[squid-users] Seamless bandwidth monitor

2005-09-29 Thread Paul Matthews

I'm looking at setting up a certain megabit download limit on my users. I'm
currently using squid as my proxy server and I was wondering if there was any
way of doing this seamlessly, such as once a user has passed his/her limit,
when he/she visits the internet he/she is redirected to a web page explaining
that he/she has surpassed their bandwidth for the month.
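One way to build the accounting side of what is asked above, as an added example that is not part of the original thread: parse Squid's native access.log (fields: time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), total the bytes Squid sent to each authenticated user per calendar month, and emit the list of users over a quota in the one-name-per-line form a quoted-file proxy_auth acl reads. The log lines, the quota of 1 MB and the usernames are constructed for the example.

```python
"""Per-user monthly byte accounting from Squid's native access.log.

Added example (not from the original thread). Assumes the native log
format: time elapsed client code/status bytes method URL user peer type.
"""
import time
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format.
# The "-" user on the TCP_DENIED/407 line is an unauthenticated request.
SAMPLE_LOG = """\
1128000000.123    234 10.0.0.5 TCP_MISS/200 4523 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1128000100.456     12 10.0.0.5 TCP_HIT/200 1500000 GET http://example.com/big.iso alice NONE/- application/octet-stream
1128000200.789    301 10.0.0.6 TCP_MISS/200 2048 GET http://example.org/ bob DIRECT/192.0.2.20 text/html
1128000300.000     50 10.0.0.7 TCP_DENIED/407 1200 GET http://example.net/ - NONE/- text/html
1130700000.000     77 10.0.0.6 TCP_MISS/200 900000 GET http://example.org/x.zip bob DIRECT/192.0.2.20 application/zip
"""


def parse_line(line):
    """Return (year, month, user, bytes) for one native-format log line,
    or None for blank/malformed lines and unauthenticated ("-") requests."""
    fields = line.split()
    if len(fields) < 9:
        return None
    try:
        ts = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    user = fields[7]
    if user == "-":
        return None
    t = time.gmtime(ts)          # UTC so the month boundary is unambiguous
    return (t.tm_year, t.tm_mon, user, size)


def monthly_usage(log_text):
    """Map (year, month) -> {user: total bytes Squid sent to that user}."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        year, month, user, size = rec
        usage[(year, month)][user] += size
    return usage


def over_quota(month_usage, quota_bytes):
    """Sorted usernames whose total for the month exceeds quota_bytes."""
    return sorted(u for u, total in month_usage.items() if total > quota_bytes)


def render_acl_file(users):
    """One username per line, the format a quoted-file proxy_auth acl reads."""
    return "".join(u + "\n" for u in users)


if __name__ == "__main__":
    usage = monthly_usage(SAMPLE_LOG)
    for (year, month), per_user in sorted(usage.items()):
        print(f"{year}-{month:02d}: {dict(per_user)}")
    # A 1 MB quota for the constructed data: only alice is over.
    print(render_acl_file(over_quota(usage[(2005, 9)], 1_000_000)), end="")
```

The bytes column is what Squid sent to the client, headers included, and the user column is only filled when proxy_auth is in use, so the per-user totals are only as good as the authentication in front of them. The rendered file is meant to be written from a periodic job and loaded by an acl such as `acl over_quota proxy_auth "/etc/squid/over_quota.txt"` (path is a placeholder) followed by an `http_access deny over_quota` and a `deny_info` entry pointing at the explanation page, then `squid -k reconfigure` to pick up the new list.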



[squid-users] A little trouble with ntlm_auth

2005-09-29 Thread Michael St. Laurent
Hi all,

I'm having trouble getting ntlm_auth working with the
"--require-membership-of=" option.  I did rebuild the Samba RPM so that it
had the --enable-auth="ntlm,basic" and
--enable-external-acl-helpers="wbinfo_group" settings.  The command line
test for the squid-2.5-basic protocol returns an "OK".  The one using the
squid-2.5-ntlmssp protocol returns what looks like a line that should be
going to a log file and then a "BH".  Any time that I add the
--require-membership parameter to the ntlm_auth line in my squid.conf file
it fails every time.  Below are the config lines I'm using:

# Experimental Domain Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=MERCURY\WebAccess
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=MERCURY\WebAccess
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

-- 
Michael St. Laurent
Hartwell Corporation


[squid-users] multiple campuses/branches setup

2005-09-29 Thread Joshua Morgan
hi there,

At the moment I am trying to find a way to implement squid as a
standard proxy cache for multiple campuses/branches.

Each campus or branch may have 1 or more users with the same username, and
they may have conflicting access control lists.

Can someone please shed a little light on how I could run one instance
of squid to serve these two campuses/branches and still have conflicting
acls, and two users with the same username?

thanks


RE: [squid-users] winbind --with-winbind-auth-challenge

2005-09-29 Thread Paul Matthews
[EMAIL PROTECTED] /]# wbinfo -a mydomain\\myusername%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 29 September 2005 4:47
To: Paul Matthews
Cc: Squid Users
Subject: RE: [squid-users] winbind --with-winbind-auth-challenge



On Thu, 29 Sep 2005, Paul Matthews wrote:

> What is step 6? I have the squid FAQ up
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
>
> and I see 23 & 23.1 but I'm not sure what step you're talking about, as far
> as I can tell I've done everything.

Squid FAQ 23.5 How do I use the Winbind authenticators?
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

subsection "Test Samba's winbindd".

Regards
Henrik




Re: [squid-users] Error in STABLE11

2005-09-29 Thread Awie
Henrik,

I will use the version 2.5S11 + new patches and I will report the progress.

Thx & Rgds,

Awie

- Original Message - 
From: "Awie" <[EMAIL PROTECTED]>
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
Cc: "Squid-users" 
Sent: Friday, September 30, 2005 04:26
Subject: Re: [squid-users] Error in STABLE11


> > If this works better for you then I'd like to take a closer look at what
> > may differ between your system and the other systems this patch was
> > tested on.
> >
> > Regards
> > Henrik
>
> Thanks Henrik.
>
> I got a new result by doing a test.
>
> Perhaps the question is "Why do I need squid -k shutdown?"
>
> Sometimes, Squid cannot run after system booting (I put Squid in rc.local).
> No webcache is running according to netstat -a, but the system claims that
> Squid exists when I try to load Squid (running but not serving). After
> shutting down Squid and loading it manually, it runs well. The problem
> (could not shut down Squid) is a trouble.
>
> The result: in both tests (patched and un-patched) Squid can be shut down
> nicely when the webcache service exists in netstat -a. I think the problem
> of not being able to shut down Squid only happens when the problem occurs
> (running but not serving). However, Squid 2.5S10 (without patches) can be
> shut down in any condition.
>
> Thx & Rgds,
>
> Awie
>
>




Re: [squid-users] Error in STABLE11

2005-09-29 Thread Awie
> If this works better for you then I'd like to take a closer look at what
> may differ between your system and the other systems this patch was tested
> on.
>
> Regards
> Henrik

Thanks Henrik.

I got a new result by doing a test.

Perhaps the question is "Why do I need squid -k shutdown?"

Sometimes, Squid cannot run after system booting (I put Squid in rc.local). No
webcache is running according to netstat -a, but the system claims that Squid
exists when I try to load Squid (running but not serving). After shutting
down Squid and loading it manually, it runs well. The problem (could not
shut down Squid) is a trouble.

The result: in both tests (patched and un-patched) Squid can be shut down
nicely when the webcache service exists in netstat -a. I think the problem of
not being able to shut down Squid only happens when the problem occurs (running
but not serving). However, Squid 2.5S10 (without patches) can be shut down in
any condition.

Thx & Rgds,

Awie




[squid-users] Request never times out

2005-09-29 Thread Enrico Demarin (home)

Hello Everyone,

I am testing a situation where squid takes a very long time to time out:

http://autoconfig.mcilink.com/ieupdate/G4Secure1.ins

I set:

read_timeout 30 seconds
request_timeout 30 seconds
pconn_timeout 60 seconds

But still the request stays stuck for more than 6 minutes.

Any help?

- Enrico



[squid-users] "invalid header" error by https access

2005-09-29 Thread Dominik Schmid

Hello out there

When I try to access an https page with Internet Explorer and I'm
currently not authorized, I get the invalid header error.
The request in the squid access.log shows that the request is being
sent in the http protocol and not https...


Then when I try again to connect to the page, I am authorized and it works.
Firefox works fine without this error.

Squid version is a daily snapshot of the 2.5 version 10.

IE-Version is 5.5 or 6 SP1

I'm very happy for any ideas.

Thanks Dominik


Re: [squid-users] problem with follow_xff patch

2005-09-29 Thread R.J. Baart
Problem solved; no easy job. Henrik Nordstrom's assumption was correct:
bootstrap.sh should have been run. But my debian system did not have the
correct autoconf and automake versions. After installing the correct (but old)
autoconf and automake versions I managed to compile a working debian
package.

For those who are interested: mail me for a patched squid version 
2.5.STABLE10 suitable for debian sarge.

Met vriendelijke groet/Regards

Prompt
R.J. Baart
Kerkstraat 173
5261CW Vught
tel: +31 73 6567041
mailto:[EMAIL PROTECTED]




RE: [squid-users] Problems using Squid as an accelerator with htt ps

2005-09-29 Thread Hirsch, Ben
Thanks for the reply. Is this the patch I need:
http://devel.squid-cache.org/cgi-bin/diff2/ssl-2_5?s2_5 ?
I can not seem to find the configuration directive(s) I should be using. The
ones pertaining to CA's seem to apply to Squid's ability to verify the
client certificate.


Thanks,
Ben

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 10:59 PM
To: Hirsch, Ben
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Problems using Squid as an accelerator with
https




On Wed, 28 Sep 2005, Hirsch, Ben wrote:

> I have a valid certificate issued by Network Solutions that worked fine
> with Apache 2.0.54. Under Squid 2.5.STABLE10, both MSIE and FireFox report
> that the certificate was issued by an unknown/untrusted CA.

Probably the certificate requires a certificate chain. Certificate chains
are not supported by Squid-2.5 but are available in Squid-3 or the SSL
Update patch for 2.5 available from devel.squid-cache.org.

Regards
Henrik


Re: [squid-users] error in the test with wbinfo but authentication working with squid

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005 [EMAIL PROTECTED] wrote:


> bash-2.05# wbinfo -a domain\\bj%
> plaintext password authentication failed
> error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
> error messsage was: Trusted domain failure
> Could not authenticate user domain\\bj% with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
> error messsage was: Trusted domain failure
> Could not authenticate user domain\\bj with challenge/response
>
> still working with squid and ntlm auth

Odd indeed.

> More info for me ?


Not my field. This is a Samba question, not a Squid question (nothing of 
Squid involved in the above).


Is your Samba version up to date?

Regards
Henrik


Re: [squid-users] error in the test with wbinfo but authentication working with squid

2005-09-29 Thread Arno . STREULI

and having that:

bash-2.05# wbinfo -a domain\\bj%
plaintext password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
error messsage was: Trusted domain failure
Could not authenticate user domain\\bj% with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
error messsage was: Trusted domain failure
Could not authenticate user domain\\bj with challenge/response

still working with squid and ntlm auth
More info for me?
Here is the config of smb.conf (sorry, I can't ask the samba mailing list,
I was never able to subscribe to it !?!?)

[global]
workgroup = D-CI3
server string = penelope proxy %v
security = DOMAIN
password server = 10.17.12.56 10.17.12.57
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
name resolve order = wins host
wins server = 10.17.12.9, 10.17.17.8
idmap uid = 1-2
idmap gid = 1-2

Arno Streuli




  
Henrik Nordstrom <[EMAIL PROTECTED]>
29.09.2005 13:50
To: [EMAIL PROTECTED]
cc: squid-users@squid-cache.org
Subject: Re: [squid-users] error in the test with wbinfo but authentication working with squid



On Thu, 29 Sep 2005 [EMAIL PROTECTED] wrote:

> bash-2.05# wbinfo -a domain\\bj%
> plaintext password authentication failed
> error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
> error messsage was: Trusted domain failure
> Could not authenticate user domain\\bj% with plaintext password
>
> but if I use squid and ntlm_auth every thing is working fine !??!
> Any one can explain ?

Maybe the security policy of the domain does not allow plain text
authentication? But I would expect another error code if this was the
case..

Regards
Henrik






**
DISCLAIMER - E-MAIL
---
The information contained in this E-Mail is intended for the named
recipient(s). It may  contain certain  privileged and confidential
information, or  information  which  is  otherwise  protected from
disclosure. If  you  are  not the intended recipient, you must not
copy,distribute or take any action in reliance on this information
**


Re: [squid-users] problem with follow_xff patch

2005-09-29 Thread Henrik Nordstrom



On Thu, 29 Sep 2005, Ruud Baart wrote:


> I know, but where did it go wrong, where to look for. That is the problem.
>
> As far as I can see the configure.in file is correct:


Is your configure file correct?

If not you need to run the bootstrap.sh script to have configure etc 
rebuilt from their sources (configure.in is the source of configure).


Regards
Henrik


Re: [squid-users] Basic load balancing with squid

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005, Roberto Barbieri wrote:


> I need to setup a squid proxy which should balance outgoing traffic
> between two different internet connections.


This is best done by configuring the OS to route-balance the two links
combined with policy routing to keep traffic bound to their selected link.
The proxy will automatically benefit from the link balancing done by the
OS.


I.e.

1. Configure policy routing so that traffic with a source IP of the
respective ISP goes out to that ISP no matter what. Most ADSL ISPs have
filtering not allowing traffic with the "wrong" source IP on their link.
If your ISPs do not have such filters then this step can be skipped, but
I would recommend it in any case.


2. Configure the main default route to load balance between the two
providers.



You can also play games with tcp_outgoing_address in squid.conf as an
alternative to 2.


Regards
Henrik


Re: [squid-users] problem with follow_xff patch

2005-09-29 Thread Ruud Baart
I know, but where did it go wrong, where to look for. That is the problem.

As far as I can see the configure.in file is correct:

follow_xff=1
AC_ARG_ENABLE(follow-x-forwarded-for,
[  --enable-follow-x-forwarded-for
                          Enable support for following the X-Forwarded-For
                          HTTP header to try to find the IP address of the
                          original or indirect client when a request has
                          been forwarded through other proxies.],
[ if test "$enableval" = "yes" ; then
    echo "follow X-Forwarded-For enabled"
    follow_xff=1
  fi
])
if test $follow_xff = 1; then
  AC_DEFINE(FOLLOW_X_FORWARDED_FOR, 1, [Enable following X-Forwarded-For headers])
else
  AC_DEFINE(FOLLOW_X_FORWARDED_FOR, 0)
fi


> * On 29/09/05 13:00 +0200, Ruud Baart wrote:
> > I've made a new 2.5.STABLE10 squid and squid debian package. I took the
> > debian unstable package as starting point and included the follow_xff
> > patch (see: http://squid.sourceforge.net/projects.html#follow_xff).
> > After lots of efforts I managed to build a new package. Furthermore I used
> > a logging patch for xforward (see
> > http://dansguardian.org/downloads/squidxforwardloggingpatch.txt)
> >
> > All seems to go well:
> > squid -v
> > Squid Cache: Version 2.5.STABLE10
> > configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests --enable-underscores --enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm --enable-carp --with-large-files --enable-follow-x-forwarded-for i386-debian-linux
> >
> > During the build there are no errors and this message is in the log:
> > follow X-Forwarded-For enabled
> > So I assume the --enable-follow-x-forwarded-for is working.
> >
> > After installing the new squid when I try to configure it in squid.conf:
> > follow_x_forwarded_for allow localhost
> > I got an error message:
> > ParseConfigFile: line 1911 unrecognized: 'follow_x_forwarded_for allow localhost'
> >
> > What went wrong? Any ideas?
> 
> 
> It means it did not successfully compile in those options.
> 
> -Wash
> 
> http://www.netmeister.org/news/learn2quote.html
> 
> --
> +==+
> |\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
> Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
>|,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
>   '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
> +==+
> The years of peak mental activity are undoubtedly between the ages of
> four and eighteen.  At four we know all the questions, at eighteen all
> the answers.
> 


Met vriendelijke groet/Regards,
Ruud Baart

Prompt, Kerkstraat 173
5261 CW Vught, Netherlands
Tel: +31 73 6567041
http://www.prompt.nl



[squid-users] Basic load balancing with squid

2005-09-29 Thread Roberto Barbieri



Hi guys,

I need to setup a squid proxy which should balance outgoing traffic
between two different internet connections.

The clients will access the proxy from their private (LAN) IP, then
the proxy should do some basic load balancing on outgoing traffic through two
public (two ADSL from different providers) IPs.

Is there some specific squid module which can do this?
Any advice/hints are very welcome!

Thank you all

Roberto


Re: [squid-users] Squid, NTLM and Java (Authentication)

2005-09-29 Thread Mark Elsen
> Hello
>
> We have a squid proxy (Squid Cache: Version 2.5.STABLE9) on a
> Linux server (Linux hostname_of_server 2.4.19 #1 Fri Oct 4 18:36:11 EDT
> 2002 sparc64 GNU/Linux) which uses NTLM and Basic authentication
> (in this order) for access control.
> Web browsing w/ IE or Mozilla runs without any problem.
> Unfortunately a few of our customers try to use java applets or
> java applications which try to connect to the internet too.
> The users are prompted for username, password and domain. This
> means that the NTLM scheme is used.
> This window appears again and again. The logfile of squid reports
> only 407 errors, but the credentials are correct.
> To find out what's wrong I sniffed the network connection.
> The only thing which looked strange to me was that the Java
> application doesn't send "Proxy-Connection: Keep-Alive". Other
> applications/browsers send this header information.
>
> Any ideas how to convince java to send this header or to
> reconfigure squid to be able to auth java applications.
>

 This has been discussed in the past. Basically if the JVM in the browser
does not support inheriting of browser credentials, you run into this issue.
There is nothing you can do about this.
Perhaps as a workaround, configure the http access rules in such
a manner that the java application can run unauthenticated w.r.t.
the proxy.

M.


Re: [squid-users] Squid, NTLM and Java (Authentication)

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005, Jörg Schütter wrote:


> Any ideas how to convince java to send this header or to
> reconfigure squid to be able to auth java applications.


2.5.STABLE11 should avoid this problem by not advertising the NTLM support 
if the client does not support persistent connections.


Regards
Henrik

Re: [squid-users] error in the test with wbinfo but authentication working with squid

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005 [EMAIL PROTECTED] wrote:


> bash-2.05# wbinfo -a domain\\bj%
> plaintext password authentication failed
> error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
> error messsage was: Trusted domain failure
> Could not authenticate user domain\\bj% with plaintext password
>
> but if I use squid and ntlm_auth every thing is working fine !??!
> Any one can explain ?


Maybe the security policy of the domain does not allow plain text 
authentication? But I would expect another error code if this was the 
case..


Regards
Henrik


Re: [squid-users] problem with follow_xff patch

2005-09-29 Thread Odhiambo Washington
* On 29/09/05 13:00 +0200, Ruud Baart wrote:
> I've made a new 2.5.STABLE10 squid and squid debian package. I took the
> debian unstable package as starting point and included the follow_xff
> patch (see: http://squid.sourceforge.net/projects.html#follow_xff).
> After lots of efforts I managed to build a new package. Furthermore I used
> a logging patch for xforward (see
> http://dansguardian.org/downloads/squidxforwardloggingpatch.txt)
>
> All seems to go well:
> squid -v
> Squid Cache: Version 2.5.STABLE10
> configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests --enable-underscores --enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm --enable-carp --with-large-files --enable-follow-x-forwarded-for i386-debian-linux
>
> During the build there are no errors and this message is in the log:
> follow X-Forwarded-For enabled
> So I assume the --enable-follow-x-forwarded-for is working.
>
> After installing the new squid when I try to configure it in squid.conf:
> follow_x_forwarded_for allow localhost
> I got an error message:
> ParseConfigFile: line 1911 unrecognized: 'follow_x_forwarded_for allow localhost'
>
> What went wrong? Any ideas?


It means it did not successfully compile in those options.

-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
The years of peak mental activity are undoubtedly between the ages of
four and eighteen.  At four we know all the questions, at eighteen all
the answers.


[squid-users] problem with follow_xff patch

2005-09-29 Thread Ruud Baart
I've made a new 2.5.STABLE10 squid and squid debian package. I took the
debian unstable package as starting point and included the follow_xff
patch (see: http://squid.sourceforge.net/projects.html#follow_xff).
After lots of efforts I managed to build a new package. Furthermore I used
a logging patch for xforward (see
http://dansguardian.org/downloads/squidxforwardloggingpatch.txt)

All seems to go well:
squid -v
Squid Cache: Version 2.5.STABLE10
configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests --enable-underscores --enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm --enable-carp --with-large-files --enable-follow-x-forwarded-for i386-debian-linux

During the build there are no errors and this message is in the log:
follow X-Forwarded-For enabled
So I assume the --enable-follow-x-forwarded-for is working.

After installing the new squid when I try to configure it in squid.conf:
follow_x_forwarded_for allow localhost
I got an error message:
ParseConfigFile: line 1911 unrecognized: 'follow_x_forwarded_for allow localhost'

What went wrong? Any ideas?

Met vriendelijke groet/Regards, 
Ruud Baart 

Prompt, Kerkstraat 173 
5261 CW Vught, Netherlands 
Tel: +31 73 6567041 
http://www.prompt.nl 



RE: [squid-users] Squid "stalling" downloads

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005, Steven Sporen wrote:


> Where can I find this patch?


http://www.squid-cache.org/Versions/v2/2.5/bugs/

Regards
Henrik


RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-29 Thread Henrik Nordstrom

On Thu, 29 Sep 2005, Dave Raven wrote:


> How does this login=*:secret option work? I have set up two caches
> and put the authentication on the bottom unit, setting a cache peer with
> login=*:secret (instead of PASS) and it doesn't work? Well, it all works, but
> with no username in the log file at the top...


The top proxy needs to have authentication configured in such manner that 
it accepts basic HTTP authentication with the password you have specified 
in the login= option in the child proxy.


Regards
Henrik
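What Henrik describes above for the top proxy, as an added example that is not from the thread or the Squid project: a basic-auth helper for the parent that accepts any username whose password equals the shared secret the child sends through `cache_peer ... login=*:secret`. The parent then sees the real username (it lands in its access.log) without ever handling the user's own password. The helper protocol it speaks is the Squid 2.5 basic one (a `username password` line in, `OK` or `ERR` out); the hostnames, file paths, network and the squid.conf glue in the docstring are assumptions for the example.

```python
"""Basic-auth helper for the parent (top) proxy in a login=*:secret chain.

Added example, not from the original thread or the Squid project.
Assumed squid.conf glue (all names are placeholders):
  child:  cache_peer parent.example.net parent 3128 3130 login=*:secret
  parent: auth_param basic program /usr/local/bin/peer_secret_auth.py /etc/squid/peer_secret
          acl child_proxies src 192.0.2.0/24
          acl peer_user proxy_auth REQUIRED
          http_access allow child_proxies peer_user
The secret file holds the same string the child puts after "login=*:".
"""
import hmac
import sys

# Squid 2.5 basic helpers read "username password" per line on stdin and
# answer "OK" or "ERR" per line on stdout (one reply per request, in order).


def check_credentials(line, secret):
    """Return "OK" when the password field equals the shared secret.

    The username is taken as-is from the first field (that is what Squid
    logs); only the password is verified here, so the parent must also
    restrict who may present the secret (the child_proxies src acl)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    if not user:
        return "ERR"
    # Constant-time compare: the helper answers many requests, so do not
    # leak the secret's length or prefix through timing differences.
    if hmac.compare_digest(password.encode(), secret.encode()):
        return "OK"
    return "ERR"


def answer_lines(lines, secret):
    """Answers for a sequence of helper request lines, in order."""
    return [check_credentials(line, secret) for line in lines]


def serve(secret, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: flush after every reply, because Squid waits for
    each answer before it sends the next request to the same helper."""
    for line in stdin:
        stdout.write(check_credentials(line, secret) + "\n")
        stdout.flush()


def load_secret(path):
    """Read the shared secret from a root-only file rather than argv,
    so it does not show up in process listings."""
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: peer_secret_auth.py /path/to/secret-file")
    serve(load_secret(sys.argv[1]))
```

Two caveats that follow from Henrik's description: the secret travels in a base64 Proxy-Authorization header between the caches, so the child-to-parent link must be one you already trust (or the secret is readable by anyone on the path), and because any username is accepted with that one password, the `http_access` line must pair the auth check with a `src` acl naming the child proxies, otherwise any client that can reach the parent and knows the secret could claim an arbitrary username in its logs. Squid 3.x helpers receive URL-encoded fields; under 2.5, which this thread is about, the plain split above is enough as long as usernames contain no spaces.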


[squid-users] Squid, NTLM and Java (Authentication)

2005-09-29 Thread Jörg Schütter
Hello

We have a squid proxy (Squid Cache: Version 2.5.STABLE9) on a
Linux server (Linux hostname_of_server 2.4.19 #1 Fri Oct 4 18:36:11 EDT
2002 sparc64 GNU/Linux) which uses NTLM and Basic authentication
(in this order) for access control.
Web browsing w/ IE or Mozilla runs without any problem.
Unfortunately a few of our customers try to use java applets or
java applications which try to connect to the internet too.
The users are prompted for username, password and domain. This
means that the NTLM scheme is used.
This window appears again and again. The logfile of squid reports
only 407 errors, but the credentials are correct.
To find out what's wrong I sniffed the network connection.
The only thing which looked strange to me was that the Java
application doesn't send "Proxy-Connection: Keep-Alive". Other
applications/browsers send this header information.

Any ideas how to convince java to send this header or to
reconfigure squid to be able to auth java applications.

-- cat squid.conf --
http_port 1.2.3.4:3128
icp_port 0
hierarchy_stoplist cgi-bin ?
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
cache_store_log none
hosts_file /etc/hosts
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-1-11-11-1-1-1
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-1-11-11-1-1-1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
request_body_max_size 10 MB
refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440   0%   1440
refresh_pattern .            0  20%   4320
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443  # https, snews
acl Safe_ports port 80 8080 443 21  # http
acl purge method PURGE
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0
acl self dst 1.2.3.4/255.255.255.255
acl deny_dst dst "/etc/squid/squid_acl.deny_dst"
acl deny_dstdomain dstdomain "/etc/squid/squid_acl.deny_dstdomain"
acl deny_url_regex url_regex -i "/etc/squid/squid_acl.deny_url_regex"
acl allow_dst dst "/etc/squid/squid_acl.allow_dst"
acl allow_dstdomain dstdomain "/etc/squid/squid_acl.allow_dstdomain"
acl allow_dstdomain_kiosk dstdomain "/etc/squid/squid_acl.allow_dstdomain_kiosk"
acl allow_dstdom_regex dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex"
acl allow_dstdom_regex_kiosk dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex_kiosk"
acl allow_dst_url_regex url_regex -i "/etc/squid/squid_acl.allow_dst_url_regex"
acl allow_src src "/etc/squid/squid_acl.allow_src"
acl kiosk src 
...
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all allow_dst
http_access allow all allow_dstdomain
http_access allow all allow_dstdom_regex
http_access allow all allow_dst_url_regex
http_access allow localhost
http_access allow allow_src
http_access allow hsyvm01 ftp_nai
http_access allow allow_src_elster allow_dst_elster_url_regex
http_access allow wlse access-cisco
http_access deny all deny_url_regex
http_access deny all deny_dst
http_access deny all deny_dstdomain
http_access deny kiosk
http_access allow our_networks AuthorizedUsers Safe_ports
http_access allow our_networks AuthorizedUsers CONNECT SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr [EMAIL PROTECTED]
forwarded_for off
client_db off
offline_mode on
coredump_dir /var/spool/squid
pipeline_prefetch on
--- end of cat ---


regards
  Jörg Schütter
-- 
Global IT-Security & Mobility

Heraeus infosystems GmbH
Heraeusstr. 12-14
D-63450 Hanau

Phone:   +49 (0) 61 81 / 35 - 53 76
Fax: +49 (0) 61 81 / 35 16 - 53 76
E-Mail:  [EMAIL PROTECTED]


[squid-users] error in the test with wbinfo but authentication working with squid

2005-09-29 Thread Arno . STREULI
Hi,
I have some strange stuff in my config:
when I do some tests with wbinfo on one of my proxies all tests are ok (list of
trusted domains, list of users, groups and check of the rpc key). But when I
try to test a user it doesn't work:

bash-2.05# wbinfo -a domain\\bj%
plaintext password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc18c)
error messsage was: Trusted domain failure
Could not authenticate user domain\\bj% with plaintext password

but if I use squid and ntlm_auth everything is working fine !??!
Can anyone explain?
thanks

regards,


Arno Streuli


PS: I'm using solaris 8 and squid 2.5S9, and samba 3.0.14a





RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-29 Thread Dave Raven
Hello,
How does this login=*:secret option work? I have set up two caches
and put the authentication on the bottom unit, setting a cache peer with
login=*:secret (instead of PASS) and it doesn't work? Well, it all works, but
with no username in the log file at the top...

Any advice?

Thanks
Dave 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2005 12:57 AM
To: Cole
Cc: 'Henrik Nordstrom'; 'Squid Users'
Subject: RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe
3.x

On Wed, 28 Sep 2005, Cole wrote:

> I understand SPNEGO to be the Kerberos Authentication Method that is 
> being built into the latest browsers? Like firefox and IE 5.5+?

Firefox has experimental SPNEGO support available. By default disabled from
what I have been told, but once enabled happily uses SPNEGO both to web
servers and proxies.

IE has support for SPNEGO to web servers only, not proxies. Why Microsoft
has not added SPNEGO support to proxy connections is a mystery that only
Microsoft can answer.

> The main problem stopping us from using ntlm is that we have multiple 
> levels of cache. The top level cache is responsible for user auth and 
> acls. According to your previous posts, this cannot be done with ntlm.

And it cannot be done with Negotiate either. Both share the same design
flaws causing breakage when run over HTTP compliant proxies.

In setups requiring NTLM or Negotiate authentication you need to run the
authentication on the leaf caches closest to the client. With a little
tinkering you can then have the login (but not password) forwarded in the
proxy chain by using the login=*:secret cache_peer option if needed, but this
is an extra bonus. The simpler path is to allow requests from trusted child
caches without requiring authentication again.

> Thats why I was trying to use a Samba-3.x, but I used the wrong helper 
> obviously. Is there a specific Samba-3.x that I would have to use 
> here, that has SPNEGO built into it? Or are all the Samba-3.x SPNEGO
enabled?

The exact Samba versions needed to use SPNEGO over HTTP are still a bit
uncertain. From what it looks like Samba 4 may be required at this time, but
maybe it works in current Samba-3.3.X as well.

Regards
Henrik



RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-29 Thread Dave Raven
Hello,
How does this login=*:secret option work? I have set up two caches
and put the authentication on the bottom unit, setting a cache peer with
login=*:secret (intead of PASS) and it doesn't work? Well, it all works, but
with no username in the log file at the top...

Any advice?

Thanks
Dave 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2005 12:57 AM
To: Cole
Cc: 'Henrik Nordstrom'; 'Squid Users'
Subject: RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe
3.x

On Wed, 28 Sep 2005, Cole wrote:

> I understand SPNEGO to be the Kerberos Authentication Method that is 
> being built into the latest browsers? Like firefox and IE 5.5+?




Re: [squid-users] HTCP question

2005-09-29 Thread Matteo Villari

Henrik Nordstrom wrote:

> On Wed, 28 Sep 2005, Matteo Villari wrote:
>
>> Hi all! I'm afraid that my question is a little bit off topic.
>> I've read in Duane Wessels "Squid: The definitive guide" that the
>> only HTCP opcode, supported by Squid, is TST. I'd like to know if
>> things have changed since January 2004, when the book was published.
>
> No changes in this area that I am aware of.
>
> Regards
> Henrik

Thank you.


[squid-users] [SOLVED] Re: [squid-users] Detailed Logs

2005-09-29 Thread John Halfpenny

Ah yes I didn't see that one. :-)

Seems to have done the trick nicely, thanks very much for replying!

John

--- On Wed 09/28, Robert Borkowski < [EMAIL PROTECTED] > wrote:

From: Robert Borkowski [mailto: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Date: Wed, 28 Sep 2005 12:08:05 -0400
Subject: Re: [squid-users] Detailed Logs

John Halfpenny wrote:
> Hi All.
>
> I've installed a squid server which ties in nicely with Winbind, we have
> set the logging to be httpd emulated but have found it to be considerably
> less detailed than the old ISA server we had in place.
>
> For example, a user search on google images doesn't log as much info as
> we would like (the search query for one thing!). Is there a way I can
> turn up the logging detail to allow me to see this kind of information?
>
> TIA
>
> John

Here's a config option to try:

NAME: strip_query_terms
TYPE: onoff
DEFAULT: on

By default, Squid strips query terms from requested URLs before
logging.  This protects your user's privacy.

-- 
Robert Borkowski





Re: [squid-users] MSN Time

2005-09-29 Thread Brent Clark

Martin Kobele wrote:

> acl msntime time M T W H F A 11:59-12:59
> acl msntime time M T W H F A 16:59-18:59
> acl msnp rep_mime_type ^application/x-msn-messenger$
> acl msnq req_mime_type ^application/x-msn-messenger$
>
> http_reply_access allow msnp msntime
> http_reply_access allow msnq msntime
> http_reply_access deny msnq
> http_reply_access deny msnp

AHH, I can't believe I didn't think of this. (YES I'm stupid)

Thanks Martin.

Regards
Brent Clark



Re: [squid-users] Pls Remove my ID

2005-09-29 Thread lst_hoe01

Quoting Mukunthan D <[EMAIL PROTECTED]>:

> Pls Remove my ID

In every mail header from this list:

List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 


Regards

Andreas