Re: [squid-users] FTP upload problems.
Hmm. Seems like "yafc" works fine, while flashxp truncates the files! Why?

> Hello
>
> We are experiencing some problems with the squid server, running 2.5.9.
> When we are uploading files the files become empty.
>
> Why is this happening, and what is the fix?
>
> thanks.
[squid-users] Script help
Hi all,

This is not a direct squid question, however I know that someone can help on my problem. I am a System / Network Administrator and not too familiar with scripting. I want to create a simple script that automatically copies any log file in a cumulative form. Let's say for example I want to copy my dhcp.leases to dhcp.leases_062205 for today, and for tomorrow it should be dhcp.leases_062305 and so on. My objective is to do this daily or weekly or monthly automatically.

Thank you very much,
Wennie
[squid-users] FTP
Hello all,

I'm in a confusing state right now; in fact I am unable to open FTP sites on my LAN even though I haven't restricted them in the squid box. I am also using PIX in my network; I think I should allow some query on PIX. Am I right or wrong? If wrong then let me know how I could solve this problem.

Thanks
Re: [squid-users] p2p app through http_tunnel
Arianto C Nugroho wrote:
> Hi ...
>
> I need to be able to block p2p applications that are running through a http_tunnel ..
> Is there any ACL that could specify this kind of behavior ??
>
> Thanks Before

oops.. sorry .. my bad .. I accidentally allowed "http_connect" connection in my squid server .. I've closed it now and problem solved ...
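The effect of rule order on CONNECT tunnelling, as an added example that is not part of the original post: a small first-match evaluator for `http_access` rules, run against a weak and a corrected rule order. The two config fragments, the client address and the probe ports are constructed; the evaluator models only `src`, `port` and `method` ACLs.

```python
from ipaddress import ip_address, ip_network

# Constructed squid.conf fragments; the ACL names follow configs quoted on this page.
WEAK = """
acl all src 0.0.0.0/0.0.0.0
acl SurfAccess src 10.10.1.0/255.255.255.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow SurfAccess
http_access deny CONNECT !SSL_ports
http_access deny all
"""

HARDENED = """
acl all src 0.0.0.0/0.0.0.0
acl SurfAccess src 10.10.1.0/255.255.255.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow SurfAccess
http_access deny all
"""


def parse(conf):
    """Return (acls, rules) from the acl / http_access lines of a config text."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            # Repeated "acl NAME ..." lines add values to the same ACL.
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """True if the named ACL matches the request (src, port, method only)."""
    kind, values = acls[name]
    if kind == "method":
        return request["method"] in values
    if kind == "port":
        for value in values:
            low, _, high = value.partition("-")
            if int(low) <= request["port"] <= int(high or low):
                return True
        return False
    if kind == "src":
        addr = ip_address(request["src"])
        return any(addr in ip_network(v, strict=False) for v in values)
    raise ValueError("ACL type not modelled in this example: " + kind)


def decide(conf, request):
    """Apply http_access rules in order; the first rule whose ACLs all match wins."""
    acls, rules = parse(conf)
    last = None
    for action, names in rules:
        last = action
        if all(acl_matches(acls, n.lstrip("!"), request) != n.startswith("!")
               for n in names):
            return action
    if last is None:
        return "deny"  # this example's choice for an empty rule list
    # No rule matched: the default is the opposite of the last rule.
    return "deny" if last == "allow" else "allow"


def tunnel_exposure(conf, src="10.10.1.20", ports=(443, 563, 6881, 8080)):
    """Ports from a constructed probe list that a CONNECT from src may reach."""
    return [p for p in ports
            if decide(conf, {"src": src, "method": "CONNECT", "port": p}) == "allow"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "CONNECT allowed to ports:", tunnel_exposure(conf))
```

In the weak order the client allow rule matches before the CONNECT restriction is ever evaluated, so every probed port is reachable through the proxy.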
Re: [squid-users] Proxied JSP pages load in Firefox/Safari but not IE?
On 6/9/05, Christian Bell <[EMAIL PROTECTED]> wrote:
> One of our users is trying to access JSP pages over HTTPS (assume
> https://foo.com/foo.jsp).

Do these pages require cookies?

> When the page is accessed through the proxy with Internet Explorer
> (Win32), a blank page is rendered (and a subsequent View Source
> reveals only skeletal HTML, no content). When the page is accessed
> WITHOUT the proxy in Internet Explorer, the page is rendered
> correctly.

If you manually define the proxy server address and port in Windows control panel instead of using a PAC, does the page render correctly?

> When the page is accessed through the proxy with either
> Firefox (Win32 or Mac) or a different browser like Safari, the page is
> rendered correctly.

BTW, there's a totally unrelated PAC bug in Safari on Tiger, see Full-Disclosure for details.

> Tailing the access.log file confirms that in all cases, the requests
> are going through Squid (2.5S9). The proxy setup between the browsers
> is identical (issued via a PAC), and all other web pages and sites
> load fine in Internet Explorer through the proxy. The only problem is
> this one JSP-driven site.
>
> I've searched Google and the squid-users archives, but have come up
> empty-handed. Any ideas?

Depending on how complex your PAC is and how the page is constructed, there are a few different bugs related to MSIE 6 that might produce the results you see.

The key question here is whether the blank page is what is being sent by the JSP, or is something IE is doing internally. You might be able to tell based on the byte count returned from the HTTPS server to the client?

Microsoft documents mention bugs relating to cookies, cross-frame scripting, etc, generally these are side-effects of the new security and privacy controls included in recent IE6 patches -- if setting privacy to "low" fixes the problem, you've triggered one of these.

Kevin Kadow
[squid-users] squid use of HTTP/1.1
To Whom It May Concern: I need to find out if there are any versions of squid which support HTTP1.1. If not, is there a reason that it's not supported? Also, does anyone know when squid will support HTTP1.1? Thank you, Sean
Re: [squid-users] Squid swapping text/html for text/plain?
On Tue, 21 Jun 2005, Pedro Pessoa wrote:

> 1119379558.719 3921 192.168.1.100 TCP_MISS/200 13178 GET http://angulosolido.pt/index.html - DIRECT/195.23.112.199 text/plain [Host: angulosolido.pt\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\n] [HTTP/1.1 200 OK\r\nDate: Tue, 21 Jun 2005 18:45:56 GMT\r\nServer: Apache-AdvancedExtranetServer/2.0.50 (Mandrakelinux/7.2.101mdk) mod_perl/1.99_16 Perl/v5.8.5 PHP/4.3.8\r\nETag: "1000d1-31fa-c17fccc0"\r\nAccept-Ranges: bytes\r\nLast-Modified: Tue, 14 Jun 2005 00:31:23 GMT\r\nContent-Length: 12794\r\nContent-Type: text/plain\r\nAge: 27776\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Keep-Alive\r\n\r]
>
> Any thoughts?

Broken web server, returning text/plain content-type if the request has a Cache-Control: max-age header but no Pragma: no-cache header.

  GET /index.html HTTP/1.0
  Host: angulosolido.pt
  Cache-Control: max-age=259200

returns text/plain

  GET /index.html HTTP/1.0
  Host: angulosolido.pt

or

  GET /index.html HTTP/1.0
  Host: angulosolido.pt
  Cache-Control: max-age=259200
  Pragma: no-cache

returns text/html.. not Squid's fault, it just happens to trigger the quite obscure webserver bug.

Regards
Henrik
Re: [squid-users] Limiting users access with squid
Hi,

At 10.31 21/06/2005, Ian Bert Tusil wrote:
> I've setup Squid and ntlm authentication using ntlm_auth. I'd like to limit the user's access some sites depending on their group, how do i do that? any sites you can refer?

For group authorization you can use wbinfo_group.pl on Samba 3 or winbind_group on Samba 2.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] authenticate users in squidnt with win2000server
Hi,

At 09.28 21/06/2005, Joaquim Roca wrote:
> Hi
>
> I'm using SquidNT (windows version) under windows2000Server.
> If I block webpages through urlname, Squid works but if I want to use the username to block or not to block doesn't work.
> I would like to authenticate users in SquidNT using the Active Directory in Windows2000Server.
> How to do it ???
>
> Thank you

See the following:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5 (Samba 3 section)

Change ntlm_auth with win32_ntlm_auth.exe.
For group authorization you can use win32_check_group.exe.

The documentation of both helpers is already in the Squid for Windows binary distribution.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] digest authentication error
Hi,

At 18.49 21/06/2005, kido wrote:
> hi, again!
> I tried like u told me:
>
>   ./configure --enable-basic-auth-helpers=NCSA --enable-err-languages=Romanian --enable-arp-acl --enable-digest-auth-helpers=password --enable-auth="basic digest"
>   make
>   make install
>
> I left these lines uncommented:
>
>   auth_param digest program /usr/local/squid/libexec/digest_pw_auth
>
> and commented the one responsible for basic auth
> still, it does not work...:(
> when I run squid -NCd1 , the program started OK, but after a few seconds I get the following error:
>
>   2005/06/21 19:31:39| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvYXJlMzp2ZWNpbjM='
>   2005/06/21 19:31:39| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvYXJlMzp2ZWNpbjM='
>   2005/06/21 19:31:47| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic Z2FiaTpnYWJp'
>
> what have I done wrong this time? :((

With what browser ?

This is correct if you are using a user agent (= Browser) that cannot support digest authentication because only digest is enabled in your configuration.

But you can use both basic and digest authentication at the same time. The browser will select the strongest supported in the following order:

  Digest
  NTLM (not in your config)
  Basic

So, try leaving both digest and basic authentication enabled.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
[squid-users] NTLM auth and Java applets
I have squid-2.5.STABLE3-6.3E.8 (RedHat ES 3 RPM) configured to do NTLM authentication using winbind. This works great, however, Java applets prompt for a login, but never accept it. Is there a way to get Java applets to work? They work fine through the old proxy that does basic authentication with LDAP.

Here's my config:

  http_port 8080
  icp_port 0
  cache_peer 127.0.0.1 parent 2543 7 proxy-only no-query no-netdb-exchange login=*:nopassword default
  cache_mem 64 MB
  maximum_object_size 25600 KB
  cache_dir aufs /var/spool/squid 500 16 256
  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 25
  auth_param ntlm max_challenge_reuses 0
  auth_param ntlm max_challenge_lifetime 30 minutes
  auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 10
  auth_param basic realm Web Proxy
  auth_param basic credentialsttl 2 hours
  acl allow_url dstdomain "/etc/squid/squidbypass.txt"
  http_access allow allow_url
  external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
  acl internetusers external nt_group internet
  http_access allow internetusers
  half_closed_clients off
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl winbind proxy_auth REQUIRED
  http_access deny manager
  http_access allow localhost
  http_access deny all
  http_reply_access allow all
  forwarded_for off
  never_direct allow all

Thanks,
~M
Re: [squid-users] Squid swapping text/html for text/plain?
Here it is:

1119379558.719 3921 192.168.1.100 TCP_MISS/200 13178 GET http://angulosolido.pt/index.html - DIRECT/195.23.112.199 text/plain [Host: angulosolido.pt\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\n] [HTTP/1.1 200 OK\r\nDate: Tue, 21 Jun 2005 18:45:56 GMT\r\nServer: Apache-AdvancedExtranetServer/2.0.50 (Mandrakelinux/7.2.101mdk) mod_perl/1.99_16 Perl/v5.8.5 PHP/4.3.8\r\nETag: "1000d1-31fa-c17fccc0"\r\nAccept-Ranges: bytes\r\nLast-Modified: Tue, 14 Jun 2005 00:31:23 GMT\r\nContent-Length: 12794\r\nContent-Type: text/plain\r\nAge: 27776\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Keep-Alive\r\n\r]

Any thoughts?

Thanks,
Pedro Pessoa
Re: [squid-users] digest authentication error
hi, again!
I tried like u told me:

  ./configure --enable-basic-auth-helpers=NCSA --enable-err-languages=Romanian --enable-arp-acl --enable-digest-auth-helpers=password --enable-auth="basic digest"
  make
  make install

I left these lines uncommented:

  auth_param digest program /usr/local/squid/libexec/digest_pw_auth

and commented the one responsible for basic auth
still, it does not work...:(
when I run squid -NCd1 , the program started OK, but after a few seconds I get the following error:

  2005/06/21 19:31:39| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvYXJlMzp2ZWNpbjM='
  2005/06/21 19:31:39| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvYXJlMzp2ZWNpbjM='
  2005/06/21 19:31:47| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic Z2FiaTpnYWJp'

what have I done wrong this time? :((

- Original Message -
From: "Serassio Guido" <[EMAIL PROTECTED]>
To: "kido" <[EMAIL PROTECTED]>; "squid"
Sent: Tuesday, June 21, 2005 9:22 AM
Subject: Re: [squid-users] digest authentication error

Hi,

At 21.51 20/06/2005, kido wrote:
> hi!
> I'm using squid 2.5 ; basic authentication (ncsa) works just fine. I tried to improve the authentication scheme, choosing digest. So, I entered: squid-2.5.STABLE10/helpers/digest_auth/ and did make && make install
> then I uncommented the following line in squid.conf.
>
>   auth_param digest program /usr/local/squid/libexec/digest_pw_auth /usr/local/squid/etc/digpass
>
> I preserved the same acls as with basic_auth:
>
>   acl parola proxy_auth REQUIRED
>
> When I restart squid, an error occurs, telling me that scheme "digest" is unknown. I reconfigured squid with --enable-digest-auth-helpers=password option. Rebuild. Same error :(
> Any ideas? How do I enable digest authentication?
> thanks!

You need too the --enable-auth="basic digest" configure option.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] Strange problem with NTLM_AUTH
Hey There,

I had this problem often and it was caused due to slow winbind responses or winbind hanging. Try to tune winbind!! Look if things like wbinfo -u/g/m perform fast -> winbind was often hanging cause it tried to talk to trusted domains-controllers (which often are not needed => allow trusted domains off). I had used 30 ntlm_auth processes before to not cause squid to restart under load, after tuning winbind 5 of them are enough right now according to the stats in cachemgr.cgi

cheers.
Roman

> Hi all;
> We have Squid 2.5.STABLE9 running with 30 ntlm_auth helpers Version 3.0.10-1.fc3. The problem is that on the squid's cachemgr.cgi->NTLM User Authenticator Stats is possible to verify that the ntlm_auth processes are slowly having the flag R (Reserved or Deferred) set and never being used again (the number of requests stops and the time starts growing). This problem goes until there is no more ntlm_auth process available and squid restarts itself, restarting all ntlm_auth too. After the restart, everything goes back to normal and the problem slowly repeats. We detected that the R flag appears more aggressively if the domain controller is under more load (like running a backup script).
> Well, the questions are:
> 1- What does the flag reserved mean?
> 2- Any ideas why the R flag is spreading through all the ntlm_auth processes, like processes 11 and 12 below (you can see the 11 and 12 are locked for a long time and process 13 is receiving more requests ?
>
> #   FD  PID   # Requests  Flags  Time        Offset  Request
> 1   8   8656  475909      R      10.140      0       (none)
> 2   9   8657  632482             0.093       0       (none)
> 3   10  8658  363615             0.412       0       (none)
> 4   11  8659  64199       R      311498.132  0       (none)
> 5   12  8660  33142       R      311497.891  0       (none)
> 6   13  8661  121226             0.932       0       (none)
> 7   14  8662  58971              0.913       0       (none)
> (...)
>
> Just for the record, I originally have sent this message to the SAMBA list, and Andrew Bartlett (NTLM_AUTH coder) replied me as below:
>
> "It might be that we need to have a better way to have ntlm_auth tell Squid that there is a problem now, but it might go away (previous helper designs had to be restarted for that to happen, but ntlm_auth can recover on its own).
>
> Andrew Bartlett"
>
> Any help is greatly appreciated;
> Best regards;
>
> Rafael Sarres de Almeida
> Seção de Gerenciamento de Rede
> Superior Tribunal de Justiça
> Tel: (61) 319-9342
[squid-users] Strange problem with NTLM_AUTH
Hi all;

We have Squid 2.5.STABLE9 running with 30 ntlm_auth helpers Version 3.0.10-1.fc3. The problem is that on the squid's cachemgr.cgi->NTLM User Authenticator Stats is possible to verify that the ntlm_auth processes are slowly having the flag R (Reserved or Deferred) set and never being used again (the number of requests stops and the time starts growing). This problem goes until there is no more ntlm_auth process available and squid restarts itself, restarting all ntlm_auth too. After the restart, everything goes back to normal and the problem slowly repeats. We detected that the R flag appears more aggressively if the domain controller is under more load (like running a backup script).

Well, the questions are:
1- What does the flag reserved mean?
2- Any ideas why the R flag is spreading through all the ntlm_auth processes, like processes 11 and 12 below (you can see the 11 and 12 are locked for a long time and process 13 is receiving more requests ?

#   FD  PID   # Requests  Flags  Time        Offset  Request
1   8   8656  475909      R      10.140      0       (none)
2   9   8657  632482             0.093       0       (none)
3   10  8658  363615             0.412       0       (none)
4   11  8659  64199       R      311498.132  0       (none)
5   12  8660  33142       R      311497.891  0       (none)
6   13  8661  121226             0.932       0       (none)
7   14  8662  58971              0.913       0       (none)
(...)

Just for the record, I originally have sent this message to the SAMBA list, and Andrew Bartlett (NTLM_AUTH coder) replied me as below:

"It might be that we need to have a better way to have ntlm_auth tell Squid that there is a problem now, but it might go away (previous helper designs had to be restarted for that to happen, but ntlm_auth can recover on its own).

Andrew Bartlett"

Any help is greatly appreciated;
Best regards;

Rafael Sarres de Almeida
Seção de Gerenciamento de Rede
Superior Tribunal de Justiça
Tel: (61) 319-9342
RE: [squid-users] Spyware....bleh
Thanks Henrik,

I opened a new bug (1329) this morning. I have also reopened a couple that were slated as fixed. However, they may all be tied together. Here is the content from the last bug report opened. They may all be unrelated. However I find it interesting that it happens at a time that either a known spyware site has tried to be accessed, or that it is a site containing javascript.

Thanks in advance.

Received the following stack trace on a crash this morning. Running Squid Cache version 3.0-PRE3-20050609 on Linux Fedora Core 3.

2005/06/21 09:56:07| assertion failed: pconn.cc:145: "i >= 0"
Detaching after fork from child process 2806.
Detaching after fork from child process 2807.
Detaching after fork from child process 2808.
Detaching after fork from child process 2809.
Detaching after fork from child process 2810.
Detaching after fork from child process 2811.

Program received signal SIGABRT, Aborted.
[Switching to Thread -1208232256 (LWP 2803)]
0x009777a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#0 0x009777a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x009b87d5 in raise () from /lib/tls/libc.so.6
#2 0x009ba149 in abort () from /lib/tls/libc.so.6
#3 0x08081ccb in xassert (msg=0x80fdc2a "i >= 0", file=0x80fdc21 "pconn.cc", line=145) at debug.cc:524
#4 0x080b1aa9 in pconnRemoveFD (p=0xb7d8b2a0, fd=134) at pconn.cc:145
#5 0x080b1b2a in pconnTimeout (fd=134, data=0xb7d8b2a0) at pconn.cc:167
#6 0x0807e75d in checkTimeouts () at comm.cc:2257
#7 0x08080889 in comm_select (msec=776) at comm_poll.cc:477
#8 0x080aacc7 in main (argc=2, argv=0xbffd8d84) at main.cc:1159

The last sites visited before this happened were:

"172.20.17.33":;"-":;"172.18.10.200":;1119103179:;2005-06-18 09:59:39:619:;0:;"-":;"-":;"407":;"GET":;"http://dellsupport.dellfix.com/agent/security/status.txt":;"1.0":;2419:;"text/html":;"TCP_DENIED"
"172.20.17.33":;"-":;"172.18.10.200":;1119103179:;2005-06-18 09:59:39:642:;0:;"-":;"-":;"407":;"GET":;"http://dellsupport.dellfix.com/agent/security/pub.crt":;"1.0":;2424:;"text/html":;"TCP_DENIED"
"172.20.25.132":;"64.46.197.156":;"172.18.10.200":;1119269399:;2005-06-20 08:09:59:391:;73:;"-":;"-":;"304":;"GET":;"http://l8wt0m0p.rsodm20.smsrsm.com/lawson/portal/images/edge3rt.gif":;"1.0":;288:;"-":;"TCP_MISS"
"172.18.9.138":;"204.95.15.98":;"172.18.10.200":;1119280199:;2005-06-20 11:09:59:390:;25:;"username":;"username":;"304":;"GET":;"http://alt.coxnewsweb.com/ajc/js/homepage/skyboxes.flash.js":;"1.0":;339:;"text/plain":;"TCP_MISS"
"172.20.25.22":;"-":;"172.18.10.200":;1119362379:;2005-06-21 09:59:39:983:;2:;"-":;"-":;"407":;"POST":;"http://reports.hotbar.com/reports/hotbar/4.0/HbRpt.dll":;"1.0":;4161:;"text/html":;"TCP_DENIED"

Added information:
Whenever I see a crash (no matter what crash bug I see) it always seems to be preceded by either a site that is known spyware or a site with javascript in it. I don't know if that helps.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 18, 2005 6:09 AM
To: Sam Reynolds
Cc: Squid Users
Subject: RE: [squid-users] Spywarebleh

Yes, and here you need to follow what is said in the FAQ to get any further. A stack trace is required.

Regards
Henrik

On Fri, 17 Jun 2005, Sam Reynolds wrote:

> Does this help shed light?
>
> FATAL: Received Segment Violation...dying.
> 2005/06/17 11:21:31| storeDirWriteCleanLogs: Starting...
> 2005/06/17 11:21:31| WARNING: Closing open FD 16
> 2005/06/17 11:21:31| Finished. Wrote 0 entries.
> 2005/06/17 11:21:31| Took 0.0 seconds ( 0.0 entries/sec).
> CPU Usage: 21.284 seconds = 10.293 user + 10.990 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
>    total space in arena: 13700 KB
>    Ordinary blocks: 13148 KB 37 blks
>    Small blocks: 0 KB 0 blks
>    Holding blocks: 7344 KB 42 blks
>    Free Small blocks: 0 KB
>    Free Ordinary blocks: 551 KB
>    Total in use: 20492 KB 150%
>    Total free: 551 KB 4%
[squid-users] squid authentication pop up.
Hi,

I am trying to monitor a security system webcam through port 80 and it is working fine over the internet BUT if I try to access the site behind the squid proxy server the authentication pop up will not come up. But from a PC connected to the internet (no squid) it works fine. It seems like the pop up is being canceled. Does someone have a clue of what could be the problem? Here is the IP: 195.158.110.252

Please, I need help as I really need to solve it.

regards
Daniel
[squid-users] squid 3 as a reverse proxy
Hi,

Experimenting with Squid 3, I've setup an accelerating Proxy for some web servers/sites.

From squid.conf:

  http_port squid_ip:80 vhost
  https_port squid_ip:443 cert=/path/to/cert/cert.crt \
    key=/path/to/key/key.key vhost
  ssl_unclean_shutdown on
  sslproxy_flags DONT_VERIFY_PEER
  redirect_rewrites_host_header off
  redirect_program /usr/bin/jesred
  redirect_children 10
  acl all src 0.0.0.0/0.0.0.0
  http_reply_access allow all
  http_access allow all

From jesred.rules:

  regexi ^https://squid-ip/tst/(.*) http://server-ip/\1

This configuration gives the client the following error:

  While trying to retrieve the URL: https://squid_ip/tst
  The following error was encountered:
  Unable to forward this request at this time.

And from the cache.log:

  2005/06/21 15:32:29| Failed to select source for 'https://squid_ip/tst'
  2005/06/21 15:32:29| always_direct = 0
  2005/06/21 15:32:29|never_direct = 0
  2005/06/21 15:32:29|timedout = 0

What's going wrong in here?

Regards,
tuukka
[squid-users] squid problem
Hi all,

Since I changed to squid-2.5.10_1 I have some problems with my freebsd box (5.4-RELEASE-p1). Any ideas?

Some error messages in access.log:

...
1119359221.420 0 192.168.100.158 TCP_DENIED/400 1937 GET error:pf-open-failed - NONE/- text/html
1119359221.476 0 192.168.100.158 TCP_DENIED/400 1864 GET error:pf-open-failed - NONE/- text/html
1119359231.865 0 192.168.100.158 TCP_DENIED/400 1916 GET error:pf-open-failed - NONE/- text/html
1119359236.353 2 192.168.100.158 TCP_DENIED/400 1912 GET error:pf-open-failed - NONE/- text/html
...

Thanks
Re: [squid-users] crazy delay pools
Yes, I could, but the whole point of this approach is to limit only the download of specific files and leave the browsing to full speed, so no, I can't use cbq/htb or any other qdisc. What do you mean by DAP PORTS? DAP connects to the proxy server like a regular browser connecting to a proxy server ( IE, firefox, opera, etc.), so maybe you are confusing things a bit or maybe I did not understand you correctly.

Alex

- Original Message -
From: "ashkan almaspour" <[EMAIL PROTECTED]>
To: "Alex" <[EMAIL PROTECTED]>
Sent: Tuesday, June 21, 2005 10:55 AM
Subject: Re: [squid-users] crazy delay pools

you can use cbq for DAP Ports to limit download.

On 6/21/05, Alex <[EMAIL PROTECTED]> wrote:

Hi guys,

I have a very annoying problem and maybe someone here might be able to help me. Here's the thing: I have squid setup with delay pools in the following config:

  acl files urlpath_regex -i "/etc/squid/files"
  delay_pools 3
  delay_class 1 3
  delay_class 2 3
  delay_class 3 3
  delay_parameters 1 -1/-1 -1/-1 8192/8192
  delay_parameters 2 -1/-1 -1/-1 4096/4096
  delay_parameters 3 -1/-1 -1/-1 16384/16384
  delay_access 1 deny nolimit
  delay_access 1 deny clients-32k
  delay_access 1 deny clients-128k
  delay_access 1 allow files
  delay_access 1 deny all
  delay_access 2 deny clients-64k
  delay_access 2 deny clients-128k
  delay_access 2 deny nolimit
  delay_access 2 allow files
  delay_access 2 deny all
  delay_access 3 deny nolimit
  delay_access 3 deny clients-64k
  delay_access 3 deny clients-32k
  delay_access 3 allow files
  delay_access 3 deny all

contents of /etc/squid/files

  \.exe$
  \.com$
  \.mp3$
  \.mp2$
  \.vqf$
  \.tbz$
  \.tar$
  \.gz$
  \.bz2$
  \.rpm$
  and so on

Basically what I need to do is limit the download of specific file types (by extension). This works for most of the users, but I get reports from various people that by using DAP (download accelerator) with "extreme acceleration speed" setting, they can override the limits that I impose. Why is this happening? I tested the setup with FlashGet, GetRight and other download managers, but only with DAP I have managed to get these unexpected results.

I'm using squid-2.5.STABLE9-2 on a RH 9

Anybody knows why and maybe what I can do to stop this?

Alex

--
This message has been scanned for viruses and dangerous content by LG-Network(http://www.lgnet.ro), and is believed to be clean.
Re: [squid-users] squid for socks?
Clemens Wohlfart wrote:
> Hi,
>
> I had looked to the documentation from squid and to the internet. I found only the information, that squid can't be used as a socks proxy. Is this right?
>
> Best Regard
> Clemens

As you can see here:
http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.1

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects...

And socks supports any protocol (not only FTP, Gopher, HTTP, HTTPS).
[squid-users] squid for socks?
Hi,

I had looked to the documentation from squid and to the internet. I found only the information, that squid can't be used as a socks proxy. Is this right?

Best Regard
Clemens
[squid-users] Anyone using the feature to test a group with NTLM or I'm the only one ? is that a bug ?
Hi,

I try to find someone who knows how to configure the wbinfo_group.pl as an external helper. I have squid 2.5 STABLE9 running on solaris 8 and the authentication is working with a NT domain (the user auth is working fine).

here is my config:

  ## basic auth
  auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 64
  auth_param basic credentialsttl 2 hours
  auth_param basic realm CAI Internet access control Gen\350ve
  ## NTLM auth
  auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 64
  auth_param ntlm max_challenge_lifetime 30 minutes
  auth_param ntlm max_challenge_reuses 0
  authenticate_cache_garbage_interval 10 minute
  authenticate_ttl 10 minute
  external_acl_type NT_global_group %LOGIN /opt/squid/libexec/wbinfo_group.pl
  acl techuser external NT_global_group D-CH-BI1\SurfeursWebCAICH-T
  acl webuser external NT_global_group D-CH-BI1\SurfeursWebCAICH D-CH-BI1\SurfeursWebCAICH-T
  http_access deny ftp !techuser
  http_access allow cai-auth webuser
  http_access deny all

but that doesn't work: the wbinfo_group.pl is only testing the first group, not the second or the third. Here is the output of a test user (he is member of SurfeursWebCAICH-T); here is the debug I have on cache.log:

  Got d-ch-bi1\\bi9yj D-CH-BI1\\SurfeursWebCAICH D-CH-BI1\\SurfeursWebCAICH-T from squid
  User: -d-ch-bi1\bi9yj-
  Group: -D-CH-BI1\SurfeursWebCAICH-
  SID: -S-1-5-21-907243726-1387878072-1859928627-9560 Domain Group (2)-
  GID: -10013-
  Sending ERR to squid

but if I do a wbinfo -r d-ch-bi1\\bi9yj here is my group:

  1 10001 10002 10003 10004 10005 10006 10007 10008 10009 10010 10011 10012

so the wbinfo_group.pl only tests the first group it receives from squid, not the others.

How can I make it work ?

thanks for any help
Arno
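An external ACL helper that tests every group on the request line instead of stopping at the first, as an added example that is not the wbinfo_group.pl shipped with Squid and not part of the original post. The request line is the one from the debug output above; the lookup tables are a constructed stand-in for winbind, and the gid 10005 for the second group is an assumed value.

```python
import sys

# Constructed stand-in for winbind. The user's gid list and the first group's
# gid (10013) come from the debug output in the post; 10005 for the second
# group is an assumption. A production helper would query winbind instead.
USER_GIDS = {"d-ch-bi1\\bi9yj": {1, *range(10001, 10013)}}
GROUP_GID = {"d-ch-bi1\\surfeurswebcaich": 10013,
             "d-ch-bi1\\surfeurswebcaich-t": 10005}

# Request line as logged in the post: backslashes arrive doubled.
SAMPLE_LINE = r"d-ch-bi1\\bi9yj D-CH-BI1\\SurfeursWebCAICH D-CH-BI1\\SurfeursWebCAICH-T"


def lookup_user_gids(user):
    """gids the user belongs to (constructed table, case-insensitive)."""
    return USER_GIDS.get(user.lower(), set())


def lookup_group_gid(group):
    """gid of a group name, or None if unknown (constructed table)."""
    return GROUP_GID.get(group.lower())


def split_request(line):
    """Split a request line into tokens: a backslash escapes the next
    character and double quotes group a token that contains spaces."""
    tokens, cur, quoted, started = [], [], False, False
    chars = iter(line.rstrip("\r\n"))
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, "\\"))
            started = True
        elif ch == '"':
            quoted = not quoted
            started = True
        elif ch == " " and not quoted:
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        tokens.append("".join(cur))
    return tokens


def answer(line, gids_of_user=lookup_user_gids, gid_of_group=lookup_group_gid):
    """Return "OK" if the user is in ANY group named on the line, else "ERR"."""
    tokens = split_request(line)
    if len(tokens) < 2:
        return "ERR"
    user_gids = set(gids_of_user(tokens[0]))
    for group in tokens[1:]:          # every group, not only the first
        gid = gid_of_group(group)
        if gid is not None and gid in user_gids:
            return "OK"
    return "ERR"


def serve(inp, out):
    """Helper loop: one request line in, one OK/ERR line out, flushed each time."""
    for line in inp:
        out.write(answer(line) + "\n")
        out.flush()


if __name__ == "__main__":
    # Demo on the constructed data; a deployed helper would call
    # serve(sys.stdin, sys.stdout) instead.
    print(answer(SAMPLE_LINE))
```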
[squid-users] Ftp problems using filezilla
Hi list, I have set up a squid proxy (V2.5) on debian (Linux 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux) and I am using it to give access to FTP servers for some users. I configured FileZilla on a windows based PC that has to upload files on some FTP servers. Connection is fine and as filezilla supports http proxy all is okay. The problem is that if I try to upload a file that is 350ko, only a part of it will be transferred. It doesn't matter what file size or type I send, or whatever the FTP server is, the uploaded files are always truncated. I tried passive or active mode, binary or ascii transfer etc... But I can't get things to work. Could you help me? Thanks in advance. Yannick
Re: [squid-users] ncsa_auth, disable users..
solved by changing the auth_param basic credentialsttl to a small "seconds" number :)

> Hey
>
> We are using ncsa_auth to control usernames and passwords on the squid
> server..
>
> All users and passwords are located in a passwd file. In this we are
> disabling users. One problem is that it only works when the session is
> killed.
>
> Server restart, wrong password or user from the user. etc.
>
> Is it possible to get this change to work straight away somehow ?
>
> Thanks
[squid-users] ncsa_auth, disable users..
Hey We are using ncsa_auth to control usernames and passwords on the squid server.. All users and passwords are located in a passwd file. In this we are disabling users. One problem is that it only works when the session is killed. Server restart, wrong password or user from the user. etc. Is it possible to get this change to work straight away somehow ? Thanks
[squid-users] Authentication not accepted when forwarding requests to a parent proxy server
I have added the lines below to my squid conf file:

  cache peer parent 3128 0 no-query default
  acl all src 0.0.0.0/0.0.0.0
  never_direct allow all

With these lines added, the requests do appear to be directed to the parent proxy and the authentication window for the parent pops up. When the username and password are entered and OK is clicked, the authentication window pops up again. The user never gets past the authentication request. If I remove the 3 lines above, the local caching server works OK, without going through the authenticating parent.
[squid-users] Limiting users access with squid
I've setup Squid and ntlm authentication using ntlm_auth. I'd like to limit the user's access some sites depending on their group, how do i do that? any sites you can refer?
[squid-users] Squid restarts when accessing some webpages
Hey There,

We are running Squid (squid-2.5.STABLE6-3.4E.9) on Centos 4.1. When accessing some web-pages the Squid restarts itself. I can reproduce this problem on different machines (PIII, P4, SMP) but cannot really find anything that helps me in the logs.

Here the config we use: (I turn off the squidguard and the authentication for this testing -> it happens with and without!)

  debug_options ALL,2
  #redirect_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
  #redirect_children 4
  cache_effective_user squid
  visible_hostname fw.ch.gemue.intern
  http_port 8080
  tcp_outgoing_address 10.10.111.203
  maximum_object_size 200 MB
  pipeline_prefetch on
  request_body_max_size 10 MB
  cache_access_log /var/log/squid/access.log
  cache_log /var/log/squid/cache.log
  cache_dir aufs /var/spool/squid/ 9000 16 256
  cache_store_log none
  cache_mem 64 MB
  #auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 4
  #auth_param ntlm children 100
  #auth_param ntlm max_challenge_reuses 0
  #auth_param ntlm max_challenge_lifetime 30 minutes
  #auth_param ntlm use_ntlm_negotiate on
  #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  #auth_param basic children 5
  #auth_param basic realm Squid proxy-caching web server
  #auth_param basic credentialsttl 2 hours
  #external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl
  #cache_mgr [EMAIL PROTECTED]
  cachemgr_passwd hugo all
  coredump_dir /var/spool/squid
  acl UBS dstdomain .ubs.com
  acl ADOBE dstdomain .adobe.com
  acl SUVA dstdomain .suva.ch
  #acl FullAccess external NT_global_group InternetFull
  #acl SurfAccess external NT_global_group InternetWWW
  acl SurfAccess src 10.10.1.0/255.255.255.0
  #acl AuthorizedUsers proxy_auth REQUIRED
  #acl Block_Attachment url_regex -i "/etc/squid/block_attachments.cfg"
  #acl Skype dst "/etc/squid/skype.ips"
  acl CONNECT method CONNECT
  acl QUERY urlpath_regex cgi-bin \?
  acl SSL_ports port 443 563 3
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 563 3# https, snews
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 777 # multiling http
  acl Safe_ports port 80 # http
  acl Messenger dstdomain .msn.com
  acl Messenger dstdomain .messenger.hotmail.com
  acl Messenger dstdomain .google.com
  acl all src 0.0.0.0/0.0.0.0
  acl localhost src 127.0.0.1/255.255.255.255
  acl manager proto cache_object
  hierarchy_stoplist cgi-bin ?
  no_cache deny QUERY
  http_access allow manager localhost
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow UBS
  http_access allow ADOBE
  http_access allow Messenger
  http_access allow SUVA
  http_access allow CONNECT UBS
  #http_access deny !AuthorizedUsers
  #http_access allow FullAccess
  #http_access deny Block_Attachment
  http_access allow SurfAccess
  http_access deny all
  http_access deny manager

Attached I have the cache.log and access.log files tared'n'zipped of just the one request that crashes the proxy with debug=ALL,2. For testing I made this with http://bild.de (tested with IE and Mozilla -> here it is with Mozilla on Linux)

Has anyone experienced similar behaviour and found some fix??? If there is more log-details needed I can easily provide it!!!

cheers.
Roman
Re: [squid-users] no FTP proxy available?
> hello,
> there is "frox", which is intercepting (incorrectly called "transparent")
> proxy that can redirect connections through another proxy

as far as i know, frox does not support user authentication. to make that clear again. i must have authentication on the ftp proxy. and i found out that no proxy in the unix world supports parent ftp proxies and user authentication. ftp-proxy supports user authentication but no parent proxies. frox supports parent but no user authentication. i'm looking already some time for a proxy that supports both features but there is none. so i thought maybe squid could do the trick with a little tweaking of the configuration. also because it would be possible to use the same user database. any experiences are welcome.

> There are some application proxies - jftpgw, ftp-proxy, but I must warn you
> that the FTP protocol does not support proxies like HTTP. That also means
> that user-provided authentication at proxy level is impossible.
> Theoretically you can authenticate using other protocols (maybe NTLM) that
> authenticate using other channels than FTP connection. You need to check.

i searched already a lot and saw all these proxies. there is no need for http support. squid can do this. i only need an extra ftp proxy. but the problem is they all can't support parent and user authentication in combination.

> I hope I helped you a bit.
>
> > Is it possible to use squid for that? I know the documentation.
>
> Squid doesn't support ftp clients, but some clients support fetching files
> via HTTP proxy.

well, i checked that out and it seems that you have to find a client which then also supports this. are puts also supported over http?

> > I have to use an ftp proxy before TrendMicro's Viruswall.
> >
> > intranet -> ftpproxy -> viruswall -> internet
>
> According to its documentation, frox supports scanning of downloaded files
> for viruses.

well, i will not change the setup for scanning. setup is as intranet -> ftp proxy -> viruswall -> internet

> it's not a problem, but you can't use ordinary FTP client - squid is HTTP
> proxy so you'll need HTTP client. (maybe some FTP clients do have such
> extensions)

i tried a "good" ftp client. also gftp and both had problems with listing directories and uploading files. any hint on a graphical unix client that supports ftp over http with a parent proxy. or can someone give me a config example for FTP and squid using a different parent than for http. so i can try this out again.

Frank
[squid-users] FTP upload problems.
Hello

We are experiencing some problems with the squid server, running 2.5.9. When we are uploading files the files become empty. Why is this happening, and what is the fix?

thanks.
Re: [squid-users] no FTP proxy available?
On 20.06 16:02, Frank Wagner wrote:
> i just want to make that clear. currently there seems to be no FTP proxy
> available, which has user authentication and support for parent proxies.

hello,

there is "frox", which is intercepting (incorrectly called "transparent") proxy that can redirect connections through another proxy

There are some application proxies - jftpgw, ftp-proxy, but I must warn you that the FTP protocol does not support proxies like HTTP. That also means that user-provided authentication at proxy level is impossible. Theoretically you can authenticate using other protocols (maybe NTLM) that authenticate using other channels than FTP connection. You need to check.

I hope I helped you a bit.

> Is it possible to use squid for that? I know the documentation.

Squid doesn't support ftp clients, but some clients support fetching files via HTTP proxy.

> I have to use an ftp proxy before TrendMicro's Viruswall.
>
> intranet -> ftpproxy -> viruswall -> internet

According to its documentation, frox supports scanning of downloaded files for viruses.

> tell me if i'm wrong. but only squid has maybe the possibility to proxy ftp
> with user authentication and parent proxy. so my question is, if i can
> configure squid to do so?

it's not a problem, but you can't use ordinary FTP client - squid is HTTP proxy so you'll need HTTP client. (maybe some FTP clients do have such extensions)

> maybe some clients work good enough with squid and his ftp proxy
> possibilities.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
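The point made in the reply above, that Squid is an HTTP proxy and the client has to speak HTTP to it, shown as an added example (not part of the original post and not Squid code): the client names the ftp:// URL in an HTTP request, the proxy-level user is carried in the Proxy-Authorization header, and the FTP login stays in the URL. Host names, user names and passwords are constructed sample values.

```python
import base64
from urllib.parse import urlsplit, unquote

def build_proxy_request(method, ftp_url, proxy_user, proxy_password, body=b""):
    """Client side: the raw HTTP/1.1 request sent to the proxy for an ftp:// URL."""
    parts = urlsplit(ftp_url)
    if parts.scheme != "ftp":
        raise ValueError("expected an ftp:// URL")
    # Basic credentials are only base64-encoded, not encrypted, on this hop.
    token = base64.b64encode(f"{proxy_user}:{proxy_password}".encode()).decode()
    lines = [
        f"{method} {ftp_url} HTTP/1.1",  # absolute URI: scheme ftp, carried over HTTP
        f"Host: {parts.hostname}",
        f"Proxy-Authorization: Basic {token}",  # identifies the proxy user
    ]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body

def parse_at_proxy(raw):
    """Proxy side: separate the proxy user from the FTP login named in the URL."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    proxy_user = None
    if scheme.lower() == "basic" and cred:
        proxy_user = base64.b64decode(cred).decode().split(":", 1)[0]
    url = urlsplit(target)
    return {
        "method": method,
        "proxy_user": proxy_user,  # None means the proxy should answer 407
        "ftp_host": url.hostname,
        "ftp_user": unquote(url.username) if url.username else "anonymous",
        "ftp_path": url.path,
        "body_len": len(body),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    url = "ftp://ftpuser:ftppass@ftp.example.com/pub/readme.txt"
    req = build_proxy_request("GET", url, "alice", "s3cret")
    print(req.decode())
    print(parse_at_proxy(req))
```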
[squid-users] authenticate users in squidnt with win2000server
Hi

I'm using SquidNT (windows version) under windows2000Server. If I block webpages through urlname, Squid works, but if I want to use the username to block or not to block, it doesn't work. I would like to authenticate users in SquidNT using the Active Directory in Windows2000Server. How to do it ???

Thank you
[squid-users] re:download cvs and patch squid?
I am having problems applying the icap patch to stable10 using:

patch -p1 <../patchfile

I get the below error:

linux:~/software/squid-2.5.STABLE10 # patch -p1 < ./icap-2.5.patch
patching file acconfig.h
patching file configure.in
Hunk #1 succeeded at 464 (offset 22 lines).
Hunk #2 FAILED at 1850.
Hunk #3 succeeded at 1908 with fuzz 1 (offset 44 lines).
1 out of 3 hunks FAILED -- saving rejects to file configure.in.rej
can't find file to patch at input line 75
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|Index: squid/errors/list
|diff -u squid/errors/list:1.1.1.1.146.1 squid/errors/list:1.1.1.1.182.2
|--- squid/errors/list:1.1.1.1.146.1Mon Jan 31 19:14:47 2005
|+++ squid/errors/list Mon Mar 7 13:28:01 2005