[squid-users] Squid with a Active Directory authentification and JAVA client don't authentifie
Hi, I have a big problem with my proxy server: with IE it works very well, but no Java application authenticates! It brings up a login/password box again. Does anyone have this problem? Thanks
[squid-users] Editing squid.conf
By the way, if I change/edit any of the setting at the squid.conf, for the new setting to take effect, DO I have to run any command or just restart the squid? If need command, what are the commands I have to run? Please advise. TQ.
Re: [squid-users] Editing squid.conf
> By the way, if I change/edit any of the setting at the squid.conf, for the new setting to take effect, DO I have to run any command or just restart the squid? If need command, what are the commands I have to run?

% squid -k reconfigure

M.
Re: [squid-users] Squid with a Active Directory authentification and JAVA client don't authentifie
> Hi i have a big problems with my proxy serveur : With IE, that's work very good, but all java appli don't authentifie ! he restart a box with login/password anyone have this problems ?

- The java applet may not support transferring auth. credentials to SQUID. As a workaround you may edit squid.conf, to run applets without authentication. I think this can be done based, on mime type acl or something equivalent. Don't remember exactly for the moment.

M.
Re: [squid-users] Editing squid.conf
Thank you, that means I don't have to restart the squid , rite?

--- Mark Elsen [EMAIL PROTECTED] wrote:

> > By the way, if I change/edit any of the setting at the squid.conf, for the new setting to take effect, DO I have to run any command or just restart the squid? If need command, what are the commands I have to run?
>
> % squid -k reconfigure
>
> M.
Re: [squid-users] Editing squid.conf
> Thank you, that means I don't have to restart the squid , rite?

Rite.

M.
RE: [squid-users] proxy.pac
Tue 2006-04-18 at 20:42 +0200, Joost de Heer wrote:

> I think it uses the cached proxy.pac.

Yes, but it is almost trivial to make the cached proxy.pac instruct the browser to go direct when not connected to the office network.

Regards
Henrik
RE: [squid-users] Authorisation helper error message tracing
Wed 2006-04-19 at 08:34 +0100, Holton, Euan wrote:

> As asked in the OP, is there a debug_level parameter that can be used to trace requests sent to authenticator helper processes? None of the candidates in debug-sections.txt seem quite right, unless section 28 is the one.

I would use

    debug_options ALL,1 33,2 84,5 29,9

33 == client request processing. Will give you the requested URL making it easier to correlate with access.log.
84 == communication with helpers
29 == authenticators (ntlm/basic/digest etc..)

Regards
Henrik
Re: [squid-users] rss reader error
> >     1145369792.263 31 172.16.11.60 TCP_DENIED/407 2143 GET http://www.01net.com/rss/dossiersentreprise.xml - NONE/- text/html
> >
> > Why i have 'NONE/' for the user?
>
> You don't. You have a - (no username known). The NONE/- is the hierarchy column.. The username is between the URL and the hierarchy column.
>
> > I use basic ntlm authentication and i enter the good username in the proxy configuration in RSSreader.
>
> Looks to me like RSSreader isn't sending the username. Maybe it gets confused by the proxy also announcing NTLM support?

I deactivate ntlm support and it works fine. Is there a solution to configure squid to send basic authentication support for some IP/range?

> Regards
> Henrik
Re: [squid-users] Re: Squid + NTLM and TCP_DENIED for each request
Tue 2006-04-18 at 20:45 +0200, Joost de Heer wrote:

> That's NTLM handshaking, it's normal behaviour. Blame MS for creating a crappy implementation of the authentication mechanism.

Will get better the day we can switch to use Kerberos/SPNEGO authentication.. but unfortunately not yet sufficiently supported in any of the involved components (browsers, Squid, Samba) to be deployed seriously..

The Squid side of things is available in Squid-3, or as a patch to 2.5 at devel.squid-cache.org. The Samba side is available in Samba-4, and the MSIE browser side of things is available in the next Windows version..

Regards
Henrik
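Two points from the threads above can be checked mechanically: the username sits between the URL and the hierarchy column of access.log, and TCP_DENIED/407 lines followed by an authenticated request are the normal NTLM handshake, while a client that only ever produces 407s is not sending credentials at all. The following Python is an added example, not part of any list message; the addresses, hosts and usernames in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in Squid's native access.log format (not from the list).
SAMPLE = r"""
1145466458.378 445 192.0.2.10 TCP_DENIED/407 1901 CONNECT secure.example.com:443 - NONE/- text/html
1145466459.524 591 192.0.2.10 TCP_DENIED/407 2089 CONNECT secure.example.com:443 - NONE/- text/html
1145466465.724 6200 192.0.2.10 TCP_MISS/200 4441 CONNECT secure.example.com:443 EXAMPLE\alice DIRECT/198.51.100.7 -
1145369792.263 31 192.0.2.60 TCP_DENIED/407 2143 GET http://feeds.example.com/rss.xml - NONE/- text/html
1145369795.100 28 192.0.2.60 TCP_DENIED/407 2143 GET http://feeds.example.com/rss.xml - NONE/- text/html
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str     # e.g. TCP_DENIED, TCP_MISS
    status: int     # HTTP status, e.g. 407
    size: int
    method: str
    url: str
    user: str       # "-" when no username is known
    hierarchy: str  # e.g. NONE/- or DIRECT/198.51.100.7
    mime: str


def parse_line(line):
    """Parse one line of Squid's native access.log format."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native access.log line: %r" % line)
    result, _, status = f[3].partition("/")
    # The username is whatever sits between the URL (seventh field) and the
    # hierarchy column (second to last). Normally that is one token; joining
    # keeps the other columns aligned if a malformed username contains spaces.
    user = " ".join(f[7:-2])
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], user, f[-2], f[-1])


def summarize(lines):
    """Per client: count 407 challenges and requests that carried a username."""
    stats = defaultdict(lambda: {"denied_407": 0, "authenticated": 0, "users": set()})
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        s = stats[e.client]
        if e.result == "TCP_DENIED" and e.status == 407:
            s["denied_407"] += 1
        elif e.user != "-":
            s["authenticated"] += 1
            s["users"].add(e.user)
    return stats


def never_authenticated(stats):
    """Clients that were challenged but never came back with credentials."""
    return sorted(c for c, s in stats.items()
                  if s["denied_407"] and not s["authenticated"])


if __name__ == "__main__":
    st = summarize(SAMPLE.splitlines())
    for client, s in sorted(st.items()):
        print(client, s["denied_407"], s["authenticated"], sorted(s["users"]))
    print("challenged but never authenticated:", never_authenticated(st))
```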
Re: [squid-users] Refreshing files in the squid cache on a regular basis?
Tue 2006-04-18 at 12:51 -0800, Chris Robertson wrote:

> export http_proxy=http://username:[EMAIL PROTECTED]:3128/
> wget -O /dev/null --input-file=/path/to/file/of/imageURLs

or you could use squidclient..

    squidclient -H 'Cache-Control: max-age=0\n' -s -u username -w password URL_to_refresh

The max-age=0 thingy is to force a cache revalidation. It is also possible to use the -r option but this will force a reload of the object even if it hasn't changed on the web server.

Regards
Henrik
Re: [squid-users] Working with ACL
Henrik,

Below is our squid config. Sorry to ask stupid question again, where should the lines go to and if I have few internet sites to be allowed, can I still use acl dstdomain? Will these implementation affect other remote offices that have internet access? Thanks again.

Rgds,
Jerry

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    #acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 1-65535
    acl Safe_ports port 1-65535
    acl NAI dstdom_regex \.nai.com$
    #acl aggressivedomain url_regex -i c:/squid/etc/blacklists/aggressive/domains
    #http_access deny aggressivedomain
    #acl proxydomain url_regex -i c:/squid/etc/auth/proxy/domains
    #http_access allow proxydomain
    #acl warezdomain url_regex -i c:/squid/etc/blacklists/warez/domains
    #http_access deny warezdomain
    acl usrgrp src c:/squid/etc/auth/usersgrp.acl
    acl usrgrp2 proxy_auth_regex -i c:/squid/etc/auth/usersgrp2.acl
    acl PASSWORD proxy_auth REQUIRED
    #http_access deny all PASSWORD
    http_access deny usrgrp2
    http_access allow all PASSWORD
    http_access allow usrgrp
    # purge bad objects; command ex. client -m PURGE http://www.bad.com/;
    acl purgemethod method PURGE
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #http_access deny to_localhost
    #http_access deny websites
    http_access deny www.yahoo.com
    #http_access allow all password
    #http_access allow NAI all
    http_access allow purgemethod localhost
    http_access deny purgemethod
    #http_access allow Safe_ports !SUBNETS
    #http_access allow Safe_ports SUBNETS PASSWORD
    # And finally deny all other access to this proxy
    http_access deny all
    miss_access allow all

From: Henrik Nordstrom [EMAIL PROTECTED]
To: jerry khoo [EMAIL PROTECTED]
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Working with ACL
Date: Mon, 17 Apr 2006 15:36:29 +0200

Mon 2006-04-17 at 10:10 +, jerry khoo wrote:

> implement on one of the remote site,example site 192.168.1.x The requirement is to block 80% of users from accessing internet, but allow them to go to some few internet site. The remaining 20% can access internet. But all 100% can access our intranet sites. Being new to squid, can someone give some example of the ACL configuration to achieve this type of requirement or it can't be done at all? Many thanks in advance to all the expert out there.

What you need to remember to implement this is that http_access is an ordered list of rules. The first matching rule applies to the request.

Then use the src and dstdomain acls to define who may go where (or not)..

    acl siteX src 192.168.1.0/24
    acl allowed_sites dstdomain ...
    http_access allow siteX allowed_sites
    http_access deny siteX

just before where you allow the rest of the users general access..

Regards
Henrik
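How the ordering described in the quoted reply plays out, as an added example that is not part of the list message and not Squid code: a small Python model of first-match http_access evaluation, run with the siteX rules placed before and after the general-access rule. The allowed_sites domains (the message elides the real list), the stand-in "allow all" general rule and the client addresses are assumptions.

```python
import ipaddress


def src(*cidrs):
    """ACL type 'src': match on the client address."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["client"]) in n for n in nets)


def dstdomain(*domains):
    """ACL type 'dstdomain': a leading dot also matches subdomains."""
    def match(req):
        host = req["host"].lower()
        for d in (d.lower() for d in domains):
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return match


def evaluate(rules, acls, req):
    """Return (action, index) of the first http_access line that matches.

    A line matches only if every ACL on it matches; '!' negates an ACL.
    """
    for i, (action, names) in enumerate(rules):
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, i
    # No line matched: Squid applies the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


ACLS = {
    "all": src("0.0.0.0/0"),
    "siteX": src("192.168.1.0/24"),  # from the message
    # Hypothetical domain list; the message only shows "dstdomain ...".
    "allowed_sites": dstdomain(".intranet.example", "www.partner.example"),
}

# siteX rules placed just before the general-access rule, as advised.
GOOD = [
    ("allow", ["siteX", "allowed_sites"]),
    ("deny", ["siteX"]),
    ("allow", ["all"]),  # stand-in for the site's general-access rule
    ("deny", ["all"]),
]

# Same lines, but the general-access rule comes first and wins every time.
BAD = [GOOD[2], GOOD[0], GOOD[1], GOOD[3]]

# Constructed requests.
SITEX_BLOCKED = {"client": "192.168.1.25", "host": "www.example.org"}
SITEX_ALLOWED = {"client": "192.168.1.25", "host": "wiki.intranet.example"}
OTHER_OFFICE = {"client": "192.168.2.25", "host": "www.example.org"}

if __name__ == "__main__":
    for name, rules in (("siteX rules first", GOOD), ("general rule first", BAD)):
        for req in (SITEX_BLOCKED, SITEX_ALLOWED, OTHER_OFFICE):
            action, idx = evaluate(rules, ACLS, req)
            print("%-18s %-13s -> %-22s %s (line %s)"
                  % (name, req["client"], req["host"], action, idx))
```

With the siteX lines first, the other office still reaches the general rule untouched; with the general rule first, the siteX restriction never takes effect.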
[squid-users] Proxy Forward Question?
I have an Internet Security and acceleration server running at one of my sites what I would like to do is forward the request from that server to a squid server. However The IAS server uses Active directory for authentication and then squid server uses LDAP as it's authentication backend. When I try to forward the IAS server it just keeps asking for a username and password. How do I get the squid server to accept the credentials or at least just allow the IAS server through without asking for credentials. Carinus
Re: [squid-users] rss reader error
On Wed, 2006-04-19 at 12:53 +0200, Guillaume wrote:

> I deactivate ntlm support and it works fine. Is there a solution to configure squid to send basic authentication support for some IP/range?

No, it's a process-wide all-or-nothing setting. Only way to do that would be to run two squids and use proxy.pac logic to let the client decide which one to use.

Kinkie
RE: [squid-users] Authorisation helper error message tracing
> > As asked in the OP, is there a debug_level parameter that can be used to trace requests sent to authenticator helper processes? None of the candidates in debug-sections.txt seem quite right, unless section 28 is the one.
>
> I would use
>
>     debug_options ALL,1 33,2 84,5 29,9
>
> 33 == client request processing. Will give you the requested URL making it easier to correlate with access.log.
> 84 == communication with helpers
> 29 == authenticators (ntlm/basic/digest etc..)
>
> Regards
> Henrik

Thank you very much Henrik. Greatly appreciated!

Regards
Euan
[squid-users] SquidNT: running 2 instance of squid on the same server.
After another discussion, I would like to create two squid servers on the same server. I created 2 different trees with different parameters. I can run the first, but when I try to load the second, I have the following error displayed:

    2006/04/19 16:15:50| Squid is already running! Process ID 1596

I had in squid.conf this line (in each squid.conf file):

    pid_filename c:/squid_basic/var/logs/squid.pid

(with a different path for each one)

And I always have the same error, reporting that squid is always running...

Is there a possibility to deactivate this check on squid start? And (more important) can I execute many proxies on the same computer?

... guillaume ...
RE: [squid-users] SquidNT: running 2 instance of squid on the same server.
> After another discution, i would like to create two squid server on the same server. I create 2 different tree with different parameters i can run the first, but when i try to load the second, i have the following error displayed:
>
>     2006/04/19 16:15:50| Squid is already running! Process ID 1596
>
> I had in squid.conf this line (in each squid.conf file):
>
>     pid_filename c:/squid_basic/var/logs/squid.pid
>
> (with different path for each one) And i have always the same error, reporting that squid is always running... Is there a possibility to deactivate this check on squid start? And (more important) can i execute many proxy on the same computer?

I currently run two proxies. One for transparency and one for auth. It's definitely possible.

1) double check the pid file location/name
2) Make sure subsequent instances of squid use the -f option.
RE: [squid-users] SquidNT: running 2 instance of squid on the same server.
> > After another discution, i would like to create two squid server on the same server. I create 2 different tree with different parameters i can run the first, but when i try to load the second, i have the following error displayed:
> >
> >     2006/04/19 16:15:50| Squid is already running! Process ID 1596
> >
> > I had in squid.conf this line (in each squid.conf file):
> >
> >     pid_filename c:/squid_basic/var/logs/squid.pid
> >
> > (with different path for each one) And i have always the same error, reporting that squid is always running... Is there a possibility to deactivate this check on squid start? And (more important) can i execute many proxy on the same computer?
>
> I currently run two proxies. One for transparency and one for auth. It's definitely possible.
>
> 1) double check the pid file location/name
> 2) Make sure subsequent instances of squid use the -f option.

Also, for SquidNT, make sure that both have different NT Service names. See squid\docs\win32-relnotes.html and carefully read the information on the -n switch.

Regards
Euan
RE: [squid-users] Re: Squid + NTLM and TCP_DENIED for each request
Thanks for the feedback. Apparently it's going to take a lot of different components to fix NTLM.

Toan

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 3:54 AM
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: Squid + NTLM and TCP_DENIED for each request

Tue 2006-04-18 at 20:45 +0200, Joost de Heer wrote:

> That's NTLM handshaking, it's normal behaviour. Blame MS for creating a crappy implementation of the authentication mechanism.

Will get better the day we can switch to use Kerberos/SPNEGO authentication.. but unfortunately not yet sufficiently supported in any of the involved components (browsers, Squid, Samba) to be deployed seriously..

The Squid side of things is available in Squid-3, or as a patch to 2.5 at devel.squid-cache.org. The Samba side is available in Samba-4, and the MSIE browser side of things is available in the next Windows version..

Regards
Henrik
RE: [squid-users] HTTPS Web SITE TIMEOUT
The web site is www.equifax.com.br , but the problem only happens after I authenticate in the site and try to access an specific url (https://novoequifaxpessoal.equifax.com.br/PessoalPlusWeb/login.jsp). The result is always the same:

    novoequifaxpessoal.equifax.com.br:443 (60) Connection timed out/

Here's what is shown in the access.log file:

    1145466458.378 445 XX.XXX.XX.XX TCP_DENIED/407 1901 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466459.524 591 XX.XXX.XX.XX TCP_DENIED/407 2089 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466465.724 6200 XX.XXX.XX.XX TCP_MISS/200 4441 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
    1145466465.770 2 XX.XXX.XX.XX TCP_DENIED/407 1901 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466465.783 9 XX.XXX.XX.XX TCP_DENIED/407 2089 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466465.999 215 XX.XXX.XX.XX TCP_MISS/200 3576 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
    1145466466.078 19 XX.XXX.XX.XX TCP_DENIED/407 1901 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466466.109 22 XX.XXX.XX.XX TCP_DENIED/407 2089 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466466.316 202 XX.XXX.XX.XX TCP_MISS/200 3587 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
    1145466466.323 2 XX.XXX.XX.XX TCP_DENIED/407 1901 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466466.334 7 XX.XXX.XX.XX TCP_DENIED/407 2089 CONNECT novoequifaxpessoal.equifax.com.br:443 - NONE/- text/html
    1145466526.011 59676 XX.XXX.XX.XX TCP_MISS/503 0 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -

After the last TCP_MISS/503 I got the (60) timeout message.

Here's what is shown in cache.log:

    [2006/04/19 14:06:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606) Got user=[barrosr] domain=[XXX] workstation=[XXX] len1=24 len2=24
    [2006/04/19 14:06:04, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags:
    [2006/04/19 14:06:04, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x20088215

Is there anything else I can provide?

Thanks,
Rodrigo

-----Original Message-----
From: Mark Elsen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 1:32 AM
To: Rodrigo Barros
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] HTTPS Web SITE TIMEOUT

> Hi All, I've been searching google for a while and couldn't find a solution for my problem, so if this has already been posted here sorry. I'm running Squid 2.5.10 with ntlm authentication, and I have this ssl web site that does not connect. The only error message I get is (60) Connection timed out . If I bypass the proxy and go straight to the web site, I can succesfully access the resource. Any ideas?

- What's the URL of the site ?
- access.log entry when this is tried ?
- Anything further in cache.log ?

M.
Re: [squid-users] Squid with a Active Directory authentification and JAVA client don't authentifie
Mark Elsen wrote:

> > Hi i have a big problems with my proxy serveur : With IE, that's work very good, but all java appli don't authentifie ! he restart a box with login/password anyone have this problems ?
>
> - The java applet may not support transferring auth. credentials to SQUID. As a workaround you may edit squid.conf, to run applets without authentication. I think this can be done based, on mime type acl or something equivalent. Don't remember exactly for the moment.
>
> M.

Many thanks for your help. Do you have an example for accepting Java without authentication? I am not an expert in squid.
[squid-users] Weird username?
Hey all,

Using NTLM auth. I just set up sarg and noticed weird usernames. So, I looked in my squid log, in case they were being parsed weird and I see this:

    1145472531.457 0 127.0.0.1 TCP_CLIENT_REFRESH_MISS/200 4569 GET http://server44/squid-reports/ TlRMTVNTUAACB gAGADA1gokg7p5ruRq8NyYAAFgAWAA2QwBUAEcAAgAGAEMAVABHAAEAE ABTAEUAUgBWAEUAUgA0ADQABAAOAGMAdABnAC4AYwBvAG 0AAwAgAHMAZQByAHYAZQByADQANAAuAGMAdABnAC4AYwBvAG0AAA== NONE/- text/html
    1145472531.487 3 127.0.0.1 TCP_CLIENT_REFRESH_MISS/200 7502 GET http://server44/squid-reports/images/sarg.png jg authier NONE/- image/png

That looks like NTLM garbage.. Can anyone confirm what is in my log file, and if it's expected?

Squid Cache: Version 3.0-PRE3-20060414
RE: [squid-users] Advice on private keys and SSL
That is exactly what I needed to know. Thank you very much!

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 15, 2006 1:11 PM
To: Discussion Lists
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Advice on private keys and SSL

Sat 2006-04-15 at 10:07 -0700, Discussion Lists wrote:

> Obviously I would want different certificates for different domains. BUT would I want to have a different key for each certificate?

Lets put it this way: Normally you have one key per certificate, and also generate a new key each time the certificate is renewed, and there is no reason not to.

I know of only a single situation where one would consider using the same key for multiple certificates and it's if using an RSA accelerator which can not handle multiple keys. But given the fact that even entry level RSA accelerator chips for SSL doesn't have any practical restrictions on the number of RSA keys I doubt you will run into such situation..

Similarly I know of only one situation where one would like to keep the same key on a certificate renewal and it's if the key is somehow recorded into restricted hardware and not easy to change.

So while it is true that technically you can use the same key for all certificates if you want to generally it's best to use unique keys per certificate.

Regards
Henrik
RE: [squid-users] ldap squid auth
Tue 2006-04-18 at 22:11 +0530, Remy Almeida wrote:

> Hi As per you instruction I upgraded to 2.5stable13 till now squid have not crashed but is get some message don't know what it is check the last 2 lines or error message
>
> ERROR MESSAGE
>
>     2006/04/18 22:04:30| Starting Squid Cache version 2.5.STABLE13 for x86_64-redhat
>     2006/04/18 22:04:30| Process ID 29013
>     2006/04/18 22:04:30| With 1024 file descriptors available
>     2006/04/18 22:04:30| DNS Socket created at 0.0.0.0, port 47138, FD 5
>     2006/04/18 22:04:30| Adding nameserver 172.27.1.1 from /etc/resolv.conf
>     2006/04/18 22:04:30| Adding nameserver 61.1.65.65 from /etc/resolv.conf
>     2006/04/18 22:04:30| helperOpenServers: Starting 20 'ldap_auth' processes
>     free(): invalid pointer 0x5032f0!
>     free(): invalid pointer 0x504130!
>
> What does those last 2 lines means?

A bug somewhere which needs to be killed.

If this is a Linux/glibc based system you can try the following which should allow identifying the bug:

Set the environment variable MALLOC_CHECK_ to 2 while running Squid under gdb. Should trap the error.

    gdb /path/to/sbin/squid
    set env MALLOC_CHECK_ = 2
    handle SIGPIPE pass noprint nostop
    run -DNYCd3
    [wait for crash/alert]
    backtrace

but it could also be a bug in ldap_auth..

Btw, why are you using ldap_auth instead of the official squid_ldap_auth distributed with Squid?

Regards
Henrik
RE: [squid-users] HTTPS Web SITE TIMEOUT
Wed 2006-04-19 at 14:18 -0300, Rodrigo Barros wrote:

> The web site is www.equifax.com.br , but the problem only happens after I authenticate in the site and try to access an specific url (https://novoequifaxpessoal.equifax.com.br/PessoalPlusWeb/login.jsp).
>
>     1145466465.724 6200 XX.XXX.XX.XX TCP_MISS/200 4441 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
>     1145466465.999 215 XX.XXX.XX.XX TCP_MISS/200 3576 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
>     1145466466.316 202 XX.XXX.XX.XX TCP_MISS/200 3587 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
>     1145466526.011 59676 XX.XXX.XX.XX TCP_MISS/503 0 CONNECT novoequifaxpessoal.equifax.com.br:443 XXX\barrosr DIRECT/200.142.202.182 -
>
> After the last TCP_MISS/503 I got the (60) timeout message.

Very odd, but it looks like the site blacklisted you for some reason, no longer accepting connections from your proxy.

Regards
Henrik
Re: [squid-users] Weird username?
Wed 2006-04-19 at 16:22 -0400, Jason Gauthier wrote:

> Hey all, Using NTLM auth. I just set up sarg and noticed weird usernames. So, I looked in my squid log, in case they were being parsed weird and I see this:
>
>     1145472531.457 0 127.0.0.1 TCP_CLIENT_REFRESH_MISS/200 4569 GET http://server44/squid-reports/ TlRMTVNTUAACB gAGADA1gokg7p5ruRq8NyYAAFgAWAA2QwBUAEcAAgAGAEMAVABHAAEAE ABTAEUAUgBWAEUAUgA0ADQABAAOAGMAdABnAC4AYwBvAG 0AAwAgAHMAZQByAHYAZQByADQANAAuAGMAdABnAC4AYwBvAG0AAA== NONE/- text/html
>     1145472531.487 3 127.0.0.1 TCP_CLIENT_REFRESH_MISS/200 7502 GET http://server44/squid-reports/images/sarg.png jg authier NONE/- image/png
>
> That looks like NTLM garbage..

Indeed. Shouldn't be there.

> Squid Cache: Version 3.0-PRE3-20060414

Might explain a thing or two... Squid-3 is still very much beta and not quite ready for production use. But still it shouldn't give symptoms like the above...

Current production release is Squid-2.5.STABLE13.

Which NTLM helper are you using? It could also be a problem with the NTLM helper...

Regards
Henrik
Re: [squid-users] Transparency and blocking other proxies
Wed 2006-04-19 at 15:35 -0700, [EMAIL PROTECTED] wrote:

> Then can we use Shorewall + squid to accomplish this task?

Yes, Shorewall like most other firewall products can be instructed to block all Internet access... If this is what you want to do is another question. You still have not specified why you want to block access to other proxies..

Regards
Henrik
[squid-users] How to make squid to handle more than 2GB log file
Hello,

I am using squid 2.5.STABLE12 and it crashes when the log file reaches the more than 2GB limit. If I want to have more than 2GB log file, what needs to be done? If there are any code changes needed, what should be the file that I should be looking into? Please let me know your ideas.

Regards,
-Balu.
Re: [squid-users] HTTPS Web SITE TIMEOUT
Any firewall rules in place upstream from the squid proxy?
Re: [squid-users] Transparency and blocking other proxies
Quoting Henrik Nordstrom [EMAIL PROTECTED]:

> Wed 2006-04-19 at 15:35 -0700, [EMAIL PROTECTED] wrote:
>
> > Then can we use Shorewall + squid to accomplish this task?
>
> Yes, Shorewall like most other firewall products can be instructed to block all Internet access... If this is what you want to do is another question. You still have not specified why you want to block access to other proxies..
>
> Regards
> Henrik

If he is with a school system in the US he probably has to filter all internet traffic for content to ensure the kiddies don't stumble on something bad, or get stalked in a chat room. Henrik is right though, I'm not sure there is a good way to do it with a transparent proxy. I've been thinking about using a radius server or NTLM (I think) and making everyone have a username and password to get to the internet. But, that would be quite a nightmare to set up. If I was running Novell, I'd use bordermanager and Novell's transparent proxy, so everyone would have to login to a server in order to do anything network wise. Unfortunately I have Apple computers, Windows computers and Linux so I can't yet use Novell. Keep us posted on what you find out. I'm sure I'm not the only network admin at a school that is curious how to keep kids (and teachers) from skirting around the Internet filter.

ddh

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: [squid-users] How to make squid to handle more than 2GB log file
Balu wrote:

> Hello, I am using squid 2.5.STABLE12 and it crashes when the log file reaches the more than 2GB limit. If I want have more than 2GB log file, What needs to be done?

Check out the --with-large-files compile option.

> If there is any code changes needed, what should be the file that I shuould be looking into. Please let me know your ideas. Regards, -Balu.

Chris
Re: [squid-users] How to make squid to handle more than 2GB log file
Is this option available for squid 2.5.STABLE12? If I enable the large file support, can that squid be used in a production environment?

Regards,
-Balu.

--- Chris Robertson [EMAIL PROTECTED] wrote:

> Balu wrote:
>
> > Hello, I am using squid 2.5.STABLE12 and it crashes when the log file reaches the more than 2GB limit. If I want have more than 2GB log file, What needs to be done?
>
> Check out the --with-large-files compile option.
>
> > If there is any code changes needed, what should be the file that I shuould be looking into. Please let me know your ideas. Regards, -Balu.
>
> Chris
Re: [squid-users] Transparency and blocking other proxies
Wed 2006-04-19 at 20:08 -0400, Dwayne Hottinger wrote:

> use Novell. Keep us posted on what you find out. Im sure Im not the only network admin at a school that is curious how to keep kids (and teachers) from Skirting around the Internet filter.

As always the first line of defense is to have a clearly defined and enforceable policy of use. Without this you won't get anywhere as every measure you take will only encourage the determined to find ways around it.

Second, have a proxy with suitable filters covering your back..

Third, make sure the computers are automatically configured by default to use the proxy to make it easy to your users to comply with the policy of use, and also acting as a reminder that there is a policy they have to abide to.

Fourth, actively monitor usage and go after the people who actively tries to violate the policy.

Fifth, if this isn't sufficient to keep things at bay, stop routing to the Internet, providing only the proxy access method.

And finally, if that isn't sufficient, build a whitelist of allowed sites and block everything else..

Actually I might move the fifth up quite a bit in your situation, but I live in a country much more liberal on these matters and where freedom is considered very important, and where you can't sue someone only because you saw content you didn't like on their screen while walking by (there is actually a higher chance you could sue the one looking at your screen without asking I think). But also I do know several companies who are at the final stage above, and where trying to violate their policy might cost you your job..

Regards
Henrik
Re: [squid-users] limiting cache to memory only
comment every line stating cache_dir

On 4/17/06, William Bohannan [EMAIL PROTECTED] wrote:

> Is there part in the config of squid to limit the cache just to memory and not the hard drive?? And to a certain size??
>
> Thanks heaps
> William
>
> Ps also got the transparent bridge working - used shorewall with two simple rules
>
>     REDIRECT loc 3128 tcp 80
>     ACCEPT fw net tcp 80

--
::DAMK::
Re: [squid-users] How to make squid to handle more than 2GB log file
On Wed, Apr 19, 2006, Balu wrote:

> Does this option available for squid 2.5.STABLE12. If I enable the large file support will that squid can be used in prduction environment.

Yup!

Adrian
[squid-users] squid-ldap hepl
I have recently started ldap authentication for squid and I get the following message

    2006/04/20 09:05:00| WARNING: basicauthenticator #41 (FD 139) exited
    2006/04/20 09:05:12| WARNING: basicauthenticator #42 (FD 140) exited
    2006/04/20 09:05:47| WARNING: basicauthenticator #43 (FD 141) exited
    2006/04/20 09:05:57| WARNING: Memory usage at 108 MB
    2006/04/20 09:06:08| WARNING: basicauthenticator #44 (FD 142) exited
    2006/04/20 09:06:15| WARNING: basicauthenticator #45 (FD 143) exited
    2006/04/20 09:06:15| Too few basicauthenticator processes are running
    2006/04/20 09:06:15| Starting new helpers
    2006/04/20 09:06:15| helperOpenServers: Starting 90 'ldap_auth' processes
    free(): invalid pointer 0x504130!

Can someone help me to rectify the error? I tried to increase the helpers from 20 to 50 and now 90 but still get the same message. I have around 900+ users.
[squid-users] Squid dying
Hello, One of the squid proxy servers in our organisation is failing with the following error: fgets() failed! dying. errno=1 (Operation not permitted) [2006/04/20 09:18:06, 1] utils/ntlm_auth.c:manage_squid_request(1594) Squid will restart normally, after this. However it has happened more than once. the version and compile errors are as follows: Squid Cache: Version 2.5.STABLE13-20060313 configure options: --sysconfdir=/etc/squid --enable-dlmalloc --enable-gnuregex --enable-async-io --enable-snmp --disable-internal-dns --enable-ssl --with-openssl=/usr/local/ssl --enable-underscores --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --enable-external-acl-helpers=winbind_group,wbinfo_group Chris Vaughan Department of Lands NSW Ph 612 92286884