[squid-users] (110) Connection timed out, but Privoxy can?
On my Gentoo box are a chrooted Squid-2.5.STABLE14 and a Privoxy. I can use both to browse with almost no problem. If I perform a search at "http://www.linuxquestions.org/questions/search.php" using Squid, the error returned is "(110) Connection timed out". The Privoxy on the same box, and an IPCop Squid on a different box, perform the search without fault. After clicking on "Search" at linuxquestions nothing is logged in /var/log/squid. I cannot see how the problem is not Squid. Nor can I see how Squid is the problem. Yes, I have good eyesight, and I'll let you be the judge of the thing between my ears.

The squid.conf that achieves the error is as follows:

    shutdown_lifetime 5 seconds
    chroot /chroot/squid/
    cache_mem 50 MB
    visible_hostname my-proliant
    cache_dir ufs /var/cache/squid/ 100 16 256
    cache_peer miss-whoops.fogwatch.com.au parent 800 0 default no-query
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_effective_user squid
    cache_effective_group squid
    maximum_object_size 102400 KB
    log_mime_hdrs off
    forwarded_for off
    acl my_network src 192.168.1.0/24
    acl all src 0.0.0.0/0.0.0.0
    http_access allow my_network
    http_access deny all
    request_body_max_size 0 KB
    reply_body_max_size 0 allow all

Any help that you are able to allocate to this problem will be much appreciated. Thank you.

Regards
Fog_Watch.
Re: [squid-users] squid with ntlm + AD, without samba?
On Wed 2006-09-13 at 14:25 +0200, Angel Mieres wrote:
> I have been reading some docs about NTLM auth against AD servers but
> all of them are based on Squid 2.5 version. With it, it seems you
> require NTLM auth plugin plus a set of external apps like samba,
> winbind, kerberos, etc

Squid needs an external ntlm auth helper yes, and depending on which helper you use additional services like Samba winbind may be needed.

> The point is, with latest 2.6 releases it seems Squid has some native
> support for NTLM auth, but as I can't find any docs besides the release
> notes. My question is, with Squid 2.6 do I need those external apps or
> is the included NTLM auth now enough?

No, it's the same as in 2.5. Squid is cooperating with Samba for the integration with Windows domains (both NT and AD). There is no reason why we should duplicate their work.

Regards
Henrik
[squid-users] blocking external users on a bridge when firewall is disabled
Hi,

I have currently been running squid for a while now and it works fantastically. One problem: when I disable my firewall I notice that squid goes overtime on caching and external users start using it. Is there a way to make squid only accept connections from my internal interface? I am running two nics in bridge mode.

    Internet --- squidbox (eth0 / eth1) --- router --- local lan

Oh, and the squidbox is only live because I need it there temporarily for remote access.

Kind Regards
William
[squid-users] running Squid on DELL P4/512MB/40GB(IDE).
I am currently setting up a small students lab of about 100 PCs. I am planning on using a BSD 5.5REL running on a Dell machine with this spec: P4/512MB/40GB(IDE). I also need to point to the main campus Webserver as parent.

Anybody out there with similar setup or simply knowledge to share with me on the basics in regard to:

1) Configuring and recompiling the Kernel based on the Dell hardware above
2) Configuring and recompiling SQUID for this number of users.

Your help is much appreciated!

Joe
[squid-users] Is LDAP better than NTLM?
Currently I am using NTLM Authentication (with winbindd) to authenticate users accessing the internet. This works pretty well after the initial setup, however there are nuances like once the DC is restarted or loses connectivity you need to restart the squid server (or winbindd) to get up and running again.

My question is whether LDAP is a better option? Will using LDAP require a user to login to access the internet? The thing I like about NTLM is it using the currently logged on credentials so the users don't need to login. I assume that by using LDAP I won't need to reboot the squid server if the connection to the DC is temporarily lost? It would also be nice to restrict users based on their AD group which I will be able to do with LDAP.

Any opinions are appreciated, as well as any guides people may have.
Re: [squid-users] squid with ntlm + AD, without samba?
> Would you be willing to describe your setup so it can be used as an
> example configuration in the Squid wiki?

OK, I will see that I put things together a bit. The problem is that I am not aware what crucial points there could be to avoid any problems. What are the instabilities connected to the ntlm helpers?

> Let me know if you're interested in using the standalone ntlm helper
> with squid-2.6 and squid-3.

Well, as long as it is there and works we will use it, if not we will switch. I will have to look into 2.6 anyway, no chance yet. If I upgrade, I can try something out and report.

Jakob Curdes
Re: [squid-users] squid with ntlm + AD, without samba?
On Wed, Sep 13, 2006, Jakob Curdes wrote:
> But that unreliable tool works for me with 150+ users for years. Never
> had any probs. I know it's different sometimes, but occasionally even
> IT people have luck!

Would you be willing to describe your setup so it can be used as an example configuration in the Squid wiki?

There's apparently a bit of interest in the Squid stand-alone ntlm authentication module over using the ntlm helper with Samba. Let me know if you're interested in using the standalone ntlm helper with squid-2.6 and squid-3.

Adrian
Re: [squid-users] Authentication failure with dotnet 2.0 app
Squid-2.5 doesn't support the stuff required to properly proxy NTLM authentication.

Here's the problem. NTLM is a three-stage process - the first stage is the "fail, auth required, please speak-y NTLM if you can." The client spits back some initial details. The second stage is the "fail, auth required, here's your challenge." The third stage is the successful bit but only stays successful for that particular server connection.

Squid before squid-2.6 didn't "glue" server connections to client connections if NTLM authentication occurred. This meant that the client may get a different server connection for each leg of the request (as the server has to support persistent connections to even participate in NTLM) and thus never quite manages to hold open an NTLM authenticated session.

Squid-2.6 fixes this. Please try upgrading to the latest Squid-2.6 and let us know whether this fixes the problem or not.

Adrian

On Wed, Sep 13, 2006, Michael Davidson wrote:
> Hi,
> Has anyone had problems with Windows apps, using dotnet 2.0,
> authenticating against a Squid proxy?
>
> We have a situation where a C# application, using .NET 1.1, which
> relays SMS's via the Internet, has been working successfully for many
> moons. Upon re-compiling this app and running it with .Net 2.0 we find
> that the NTLMSSP authentication fails against our SQUID proxy server.
>
> Ethereal traces show the usual initial situation where the app
> establishes a TCP session with the proxy and then sends a HTTP POST, the
> proxy responds with authentication required using NTLM and that TCP
> session is closed. The application initiates another session and in the
> HTTP POST, now includes the NTLM type 1 message. The proxy responds with
> the "challenge" however the app does not respond to this and stops with
> a 407 error.
>
> I'm more than ready to believe that this isn't a SQUID problem and
> indeed have logged a ticket with Microsoft. I was really hoping that
> someone on the list has a ready answer/suggestion for me.
>
> I have tested against a proxy made up of:
>
> System: 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686
> i686 i386 GNU/Linux
>
> Squid Cache: Version 2.5.STABLE12
> configure options: --prefix=/etc/squid --bindir=/usr/bin
> --sbindir=/usr/sbin --libexecdir=/usr/sbin --datadir=/usr/lib/squid
> --sysconfdir=/etc/squid --localstatedir=/var/squid --libdir=/etc/squid
> --mandir=/usr/share/man --enable-cache-digests
> --enable-default-err-language=English --enable-err-languages=English
> --enable-auth=ntlm --enable-ntlm-auth-helpers=SMB
> --with-samba-sources=/root/samba-3.0.23b
>
> squid.conf snippet:
> <
> auth_param ntlm use_ntlm_negotiate on
> auth_param ntlm program /usr/bin/ntlm_auth -d 9 -l /root/ntlm.log
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> >
>
> SAMBA/WinBind: samba-3.0.23b-1.
>
> The authentication backend is a Windows AD.
>
> Regards Mike D.
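The three-leg exchange Adrian describes, and why the fix is to pin the client connection to one server connection, can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the thread, from Squid or from Samba. A `ServerConn` authenticates per connection (as NTLM does), and a `Proxy` either picks a fresh server connection per request (the pre-2.6 behaviour) or pins each client connection to one server connection (the 2.6 behaviour). The message names, pool size and status handling are simplifications for the model.

```python
"""Toy model of NTLM through a proxy, with and without server-connection pinning.

Added example, not code from the squid-users thread or from Squid.  NTLM
authenticates the TCP connection, not the request: once the type-3 message
is accepted on one server connection, only that connection is authenticated.
A proxy that forwards each leg over whichever server connection is free
sends the challenge and the answer to different connections, so the
handshake never completes; a proxy that pins the client connection to one
server connection completes it.
"""
import itertools

# Simplified stand-ins for the NTLM messages carried in Proxy-Authorization.
TYPE1_NEGOTIATE = "NTLM type-1"
TYPE3_AUTHENTICATE = "NTLM type-3"


class ServerConn:
    """One persistent TCP connection from the proxy to the upstream server."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.challenge_issued = False   # type-2 (challenge) sent on this connection
        self.authenticated = False      # type-3 accepted on this connection

    def handle(self, auth_header):
        """Return the HTTP status the server gives this request on this connection."""
        if self.authenticated:
            return 200
        if auth_header == TYPE1_NEGOTIATE:
            self.challenge_issued = True
            return 407           # "fail, auth required, here's your challenge"
        if auth_header == TYPE3_AUTHENTICATE and self.challenge_issued:
            self.authenticated = True
            return 200           # the successful bit, for this connection only
        return 407               # "fail, auth required, speak NTLM if you can"


class Proxy:
    """Forwards client requests over a small pool of persistent server connections."""

    def __init__(self, pin_connections, pool_size=3):
        self.pin_connections = pin_connections
        self._pool = itertools.cycle(ServerConn(i) for i in range(pool_size))
        self._pinned = {}   # client connection id -> ServerConn

    def _pick(self, client_id):
        if self.pin_connections and client_id in self._pinned:
            return self._pinned[client_id]
        conn = next(self._pool)      # round-robin: any free server connection
        if self.pin_connections:
            self._pinned[client_id] = conn
        return conn

    def forward(self, client_id, auth_header=None):
        return self._pick(client_id).handle(auth_header)


def ntlm_handshake(proxy, client_id="client-conn-1"):
    """Drive the three NTLM legs through `proxy`; return the statuses the client sees."""
    legs = [None, TYPE1_NEGOTIATE, TYPE3_AUTHENTICATE]
    return [proxy.forward(client_id, hdr) for hdr in legs]


if __name__ == "__main__":
    print("unpinned:", ntlm_handshake(Proxy(pin_connections=False)))  # [407, 407, 407]
    print("pinned:  ", ntlm_handshake(Proxy(pin_connections=True)))   # [407, 407, 200]
```

With a pool of one server connection the unpinned proxy also "works", which is why the failure shows up only under load or when a client opens several connections; the pinned proxy keeps the authenticated state on one server connection and a later request from the same client connection is served without a new challenge.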
[squid-users] Illegal hostname
Hi, my cache.log file gives:

    2006/09/13 07:50:21| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 07:50:59| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 07:51:44| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 07:53:32| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 08:17:56| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 08:18:56| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 08:19:07| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 09:26:33| sslReadServer: FD 33: read failure: (104) Connection reset by peer
    2006/09/13 09:26:34| sslReadServer: FD 24: read failure: (104) Connection reset by peer
    2006/09/13 09:26:55| sslReadServer: FD 46: read failure: (104) Connection reset by peer
    2006/09/13 09:55:51| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 09:55:54| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
    2006/09/13 09:56:14| urlParse: Illegal hostname '.update.toolbar.yahoo.com'

The web access is very slow :( Do you have an idea?

Thanks,
Aurélien Bras
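A small parser for the cache.log lines quoted above, added here as an illustration and not part of the post or of Squid. It splits the `YYYY/MM/DD HH:MM:SS| source: message` prefix, counts lines per emitting function, collects the hostnames urlParse rejected, and states why each one fails generic DNS hostname syntax (the leading dot gives an empty first label). The hostname check is an approximation of RFC 1123 label rules written for this example, not Squid's urlParse; `SAMPLE_LOG` is constructed from a subset of the lines in the post.

```python
"""Summarise Squid cache.log noise such as repeated 'Illegal hostname' lines.

Added example, not code from the squid-users thread or from Squid.
"""
import re
from collections import Counter

# Constructed from the lines quoted in the post (a subset, same format).
SAMPLE_LOG = """\
2006/09/13 07:50:21| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 07:50:59| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 07:51:44| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 09:26:33| sslReadServer: FD 33: read failure: (104) Connection reset by peer
2006/09/13 09:26:34| sslReadServer: FD 24: read failure: (104) Connection reset by peer
2006/09/13 09:55:51| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 09:55:54| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
"""

# "timestamp| source: message" as Squid 2.x writes cache.log
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| ([A-Za-z]+): (.*)$")
ILLEGAL_RE = re.compile(r"^Illegal hostname '([^']*)'$")
# One DNS label: letters/digits, hyphens only in the middle (RFC 1123 style).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_cache_log(text):
    """Return (timestamp, source, message) tuples for every well-formed line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groups())
    return entries


def summarize(entries):
    """Count lines per emitting function and collect the hostnames urlParse rejected."""
    by_source = Counter(src for _, src, _ in entries)
    rejected = Counter()
    for _, src, msg in entries:
        m = ILLEGAL_RE.match(msg) if src == "urlParse" else None
        if m:
            rejected[m.group(1)] += 1
    return by_source, rejected


def hostname_problem(host):
    """Return why `host` fails generic DNS hostname syntax, or None if it passes."""
    if host.endswith("."):
        host = host[:-1]          # one trailing dot marks an absolute name; allowed
    if not host:
        return "empty hostname"
    for i, label in enumerate(host.split(".")):
        if label == "":
            return ("leading dot" if i == 0 else "empty label") + f" in '{host}'"
        if not LABEL_RE.match(label):
            return f"bad label '{label}' (only letters, digits and inner hyphens allowed)"
    return None


def main():
    by_source, rejected = summarize(parse_cache_log(SAMPLE_LOG))
    for src, n in by_source.most_common():
        print(f"{n:4d}  {src}")
    for host, n in rejected.most_common():
        print(f"{n:4d}  rejected {host!r}: {hostname_problem(host)}")


if __name__ == "__main__":
    main()
```

Run against a real cache.log, the per-source counts separate the hostname noise (a client sending a malformed Host or URL, here a Yahoo toolbar with a leading-dot name) from the sslReadServer resets, which are a different problem and the likelier cause of slow browsing.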
Re: [squid-users] Squid+Cisco w/WCCP ---> multiple tcp ports?
Rightio!

# On squid:

    wccp2_service dynamic 80
    wccp2_service_info 80 protocol=tcp priority=240 ports=80,8000,2080
    tcp_outgoing_address 203.56.15.78
    wccp2_router 192.168.1.1:2048
    http_port 192.168.1.10:3128 transparent vport=80
    http_port 192.168.1.10:8000 transparent vport=8000
    http_port 192.168.1.10:2080 transparent vport=2080
    http_port localhost:3128

(I have a squid box that's intercepting WCCP stuff from a NAT'ted network; and to do it "right" it seems I need to intercept it on the internal interface. Squid then connects out using its other "public" interface.)

# On the router:

    !
    ip wccp 80
    !
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip wccp 80 redirect in
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !

# /root/wccp.sh :

    iptables -F -t nat
    iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
    iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.10:8000
    iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 192.168.1.10:2080

Let me know if that works.

Adrian

On Wed, Sep 13, 2006, Tom Warren wrote:
> I have recently set up a transparent squid cache at the small ISP
> where I work using Fedora Core 4 and squid-2.6.STABLE3. It is
> performing well but I'd like to cache additional traffic such as
> alternate HTTP ports and maybe later even FTP using something like
> FROX.
>
> The problem is after days of searching I've found sparse information
> on Squid's 'wccp2_service dynamic' and 'wccp2_service_info'
> configuration parameters. I've tried something like this:
>
> wccp2_service dynamic 80 password=foo
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
> priority=240 ports=8080,2080,2443
>
> The Cisco router was configured thusly:
>
> ip wccp 80 redirect-list 3 group-list 10 password 7 XYXYXYXY
>
> Then from my workstation (the only host in access-list 3) I visit
> something like:
>
> http://snind.gotdns.com:8080/
>
> The page loads but although the Cisco router sees the cache register
> service ID 80, it never redirects any packets; I always see:
>
> core#sh ip wccp 80
> Global WCCP information:
>     Router information:
>         Router Identifier:               xxx.yyy.zzz.50
>         Protocol Version:                2.0
>
>     Service Identifier: 80
>         Number of Cache Engines:         1
>         Number of routers:               1
>         Total Packets Redirected:        0
>         Redirect access-list:            3
>         Total Packets Denied Redirect:   0
>         Total Packets Unassigned:        0
>         Group access-list:               10
>         Total Messages Denied to Group:  0
>         Total Authentication failures:   0
>
> I've tried several other permutations of the Squid wccp 'info'
> parameter to no avail. I'd like to know the following:
>
> - What is the standard syntax for redirecting multiple ports using
>   'wccp2_service dynamic' and 'wccp2_service_info' configuration
>   parameters.
>
> - Can I operate standard (web-cache) and dynamic services simultaneously?
>
> - After I successfully redirect other ports like 8080, et. al. to
>   squid, will it automagically use the original port number in its
>   request?
>
> Much thanks,
>
> Tom
[squid-users] Authentication failure with dotnet 2.0 app
Hi,

Has anyone had problems with Windows apps, using dotnet 2.0, authenticating against a Squid proxy?

We have a situation where a C# application, using .NET 1.1, which relays SMS's via the Internet, has been working successfully for many moons. Upon re-compiling this app and running it with .Net 2.0 we find that the NTLMSSP authentication fails against our SQUID proxy server.

Ethereal traces show the usual initial situation where the app establishes a TCP session with the proxy and then sends a HTTP POST, the proxy responds with authentication required using NTLM and that TCP session is closed. The application initiates another session and in the HTTP POST, now includes the NTLM type 1 message. The proxy responds with the "challenge" however the app does not respond to this and stops with a 407 error.

I'm more than ready to believe that this isn't a SQUID problem and indeed have logged a ticket with Microsoft. I was really hoping that someone on the list has a ready answer/suggestion for me.

I have tested against a proxy made up of:

    System: 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 i686 i386 GNU/Linux

    Squid Cache: Version 2.5.STABLE12
    configure options: --prefix=/etc/squid --bindir=/usr/bin
    --sbindir=/usr/sbin --libexecdir=/usr/sbin --datadir=/usr/lib/squid
    --sysconfdir=/etc/squid --localstatedir=/var/squid --libdir=/etc/squid
    --mandir=/usr/share/man --enable-cache-digests
    --enable-default-err-language=English --enable-err-languages=English
    --enable-auth=ntlm --enable-ntlm-auth-helpers=SMB
    --with-samba-sources=/root/samba-3.0.23b

squid.conf snippet:

    <
    auth_param ntlm use_ntlm_negotiate on
    auth_param ntlm program /usr/bin/ntlm_auth -d 9 -l /root/ntlm.log --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    >

SAMBA/WinBind: samba-3.0.23b-1.

The authentication backend is a Windows AD.

Regards
Mike D.
Re: [squid-users] squid with ntlm + AD, without samba?
On Tue, 12-09-2006 at 20:30 +0200, Henrik Nordstrom wrote:
> Not in any reliable manner.
>
> But if you are happy with an unreliable manner then the ntlm_auth helper
> shipped with Squid works to some degree. Just needs access to some SMB
> server(s) who are member of the domain.

But that unreliable tool works for me with 150+ users for years. Never had any probs. I know it's different sometimes, but occasionally even IT people have luck!

Jakob Curdes
Re: [squid-users] squid with ntlm + AD, without samba?
Hi Henrik,

> But if you are happy with an unreliable manner then the ntlm_auth helper
> shipped with Squid works to some degree. Just needs access to some SMB
> server(s) who are member of the domain.

Probably my first email was not descriptive enough.

I have been reading some docs about NTLM auth against AD servers but all of them are based on Squid 2.5 version. With it, it seems you require NTLM auth plugin plus a set of external apps like samba, winbind, kerberos, etc.

The point is, with latest 2.6 releases it seems Squid has some native support for NTLM auth, but as I can't find any docs besides the release notes. My question is, with Squid 2.6 do I need those external apps or is the included NTLM auth now enough?

Thanks and regards
--
Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
[squid-users] FATAL: Failed to make swap directory /cache1: (17) File exists
Help, I get the following message while initializing the cache.

    006/09/13 17:30:46| Creating Swap Directories
    FATAL: Failed to make swap directory /cache1: (17) File exists
    Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
    CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
Re: [squid-users] Squid+Cisco w/WCCP ---> multiple tcp ports?
On Wed, Sep 13, 2006, Tom Warren wrote:
> I have recently set up a transparent squid cache at the small ISP
> where I work using Fedora Core 4 and squid-2.6.STABLE3. It is
> performing well but I'd like to cache additional traffic such as
> alternate HTTP ports and maybe later even FTP using something like
> FROX.

Hm, FTP will be a bit nasty - I'm not sure how WCCP will redirect all the traffic for the dynamic data ports..

> - What is the standard syntax for redirecting multiple ports using
>   'wccp2_service dynamic' and 'wccp2_service_info' configuration
>   parameters.

Good question! I'll take a look when I get home tonight.

> - Can I operate standard (web-cache) and dynamic services simultaneously?

I think so. I'll re-read the spec (and the code) tonight.

> - After I successfully redirect other ports like 8080, et. al. to
>   squid, will it automagically use the original port number in its
>   request?

I don't think squid has the smarts to do this; but it's easy to emulate. You'd just redirect multiple traffic ports in iptables (one per rule) to Squid, and have a bunch of http_port lines, eg:

    http_port 3128 ip.ip.ip.ip:3128 transparent vport=80
    http_port 8080 ip.ip.ip.ip:8080 transparent vport=8080
    http_port 8081 ip.ip.ip.ip:8080 transparent vport=8081

.. which I think -should- work, but it's a good question! I'll try it out with my WCCPv2 testing setup at home and let you know.

Adrian
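Both of Adrian's messages in this thread (the working config with `wccp2_service_info ... ports=`, one transparent `http_port` with `vport=` per port, and one DNAT rule on gre0 per port, and the earlier reply sketching the same scheme) rely on three pieces of configuration agreeing on every port. The script below is an added illustration, not code from the thread, from Squid or from iptables: it parses the squid.conf lines and the iptables rules and reports every port where the WCCP list, the DNAT rule and the listener's vport disagree. `GOOD_CONF` and `GOOD_RULES` are built from the lines Adrian posted; `BAD_CONF` is a constructed variant with two deliberate mistakes.

```python
"""Consistency check for a multi-port Squid + WCCPv2 interception setup.

Added example, not code from the squid-users thread, from Squid or from
iptables.  For each port the router redirects (wccp2_service_info ports=),
there must be a DNAT rule on the GRE interface steering that port to a
listener, and that listener must be a transparent http_port whose vport is
the original port, or Squid rebuilds the request with the wrong port.
"""
import re

# Built from the squid.conf lines Adrian posted (addresses are his example's).
GOOD_CONF = """\
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp priority=240 ports=80,8000,2080
wccp2_router 192.168.1.1:2048
http_port 192.168.1.10:3128 transparent vport=80
http_port 192.168.1.10:8000 transparent vport=8000
http_port 192.168.1.10:2080 transparent vport=2080
http_port localhost:3128
"""

# Built from the /root/wccp.sh lines Adrian posted.
GOOD_RULES = """\
iptables -F -t nat
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.10:8000
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 192.168.1.10:2080
"""

# Constructed mistakes: 2443 added to the WCCP list with no DNAT rule, and the
# 2080 listener given the wrong vport.
BAD_CONF = (GOOD_CONF
            .replace("ports=80,8000,2080", "ports=80,8000,2080,2443")
            .replace("2080 transparent vport=2080", "2080 transparent vport=2081"))

WCCP_RE = re.compile(r"^wccp2_service_info\s+\d+\s+(.*)$")
LISTEN_RE = re.compile(r"^http_port\s+(\S+)\s+transparent\b.*\bvport=(\d+)")
DNAT_RE = re.compile(r"-i\s+gre0\b.*--dport\s+(\d+)\s+-j\s+DNAT\s+--to-destination\s+\S+:(\d+)")


def parse_squid(conf):
    """Return (set of WCCP-redirected ports, {listen_port: vport}) from squid.conf text."""
    wccp_ports, listeners = set(), {}
    for line in conf.splitlines():
        line = line.strip()
        m = WCCP_RE.match(line)
        if m:
            for opt in m.group(1).split():
                if opt.startswith("ports="):
                    wccp_ports.update(int(p) for p in opt[len("ports="):].split(","))
        m = LISTEN_RE.match(line)
        if m:
            listen_port = int(m.group(1).rsplit(":", 1)[-1])   # "ip:port" or "port"
            listeners[listen_port] = int(m.group(2))
    return wccp_ports, listeners


def parse_dnat(rules):
    """Return {original_dport: listen_port} from iptables DNAT rules on gre0."""
    return {int(m.group(1)): int(m.group(2))
            for m in (DNAT_RE.search(line) for line in rules.splitlines()) if m}


def check(conf, rules):
    """Return a list of problems; an empty list means all three pieces agree."""
    wccp_ports, listeners = parse_squid(conf)
    dnat = parse_dnat(rules)
    problems = []
    for port in sorted(wccp_ports):
        if port not in dnat:
            problems.append(f"port {port}: WCCP redirects it but there is no DNAT rule on gre0")
            continue
        listen = dnat[port]
        if listen not in listeners:
            problems.append(f"port {port}: DNAT sends it to :{listen} but no transparent http_port listens there")
        elif listeners[listen] != port:
            problems.append(f"port {port}: listener :{listen} has vport={listeners[listen]}, expected vport={port}")
    for port in sorted(set(dnat) - wccp_ports):
        problems.append(f"port {port}: DNAT rule exists but WCCP never redirects it")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        found = check(conf, GOOD_RULES)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  " + p)
```

The check is deliberately strict in both directions: a port in the WCCP list without a DNAT rule reaches the box over GRE and is dropped, and a DNAT rule for a port the router never redirects is dead configuration that hides the first kind of mistake when someone later edits only one of the two files.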
[squid-users] Squid+Cisco w/WCCP ---> multiple tcp ports?
I have recently set up a transparent squid cache at the small ISP where I work using Fedora Core 4 and squid-2.6.STABLE3. It is performing well but I'd like to cache additional traffic such as alternate HTTP ports and maybe later even FTP using something like FROX.

The problem is after days of searching I've found sparse information on Squid's 'wccp2_service dynamic' and 'wccp2_service_info' configuration parameters. I've tried something like this:

    wccp2_service dynamic 80 password=foo
    wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=8080,2080,2443

The Cisco router was configured thusly:

    ip wccp 80 redirect-list 3 group-list 10 password 7 XYXYXYXY

Then from my workstation (the only host in access-list 3) I visit something like:

    http://snind.gotdns.com:8080/

The page loads but although the Cisco router sees the cache register service ID 80, it never redirects any packets; I always see:

    core#sh ip wccp 80
    Global WCCP information:
        Router information:
            Router Identifier:               xxx.yyy.zzz.50
            Protocol Version:                2.0

        Service Identifier: 80
            Number of Cache Engines:         1
            Number of routers:               1
            Total Packets Redirected:        0
            Redirect access-list:            3
            Total Packets Denied Redirect:   0
            Total Packets Unassigned:        0
            Group access-list:               10
            Total Messages Denied to Group:  0
            Total Authentication failures:   0

I've tried several other permutations of the Squid wccp 'info' parameter to no avail. I'd like to know the following:

- What is the standard syntax for redirecting multiple ports using 'wccp2_service dynamic' and 'wccp2_service_info' configuration parameters.

- Can I operate standard (web-cache) and dynamic services simultaneously?

- After I successfully redirect other ports like 8080, et. al. to squid, will it automagically use the original port number in its request?

Much thanks,

Tom
Re: [squid-users] squid with ntlm + AD, without samba?
On Tue, 12-09-2006 at 20:30 +0200, Henrik Nordstrom wrote:
> On Tue 2006-09-12 at 19:13 +0200, Kinkie wrote:
> > On Tue, 2006-09-12 at 17:57 +0200, Angel Mieres wrote:
> > > Hi all,
> > >
> > > Is there any way to set squid with ntlm auth for Active Directory (and
> > > IExplorer clients) without samba?
> >
> > Not in any reliable manner.
>
> But if you are happy with an unreliable manner then the ntlm_auth helper
> shipped with Squid works to some degree. Just needs access to some SMB
> server(s) who are member of the domain.
>
> Regards
> Henrik

A lot of thx Henrik & Kinkie.

Cheers.
Angel M.
--
Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...