Re: [squid-users] Group ACLs
Luís Fernando C. Talora wrote:

Hum, I see now... And how would the acl line to group those ACLs into one be like?

Hello Fernando,

You can try with the following acl:

acl usr_sites dstdomain site1 site2 site3 ...

(or)

acl usr_sites dstdomain "/path/to/sitesfile"

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Does squid admits ubiquity?
[EMAIL PROTECTED] wrote:

Hello, i use squid with ncsa_auth to identify my users, but i have a problem with the accounts; how to prevent users to connect themselves on different machines with the same account at the same time? I don't know if i was clear. I've tried to use at the same time the same accounts on different machine and it was possible. I need to prevent it, because postal police couldn't believe in ubiquity..

Hello Davide,

You can try with acl aclname max_user_ip [-s] number directive in squid.conf.

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com
Re: [squid-users] Does squid admits ubiquity?
On Wed, 28-06-2006 at 16:29 +0530, Visolve Squid wrote:

[EMAIL PROTECTED] wrote:

Hello, i use squid with ncsa_auth to identify my users, but i have a problem with the accounts; how to prevent users to connect themselves on different machines with the same account at the same time? I don't know if i was clear. I've tried to use at the same time the same accounts on different machine and it was possible. I need to prevent it, because postal police couldn't believe in ubiquity..

Hello Davide,

You can try with acl aclname max_user_ip [-s] number directive in squid.conf.

I tried but nothing seems to be changed... May it depends on the position of acl in the acl section? Or maybe on the position of the relative http_access string? Thanks, i'll try again... i'm posting my acl and http_access sections, anyway..

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl onlyonce max_user_ip 1
acl no_exe urlpath_regex \.[eE][xX][eE]
acl gator browser Gator/5.0
acl baobaristi src 127.0.0.1
acl password proxy_auth REQUIRED

http_access deny onlyonce
http_access deny no_exe
http_access allow password
http_access allow baobaristi
http_access deny gator
Re: [squid-users] Squid Server with Yahoo Messenger
it won't work until you add NATing for these ports (if your clients are on private ips) or use proxy setting in yahoo
msn messenger can read I.E's proxy setting but yahoo messenger won't be

On 6/28/06, Foo Kok Chian Kelvin NCS [EMAIL PROTECTED] wrote:

Hi, I have install squid server with NTLM windows authentication. The proxy server is working and I am able to use MSN messenging. However I am unable to use yahoo messenger. I have added the following but it is still not working.

acl Safe_ports port 5000-5010 # Yahoo Messenger
acl Safe_ports port 5050 # Yahoo Messenger
acl Safe_ports port 1863 # MSN Messenger

Can anyone pls advise? Thanks.

Rgds, Kelvin

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan
Re: [squid-users] squid e skype
squid is http proxy and skype won't run under http protocol
try blocking it through firewall

On 6/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Does somebody know a way to block skype via squid? There's some tutorials about that?

Thanks
Davide

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan
[squid-users] TCP_MISS/000 error message
Hi

I connected to site https://xxx.com; after I put username and password but it doesn't work (user password are correct because if I tried to connect without squid everything is Ok). In access.log the following messages appears:

1151413575.687 1596 10.239.57.34 TCP_MISS/000 16284 CONNECT xxx.com:443 - DEFAULT_PARENT/parent.it -
1151413592.744 20121 10.239.57.34 TCP_MISS/000 71521 CONNECT xxx.com:443 - DEFAULT_PARENT/parent.it -
1151413593.137 17437 10.239.57.34 TCP_MISS/000 6256 CONNECT xxx.com:443 - DEFAULT_PARENT/parent.it -
Re: [squid-users] Does squid admits ubiquity?
On Wed, 28-06-2006 at 14:39 +0200, davide wrote:

On Wed, 28-06-2006 at 16:29 +0530, Visolve Squid wrote:

[EMAIL PROTECTED] wrote:

Hello, i use squid with ncsa_auth to identify my users, but i have a problem with the accounts; how to prevent users to connect themselves on different machines with the same account at the same time? I don't know if i was clear. I've tried to use at the same time the same accounts on different machine and it was possible. I need to prevent it, because postal police couldn't believe in ubiquity..

Hello Davide,

You can try with acl aclname max_user_ip [-s] number directive in squid.conf.

I tried but nothing seems to be changed... May it depends on the position of acl in the acl section? Or maybe on the position of the relative http_access string? Thanks, i'll try again... i'm posting my acl and http_access sections, anyway..

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl onlyonce max_user_ip 1
acl no_exe urlpath_regex \.[eE][xX][eE]
acl gator browser Gator/5.0
acl baobaristi src 127.0.0.1
acl password proxy_auth REQUIRED

http_access deny onlyonce
http_access deny no_exe
http_access allow password
http_access allow baobaristi
http_access deny gator

Wow, i found something... I had the authenticate_ip_ttl set to 0 and it would mean that squid couldn't remember user's ip. So i changed it, setting it to 30 minutes, and something happened; initially squid refuses request from the same user on different machine but if i try again it keeps connecting without problems.. Why? maybe something related to the .auth_param basic children 5. string?

Thanks, by Davide
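A log-side check for the account-sharing problem discussed in this thread, as an added example that is not part of the original posts and not Squid's own code: it reads access.log lines in Squid's native format (the layout of the log lines quoted elsewhere on this page) and reports each time an authenticated user becomes active from more than max_ips client addresses within a window. The names parse_line and shared_accounts are hypothetical, the 1800-second default only mirrors the 30-minute authenticate_ip_ttl mentioned above, and the sample log lines are constructed.

```python
"""Flag proxy accounts used from several client IPs within a time window."""
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    ts: float      # UNIX timestamp of the request
    client: str    # client IP address
    status: str    # e.g. TCP_MISS/200
    user: str      # authenticated user name, "-" if none


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of Squid's native access.log format.

    Fields: time elapsed client code/status bytes method URL user peer type
    Returns None for lines that do not fit that layout.
    """
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return Entry(ts, parts[2], parts[3], parts[7])


def shared_accounts(lines, max_ips: int = 1,
                    ttl: float = 1800.0) -> List[Tuple[float, str, List[str]]]:
    """Return (timestamp, user, ips) each time a user shows up from a new
    address while already active from max_ips or more other addresses.

    An address counts as active for ttl seconds after its last request.
    Lines are assumed to be in chronological order, as Squid writes them.
    """
    last_seen = defaultdict(dict)          # user -> {ip: last timestamp}
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.user == "-":
            continue                       # malformed or unauthenticated
        seen = last_seen[entry.user]
        # Forget addresses that have been idle for longer than the window.
        for ip in [ip for ip, t in seen.items() if entry.ts - t > ttl]:
            del seen[ip]
        is_new = entry.client not in seen
        seen[entry.client] = entry.ts
        if is_new and len(seen) > max_ips:
            alerts.append((entry.ts, entry.user, sorted(seen)))
    return alerts


# Constructed sample data (not taken from any real log).
SAMPLE_LOG = """
1151500000.000 120 10.0.0.11 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1151500060.000 95 10.0.0.12 TCP_MISS/200 2048 GET http://example.com/a bob DIRECT/192.0.2.10 text/html
1151500300.000 80 10.0.0.27 TCP_MISS/200 1024 GET http://example.org/ alice DIRECT/192.0.2.20 text/html
1151500400.000 15 10.0.0.99 TCP_DENIED/407 1700 GET http://example.org/ - NONE/- text/html
1151503000.000 60 10.0.0.12 TCP_MISS/200 900 GET http://example.com/b bob DIRECT/192.0.2.10 text/html
1151505000.000 70 10.0.0.40 TCP_MISS/200 700 GET http://example.net/ bob DIRECT/192.0.2.30 text/html
""".strip().splitlines()

if __name__ == "__main__":
    for ts, user, ips in shared_accounts(SAMPLE_LOG):
        print(f"{ts:.3f} {user} active from {', '.join(ips)}")
```

With the default window only alice is reported; bob's second address appears 2000 seconds after his last request from the first one, so it is reported only when ttl is raised above that gap.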
[squid-users] OWA reverse proxy with 2.6RC2
Hello list,

(sent on behalf of B Constant)

I'm currently trying to reverse proxy an OWA from Exchange 2003 with the CVS snapshot 20060628 without success. The idea is to perform SSL offloading on the squid for traffic coming from Internet and send back the traffic to the Exchange front-end. It's basically: client --HTTPS-- Squid --HTTP-- Exchange FE.

Here are some details on my environment.

Squid version and compile options:

./squid -v
Squid Cache: Version 2.6.RC2-20060628
configure options: '--prefix=/usr/local/squid' '--with-pthreads' '--enable-ssl' '--enable-useragent-log' '--enable-referer-log' '--enable-ident-lookups' '--enable-cachemgr-hostname=localhost' '--disable-dependency-tracking' '--enable-truncate' '--enable-underscores'

/etc/hosts file on my Linux box:

10.2.1.5 exchange-fe.local.mysite exchange-frontend
10.2.1.5 exchange-fe.local.mysite.

exchange-fe.local.mysite is resolvable from squid box.

Squid configuration file:

https_port 10.1.1.2:443 defaultsite=exchange.mysite \
    cert=/usr/local/squid/etc/exchange.mysite.crt \
    key=/usr/local/squid/etc/exchange.mysite.key protocol=http
cache_peer exchange-fe.local.mysite parent 80 0 front-end-https=on \
    originserver proxy-only connection-auth=off
cache_peer_access exchange-fe.local.mysite allow all
http_access allow all

The shell command './squid -k parse' doesn't report any error or misconfiguration.

Now the problem is that I'm unable to authenticate to the Exchange Front-end, I always get a 401 till the completely authentication failed. The exchange front-end is configured with anonymous access and basic authentication and I can see the request in the logs of the web server.
If I sniff the session on the server running squid and using tethereal, I can see the following traffic:

Traffic from client to Squid server:

/usr/sbin/tethereal host 10.1.1.2 and port 80 -d tcp.port==80,http
Capturing on eth0
0.00 10.1.1.1 - 10.1.1.2 TCP 3178 http [SYN] Seq=0 Len=0 MSS=1460
0.001328 10.1.1.2 - 10.1.1.1 TCP http 3178 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.000310 10.1.1.1 - 10.1.1.2 TCP 3178 http [ACK] Seq=1 Ack=1 Win=65535 Len=0
0.001366 10.1.1.1 - 10.1.1.2 HTTP GET /exchange HTTP/1.1
0.001407 10.1.1.2 - 10.1.1.1 TCP http 3178 [ACK] Seq=1 Ack=428 Win=6432 Len=0
0.001827 10.1.1.2 - 57.230.248.96 TCP 32849 http [SYN] Seq=0 Len=0 MSS=1460 TSV=175445106 TSER=0 WS=2
0.003363 57.230.248.96 - 10.1.1.2 TCP http 32849 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
0.003397 10.1.1.2 - 57.230.248.96 TCP 32849 http [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=175445108 TSER=0
0.003604 10.1.1.2 - 57.230.248.96 HTTP GET /exchange HTTP/1.0
0.009619 57.230.248.96 - 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
0.009640 10.1.1.2 - 57.230.248.96 TCP 32849 http [ACK] Seq=544 Ack=330 Win=6912 Len=0 TSV=175445114 TSER=77610845
0.009963 10.1.1.2 - 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
0.010196 10.1.1.2 - 10.1.1.1 TCP http 3178 [FIN, ACK] Seq=447 Ack=428 Win=6432 Len=0
0.010575 10.1.1.1 - 10.1.1.2 TCP 3178 http [ACK] Seq=428 Ack=448 Win=65089 Len=0
0.010614 10.1.1.1 - 10.1.1.2 TCP 3178 http [FIN, ACK] Seq=428 Ack=448 Win=65089 Len=0
0.010630 10.1.1.2 - 10.1.1.1 TCP http 3178 [ACK] Seq=448 Ack=429 Win=6432 Len=0
5.358676 10.1.1.1 - 10.1.1.2 TCP 3179 http [SYN] Seq=0 Len=0 MSS=1460
5.358708 10.1.1.2 - 10.1.1.1 TCP http 3179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
5.359039 10.1.1.1 - 10.1.1.2 TCP 3179 http [ACK] Seq=1 Ack=1 Win=65535 Len=0
5.359214 10.1.1.1 - 10.1.1.2 HTTP GET /exchange HTTP/1.1
5.359235 10.1.1.2 - 10.1.1.1 TCP http 3179 [ACK] Seq=1 Ack=479 Win=6432 Len=0
5.359543 10.1.1.2 - 57.230.248.96 HTTP GET /exchange HTTP/1.0
5.361375 57.230.248.96 - 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
5.361393 10.1.1.2 - 57.230.248.96 TCP 32849 http [ACK] Seq=1087 Ack=659 Win=7984 Len=0 TSV=175450466 TSER=77610899
5.361721 10.1.1.2 - 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
5.361984 10.1.1.2 - 10.1.1.1 TCP http 3179 [FIN, ACK] Seq=447 Ack=479 Win=6432 Len=0
5.362381 10.1.1.1 - 10.1.1.2 TCP 3179 http [ACK] Seq=479 Ack=448 Win=65089 Len=0
10.189259 10.1.1.1 - 10.1.1.2 HTTP GET /exchange HTTP/1.1
10.189289 10.1.1.2 - 10.1.1.1 TCP http 3179 [RST] Seq=448 Len=0
10.189837 10.1.1.1 - 10.1.1.2 TCP 3180 http [SYN] Seq=0 Len=0 MSS=1460
10.189865 10.1.1.2 - 10.1.1.1 TCP http 3180 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
10.190213 10.1.1.1 - 10.1.1.2 TCP 3180 http [ACK] Seq=1 Ack=1 Win=65535 Len=0
10.190890 10.1.1.1 - 10.1.1.2 HTTP GET /exchange HTTP/1.1
10.190917 10.1.1.2 - 10.1.1.1 TCP http 3180 [ACK] Seq=1 Ack=479 Win=6432 Len=0
10.191282 10.1.1.2 - 57.230.248.96 HTTP GET /exchange HTTP/1.0
10.192348 57.230.248.96 - 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
10.192367 10.1.1.2 - 57.230.248.96 TCP 32849 http [ACK] Seq=1630 Ack=988 Win=9056 Len=0 TSV=175455298 TSER=77610947
10.192688 10.1.1.2 - 10.1.1.1 HTTP HTTP/1.0 401
Re: [squid-users] delay access to cached objects
Sirs/ Madams

I wonder how should I tell squid not to cache any thing! I am trying to chain two squid proxies. Both squids are installed on different machines. (I may sound foolish here! pardon me). I am telling one machine (machine 'A') to fetch data from other squid machine (machine 'B'). In machine 'A', I have this line under TAG 'cache_peer'

cache_peer 192.168.x.x sibling 8080 3130 proxy-only

I am not able to get data from cache of machine 'A' by this directive (It is fetching data from internet). Do I have to pass some directive in squid's configuration file on machine 'A' too?

Best Regards

On 26/06/06, Santosh Rani [EMAIL PROTECTED] wrote:

Thanks Mehdi, I shall try the path you have shown. Regards

On 25/06/06, Mehdi Sarmadi [EMAIL PROTECTED] wrote:

I guess, it could be possible running two squids one cache-only and the other delay_pool-only (with caching disabled) chained

On 6/25/06, Santosh Rani [EMAIL PROTECTED] wrote:

Hello, Is it possible? I want that the objects from the cache should not be served instantly. Your help is needed please. Regards

--
Mehdi Sarmadi
[squid-users] Remove/Delete
Re: [squid-users] squid e skype
Kashif Ali Bukhari wrote:

squid is http proxy and skype won't run under http protocol
try blocking it through firewall

yes.

On 6/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Does somebody know a way to block skype via squid? There's some tutorials about that?

Thanks
Davide

Skype versions 0.97 or later can use a HTTPS/SSL proxy. Look in this list for the subject Allowing/Unblocking Skype with Squid

Thanks
Emilio C.
[squid-users] Caching large amounts of images...
We are developing an infrastructure that will serve up images directly from a database. The numbers will vary into the thousands and higher. In front of this process, I would like to place a cache of the most frequently accessed images, to reduce the load on the database server itself. The images are small (under 200k). My question is what is the most effective way to accomplish this (without a commercial cache solution like content distribution). Would Squid be appropriate. There are other approaches such as Apache's mod_cache_disk et al. Looking through the Squid book, there are a lot of tunables... including consideration of the underlying filesystem (the OS is open here, we can use Linux or FreeBSD (preferred)). COSS sounds interesting, but it appears to be dead - or, at least, not ready for production. The web page I found hasn't been updated in a long time and indicated development being on Windows. Any pointers would be appreciated (I'm new to caching), thank you.
[squid-users] Squid use SSL ALWAYS?
I have squid working perfectly as a caching proxy server. If I access my squid proxy server from a network that has some kind of sniffing software, they can see the headers are HTTP headers (even though it is on a weird port) and still identify where you're going and read all the plain text HTML. Is there any way to make it so that when I connect to the squid proxy and authenticate (which I require based on my ACL) that it creates a SSL connection (or something similar) to where all traffic is encrypted even if the destination page is not a https website? I want to hide the plain text.
Re: [squid-users] delay access to cached objects
Santosh Rani wrote:

Sirs/ Madams

I wonder how should I tell squid not to cache any thing! I am trying to chain two squid proxies. Both squids are installed on different machines. (I may sound foolish here! pardon me). I am telling one machine (machine 'A') to fetch data from other squid machine (machine 'B'). In machine 'A', I have this line under TAG 'cache_peer'

cache_peer 192.168.x.x sibling 8080 3130 proxy-only

# Set the relationship to a parent, and don't bother with ICP queries
cache_peer 192.168.x.x parent 8080 3130 proxy-only no-query
# Make sure ALL requests pass through parent
never_direct allow all

I am not able to get data from cache of machine 'A' by this directive (It is fetching data from internet). Do I have to pass some directive in squid's configuration file on machine 'A' too?

Best Regards

Chris
[squid-users] problem sending a POST from a form
Help!

I am having problems sending post data through a webform through squid. If I turn off the proxy and go direct it works. I see the post in the squid access logs,

1151512753.833 3114 10.10.121.203 TCP_MISS/502 1540 POST http://zip4.usps.com/zip4/zcl_1_results.jsp mmendelsohn DIRECT/56.0.134.62 text/html

However when I isolate the packet in tcpdump, the connecting server sends me a RESET packet.

12:34:53.729409 IP zip4.usps.com.http FTWPSINFPXY01out.41975: S 2519078180:2519078180(0) ack 97214157 win 8190 mss 1380
12:34:53.729430 IP FTWPSINFPXY01out.41975 zip4.usps.com.http: . ack 1 win 5840
12:34:53.729831 IP FTWPSINFPXY01out.41975 zip4.usps.com.http: P 1:549(548) ack 1 win 5840
12:34:53.729937 IP FTWPSINFPXY01out.41975 zip4.usps.com.http: P 549:618(69) ack 1 win 5840
12:34:56.727686 IP FTWPSINFPXY01out.41975 zip4.usps.com.http: P 1:618(617) ack 1 win 5840
12:34:56.729163 IP zip4.usps.com.http FTWPSINFPXY01out.41975: R 1:1(0) ack 1 win 5840

All I get is the page

The requested URL could not be retrieved

While trying to retrieve the URL: http://zip4.usps.com/zip4/zcl_2_results.jsp

The following error was encountered:

* Read Error

The system returned: (104) Connection reset by peer

An error condition occurred while reading data from the network. Please retry your request.

Your cache administrator

Can someone please help?

Thanks,
Michael
Re: [squid-users] Caching large amounts of images...
Forrest Aldrich wrote:

We are developing an infrastructure that will serve up images directly from a database. The numbers will vary into the thousands and higher. In front of this process, I would like to place a cache of the most frequently accessed images, to reduce the load on the database server itself. The images are small (under 200k). My question is what is the most effective way to accomplish this (without a commercial cache solution like content distribution). Would Squid be appropriate. There are other approaches such as Apache's mod_cache_disk et al.

Squid would be appropriate. If your need is not too urgent, I would suggest deploying your test on Squid2.6 (which is still in the Release Candidate stage), as it apparently has improvements to the reverse proxy setup. Apache's mod_proxy or mod_cache_disk would certainly be another option. I'm not familiar enough with them to provide an opinion on which would be better.

Looking through the Squid book, there are a lot of tunables... including consideration of the underlying filesystem (the OS is open here, we can use Linux or FreeBSD (preferred)).

While the page at http://www.squid-cache.org/Doc/Users-Guide/opt/performance.html is old, the bullet points are still valid. The question of underlying file system is posed on occasion to the list. I've been subscribed to the list for close to two years now, and I have yet to see any compelling evidence of one over the other. Use what you are familiar with. Tune it to the best of your ability (at the very least follow the advice in the bullets from the above link). Squid is actively supported on (at least) Linux, FreeBSD and Windows. Pick your platform and go to town.

COSS sounds interesting, but it appears to be dead - or, at least, not ready for production. The web page I found hasn't been updated in a long time and indicated development being on Windows.

There has been some recent activity on COSS (check the mailing list archive), but it's not ready for production.

Any pointers would be appreciated (I'm new to caching), thank you.

In no particular order:

* Stay away from regex ACLs.
* Throw as much RAM as you can afford in to the caching servers.
* Use lots of disks.
* Don't RAID your cache disks.
* Stay away from the ufs store type (aufs seems to be the more stable than diskd, diskd might be a bit quicker).
* Keep your cache_mem setting fairly low (it's only used for objects fetched from the network), let your system's disk caching work to your advantage.

Chris
Re: [squid-users] Squid use SSL ALWAYS?
Aaron Gray wrote:

I have squid working perfectly as a caching proxy server. If I access my squid proxy server from a network that has some kind of sniffing software, they can see the headers are HTTP headers (even though it is on a weird port) and still identify where you're going and read all the plain text HTML. Is there any way to make it so that when I connect to the squid proxy and authenticate (which I require based on my ACL) that it creates a SSL connection (or something similar) to where all traffic is encrypted even if the destination page is not a https website? I want to hide the plain text.

You can certainly encrypt the traffic between the client and Squid (look into stunnel, http://www.stunnel.org/), but encrypting between Squid and a non-SSL (HTTPS) server is not possible. If you just want to encrypt the authentication, look into using digest.

Chris
Re: [squid-users] Squid use SSL ALWAYS?
It sounds like based on what you said, I should look into stunnel. My basic reason behind this is that some places I go, they are still able to sniff the traffic and determine what it is I am doing. My Squid proxy server is in a co-lo so I am not concerned about the squid server to the website, only squid to my desktop client traffic. I want all that to appear as jibberish encrypted gabbledygook (that's a technical term!) :P

thanks

On 6/28/06, Chris Robertson [EMAIL PROTECTED] wrote:

Aaron Gray wrote:

I have squid working perfectly as a caching proxy server. If I access my squid proxy server from a network that has some kind of sniffing software, they can see the headers are HTTP headers (even though it is on a weird port) and still identify where you're going and read all the plain text HTML. Is there any way to make it so that when I connect to the squid proxy and authenticate (which I require based on my ACL) that it creates a SSL connection (or something similar) to where all traffic is encrypted even if the destination page is not a https website? I want to hide the plain text.

You can certainly encrypt the traffic between the client and Squid (look into stunnel, http://www.stunnel.org/), but encrypting between Squid and a non-SSL (HTTPS) server is not possible. If you just want to encrypt the authentication, look into using digest.

Chris
Re: [squid-users] squid e skype
OH thanks for updating me :P

On 6/28/06, Emilio Casbas [EMAIL PROTECTED] wrote:

Kashif Ali Bukhari wrote:

squid is http proxy and skype won't run under http protocol
try blocking it through firewall

yes.

On 6/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Does somebody know a way to block skype via squid? There's some tutorials about that?

Thanks
Davide

Skype versions 0.97 or later can use a HTTPS/SSL proxy. Look in this list for the subject Allowing/Unblocking Skype with Squid

Thanks
Emilio C.

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan
Re: [squid-users] Squid use SSL ALWAYS?
Aaron Gray wrote:

It sounds like based on what you said, I should look into stunnel. My basic reason behind this is that some places I go, they are still able to sniff the traffic and determine what it is I am doing. My Squid proxy server is in a co-lo so I am not concerned about the squid server to the website, only squid to my desktop client traffic. I want all that to appear as jibberish encrypted gabbledygook (that's a technical term!) :P

You could have Squid listen on port 443, using https, and have clients connect with https, right? Squid can still use http to talk to your servers, too. It would also be simple to have a webserver redirecting http requests to https (Google redirect http to https), so clients wouldn't have to change their browsing habits. This is exactly what I am in the process of setting up for myself. The relevant settings are:

https_port x.x.x.x:443 cert=certfile key=keyfile
...
httpd_accel_port 80

Note that this requires a version of Squid that supports https connections.

I mention this because, from personal experience, I would recommend against using stunnel for web traffic. In our setup it was extremely slow, with lots of broken images per page.

-Bryan
[squid-users] filterset.g and squid
I am not an expert on the regular expression syntax used by squid, but I was wondering if the syntax as used in filterset.g (a filterset for the Adblock extension to Firefox) is 'compatible' with the syntax as used by squid. If this is the case this is a beautiful set of filters (regular expressions and hosts) that blocks most of the ads out there. Regards, E.S. Rosenberg
Re: [squid-users] Squid use SSL ALWAYS?
On Wed, Jun 28, 2006 at 11:07:01AM -0700, Aaron Gray wrote:

I have squid working perfectly as a caching proxy server. If I access my squid proxy server from a network that has some kind of sniffing software, they can see the headers are HTTP headers (even though it is on a weird port) and still identify where you're going and read all the plain text HTML. Is there any way to make it so that when I connect to the squid proxy and authenticate (which I require based on my ACL) that it creates a SSL connection (or something similar) to where all traffic is encrypted even if the destination page is not a https website? I want to hide the plain text.

As others have suggested, you can use an SSL tunnel for this application. You could also use SSH's port forwarding facilities.

However, note that this will not prevent an attacker with access to the network from discovering that you are using HTTP -- the pattern and timing of requests sent and replies received is likely to be quite characteristic of the protocol. This sort of traffic analysis will not reveal which web pages you are viewing (unless your client leaks that information in other ways, for instance by doing DNS queries for them) but it will reveal that you're using HTTP, or another similar protocol.

--
``My teacher's face when he worked out what I was doing was a picture. A picture of howling existential despair. So no change there, then.'' (Dominic Fox, on abbreviations)
[squid-users] LDAP
I hope you can help. What I am wanting to do is have squid take the ip address of the client and look it up on Novell's LDAP to find out what user name that is and drop it in the log. I need this to be completely invisible to the user, no log in. Thanks for your help.
RE: [squid-users] Squid Server with Yahoo Messenger
Hi,

Thanks for the reply. The yahoo messenger works if I removed proxy authentication but that is not the case that I wanted. There is no user logon and password dialogue box on the yahoo messenger. Does it means that the yahoo messenger cannot be supported by squid NTLM proxy authentication? Pls advise. Thanks.

Best Regards,
Kelvin

-Original Message-
From: Kashif Ali Bukhari [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 28, 2006 8:34 PM
To: Foo Kok Chian Kelvin NCS
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Server with Yahoo Messenger

it won't work until you add NATing for these ports (if your clients are on private ips) or use proxy setting in yahoo
msn messenger can read I.E's proxy setting but yahoo messenger won't be

On 6/28/06, Foo Kok Chian Kelvin NCS [EMAIL PROTECTED] wrote:

Hi, I have install squid server with NTLM windows authentication. The proxy server is working and I am able to use MSN messenging. However I am unable to use yahoo messenger. I have added the following but it is still not working.

acl Safe_ports port 5000-5010 # Yahoo Messenger
acl Safe_ports port 5050 # Yahoo Messenger
acl Safe_ports port 1863 # MSN Messenger

Can anyone pls advise? Thanks.

Rgds, Kelvin

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan
RE: [squid-users] Squid Server with Yahoo Messenger
in internet explorer options - advanced TAB - check use http 1.1 through proxy connections
then put proxy settings in yahoo messenger.

Quoting Foo Kok Chian Kelvin NCS [EMAIL PROTECTED]:

Hi,

Thanks for the reply. The yahoo messenger works if I removed proxy authentication but that is not the case that I wanted. There is no user logon and password dialogue box on the yahoo messenger. Does it means that the yahoo messenger cannot be supported by squid NTLM proxy authentication? Pls advise. Thanks.

Best Regards,
Kelvin

-Original Message-
From: Kashif Ali Bukhari [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 28, 2006 8:34 PM
To: Foo Kok Chian Kelvin NCS
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Server with Yahoo Messenger

it won't work until you add NATing for these ports (if your clients are on private ips) or use proxy setting in yahoo
msn messenger can read I.E's proxy setting but yahoo messenger won't be

On 6/28/06, Foo Kok Chian Kelvin NCS [EMAIL PROTECTED] wrote:

Hi, I have install squid server with NTLM windows authentication. The proxy server is working and I am able to use MSN messenging. However I am unable to use yahoo messenger. I have added the following but it is still not working.

acl Safe_ports port 5000-5010 # Yahoo Messenger
acl Safe_ports port 5050 # Yahoo Messenger
acl Safe_ports port 1863 # MSN Messenger

Can anyone pls advise? Thanks.

Rgds, Kelvin

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan

This message was sent using IMP, the Internet Messaging Program.