[squid-users] pix+squid problem
My Squid server machine had two interfaces: eth0 for the LAN and eth1 connected directly to the router for internet access. In my current scenario my Squid box has only one NIC and it is behind a PIX firewall; its local IP 172.16.100.12 is mapped to a real IP so that it can get internet access. So its internet and intranet communication is handled via a single LAN card. On the PIX there is no filter for pix. So is there any special configuration to be made at the PIX end so that it allows Squid to work in transparent mode?

Regards
Linux Cablez
Re: [squid-users] I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1.
What trouble? Have you enabled proxying for "https" in your browser?

Quoting Keith Owen <[EMAIL PROTECTED]>:

> I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1.
> This setup seems to be having troubles with e-mail websites (ex
> mail.yahoo.com & hotmail.com) If anyone can offer suggestions that
> would be appreciated.

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala
Tel: (041)334474,334535
Mob: 0752-996477
[squid-users] can use include syntax in the squid.conf
Hello, list

I manage a hierarchical Squid group and change the squid.conf sometimes. But the squid.conf files differ only a little, so I want to put the changed commands in another file, like squid.conf.local, and include this file in squid.conf. But squid.conf can't do this. Is there another good solution?

--
Huang Mingyou
[squid-users] Squid 2.5 / OpenSuse 10.1/ WCCPv1 /Cisco Router 3620
I'm trying to get a transparent proxy set up using the following configuration:

Squid is 2.5STABLE14 (compiled from source, with --enable-linux-netfilter)
Linux is OpenSuse 10.1, which is Kernel 2.6.16, installed from the released CDs, no custom kernel stuff.
Router is Cisco 3620 with IOS Version 12.2(15)T17.

I'm almost there, but even though my router and Squid box see each other and are communicating (I see you / here I am packets are going through, and good news in the 'sho ip wccp'), I'm missing something, I believe in the iptables or ip tunnel configuration, based on the Squid WIKI.

"The most common problem people have is that the router and cache are talking to each other and traffic is being redirected from the router but the traffic decapsulation process is either broken or (as is almost always the case) misconfigured. This is often a case of your traffic rewriting rules on your cache not being applied correctly"

I've been beating my head against this for a week now, and can't find the problem. (NOTE: I can use the squid cache by configuring my browser manually for a proxy.)

Here's my config info. Perhaps someone wiser could point me in a direction to try?

--
OpenSuse 10.1 x86 (Kernel 2.6.16) (installed from downloaded CDs, no kernel customization)
Cisco 3620 with IOS Version 12.2(15)T17
Squid squid-2.5.STABLE14 built from source with '--enable-linux-netfilter'

Instructions I'm following:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
(I've actually been using several sources, but the link above seems pretty definitive.)

Relevant IPs:
172.16.1.254 (the internal router port, where both squid and the clients reside)
172.16.50.254 (router port that points to the outside world)
172.16.1.171 (squid host, has only a single interface)

squid.conf (relevant stuff):
http_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
wccp_router 172.16.1.254

Linux config stuff
echo `1` > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
ip tunnel add wccp0 mode gre remote 172.16.1.254 local 172.16.1.171 dev eth0
ip addr add 172.16.1.171/24 dev wccp0
ip link set wccp0 up

Cisco router stuff
config t
ip wccp version 1
ip wccp web-cache redirect-list 150
access-list 150 permit tcp host 172.16.1.45 any
access-list 150 deny tcp any any

config t
int eth1/2 (the 172.16.50.254 interface)
ip wccp web-cache redirect-list 150

(I want to get squid working on a test workstation, before I point everyone to it)

Wade Guidry, MCSE, Network+
Systems Manager, Coastal Resource Sharing Network
503.801.2073
[EMAIL PROTECTED]
http://crsn.beachbooks.org
[squid-users] I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1.
I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1. This setup seems to be having troubles with e-mail websites (ex mail.yahoo.com & hotmail.com). If anyone can offer suggestions, that would be appreciated.
Re: [squid-users] blocking based on reply headers
A well-known example would be blocking wmf of reply content:

acl blocked_contdisp rep_header Content-Disposition -i \.wmf
http_reply_access deny blocked_contdisp
http_reply_access allow all

On 6/12/06, Leonardo Rodrigues Magalhães <[EMAIL PROTECTED]> wrote:

> Hello Guys,
>
> Is it possible to have ACLs based on arbitrary response headers?
> In my case, I would like to have some blocking on Content-Disposition:
> reply header ...
>
> --
> Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> [EMAIL PROTECTED]
> My SPAMTRAP, do not email it

--
Mehdi Sarmadi
Re: [squid-users] DNSBL Redirector
I've got it...

external_acl_type dnsbl children=10 %DST %SRC %IDENT %METHOD /usr/local/bin/dnsbl_redir2
acl policy external dnsbl
http_access allow rede10 policy
http_access allow rede200-1 policy
http_access allow rede200-2 policy

I don't want to use url_regex regarding performance issues. I'm using a DNS Black-List that is much faster.

Thanks

On 6/12/06, "Luís Fernando C. Talora" <[EMAIL PROTECTED]> wrote:

> Instead of using redirectors, I use "deny_info" on squid.conf (much
> easier), as follows:
>
> # Declaration of the ACL for Pornography
> acl porn url_regex -i "/etc/squid/lists/porn.url"
> # Redirection to 10.0.0.10
> deny_info http://10.0.0.10/proxy/?cat=porn&url=%s porn
> # Blocking access to porn (user will be redirected to the link above)
> http_access deny all porn
>
> It rocks!
>
> Regards,
> Luis Talora
>
> Luiz Henrique Ozaki wrote:
> > Hi,
> >
> > I'm using a DNSBL redirector that denies some sites redirecting to a
> > warning page.
> > How can I make denied sites from the redirector to get logged in the
> > access.log as denied ??
> >
> > I'm using dnsbl on redirect_program ( http://www.frws.com/squid_block/).
> >
> > Is it possible to use external_acl_type with this redirector with a
> > little modification making this 'redirector' like the squid ACLs ?
> > Like when got a denied, gets a squid denied message and get logged in
> > access.log.

--
[]'s
Luiz Henrique Ozaki
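
The helper side of the `external_acl_type` line above, as an added example that is not part of the original post and is not the `dnsbl_redir2` program: it reads `%DST %SRC %IDENT %METHOD` lines and answers `OK` when the destination is not on the blacklist, matching the `http_access allow ... policy` rules in the message. The zone name, the function names, the "any A record means listed" convention and plain space-separated fields are assumptions; `static_resolver` and `broken_resolver` are offline stand-ins for DNS.

```python
"""External ACL helper answering OK/ERR from a DNS blacklist lookup."""
import ipaddress
import re
import socket
import sys

DNSBL_ZONE = "dnsbl.example.org"  # hypothetical zone; substitute the list in use
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_-]{1,63}\.)*[a-z0-9_-]{1,63}$")
# Resolver errors that mean "no such record", i.e. the name is not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def query_name(dst, zone=DNSBL_ZONE):
    """Build the DNSBL query name for a destination, or None when the value
    is neither a plausible hostname nor an IPv4 literal."""
    dst = dst.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return f"{dst}.{zone}" if HOSTNAME_RE.match(dst) else None
    if addr.version != 4:
        return None
    # IPv4 literals are queried with their octets reversed (RFC 5782).
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_allowed(dst, resolve=socket.gethostbyname, fail_closed=True):
    """True when the destination is not listed."""
    name = query_name(dst)
    if name is None:
        return False  # malformed destination: never hand it to the resolver
    try:
        resolve(name)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return True  # NXDOMAIN: not on the list
        # Resolver outage: denying everything or allowing everything is a
        # policy choice, so it is a parameter rather than a silent default.
        return not fail_closed
    return False  # any A record counts as "listed"


def decide(line, resolve=socket.gethostbyname, fail_closed=True):
    """Answer one request line in the %DST %SRC %IDENT %METHOD layout."""
    fields = line.split()
    if len(fields) != 4:
        return "ERR"
    return "OK" if is_allowed(fields[0], resolve, fail_closed) else "ERR"


def static_resolver(listed):
    """Offline stand-in for DNS: only names in `listed` resolve."""
    def resolve(name):
        if name in listed:
            return "127.0.0.2"
        raise socket.gaierror(socket.EAI_NONAME, "not found")
    return resolve


def broken_resolver(name):
    """Offline stand-in for a resolver that is timing out."""
    raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer it


if __name__ == "__main__":
    main()
```

Requests that end up refused by an `http_access` rule are recorded in access.log as TCP_DENIED, which is the logging behaviour asked for in the quoted question.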
[squid-users] blocking based on reply headers
Hello Guys,

Is it possible to have ACLs based on arbitrary response headers? In my case, I would like to have some blocking on Content-Disposition: reply header ...

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
Re: [squid-users] DNSBL Redirector
Instead of using redirectors, I use "deny_info" on squid.conf (much easier), as follows:

# Declaration of the ACL for Pornography
acl porn url_regex -i "/etc/squid/lists/porn.url"
# Redirection to 10.0.0.10
deny_info http://10.0.0.10/proxy/?cat=porn&url=%s porn
# Blocking access to porn (user will be redirected to the link above)
http_access deny all porn

It rocks!

Regards,
Luis Talora

Luiz Henrique Ozaki wrote:

> Hi,
>
> I'm using a DNSBL redirector that denies some sites redirecting to a
> warning page.
> How can I make denied sites from the redirector to get logged in the
> access.log as denied ??
>
> I'm using dnsbl on redirect_program ( http://www.frws.com/squid_block/).
>
> Is it possible to use external_acl_type with this redirector with a
> little modification making this 'redirector' like the squid ACLs ?
> Like when got a denied, gets a squid denied message and get logged in
> access.log.
[squid-users] DNSBL Redirector
Hi,

I'm using a DNSBL redirector that denies some sites redirecting to a warning page.
How can I make denied sites from the redirector to get logged in the access.log as denied ??

I'm using dnsbl on redirect_program ( http://www.frws.com/squid_block/).

Is it possible to use external_acl_type with this redirector with a little modification making this 'redirector' like the squid ACLs ?
Like when got a denied, gets a squid denied message and get logged in access.log.

--
[]'s
Luiz Henrique Ozaki
[squid-users] Log redirector output
Hi all,

I'd like to log the redirector output to the access.log. The main objective is to add information about the redirector actions to the reports generated from squid access.log.

For example, if the redirector returns:

http://newpage.tld 10.1.1.1/- - GET info1 info2 info3 ... infoX

I'd like to log info1 to infoX.

How can I do that? Can anyone give me some guidelines for squid 2.5?

Thanks a lot for your help,
Jean-Francois
[squid-users] pb of re-authentication with squid
We have a squid with "ncsa" authentication installed. We click on a link to an external web server which must show a "login" pop-up (login and password). Without squid, it works well: a "login" window appears. With Squid, we get an "authorization required" message (error 401) and no "login" window appears. As if squid seemed to supply the credentials automatically, and wrong credentials of course.

Does someone have an idea of the problem? We have tested with different browsers (IE6 or Firefox): it's the same.

Many thanks
RE: [squid-users] Download Limit
Dear,

I am using a Linux box. I am using RHEL#4 and Squid. Tell me how it could be possible.

Regards
SQuid B0y

--- Moshe Beeri <[EMAIL PROTECTED]> wrote:

> But then a file download will still be possible.
> Try to do it by controlling it from the router, if your router supports
> QoS.
>
> > -----Original Message-----
> > From: Tristan Linnenbank [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 12, 2006 11:41 AM
> > To: cable linux
> > Cc: squid-users@squid-cache.org; [EMAIL PROTECTED]
> > Subject: Re: [squid-users] Download Limit
> >
> > Maybe you could write a daemon that parses the access.log and
> > counts the bytes used per ip-address. Once the bytes used per
> > ip-address exceeds the limit set by you, you could add the
> > ip-address to a kind of 'black list'.
> >
> > Write a redirector that checks the blacklist. If the
> > source-ip address is in the blacklist, redirect the user to a
> > page showing 'bandwidth exceeded'. If the user is not in the
> > blacklist, don't redirect the URL.
> >
> > Or skip the redirector and use ACL's using the external black
> > list file.
> >
> > I'm just a newbie to squid so this might be bad practice...
> >
> > cable linux wrote:
> > > Dear All Folks,
> > >
> > > I want to ask one question, which is: is there a way to set 150MB
> > > per IP address? Let's suppose I have the IP addresses below and I
> > > want to assign 150MB per day through squid.
> > >
> > > 192.168.3.11
> > > 192.168.3.12
> > > 192.168.3.13
> > > 192.168.3.14
> > > 192.168.3.15
> > > 192.168.3.16
> > >
> > > I have the IP addresses below and I want to assign 450MB per day
> > > through squid.
> > >
> > > 192.168.3.200
> > > 192.168.3.201
> > >
> > > Is there a way to do this with squid, or is any other software
> > > required for that purpose?
> > >
> > > Waiting for Quick Response.
> > >
> > > Regards
> > > Cablez
> >
> > --
> > Tristan Linnenbank
> > Hyves / Startphone Ltd
> > Herengracht 252
> > 1016 BV Amsterdam
> > tel. 06-10810969
> > msn. [EMAIL PROTECTED]
[squid-users] Selective .dll block
hi.

i've been running squid with dansguardian for a while, works really well. however, some people here need to use ebay and as i have dll files blocked at dans it won't work properly. as dans doesn't have an exception list for filetype, i thought about controlling them with the squid instance dans 'sits on'.

my question is- how do i create an acl to ban .dll files, but allow the one necessary .dll file through? (ebayisapi.dll) is it possible to do with a single acl, or will i need to create an 'ok' acl followed by a 'not ok' acl? :-)

tia
john
[squid-users] Authentication on loading an Internet Shortcut
Since switching to Squid for our proxy, some of our users are experiencing the following problem: When Internet Explorer is not yet loaded and authentication with Squid (using basic authentication) has therefore not yet been performed by the client, opening an Internet Shortcut from their Windows desktop pops up an authentication dialogue. Immediately after authenticating, an error is displayed as attached below. This error only occurs for shortcuts to certain sites (ASP related perhaps?) and not all client workstations experience the problem even though the shortcuts are the same. It's been witnessed on Windows 98 and Windows XP workstations, but not all XP workstations encounter the problem. After getting this error, refreshing Internet Explorer loads the page with no errors. Also, if the user's Internet Explorer is already loaded and authenticated with Squid, then opening the desktop shortcut does not produce an error. Has anyone else experienced a problem similar to this? Is it a known problem? Is there a resolution? Many thanks, Philip Hachey
[squid-users] make[1]: *** [cf_parser.h] Floating point exception
Hi there! I'm having a problem trying to compile squid 2.5STABLE14 on SuSE 9.1 and am getting the floating point error. Someone mentions this same problem here: http://www.squid-cache.org/mail-archive/squid-users/200410/0028.html together with a sort of resolution, but I don't really know what to set LD_ASSUME_KERNEL to. I've tried export LD_ASSUME_KERNEL=2.6.5 and that doesn't make any difference. Any idea why I'm getting this error? Thanks, Chris
[squid-users] Re: R: [squid-users] AD and Single Sign On
Does the username work when you enter it?

Quoting "Franco, Battista" <[EMAIL PROTECTED]>:

> Yes it is.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, 12 June 2006 15.01
> To: Franco, Battista
> Cc: squid-users@squid-cache.org
> Subject: Re:[squid-users] AD and Single Sign On
>
> Is that computer on your windows domain ?
>
> Quoting "Franco, Battista" <[EMAIL PROTECTED]>:
>
> > Hello
> > I configured squid and samba but (from a client with MS IE 6) when I
> > tried to connect to internet the pop-up with a request of username and
> > password appears.
> > More info below:
> >
> > # wbinfo -t
> > checking the trust secret via RPC calls succeeded
> > # wbinfo -a mydom\\user%password
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> > # /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > Mydom+user password
> > [2006/06/12 14:52:07, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> > NT_STATUS_OK: Success (0x0)
> > OK
> > #
> >
> > Smb.conf is:
> >
> >    netbios name = aa1pxysav00
> >    realm = ZA.IF.ATCSG.NET
> >    workgroup = ZA
> >    security = ADS
> >    password server = server.mydom.com
> >    encrypt passwords = yes
> >    log level = 3 passdb:5 auth:10 winbind:5
> >    idmap uid = 1-2
> >    template shell = /bin/false
> >    winbind enum users = yes
> >    winbind uid = 1-2
> >    winbind gid = 1-2
> >    winbind separator = +
> >    winbind use default domain = yes
> > ...
> >
> > Squid.conf is:
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> > # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
> > auth_param ntlm use_ntlm_negotiate on
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> > acl AuthorizedUsers proxy_auth REQUIRED
> > http_access allow all AuthorizedUsers
> > cache_peer proxy.xxx.com parent 8080 0 proxy-only default
> >
> > --
> >
> > Access.log
> >
> > 1150117192.969364 10.239.57.34 TCP_MISS/200 4388 GET http://www.google.it/ username DEFAULT_PARENT/proxy.xxx.com text/html
> > 1150117223.316 24100 10.239.57.34 TCP_MISS/503 1384 GET http://www.google.it/imghp? username NONE/- text/html
> >
> > Could you help me?
> >
> > -----Original Message-----
> > From: Jakob Curdes [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 9 June 2006 14.44
> > To: Franco, Battista
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] AD and Single Sign On
> >
> > Franco, Battista wrote:
> >
> > >Hello
> > >
> > >I used a squid 2.5 stable 9 on fedora code 4.
> > >
> > >My windows domain is an AD 2003.
> > >
> > >Is it possible to configure my squid to work as "single sign on" so
> > >users will not need to put username and password when accessing to
> > >internet?
> > >
> > >How do I do it?
> >
> > See
> >
> > http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication
> >
> > Hope this helps,
> >
> > Jakob Curdes
> >
> > Hint for the FAQ admins : the keyword NTLM or AD does not show up
> > anywhere in the content list, maybe it would be a good idea to shift
> > one of the headlines a little - this question keeps getting asked
> > again and again.
> >
> > Jakob Curdes
>
> --
> Peter Collins Wasenda
> Network Administrator
> IT Division, Corporate Services
> Uganda Revenue Authority
> P.O. Box 7279, Kampala
>
> Tel: (041)334474,334535
> Mob: 0752-996477

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala
Tel: (041)334474,334535
Mob: 0752-996477
[squid-users] R: [squid-users] AD and Single Sign On
Yes it is.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 12 June 2006 15.01
To: Franco, Battista
Cc: squid-users@squid-cache.org
Subject: Re:[squid-users] AD and Single Sign On

Is that computer on your windows domain ?

Quoting "Franco, Battista" <[EMAIL PROTECTED]>:

> Hello
> I configured squid and samba but (from a client with MS IE 6) when I
> tried to connect to internet the pop-up with a request of username and
> password appears.
> More info below:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
> # wbinfo -a mydom\\user%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> # /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> Mydom+user password
> [2006/06/12 14:52:07, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> NT_STATUS_OK: Success (0x0)
> OK
> #
>
> Smb.conf is:
>
>    netbios name = aa1pxysav00
>    realm = ZA.IF.ATCSG.NET
>    workgroup = ZA
>    security = ADS
>    password server = server.mydom.com
>    encrypt passwords = yes
>    log level = 3 passdb:5 auth:10 winbind:5
>    idmap uid = 1-2
>    template shell = /bin/false
>    winbind enum users = yes
>    winbind uid = 1-2
>    winbind gid = 1-2
>    winbind separator = +
>    winbind use default domain = yes
> ...
>
> Squid.conf is:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
> cache_peer proxy.xxx.com parent 8080 0 proxy-only default
>
> --
>
> Access.log
>
> 1150117192.969364 10.239.57.34 TCP_MISS/200 4388 GET http://www.google.it/ username DEFAULT_PARENT/proxy.xxx.com text/html
> 1150117223.316 24100 10.239.57.34 TCP_MISS/503 1384 GET http://www.google.it/imghp? username NONE/- text/html
>
> Could you help me?
>
> -----Original Message-----
> From: Jakob Curdes [mailto:[EMAIL PROTECTED]
> Sent: Friday, 9 June 2006 14.44
> To: Franco, Battista
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] AD and Single Sign On
>
> Franco, Battista wrote:
>
> >Hello
> >
> >I used a squid 2.5 stable 9 on fedora code 4.
> >
> >My windows domain is an AD 2003.
> >
> >Is it possible to configure my squid to work as "single sign on" so
> >users will not need to put username and password when accessing to
> >internet?
> >
> >How do I do it?
>
> See
>
> http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication
>
> Hope this helps,
>
> Jakob Curdes
>
> Hint for the FAQ admins : the keyword NTLM or AD does not show up
> anywhere in the content list, maybe it would be a good idea to shift
> one of the headlines a little - this question keeps getting asked
> again and again.
>
> Jakob Curdes

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala
Tel: (041)334474,334535
Mob: 0752-996477
[squid-users] Re:[squid-users] AD and Single Sign On
Is that computer on your windows domain ?

Quoting "Franco, Battista" <[EMAIL PROTECTED]>:

> Hello
> I configured squid and samba but (from a client with MS IE 6) when I
> tried to connect to internet the pop-up with a request of username and
> password appears.
> More info below:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
> # wbinfo -a mydom\\user%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> # /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> Mydom+user password
> [2006/06/12 14:52:07, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> NT_STATUS_OK: Success (0x0)
> OK
> #
>
> Smb.conf is:
>
>    netbios name = aa1pxysav00
>    realm = ZA.IF.ATCSG.NET
>    workgroup = ZA
>    security = ADS
>    password server = server.mydom.com
>    encrypt passwords = yes
>    log level = 3 passdb:5 auth:10 winbind:5
>    idmap uid = 1-2
>    template shell = /bin/false
>    winbind enum users = yes
>    winbind uid = 1-2
>    winbind gid = 1-2
>    winbind separator = +
>    winbind use default domain = yes
> ...
>
> Squid.conf is:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
>
> cache_peer proxy.xxx.com parent 8080 0 proxy-only default
>
> --
>
> Access.log
>
> 1150117192.969364 10.239.57.34 TCP_MISS/200 4388 GET http://www.google.it/ username DEFAULT_PARENT/proxy.xxx.com text/html
> 1150117223.316 24100 10.239.57.34 TCP_MISS/503 1384 GET http://www.google.it/imghp? username NONE/- text/html
>
> Could you help me?
>
> -----Original Message-----
> From: Jakob Curdes [mailto:[EMAIL PROTECTED]
> Sent: Friday, 9 June 2006 14.44
> To: Franco, Battista
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] AD and Single Sign On
>
> Franco, Battista wrote:
>
> >Hello
> >
> >I used a squid 2.5 stable 9 on fedora code 4.
> >
> >My windows domain is an AD 2003.
> >
> >Is it possible to configure my squid to work as "single sign on" so
> >users will not need to put username and password when accessing to
> >internet?
> >
> >How do I do it?
>
> See
>
> http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication
>
> Hope this helps,
>
> Jakob Curdes
>
> Hint for the FAQ admins : the keyword NTLM or AD does not show up
> anywhere in the content list, maybe it would be a good idea to shift
> one of the headlines a little - this question keeps getting asked
> again and again.
>
> Jakob Curdes

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala
Tel: (041)334474,334535
Mob: 0752-996477
[squid-users] R: [squid-users] R: [squid-users] AD and Single Sign On
Hello

I configured squid and samba but (from a client with MS IE 6) when I tried to connect to internet the pop-up with a request of username and password appears.
More info below:

# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -a mydom\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Mydom+user password
[2006/06/12 14:52:07, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
NT_STATUS_OK: Success (0x0)
OK
#

Smb.conf is:

   netbios name = aa1pxysav00
   realm = ZA.IF.ATCSG.NET
   workgroup = ZA
   security = ADS
   password server = server.mydom.com
   encrypt passwords = yes
   log level = 3 passdb:5 auth:10 winbind:5
   idmap uid = 1-2
   template shell = /bin/false
   winbind enum users = yes
   winbind uid = 1-2
   winbind gid = 1-2
   winbind separator = +
   winbind use default domain = yes
...

Squid.conf is:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
cache_peer proxy.xxx.com parent 8080 0 proxy-only default

--

Access.log

1150117192.969364 10.239.57.34 TCP_MISS/200 4388 GET http://www.google.it/ username DEFAULT_PARENT/proxy.xxx.com text/html
1150117223.316 24100 10.239.57.34 TCP_MISS/503 1384 GET http://www.google.it/imghp? username NONE/- text/html

Could you help me?

-----Original Message-----
From: Jakob Curdes [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 June 2006 14.44
To: Franco, Battista
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] AD and Single Sign On

Franco, Battista wrote:

>Hello
>
>I used a squid 2.5 stable 9 on fedora code 4.
>
>My windows domain is an AD 2003.
>
>Is it possible to configure my squid to work as "single sign on" so
>users will not need to put username and password when accessing to
>internet?
>
>How do I do it?

See

http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication

Hope this helps,

Jakob Curdes

Hint for the FAQ admins : the keyword NTLM or AD does not show up anywhere in the content list, maybe it would be a good idea to shift one of the headlines a little - this question keeps getting asked again and again.

Jakob Curdes
Re: [squid-users] Download Limit
Why would it still be possible to download a file? The squid doesn't allow you to make connections to the web when you're on the blacklist in the case of using ACL's and it redirects to another page in the case of the redirector.

I have to admit that there are some flaws:
- if you are a few bytes next to the limit, you would be still able to do just 1 download (but that could be a large file) since you can only update on the base of requests that are _done_.
- I assume squid in a transparent proxy situation

Moshe Beeri wrote:

> But then a file download will still be possible.
> Try to do it by controlling it from the router, if your router supports QoS.
>
> > -----Original Message-----
> > From: Tristan Linnenbank [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 12, 2006 11:41 AM
> > To: cable linux
> > Cc: squid-users@squid-cache.org; [EMAIL PROTECTED]
> > Subject: Re: [squid-users] Download Limit
> >
> > Maybe you could write a daemon that parses the access.log and counts
> > the bytes used per ip-address. Once the bytes used per ip-address
> > exceeds the limit set by you, you could add the ip-address to a kind
> > of 'black list'.
> >
> > Write a redirector that checks the blacklist. If the source-ip address
> > is in the blacklist, redirect the user to a page showing 'bandwidth
> > exceeded'. If the user is not in the blacklist, don't redirect the URL.
> >
> > Or skip the redirector and use ACL's using the external black list file.
> >
> > I'm just a newbie to squid so this might be bad practice...
> >
> > cable linux wrote:
> > > Dear All Folks,
> > >
> > > I want to ask one question, which is: is there a way to set 150MB
> > > per IP address? Let's suppose I have the IP addresses below and I
> > > want to assign 150MB per day through squid.
> > >
> > > 192.168.3.11
> > > 192.168.3.12
> > > 192.168.3.13
> > > 192.168.3.14
> > > 192.168.3.15
> > > 192.168.3.16
> > >
> > > I have the IP addresses below and I want to assign 450MB per day
> > > through squid.
> > >
> > > 192.168.3.200
> > > 192.168.3.201
> > >
> > > Is there a way to do this with squid, or is any other software
> > > required for that purpose?
> > >
> > > Waiting for Quick Response.
> > >
> > > Regards
> > > Cablez
RE: [squid-users] Download Limit
But then a file download will still be possible.
Try to do it by controlling it from the router, if your router supports QoS.

> -----Original Message-----
> From: Tristan Linnenbank [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 12, 2006 11:41 AM
> To: cable linux
> Cc: squid-users@squid-cache.org; [EMAIL PROTECTED]
> Subject: Re: [squid-users] Download Limit
>
> Maybe you could write a daemon that parses the access.log and
> counts the bytes used per ip-address. Once the bytes used per
> ip-address exceeds the limit set by you, you could add the
> ip-address to a kind of 'black list'.
>
> Write a redirector that checks the blacklist. If the
> source-ip address is in the blacklist, redirect the user to a
> page showing 'bandwidth exceeded'. If the user is not in the
> blacklist, don't redirect the URL.
>
> Or skip the redirector and use ACL's using the external black
> list file.
>
> I'm just a newbie to squid so this might be bad practice...
>
> cable linux wrote:
> > Dear All Folks,
> >
> > I want to ask one question, which is: is there a way to set 150MB
> > per IP address? Let's suppose I have the IP addresses below and I
> > want to assign 150MB per day through squid.
> >
> > 192.168.3.11
> > 192.168.3.12
> > 192.168.3.13
> > 192.168.3.14
> > 192.168.3.15
> > 192.168.3.16
> >
> > I have the IP addresses below and I want to assign 450MB per day
> > through squid.
> >
> > 192.168.3.200
> > 192.168.3.201
> >
> > Is there a way to do this with squid, or is any other software
> > required for that purpose?
> >
> > Waiting for Quick Response.
> >
> > Regards
> > Cablez
>
> --
> Tristan Linnenbank
> Hyves / Startphone Ltd
> Herengracht 252
> 1016 BV Amsterdam
> tel. 06-10810969
> msn. [EMAIL PROTECTED]
Re: [squid-users] tproxy on real ip problem
Paweł Staszewski wrote:

> hello:
>
> squid-box: 194.6.246.251 on eth0
> client: 194.6.246.25
>
> settings:
> http_port 194.6.246.251:8080 transparent
> linux_tproxy on
> tproxy_port 0
>
> iptables -t tproxy -A PREROUTING -p tcp -i eth0 --dport 80 -j TPROXY --on-port 8080
>
> And i can't spoof my client ipaddress
> I always go from 194.6.246.251
>
> any suggestions ??

debug:

2006/06/12 13:31:22| tproxy ip=194.6.246.25,0x19f606c2,port=0 ERROR ASSIGN
2006/06/12 13:31:23| tproxy ip=194.6.246.25,0x19f606c2,port=0 ERROR ASSIGN
[squid-users] tproxy on real ip problem
hello:

squid-box: 194.6.246.251 on eth0
client: 194.6.246.25

settings:
http_port 194.6.246.251:8080 transparent
linux_tproxy on
tproxy_port 0

iptables -t tproxy -A PREROUTING -p tcp -i eth0 --dport 80 -j TPROXY --on-port 8080

And I can't spoof my client IP address.
I always go from 194.6.246.251

any suggestions ??
Re: [squid-users] SQUID DNS problems
Mon 2006-06-12 at 09:50 +0200, Falko Zurell wrote:

> I wonder why the operating system can correctly resolve all the
> hostnames but the squid doesn't.

Try from the command line

    dig +notcp host.that.fails

Regards
Henrik
Re: [squid-users] Download Limit
Maybe you could write a daemon that parses the access.log and counts the bytes used per ip-address. Once the bytes used per ip-address exceed the limit set by you, you could add the ip-address to a kind of 'black list'.

Write a redirector that checks the blacklist. If the source-ip address is in the blacklist, redirect the user to a page showing 'bandwidth exceeded'. If the user is not in the blacklist, don't redirect the URL.

Or skip the redirector and use ACLs using the external black list file.

I'm just a newbie to squid so this might be bad practice...

cable linux wrote:

> Dear All Folks,
>
> I want to ask one question, which is: is there a way to set 150MB per IP address?
>
> Let's suppose I have the IP addresses below; I want to assign 150MB per day through squid.
>
> 192.168.3.11
> 192.168.3.12
> 192.168.3.13
> 192.168.3.14
> 192.168.3.15
> 192.168.3.16
>
> I have the IP addresses below; I want to assign 450MB per day through squid.
>
> 192.168.3.200
> 192.168.3.201
>
> Is there a way to do this with squid, or is any other software required for that purpose?
>
> Waiting for Quick Response.
>
> Regards
> Cablez

--
Tristan Linnenbank
Hyves / Startphone Ltd
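The log-counting approach suggested in the reply above, as an added example that is not part of the original post: it sums the bytes field of Squid's native access.log per client for one day and lists the clients that exceed the quotas from the question. The function names, the sample log lines and the use of UTC day boundaries are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timezone

MB = 1024 * 1024
# Per-client daily quotas in bytes, taken from the question in this thread.
QUOTAS = {f"192.168.3.{n}": 150 * MB for n in range(11, 17)}
QUOTAS.update({"192.168.3.200": 450 * MB, "192.168.3.201": 450 * MB})

# Constructed sample in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1150104000.100 5120 192.168.3.11 TCP_MISS/200 104857600 GET http://example.com/a.iso - DIRECT/192.0.2.10 application/octet-stream
1150107600.200 4800 192.168.3.11 TCP_MISS/200 62914560 GET http://example.com/b.iso - DIRECT/192.0.2.10 application/octet-stream
1150066800.300 9000 192.168.3.12 TCP_MISS/200 209715200 GET http://example.com/c.iso - DIRECT/192.0.2.10 application/octet-stream
1150110000.400 900 192.168.3.12 TCP_MISS/200 10485760 GET http://example.com/d.zip - DIRECT/192.0.2.10 application/zip
1150111000.500 9500 192.168.3.200 TCP_MISS/200 419430400 GET http://example.com/e.iso - DIRECT/192.0.2.10 application/octet-stream
1150112000.600 2 192.168.3.99 TCP_DENIED/403 1400 GET http://example.com/ - NONE/- text/html
truncated line from a log rotation
"""

def usage_by_client(lines, day):
    """Sum the bytes field per client address for one UTC calendar day."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or malformed line
        try:
            when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
            size = int(fields[4])
        except ValueError:
            continue  # non-numeric timestamp or size
        if when.date() == day:
            totals[fields[2]] += size
    return dict(totals)

def over_quota(totals, quotas=QUOTAS):
    """Clients over their daily quota; clients without a quota are never listed."""
    return sorted(ip for ip, used in totals.items()
                  if used > quotas.get(ip, float("inf")))

def blacklist_text(clients):
    """One address per line, the form a Squid src ACL reads from a quoted file."""
    return "".join(ip + "\n" for ip in clients)

if __name__ == "__main__":
    usage = usage_by_client(SAMPLE_LOG.splitlines(), date(2006, 6, 12))
    print(blacklist_text(over_quota(usage)), end="")
```

The output can be written to a file that squid.conf references as `acl overquota src "/path/to/file"` with a matching `http_access deny overquota`; Squid re-reads the file on reconfigure.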
[squid-users] Download Limit
Dear All Folks,

I want to ask one question, which is: is there a way to set 150MB per IP address?

Let's suppose I have the IP addresses below; I want to assign 150MB per day through squid.

192.168.3.11
192.168.3.12
192.168.3.13
192.168.3.14
192.168.3.15
192.168.3.16

I have the IP addresses below; I want to assign 450MB per day through squid.

192.168.3.200
192.168.3.201

Is there a way to do this with squid, or is any other software required for that purpose?

Waiting for Quick Response.

Regards
Cablez
[squid-users] SQUID DNS problems
Hello list,

I got a strange problem with our squid server (squid 2.5.12 on linux). We have a network with multiple subdomains. Let's say ads.domain.com and localtions.domain.com

My squid host is a linux box with the correct /etc/resolv.conf settings. The machine itself can resolve all host names in our network. If I do an nslookup or host request I can resolve hosts on all our subdomains. But the squid can't resolve hosts in one of the subdomains (ads.domain.com). The domain it can't resolve in is a windows domain, served by MS DNS-Server.

I wonder why the operating system can correctly resolve all the hostnames but the squid doesn't. I even entered all our DNS-Servers in the squid.conf but this didn't help. I even changed the default domain of the squid host to ads.domain.com but this also didn't resolve the problem.

Does anyone have an idea on that?

Thanks

---
Falko Zurell
Head of Application Management
I-D Media AG
[squid-users] redirect
Hi there

I am trying to redirect clients to a webpage of my choice when they first connect to my proxy. I.e. instead of opening their own homepage when they open Internet Explorer, my homepage should come up regardless of the setting in their internet options homepage.

Can this be done in squid?

Peter