[squid-users] Logo shading
I really like the squid logo, but it looks dreadful on white. I'm sure this has been done before, but I decided to add a little shading myself:

http://proxy.gubkin.ru/myports/squid-shade.png
http://proxy.gubkin.ru/myports/squid-shade.xcf
http://proxy.gubkin.ru/myports/squid-shade-small.png

I understand that the big png version weighs 3 times more than the original gif, but to me it looks much better - and on any background, not just black or white. Taking into account that the squid-cache.org home page is probably cached for the bulk of its viewers, the extra 20K does not seem to be an issue.

Mirror:
http://proxy.campus.gubkin.ru/pics/squid-shade.png
http://proxy.campus.gubkin.ru/pics/squid-shade.xcf
http://proxy.campus.gubkin.ru/pics/squid-shade-small.png
[squid-users] ACL Problem
I'm using Squid NT 2.5 stable 6. I configured the acl:

acl blocklist url_regex -i c:\squid\etc\blocked1.txt
http_access deny blocklist

In blocked1.txt I am just supposed to block yahoo.com. I wrote yahoo, and yahoo.com. and www.yahoo.com, but it doesn't block it in any of the ways I've used. Can anybody tell me how to block a site???

--
Thanks
Best Regards
a.$.im
[squid-users] Doku and question: Squid + squid_ldap_auth + Tru64
== Some hints for installing squid_ldap_auth (squid 2.5 Stable 12) on Tru64 5.1A ==

(1) Install OpenLDAP

IAEOLDAP590installed OpenLDAP 2.0.23 (Directory Services)

(2) Squid: make configure

cd /usr/local/squid-2.5.STABLE12
./configure --enable-auth=ntlm,basic \
  --enable-external-acl-helpers=winbind_group,ldap_group \
  --enable-basic-auth-helpers=winbind,LDAP \
  --enable-ntlm-auth-helpers=winbind \
  --prefix=/usr/local/squid

(3) Find out the location of the file ldap.h
On my machine: directory /usr/internet/openldap/include
Copy all files of this directory to /usr/local/squid-2.5.STABLE12/helpers/external_acl/ldap_group

Edit /usr/local/squid-2.5.STABLE12/helpers/external_acl/ldap_group/Makefile:
LIBS = -L/usr/internet/openldap/lib -lldap -llber

Find out the location of the file libldap.so
On my machine: directory /usr/internet/openldap/lib
Copy all files *.so of this directory to /usr/lib

(4) Squid:

make all
make install

Now squid_ldap_auth is running well.

It would be nice if someone can give me some hints how I can test squid_ldap_auth interactively without squid. I tried:

/usr/local/squid/libexec/squid_ldap_auth \
  -b o=LOCATION \
  -h ip \
  -D cn=adminuseer,cn=Users,dc=emea,dc=zf-world,dc=com \
  -w password of adminuser \
  -b dc=emea,dc=zf-world,dc=com -f sAMAccountName=%s

and entered usernameblankpassword

miller secret

In all cases this leads to

squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
ERR Success

Question 1: Something wrong with the syntax above?
Question 2: Is it ok to enter usernameblankpassword ?

Werner Rost
Re: [squid-users] Need some advice on configuration
On Thu, Jan 26, 2006 at 02:03:44PM -0800, Jeremy Utley wrote:
> Greetings to the list! I'm very new to Squid configuration, and have been trying to research how to do this, but have ended up running in circles, so I'm coming to the list with this - hopefully someone out there has done something similar before, and can point me into the right direction, or perhaps

We have a very similar setup to what you describe. Squid acting as a reverse proxy or http accelerator. We use regular dns on the squid servers but setup an /etc/hosts file to direct squid to the backend origin web servers for each vhost. We also use a software load balancer as we have multiple backend servers that each vhost can be served from. (http://www.inlab.de/balance) You could also use a redirector.

Using name based vhosts is fine as long as you set:

httpd_accel_uses_host_header on

To prevent proxying for sites other than your own you use a dst acl, ie:

acl ourips dst 127.0.0.0/8
http_access deny !ourips
http_access allow ourips

where ourips lists the ips of your backend servers or where your balance/redirector is.

Squid 3 has an extra feature of directing requests to your origin servers using the cache_peer origin directive but this is not advisable to put into production yet.

There's no need for balance or a redirector if you only have one web server per vhost. Squid is very flexible as a reverse proxy. The only issue you may have is using wildcard domains, as you cannot do this in /etc/hosts.

--
Michael
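A Squid 2.5 accelerator configuration that puts the settings from the reply above together, as an added example that is not part of the original message. The host names and the 192.0.2.x back-end addresses are placeholders, and the dstdomain check is an addition to the dst rule the reply describes.

```conf
# Added example (not from the thread) for Squid 2.5 accelerator mode.
# Host names and addresses are placeholders; 192.0.2.0/24 is documentation space.

http_port 80

# Take the origin host from the request instead of one fixed back end.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off

# Accelerator only: do not act as a forward proxy as well.
httpd_accel_with_proxy off

# Needed for name-based virtual hosts.
httpd_accel_uses_host_header on

# /etc/hosts on the Squid machine maps each vhost to its back end, e.g.
#   192.0.2.10  www.example.com
#   192.0.2.11  shop.example.com

acl all src 0.0.0.0/0.0.0.0
acl ourips dst 192.0.2.10/32 192.0.2.11/32
acl oursites dstdomain www.example.com shop.example.com

# With httpd_accel_uses_host_header on, the Host header selects the
# destination, so an accelerator without ACLs will fetch whatever site a
# client names. Allow only requests whose host name is one of ours AND
# whose resolved address is one of our back ends; refuse everything else.
http_access allow oursites ourips
http_access deny all
```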
Re: [squid-users] ACL Problem
On Friday 27 January 2006 12:07, asim hafeez wrote:
> I'm using Squid NT 2.5 stable 6. I configured the acl:
>
> acl blocklist url_regex -i c:\squid\etc\blocked1.txt
> http_access deny blocklist
>
> In blocked1.txt I am just supposed to block yahoo.com. I wrote yahoo, and yahoo.com. and www.yahoo.com, but it doesn't block it in any of the ways I've used.

These are not really proper regular expressions.

> Can anybody tell me how to block a site???

See if you are better off with dst or dstdomain type ACLs. Regular expressions can be useful but you should know how to write them properly. (Just like some people still seem to believe that a regular expression of sex will block all the porn sites. sigh)

Kindly
Christoph

--
Never trust a system administrator who wears a tie and suit.
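The dstdomain approach suggested in the reply above, next to a url_regex list that is loaded from a file, as an added squid.conf example that is not part of the original thread. The ACL names, the client range and the forward-slash form of the path are assumptions.

```conf
# Added example (not from the thread). ACL names and the 192.168.0.0/16
# client range are assumptions; adjust them to the local network.

acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.0.0

# dstdomain compares only the host name of the request. The leading dot
# matches yahoo.com itself and every sub-domain (www.yahoo.com and so on).
acl blocked_sites dstdomain .yahoo.com

# url_regex runs each pattern against the whole URL. Squid reads the value
# as a file of patterns only when it is enclosed in double quotes; without
# the quotes the path string itself becomes the one and only pattern.
acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"

# Contents of blocked1.txt: one regular expression per line, dots escaped.
#   ^http://([^/:]+\.)?yahoo\.com([:/]|$)
# A bare "yahoo" is also a valid pattern, but it hits every URL that
# contains that string anywhere, including unrelated hosts and queries.

# http_access rules are checked top to bottom and the first match wins,
# so the deny lines have to come before the allow that covers the clients.
http_access deny blocked_sites
http_access deny blocklist
http_access allow localnet
http_access deny all
```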
[squid-users] Squid proxy and outlook express
I am using Fedora Linux Server and using Squid proxy for internet on my network. However, I am unable to configure any mail client (Outlook Express etc.) in network clients. Can somebody help me?

--
Salihou B. Boukari
P.O.Box AD 1088 Adisadel Cape Coast Ghana (West Africa)
Tel:+233 244816987
Re: [squid-users] Squid proxy and outlook express
On 27.01 13:57, Salihou B. Boukari wrote:
> I am using Fedora Linux Server and using Squid proxy for internet on my network. However, I am unable to configure any mail client (Outlook Express etc.) in network clients. Can somebody help me?

Squid is an HTTP proxy, you can not cache mail in it. Only webmails, but they are often set up not to be cached.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Where do you want to go to die? [Microsoft]
Re: [squid-users] Squid proxy and outlook express
Hello Matus.

Thanks for your reply. But I have a concern. Don't you think there should be a way to bypass the proxy for Outlook Express to be able to send and receive email through the same internet connection? All the Windows clients can actually browse on the net through the proxy. But those that use Outlook Express can not get connected.

Hope to read soon. Thanks

On 1/27/06, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote:
> On 27.01 13:57, Salihou B. Boukari wrote:
> > I am using Fedora Linux Server and using Squid proxy for internet on my network. However, I am unable to configure any mail client (Outlook Express etc.) in network clients. Can somebody help me?
>
> Squid is an HTTP proxy, you can not cache mail in it. Only webmails, but they are often set up not to be cached.
>
> --
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Where do you want to go to die? [Microsoft]

--
Salihou B. Boukari
P.O.Box AD 1088 Adisadel Cape Coast Ghana (West Africa)
Tel:+233 244816987
Re: [squid-users] Squid proxy and outlook express
On Fri, Jan 27, 2006 at 03:34:40PM +, Salihou B. Boukari wrote:
> Thanks for your reply. But I have a concern. Don't you think there should be a way to bypass the proxy for Outlook Express to be able to send and receive email through the same internet connection? All the Windows clients can actually browse on the net through the proxy. But those that use Outlook Express can not get connected.

You have misunderstood what squid can do for you. It is not responsible for proxying mail traffic whether that be smtp/pop/imap or anything else. Your outlook clients should have the hostname/ip address of the mail servers they wish to use, not the ip of the squid server, and it is the responsibility of your internet gateway/router to get packets out to them and back.

squid is not a general purpose proxy/router/gateway/firewall like microsoft isa server or similar.

--
Michael
Re: [squid-users] Squid with SquidGuard
Actually No. (groan...)

2006/01/26 22:00:56| helperOpenServers: Starting 5 'squidGuard' processes
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
2006/01/26 22:00:56| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.

(From cache.log after reboot with /usr/sbin/squid in rc.local)

Sigh...

- Try the online test again :

root # /usr/sbin/squid

OK ?

M.
Re: [squid-users] Doku and question: Squid + squid_ldap_auth + Tru64
Response 1: You have two -b options. Keep only this one:

-b dc=emea,dc=zf-world,dc=com

Does your ldap server accept simple connections? Check the password and your bind dn.

Response 2: Yes

[EMAIL PROTECTED] wrote:
> == Some hints for installing squid_ldap_auth (squid 2.5 Stable 12) on Tru64 5.1A ==
>
> (1) Install OpenLDAP
>
> IAEOLDAP590installed OpenLDAP 2.0.23 (Directory Services)
>
> (2) Squid: make configure
>
> cd /usr/local/squid-2.5.STABLE12
> ./configure --enable-auth=ntlm,basic \
>   --enable-external-acl-helpers=winbind_group,ldap_group \
>   --enable-basic-auth-helpers=winbind,LDAP \
>   --enable-ntlm-auth-helpers=winbind \
>   --prefix=/usr/local/squid
>
> (3) Find out the location of the file ldap.h
> On my machine: directory /usr/internet/openldap/include
> Copy all files of this directory to /usr/local/squid-2.5.STABLE12/helpers/external_acl/ldap_group
>
> Edit /usr/local/squid-2.5.STABLE12/helpers/external_acl/ldap_group/Makefile:
> LIBS = -L/usr/internet/openldap/lib -lldap -llber
>
> Find out the location of the file libldap.so
> On my machine: directory /usr/internet/openldap/lib
> Copy all files *.so of this directory to /usr/lib
>
> (4) Squid:
>
> make all
> make install
>
> Now squid_ldap_auth is running well.
>
> It would be nice if someone can give me some hints how I can test squid_ldap_auth interactively without squid. I tried:
>
> /usr/local/squid/libexec/squid_ldap_auth \
>   -b o=LOCATION \
>   -h ip \
>   -D cn=adminuseer,cn=Users,dc=emea,dc=zf-world,dc=com \
>   -w password of adminuser \
>   -b dc=emea,dc=zf-world,dc=com -f sAMAccountName=%s
>
> and entered usernameblankpassword
>
> miller secret
>
> In all cases this leads to
>
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
> ERR Success
>
> Question 1: Something wrong with the syntax above?
> Question 2: Is it ok to enter usernameblankpassword ?
>
> Werner Rost
Re: [squid-users] Squid with SquidGuard
Mark Elsen wrote:
> - Try the online test again :
>
> root # /usr/sbin/squid
>
> OK ?
>
> M.

Yeah, that still works fine.

Mark
[squid-users] Best Way to use Proxy Authentication
Hi all, I'm trying to find the best solution to authenticate Samba + Squid. I successfully configured winbindd and ntlm_auth. But I need to create acl's using group authentication. Which is the best solution? openLdap appears to be very difficult. :( Thanks in advance. Fernando Lujan
Re: AW: [squid-users] Squid with SquidGuard
[EMAIL PROTECTED] wrote:
> Squid and squidguard work fine for me. There are 2 scripts:
>
> /sbin/init.d/squid (yep, OS is Tru64):
>
> case $1 in
> 'start')
>     echo Starting SQUID ...
>     nohup /sbin/init.d/squid_start
>     ;;
> snip
>
> and /sbin/init.d/squid_start:
>
> #!/bin/sh
> su - squid -c '/usr/local/squid/sbin/squid -D'
>
> and an entry in /sbin/rc3.d:
>
> lrwxrwxrwx 1 root bin 15 Aug 20 2002 S99squid -> ../init.d/squid
>
> Voila, this works. After a reboot squid and squidguard are running. Hope this helps a little bit.
>
> Werner Rost
> GMT-FIR - Netzwerk

Well, I had high hopes for this. I worked through it step-by-step, changing the relevant file locations to match my system - even putting in some echo comments to trace where I was and, Hey Presto! It worked from the command line...

Note: I had to change the /etc/rc.d/init.d/squid_start script to read

su - squid --command=`/usr/sbin/squid -D`

(with backticks) for it to work (although I think the -D switch is unnecessary because, if I read my init.d/squid script correctly, it calls /etc/sysconfig/squid which sets it as default).

So. Now I can run /sbin/service squid start and squid will start together with squidGuard.

Full of hope, I rebooted (having first removed the entry from /etc/rc.d/rc.local). No joy... still the same error.

To use the vernacular - This is doing my head in!

Thanks and best regards
Mark
[squid-users] NTLM auth helper problem
Samba 2.2.8a version
squid 2.5.stable12 version

winbind authentication is working in our NT4-style old domain (PDC is a Samba 2.2.8a too):

wbinfo -a kdg+diak%123
plaintext authentication succeeded
challenge/response authentication succeeded

squid was built as in http://www.squid-cache.org/Doc/FAQ/FAQ-23.html with

--enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind

Without NTLM auth squid is working.

wb_auth helper is working:

/usr/local/squid/libexec/wb_auth -d
kdg+diak 123
winbindd result: 1
sending OK to squid

but if I uncomment the

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0

and squid -k reconfigure

squid is freezing.

In cache.log:

helperStatefulOpenServers: starting 5 'wb_ntlmauth' process
WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
etc.

With debug level 9, the possible cause:

connect FD 7: (110) Connection timed out
comm_close: FD 7
commCallCloseHandlers: FD 7
fd_close FD 7 wb_ntlm_auth
WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'

Our old squid server (version 2.5stable3) is working perfectly. Maybe a version incompatibility? Or an iptables issue? I thought maybe iptables is blocking some ports that squid needs? But which? What can I do?

Many thanks
Marietta
Re: [squid-users] Need some advice on configuration
On 1/27/06, Michael Pye [EMAIL PROTECTED] wrote:
> We have a very similar setup to what you describe. Squid acting as a reverse proxy or http accelerator. We use regular dns on the squid servers but setup an /etc/hosts file to direct squid to the backend origin web servers for each vhost. We also use a software load balancer as we have multiple backend servers that each vhost can be served from. (http://www.inlab.de/balance) You could also use a redirector.
>
> Using name based vhosts is fine as long as you set:
>
> httpd_accel_uses_host_header on
>
> To prevent proxying for sites other than your own you use a dst acl, ie:
>
> acl ourips dst 127.0.0.0/8
> http_access deny !ourips
> http_access allow ourips
>
> where ourips lists the ips of your backend servers or where your balance/redirector is.
>
> Squid 3 has an extra feature of directing requests to your origin servers using the cache_peer origin directive but this is not advisable to put into production yet.
>
> There's no need for balance or a redirector if you only have one web server per vhost. Squid is very flexible as a reverse proxy. The only issue you may have is using wildcard domains, as you cannot do this in /etc/hosts.
>
> --
> Michael

Michael, thanks for your advice. After thinking about the problem a little more, I came to the same conclusions, with one addition - utilizing Squid's internal DNS resolver along with a private DNS server to provide the true ip's for the servers. I'm working on a proof-of-concept system right now.

Thanks again,
Jeremy
Re: [squid-users] Squid proxy and outlook express
Simplest solution:

In our setup the default gateway IP issued by the DHCP server is that of our ADSL router. All ports are blocked on the router's built-in firewall except 25 and 110 so that email is unrestricted. Nothing else gets through. To access the www, browsers are configured to use Squid as the http proxy. Outlook Express does use Internet Explorer settings, but doesn't use the proxy settings. It basically ignores those.

regards,
D.Radel.

- Original Message -
From: Salihou B. Boukari [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Saturday, January 28, 2006 4:34 AM
Subject: Re: [squid-users] Squid proxy and outlook express

Hello Matus.

Thanks for your reply. But I have a concern. Don't you think there should be a way to bypass the proxy for Outlook Express to be able to send and receive email through the same internet connection? All the Windows clients can actually browse on the net through the proxy. But those that use Outlook Express can not get connected.

Hope to read soon. Thanks

On 1/27/06, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote:
> On 27.01 13:57, Salihou B. Boukari wrote:
> > I am using Fedora Linux Server and using Squid proxy for internet on my network. However, I am unable to configure any mail client (Outlook Express etc.) in network clients. Can somebody help me?
>
> Squid is an HTTP proxy, you can not cache mail in it. Only webmails, but they are often set up not to be cached.
>
> --
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Where do you want to go to die? [Microsoft]

--
Salihou B. Boukari
P.O.Box AD 1088 Adisadel Cape Coast Ghana (West Africa)
Tel:+233 244816987
[squid-users] How to log users using ssh connection?
I am running squid Version 2.5 and have multiple users accessing squid via an ssh tunnelled connection. Each user is using a distinct ssh login account, so how can I differentiate which user is associated with each entry in the access logs? All log entries show 127.0.0.1 regardless of the user.
[squid-users] IOS 12.4(5) Squid 2.5.S12 - WCCP Weirdness Ensues
Hi there,

I have spent three days beating my head against a problem that appears to be a case of dueling Cisco bugs. I recently swapped a router out, replacing a 3640 with IOS 12.2 and installing a 3845 with 12.4(5) SP Services. We had WCCP running for eternity without problem on the 3640, but WCCP died an ignoble death on the new router.

It appears that WCCP would not work at all with ip cef enabled, but with ip cef disabled, various and sundry websites would not work - particularly websites requiring some form of authentication - Slashdot, Hotmail, different web forums, etc.

It looks like the warring bugs are akin to CSCsb89463 (Symptoms: WCCP doesn't redirect packets with ip cef enabled --- Workaround: Disable cef with the global command 'no ip cef') and CSCdz36099 (Symptoms: Web sites that require authentication become unreachable --- Workaround: Ensure that CEF switching is enabled on the router). Cute, eh?

Supposedly CSCsb89463 is fixed in 12.4(5) - but it seems pretty non-fixed to me. It seems the only way to get WCCP to work, and not fail on authenticating websites, is to force WCCP through a process switching path. I am doing this by adding a log statement to all of my redirect-list permit statements. This is obviously an undesirable solution for CPU reasons, and it has meant I have had to stop logging to a remote host.

I am wondering if anyone has been through this with similar versions of IOS, and has either a) found a better workaround or b) found a happy working good version of 12.4 IOS.

Cheers,
Graham
[squid-users] Squid not caching some addresses
I believe I know the answer to this, but want to ask the experts to make sure. In setting up and testing my new reverse-proxy cache (http accelerator), I noticed that when requesting URL's with a question mark in them: http://www.baz.com/index.php?foo=bar will not be cached. I noticed the QUERY acl in the default squid config file telling it not to cache those URL's, so I commented that out, however, even after doing so, all requests still get TCP_MISS in the access log. Is there some code that specifically excludes this type of URL even with the acl disabled? It's not really a problem one way or the other, just something I noticed as I was testing, and wanted to make sure I was seeing things right. Thanks in advance, Jeremy
Re: [squid-users] Squid not caching some addresses
> I believe I know the answer to this, but want to ask the experts to make sure. In setting up and testing my new reverse-proxy cache (http accelerator), I noticed that when requesting URL's with a question mark in them:
>
> http://www.baz.com/index.php?foo=bar
>
> will not be cached. I noticed the QUERY acl in the default squid config file telling it not to cache those URL's, so I commented that out, however, even after doing so, all requests still get TCP_MISS in the access log. Is there some code that specifically excludes this type of URL even with the acl disabled? It's not really a problem one way or the other, just something I noticed as I was testing, and wanted to make sure I was seeing things right.

- Verify those objects for possible other non-caching reasons with:

http://www.ircache.net/cgi-bin/cacheability.py

M.
Re: [squid-users] How to log users using ssh connection?
On 1/27/06, spcatch55 [EMAIL PROTECTED] wrote:
> I am running squid Version 2.5 and have multiple users accessing squid via an ssh tunnelled connection. Each user is using a distinct ssh login account, so how can I differentiate which user is associated with each entry in the access logs? All log entries show 127.0.0.1 regardless of the user.

The eighth column [of the log file] may contain the ident lookups for the requesting client. Since ident lookups have performance impact, the default configuration turns ident_lookups off. If turned off, or no ident information is available, a ``-'' will be logged.

config:

# acl ident_aware_hosts src 127.0.0.1/255.0.0.0
ident_lookup_access allow localhost

Then you need to enable an ident service for your computer. I would recommend that you only bind the ident daemon to the loopback interface.

--
/Erik
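A fuller version of the ident setup described in the reply above, as an added squid.conf example that is not part of the original message. It assumes an ident daemon is running on the Squid host and answers for loopback connections; the ACL names are assumptions.

```conf
# Added example (not from the thread). ACL names are assumptions.

acl all src 0.0.0.0/0.0.0.0
acl tunnel_clients src 127.0.0.1/255.255.255.255

# Ask identd only about connections that arrive over loopback, which is
# where the SSH port forwards terminate. All other clients skip the lookup.
ident_lookup_access allow tunnel_clients
ident_lookup_access deny all

# Do not stall requests for long when identd is not answering.
ident_timeout 5 seconds

# Matches only when the lookup returned a non-empty user name.
acl identified ident REQUIRED

# A tunnel connection without an ident answer is refused, so every request
# that is allowed through a tunnel is logged with a user name rather than "-".
http_access allow tunnel_clients identified
http_access deny all
```

Ident replies are only as trustworthy as the machine that answers them; restricting the lookup to loopback keeps the answer under the control of the Squid host itself.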
Re: [squid-users] How to log users using ssh connection?
> I am running squid Version 2.5 and have multiple users accessing squid via an ssh tunnelled connection. Each user is using a distinct ssh login account, so how can I differentiate which user is associated with each entry in the access logs? All log entries show 127.0.0.1 regardless of the user.

Browsers don't support ssh logins to SQUID. You mean login for a remote secure webserver? Note that all traffic between the browser and an ssl-based webserver is encrypted. SQUID only relays the connection using CONNECT, hence it can not log any meaningful traffic.

M.
Re: [squid-users] NTLM auth helper problem
> WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
> WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
> WARNING: Cannot run '/usr/local/squid/libexec/wb_ntlmauth'
> ...

Make sure that cache_effective_user has execute permissions for this program.

M.
Re: [squid-users] Squid not caching some addresses
On 1/27/06, Mark Elsen [EMAIL PROTECTED] wrote:
> - Verify those objects for possible other non-caching reasons with:
>
> http://www.ircache.net/cgi-bin/cacheability.py
>
> M.

Thanks for the URL, Mark! Looks like pages handled by mod_php do not provide Last-Modified headers properly, making the cache treat them as always stale. I didn't know about that site, but it's been duly bookmarked for the future!

Jeremy
Re: [squid-users] How to log users using ssh connection?
The users use a windows ssh client (like PuTTY) to log into my linux server that runs squid. Their PuTTY is forwarding their port 3128 to my squid server (so port 3128 isn't visible through the firewall). Their browser is set up with a proxy of localhost port 3128. Is that the same scenario, where everything is encrypted and squid can't log anything more meaningful than 127.0.0.1?

--- Mark Elsen [EMAIL PROTECTED] wrote:
> Browsers don't support ssh logins to SQUID. You mean login for a remote secure webserver? Note that all traffic between the browser and an ssl-based webserver is encrypted. SQUID only relays the connection using CONNECT, hence it can not log any meaningful traffic.
>
> M.