damian-Grint Philip [EMAIL PROTECTED]
To: Nigel Oakley [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Friday, May 20, 2005 7:15 PM
Subject: RE: [squid-users] FW: WCCP and Fedora 3 not working

Hi Nigel,

I have just upgraded all my Redhat 7.2 Squid servers to Fedora FC3, and I have WCCP working fine. It sounds like you have the squid WCCP bit done OK - that's what does the hello stuff. Check your output from "debug ip icmp" on your router - if you're getting protocol unreachable, the problem is your WCCP interception at the kernel on your squid box. I backed the kernel down to 2.6.8, only because that is what the WCCP module had been supposedly written for. You shouldn't need to play around with sysctl settings, although you might need to switch off ECN if it is on and your testing indicates a need.

I've never used ip_gre, only the ip_wccp module:

Download the ip_wccp.c module from the Squid FAQ into /var/tmp

    echo 'obj-m := ip_wccp.o' > Makefile
    make -C /usr/src/linux M=$PWD V=1 modules
    cp ip_wccp.ko /lib/modules/2.6.8/kernel/net/ipv4

Edit the modules dep file (vi /lib/modules/2.6.8/modules.dep) and add the following line:

    /lib/modules/2.6.8/kernel/net/ipv4/ip_wccp.ko:

Then load it:

    modprobe ip_wccp

Squid config fragment:

    wccp_version 4
    wccp_router 10.129.110.251
    snmp_port 3401
    httpd_accel_host virtual
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Cisco config:

    ip wccp web-cache redirect-list 100
    ip wccp version 1
    ip cef
    interface fa0/0
     ! facing the firewall
     ip wccp web-cache redirect out
     no ip redirects
     ip route-cache same-interface
    interface fa0/1
     ! facing the internal network
    ! don't classify internal traffic
    access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    ! classify internet bound traffic
    access-list 100 permit 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip any

IPtables config:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
        --to-port 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
        --to 127.0.0.1:3128

Hope that something in the above sorts your problem, otherwise let me know and I will send you my (tediously long) build log which I wrote for the non-Linux guys here.

Regards
Philip Damian-Grint
CCNP
Infrastructure Team
Business Systems IT
Colliers CRE
Tel. +44(0)20 7487 1928
Fax. +44(0)20 7487 1671
Re: [squid-users] How often are Squid deployments configured to require authentication?
On 5/23/05, Mark Romer [EMAIL PROTECTED] wrote:
> I'm curious how often those who deploy squid configure it to require user authentication. And what are the main reasons for requiring authentication?

AAA: Authentication, Authorization and Accounting. Are you who you claim to be? Do you have permission to use the proxy? Can we track back specific requests to an individual user?

On a small home network without any official security policies, I can get away with being hyper-paranoid about personal privacy, restricting access to specific ether addresses (MAC) and turning off logging.

On a slightly larger network with static IP addresses and trustworthy internal users, I keep logs for a few days (or weeks) and rely on the source IP for access control and logging. This is enough to be able to respond to RIAA/MPAA complaints and debug technical problems.

In very large networks with dynamic IP addresses and many diverse LANs/WANs using DHCP servers not under centralized management, the IP address is not a reliable identifier, and user authentication may be necessary, or even a mandatory (regulatory, internal policy, etc.) requirement.

The only place I've ever actually used Squid with authentication was where the business had a need to have different policies apply to different users within the same DHCP scope; for example, students might have more restrictive ACLs than teachers, while a reception desk might only have access to Mapquest, OpenTable, and AnyWho.

Kevin
[squid-users] only ICP queries coming
Dear all,

We have peering of WCCP-enabled caches running on Linux version 2.4.20, using squid version 2.5.STABLE6. Earlier, everything was smooth, but recently I am facing a weird problem. The router detects the cache and also forwards the queries. But in the access log of one of the caches, I can see only ICP queries coming in. With it, when I turn on this cache server, I cannot browse most of the sites. May I know what might have gone wrong? Any ideas?

Thanking you.
Binaya