[squid-users] Upgrading to Squid 2.6 and NTLM authentication issues
We've recently rolled out Squid 2.6STABLE13, from 2.5STABLE12, and are having an issue with NTLM authentication. Several applications have stopped authenticating correctly since this upgrade. They used to do Basic authentication in the past, but now it appears that they are attempting to do NTLM authentication.

One site, for example, where we're seeing this behaviour is http://www.poems.com.sg/ Accessing this via a Squid 2.5 proxy prompts for Basic authentication, while a Squid 2.6 triggers an NTLM authentication dialog box (which doesn't work).

Both installs are using Samba 3.0.25a (with winbind) to support NTLM authentication against Active Directory. A large percentage of the errant applications seem to be using some version of Java, but we have also had issues raised with applications like Yahoo Messenger.

Our squid.conf's auth configuration:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 6
auth_param basic realm Internet Access (via your Windows Username and Password - without the Domain name)
auth_param basic credentialsttl 2 hours

What should we be looking at to better diagnose this problem?

Thanks,
David.
__
David Gameau
ISTS - Systems Infrastructure
University of South Australia
email: [EMAIL PROTECTED]
phone: +61 8 302 3533
fax: +61 8 302 5800
Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh
[squid-users] always_direct
Hello. I've added an always_direct to my squid config, and run a squid -k reconfigure. It doesn't seem to have taken any effect. Is there anything else I need to do before it will take effect?

Cheers
Jason
http://forum.networkfu.org
[squid-users] error when compiling
Hi, I am recently trying to build Squid proxy with the latest source squid-2.6.STABLE13, on FreeBSD 6.2STABLE built on the amd64 arch, but errors show up when I do the "make" step. These are the error messages:

fs/libcoss.a fs/libdiskd.a fs/libnull.a fs/libufs.a auth/libbasic.a auth/libdigest.a -lcrypt -lregex ../snmplib/libsnmp.a -lmiscutil -lpthread -lm
fs/libcoss.a(store_dir_coss.o)(.text+0xe9d): In function `storeCossDirCheckLoadAv':
coss/store_dir_coss.c:687: undefined reference to `aioQueueSize'
fs/libcoss.a(store_dir_coss.o)(.text+0xeb4):coss/store_dir_coss.c:691: undefined reference to `squidaio_magic1'
fs/libcoss.a(store_dir_coss.o)(.text+0x2031): In function `storeCossDirInit':
coss/store_dir_coss.c:222: undefined reference to `aioInit'
fs/libcoss.a(store_dir_coss.o)(.text+0x2036):coss/store_dir_coss.c:223: undefined reference to `squidaio_init'
fs/libcoss.a(store_dir_coss.o)(.text+0xf95): In function `storeCossDirCallback':
coss/store_dir_coss.c:735: undefined reference to `aioCheckCallbacks'
fs/libcoss.a(store_dir_coss.o)(.text+0x1fc5): In function `storeDirCoss_ReadStripe':
coss/store_dir_coss.c:1227: undefined reference to `aioRead'
fs/libcoss.a(store_io_coss.o)(.text+0x4fc): In function `storeCossSync':
coss/store_io_coss.c:679: undefined reference to `aioSync'
fs/libcoss.a(store_io_coss.o)(.text+0xa64): In function `storeCossMaybeWriteMemBuf':
coss/store_io_coss.c:738: undefined reference to `aioWrite'
fs/libcoss.a(store_io_coss.o)(.text+0x1cfb): In function `storeCossNewPendingRelocate':
coss/store_io_coss.c:1086: undefined reference to `aioRead'
*** Error code 1

Stop in /usr/local/source/squid-2.6.STABLE13/src.
*** Error code 1

Stop in /usr/local/source/squid-2.6.STABLE13/src.
*** Error code 1

Stop in /usr/local/source/squid-2.6.STABLE13/src.
*** Error code 1

Stop in /usr/local/source/squid-2.6.STABLE13.

Could anyone tell me what the problem is?

TIA
ZeN
Re: [squid-users] Problem with Sibling squids
I have squid 2.6.Stable 13 installed on two transparent proxy servers, configured as siblings, working fine with this configuration:

>Proxy1:
>icp_port 3130
>icp_hit_stale off
>cache_peer proxy2 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
>log_icp_queries off
>icp_query_timeout 500
>http_access allow Proxy2
>icp_access allow Proxy2
>visible_hostname Proxy1
>
>Proxy2:
>icp_port 3130
>icp_hit_stale off
>cache_peer proxy1 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
>log_icp_queries off
>icp_query_timeout 500
>http_access allow Proxy1
>icp_access allow Proxy1
>visible_hostname Proxy2
>

Best regards

On 6/5/2007, "Juraj Sakala" <[EMAIL PROTECTED]> wrote:
>> Added that line and didn't help :(.
>>
>> This is what happens:
>>
>> 1) Squids were configured without sibling.
>> 2) Configured sibling on each squid as showed before (4 cache_peer
>> lines per squid, total 5 squids).
>> 3) Reloaded (not restarted) squid. Sibling started working after a
>> while (~20 secs). Stopped working.
>> 4) Changed some settings (disable siblings, reloaded, enabled
>> siblings, reloaded) and no ICP requests were sent.
>> 5) Restarted Squid and sibling started working again for ~20 secs again.
>>
>> So every change I make I have to restart squid :(
>>
>> About if I see SIBLING_HITs on my access.log, yes, for those 20 secs
>> sibling works. I see SIBLING_HITs :(
>
>It is a strange problem. I use ICP without problems. Which version of squid do
>you use?
>Have you checked cache.log?
>
>This is part of my working config, perhaps it will be helpful for you:
>
>Proxy1:
>icp_port 3130
>icp_hit_stale off
>cache_peer proxy2 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
>log_icp_queries off
>icp_query_timeout 500
>http_access allow Proxy2
>icp_access allow Proxy2
>visible_hostname Proxy1
>
>Proxy2:
>icp_port 3130
>icp_hit_stale off
>cache_peer proxy1 sibling 3128 3130 no-netdb-exchange proxy-only no-digest no-delay
>log_icp_queries off
>icp_query_timeout 500
>http_access allow Proxy1
>icp_access allow Proxy1
>visible_hostname Proxy2
>
Re: [squid-users] SSL and Squid
Henrik Nordstrom wrote:
> On Wed 2007-06-06 at 10:26 -0700, Michael Puckett wrote:
>> I have a 2 level squid setup. Several top level parent cache servers which connect to the internet with multiple child servers supporting my internal subnets. Is it possible to configure the top level servers to use SSL over the internet and cache the objects locally while allowing the child servers to operate internally with no SSL requirement?
>
> Yes, but with limitations.
>
> a) If your clients send https:// URLs to Squid using HTTP (not CONNECT) then the Squid closest to the origin server will wrap them up in SSL.

The intention would be that the clients should not even know that the top level was using SSL to the origin servers. The clients would make a regular http:// access. Of course, if the client does use https:// accesses then the CONNECT tunneling through the cache servers would be expected.

> b) For selected sites you can have Squid act as an accelerator, so that even if the client requests http://some.site/ squid will still wrap the request in SSL. See the cache_peer (and cache_peer_access) directive.

What do you mean by "act as an accelerator"? Just the regular proxy caching? If so, this sounds like what I am after.

> c) It's also possible to do 'b' by using a url rewriter/redirector to rewrite the request from http:// to https:// on the fly.

What would be the advantage of using a url rewriter?

Best regards,
-mikep
[squid-users] Re: Problem with Squid 2.6 as reverse proxy
Hi Henrik,

One question: can wildcards be used on cache_peer_access? Because I've 100 domains (www1.example.com, www2.example.com ... www*.example.com) forwarded to one specific origin server and it would be great if I could use www*.example.com in the cache_peer_access rule.

Also that may change and I have to forward from www1 to www50 to another origin server... How should I do that in a few lines and not more than 50?

Thanks!!
Santiago

On 6/6/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Wed 2007-06-06 at 15:38 -0300, Santiago Del Castillo wrote:
>> Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy
>> cache.log:
>>
>> 2007/06/05 18:08:35| Failed to select source for 'http://.com//styles/best.css'
>> 2007/06/05 18:08:35|   always_direct = 0
>> 2007/06/05 18:08:35|    never_direct = 0
>> 2007/06/05 18:08:35|        timedout = 0
>
> You need a cache_peer telling Squid where to forward the requests.
>
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>
> Regards
> Henrik
[squid-users] Squid and hearing internet music
Hi,

We are listening to music through the internet, but always, suddenly, the music goes off and then on. Why?

Best regards
RE: [squid-users] Proxy AND reverse proxy
On Wed 2007-06-06 at 18:30 +0200, bret.jerome wrote:
> I upgrade squid to version 2.6.STABLE13-NT
>
> I do this in my squid.conf :
> http_port 3128 accel defaultsite=SITE
> cache_peer 172.17.0.1 parent 80 0 no-query originserver
>
> No problem for start squid but when I try to access to my site
> I have an Invalid request error...

You run your site on port 3128? Are you sure you don't have another http_port 80 line, missing the defaultsite?

Regards
Henrik
Re: [squid-users] SSL and Squid
On Wed 2007-06-06 at 10:26 -0700, Michael Puckett wrote:
> I have a 2 level squid setup. Several top level parent cache servers
> which connect to the internet with multiple child servers supporting my
> internal subnets. Is it possible to configure the top level servers to
> use SSL over the internet and cache the objects locally while allowing
> the child servers to operate internally with no SSL requirement?

Yes, but with limitations.

a) If your clients send https:// URLs to Squid using HTTP (not CONNECT) then the Squid closest to the origin server will wrap them up in SSL.

b) For selected sites you can have Squid act as an accelerator, so that even if the client requests http://some.site/ squid will still wrap the request in SSL. See the cache_peer (and cache_peer_access) directive.

c) It's also possible to do 'b' by using a url rewriter/redirector to rewrite the request from http:// to https:// on the fly.

Regards
Henrik
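Option (b) written out as an added configuration example for the top-level Squid; this is not from the thread, and the hostname, peer name and CA bundle path are assumptions:

```squid
# Added example (not from the thread): requests for http://secure.example.com/
# reach the origin over SSL while clients keep talking plain HTTP to Squid.
# secure.example.com, the peer name and the CA bundle path are assumptions.

acl ssl_sites dstdomain secure.example.com

# Talk to the origin on 443 with SSL and verify its certificate against the
# CA bundle. Without sslcafile= (or with sslflags=DONT_VERIFY_PEER) the hop
# accepts any certificate, so anyone on the path can present their own and
# read or rewrite the traffic.
cache_peer secure.example.com parent 443 0 no-query no-digest no-netdb-exchange originserver ssl sslcafile=/etc/ssl/certs/ca-bundle.crt name=secure_origin

# Only the selected domain goes to this peer, and it must never be fetched
# directly over plain HTTP if the peer is down.
cache_peer_access secure_origin allow ssl_sites
cache_peer_access secure_origin deny all
never_direct allow ssl_sites
```

What this buys is confidentiality on the internet leg only: the client-to-child and child-to-parent hops, and the copy stored in the parent's cache, are plaintext, and the client has no way to tell that the origin's certificate was checked. That is the trade-off to make explicit before choosing it over letting clients use https:// and CONNECT end to end.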
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
On Wed 2007-06-06 at 18:22 -0300, Santiago Del Castillo wrote:
> But a lot (more than one hundred) vhosts will point to this squid and
> not everyone point to the same server, how do I specify which domain
> goes to which origin? Do I have to set it one by one by hand? :-/

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c073a2271a01dac8f222cff894d358707fd497ec

Regards
Henrik
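An added configuration example for Santiago's case (two origins, about a hundred vhosts split between them); it is not from the thread or the FAQ page, and the addresses, file paths, peer names and ACL names are assumptions. The directives are Squid 2.6 cache_peer with name= and cache_peer_access:

```squid
# Added example (not from the thread): route ~100 vhosts to two origin
# servers. Addresses, paths, peer and ACL names are assumptions.

http_port 80 accel vhost

# One cache_peer per origin. name= gives cache_peer_access something to
# refer to even when several peers share a host or port.
cache_peer 192.0.2.10 parent 80 0 no-query no-digest no-netdb-exchange originserver name=originA
cache_peer 192.0.2.20 parent 80 0 no-query no-digest no-netdb-exchange originserver name=originB

# dstdomain does no glob matching, so "www*.example.com" is not an option,
# but it does read a file with one host per line: the hundred names live in
# two files instead of a hundred lines of squid.conf.
# /etc/squid/sites_originA holds www1..www50.example.com,
# /etc/squid/sites_originB holds www51..www100.example.com.
acl sitesA dstdomain "/etc/squid/sites_originA"
acl sitesB dstdomain "/etc/squid/sites_originB"

# Each vhost may only use its own origin. The deny lines stop a request for
# a sitesA name from being tried against originB (or vice versa).
cache_peer_access originA allow sitesA
cache_peer_access originA deny all
cache_peer_access originB allow sitesB
cache_peer_access originB deny all

# Serve only the names we front and never resolve a Host header ourselves:
# otherwise the accelerator answers for any hostname it is sent and becomes
# an open proxy.
http_access allow sitesA
http_access allow sitesB
http_access deny all
never_direct allow all
```

A dstdomain value with a leading dot (`.example.com`) matches the whole subtree, so when every name under one domain goes to one origin a single entry does; the file form is for the split case above. Moving www51 to the other origin is then a one-line edit to the files followed by `squid -k reconfigure`.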
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
On Wed 2007-06-06 at 15:38 -0300, Santiago Del Castillo wrote:
> Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy
> cache.log:
>
> 2007/06/05 18:08:35| Failed to select source for 'http://.com//styles/best.css'
> 2007/06/05 18:08:35|   always_direct = 0
> 2007/06/05 18:08:35|    never_direct = 0
> 2007/06/05 18:08:35|        timedout = 0

You need a cache_peer telling Squid where to forward the requests.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik
Re: [squid-users] LDAP Passthrough Authentication
On Wed 2007-06-06 at 11:36 -0400, Justin Doles wrote:
> What I'm asking is that instead of the prompt that pops up for a user
> to enter their user name & password I would like to pass the
> credentials from OS.

For that you need to use the NTLM or Negotiate authentication schemes.

> My initial thought is that there's likely not a solution at hand to do
> this. I know with Microsoft's ISA server you can pass credentials,
> but that's due to the fact that it uses IIS in the background.

Squid has this same capability. Best way to configure it is by using Samba to talk to the Windows domain controllers.

http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2

Regards
Henrik
RE: [squid-users] Default ssl config?
On Wed 2007-06-06 at 11:14 -0500, Jason Hitt wrote:
> Thinking maybe I hosed up my squid.conf and want a config that should
> work for reverse proxy using ssl.

https_port public.ip:443 cert=/path/cert.pem defaultsite=your.public.website.name
cache_peer ip.of.webserver parent 443 0 no-query originserver ssl

If the peer is using a self-signed certificate or one issued by a CA not in your default list of trusted CAs then you also need the sslcafile= option or sslflags=DONT_VERIFY_PEER (sslflags not recommended, opens up a man-in-the-middle attack on the encryption). For a self-signed certificate use the server certificate as a CA, for an otherwise untrusted CA use the CA root certificate.

If your Squid has digest or icmp support enabled then you also want the no-digest and no-netdb-exchange options. Will work fine without them, but you might be a little annoyed by automated HTTP requests from Squid..

Regards
Henrik
RE: [squid-users] Cert issue on reserve proxy
On Wed 2007-06-06 at 09:57 -0500, Jason Hitt wrote:
> For clarity on the error I get and what is in my conf here is squid ran
> with the -X.

Try squid -DNYCd3

Regards
Henrik
Re: [squid-users] Squid + WPAD issues
On Tue 2007-06-05 at 11:39 -0400, Terry Dobbs wrote:
> Hi All,
>
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need to
> configure the WPAD.dat file in a way where if you are on subnet A use
> Proxy Server A and if you are on subnet B use proxy server B.

Trivial, and a fairly standard application of PAC files..

http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#myIpAddress
http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#isInNet

Regards
Henrik
Re: [squid-users] Problem with Sibling squids
On Tue 2007-06-05 at 18:18 -0300, Santiago del Castillo wrote:
> Nothing :(
>
> I'm using version 2.5.STABLE14
> I've checked cache.log, nothing appears :(
>
> nothing comes into my mind! I used tethereal to see if the switch or
> some kind of firewall were filtering packets, but it's not the case :(,
> packets stop being sent by squids :(
>
> I'm about to start crying! :(

Before crying I would recommend you try upgrading to a supported Squid version. Current supported version is 2.6.STABLE13. If you see the same problem there then you are very welcome to file a bug report.

Regards
Henrik
Re: [squid-users] [OT] about "Free software only dies when the last copy of the source code is erased"
On Wed 2007-06-06 at 11:45 -0300, Felipe Augusto van de Wiel wrote:
> So, just for the record and to try to help, Lucas tried
> to explain in his blog entry why it is important to know English and
> that sometimes a misunderstanding can occur because of a bad use of
> a certain word.

Well, my response would have been about the same but slightly different wording if he had used abandoned instead of dead.

> AIUI, he doesn't want to offend somebody and/or project
> and that was a misunderstanding resulting from the wrong words in the
> context. ;) And looks like he also agrees that "free software
> only dies when the last copy of source code is erased".

None offended. It's just a friendly discussion.

Regards
Henrik
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
But a lot (more than one hundred) vhosts will point to this squid and not everyone points to the same server; how do I specify which domain goes to which origin? Do I have to set it one by one by hand? :-/

Cheers!
Santiago

On 6/6/07, Guillaume Smet <[EMAIL PROTECTED]> wrote:
> On 6/6/07, Santiago Del Castillo <[EMAIL PROTECTED]> wrote:
>> Because I'm not setting it as sibling right now. First I want to make it
>> work as virtual host reverse proxy. Once working I'll set it as
>> sibling squid.
>
> You have to set a parent cache_peer anyway. Squid 2.6 is a bit different than 2.5 for that. So define a parent cache peer and add sibling when you want it.
>
> For example, I have something like:
> cache_peer X.X.X.X parent 80 0 no-query no-digest no-netdb-exchange no-delay originserver
> which is my Apache server
>
> then I have:
> cache_peer X.X.X.X sibling 8080 3130 no-digest no-netdb-exchange no-delay
> for the sibling reverse proxy.
>
> HTH.
>
> --
> Guillaume
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
On 6/6/07, Santiago Del Castillo <[EMAIL PROTECTED]> wrote:
> Because I'm not setting it as sibling right now. First I want to make it
> work as virtual host reverse proxy. Once working I'll set it as
> sibling squid.

You have to set a parent cache_peer anyway. Squid 2.6 is a bit different than 2.5 for that. So define a parent cache peer and add sibling when you want it.

For example, I have something like:
cache_peer X.X.X.X parent 80 0 no-query no-digest no-netdb-exchange no-delay originserver
which is my Apache server

then I have:
cache_peer X.X.X.X sibling 8080 3130 no-digest no-netdb-exchange no-delay
for the sibling reverse proxy.

HTH.

--
Guillaume
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
Because I'm not setting it as sibling right now. First I want to make it work as virtual host reverse proxy. Once working I'll set it as sibling squid.

Cheers!
Santiago

On 6/6/07, Guillaume Smet <[EMAIL PROTECTED]> wrote:
> On 6/6/07, Santiago Del Castillo <[EMAIL PROTECTED]> wrote:
>> If I set always_direct allow all it works. But the problem is that
>> this squid will be used as sibling :(
>
> It's normal. I don't see any cache_peer in your configuration file.
>
> --
> Guillaume
Re: [squid-users] Problem with Squid 2.6 as reverse proxy
On 6/6/07, Santiago Del Castillo <[EMAIL PROTECTED]> wrote:
> If I set always_direct allow all it works. But the problem is that
> this squid will be used as sibling :(

It's normal. I don't see any cache_peer in your configuration file.

--
Guillaume
[squid-users] Problem with Squid 2.6 as reverse proxy
Hi, I'm having problems configuring Squid 2.6 RELEASE13 as reverse proxy. Here's what I get:

access.log:

1181084915.474      2 xxx.xxx.xxx.xxx TCP_MISS/503 1663 GET http://.com//styles/best.css - NONE/- text/html
1181084915.477      2 xxx.xxx.xxx.xxx TCP_MISS/503 1669 GET http://.com//images/favicon.ico - NONE/- text/html
1181084915.855      3 xxx.xxx.xxx.xxx TCP_MISS/503 1665 GET http://.com//styles/stars.css - NONE/- text/html
1181084916.238      3 xxx.xxx.xxx.xxx TCP_MISS/503 1667 GET http://.com//styles/alerts.css - NONE/- text/html
1181084916.619      3 xxx.xxx.xxx.xxx TCP_MISS/503 1671 GET http://.com//styles/register.css - NONE/- text/html

cache.log:

2007/06/05 18:08:35| Failed to select source for 'http://.com//styles/best.css'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:35| Failed to select source for 'http://.com//images/favicon.ico'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:35| Failed to select source for 'http://.com//styles/stars.css'
2007/06/05 18:08:35|   always_direct = 0
2007/06/05 18:08:35|    never_direct = 0
2007/06/05 18:08:35|        timedout = 0
2007/06/05 18:08:36| Failed to select source for 'http://.com//styles/alerts.css'
2007/06/05 18:08:36|   always_direct = 0
2007/06/05 18:08:36|    never_direct = 0
2007/06/05 18:08:36|        timedout = 0
2007/06/05 18:08:36| Failed to select source for 'http://.com//styles/register.css'
2007/06/05 18:08:36|   always_direct = 0
2007/06/05 18:08:36|    never_direct = 0
2007/06/05 18:08:36|        timedout = 0

Here's my conf:

http_port 80 vhost accel
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 4096 KB
cache_dir aufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
dns_nameservers xxx.xxx.xxx.xxx
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl RP src xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl CONNECT method CONNECT
acl AllowedSites dstdomain "/etc/squid/allowed_sites"
acl DeniedSites url_regex "/etc/squid/denied_sites"
http_access allow AllowedSites !DeniedSites
http_access allow RP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
http_reply_access allow all
icp_access allow all
miss_access allow all
cache_effective_user squid
cache_effective_group squid
logfile_rotate 4
coredump_dir /var/spool/squid
client_persistent_connections off
server_persistent_connections off
persistent_connection_after_error off

If I set always_direct allow all it works. But the problem is that this squid will be used as sibling :(

If you need more info, just ask.

Cheers!
Santiago
[squid-users] SSL and Squid
I have a 2 level squid setup. Several top level parent cache servers which connect to the internet with multiple child servers supporting my internal subnets. Is it possible to configure the top level servers to use SSL over the internet and cache the objects locally while allowing the child servers to operate internally with no SSL requirement?

What I desire is to be able to obtain the benefit of caching objects locally while transferring them over the internet via SSL. So the CONNECT method would occur between the top level and the origin server only while allowing the objects to be cached normally within my cache servers. Is this possible?

If so, would it also be possible to set up an ACL on the parent servers that indicates which domains should use SSL connections?

-mikep
Re: [squid-users] [OT] about "Free software only dies when the last copy of the source code is erased"
Thank you, I hope to be helpful for Squid. We now know that Proxymin is not what we need, so two friends are going to help me do something in PHP to change the ACL rules with a web page. We implement Squid in an electronics lab at my university, so I will report how the project grows.

--
Lucas Coudures "from Argentina"
Registered Linux User #442566
Blog: http://lucas-coudures.blogspot.com/
Jabber: [EMAIL PROTECTED]

Dead is a matter of definition. Free software only dies when the last copy of the source code is erased.
RE: [squid-users] Proxy AND reverse proxy
I upgraded squid to version 2.6.STABLE13-NT

I do this in my squid.conf :
http_port 3128 accel defaultsite=SITE
cache_peer 172.17.0.1 parent 80 0 no-query originserver

No problem starting squid but when I try to access my site I have an Invalid request error...

Could you help me?

Thanks
Jérôme

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Saturday 2 June 2007 15:44
To: bret.jerome
Cc: squid-users
Subject: RE: [squid-users] Proxy AND reverse proxy

On Thu 2007-05-31 at 18:31 +0200, bret.jerome wrote:
> OK Thanks
> For simplified, i try to work with a no ssl site and if it work i try
> ssl
>
> I do this in my squid.conf :
> http_port 3128 accel defaultsite=SITE
> cache_peer 172.17.0.1 parent 80 0 no-query originserver
>
> But I am a error when i try to launch squid :
> FATAL: Bungled squid.conf line 332: http_port 3128 accel
> defaultsite=SITE Squid Cache (Version 2.6.STABLE5-NT): Terminated
> abnormally.

See FAQ again.. and read the whole of "How do I set it up?". Or upgrade to a more recent 2.6 version..

Regards
Henrik
RE: [squid-users] Default ssl config?
Thinking maybe I hosed up my squid.conf and want a config that should work for reverse proxy using ssl.

-----Original Message-----
From: Slacker [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2007 10:51 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Default ssl config?

Jason Hitt, on 06/06/2007 08:40 PM [GMT+500], wrote :
>
> Can someone post one, think I'm going to start fresh.
>

Post what ... hack?

Regards.
Re: [squid-users] Default ssl config?
Jason Hitt, on 06/06/2007 08:40 PM [GMT+500], wrote :
>
> Can someone post one, think I'm going to start fresh.
>

Post what ... hack?

Regards.
[squid-users] LDAP Passthrough Authentication
I'm curious if there is any way of doing passthrough authentication via Squid? I'm using 2.6.STABLE13-20070524 right now.

What I'm asking is that instead of the prompt that pops up for a user to enter their user name & password I would like to pass the credentials from the OS. My initial thought is that there's likely not a solution at hand to do this. I know with Microsoft's ISA server you can pass credentials, but that's due to the fact that it uses IIS in the background. I was also able to do this with Novell's BorderManager product, but it required the client to run a special app (called ClientTrust) in order to pass the credentials.

So while I'm at it, I was thinking that maybe an alternative would be to redirect the users to a web page where they can enter their credentials and then forward the credentials to Squid somehow. I've written web based LDAP apps before so I know how to do that portion, but I'm not sure how I could pass this on to Squid. But the gears are turning in my head as I type ;)

Sorry for the long email. Maybe some of the gurus on this list can shed some light on this for me.

Thanks,
Justin Doles
[squid-users] Default ssl config?
Can someone post one, think I'm going to start fresh.
RE: [squid-users] Cert issue on reserve proxy
For clarity on the error I get and what is in my conf, here is squid run with the -X.

$ ./squid -N -X
2007/06/06 08:46:25| Memory pools are 'off'; limit: 0.00 MB
2007/06/06 08:46:25| cachemgrRegister: registered mem
2007/06/06 08:46:25| cbdataInit
2007/06/06 08:46:25| cachemgrRegister: registered cbdata
2007/06/06 08:46:25| cachemgrRegister: registered events
2007/06/06 08:46:25| authSchemeAdd: adding basic
2007/06/06 08:46:25| parse_line: ssl_unclean_shutdown off
2007/06/06 08:46:25| parse_line: sslproxy_version 1
2007/06/06 08:46:25| parse_line: icp_port 3130
2007/06/06 08:46:25| parse_line: udp_incoming_address 0.0.0.0
2007/06/06 08:46:25| parse_line: udp_outgoing_address 255.255.255.255
2007/06/06 08:46:25| parse_line: icp_query_timeout 0
2007/06/06 08:46:25| parse_line: maximum_icp_query_timeout 2000
2007/06/06 08:46:25| parse_line: mcast_icp_query_timeout 2000
2007/06/06 08:46:25| parse_line: dead_peer_timeout 10 seconds
2007/06/06 08:46:25| parse_line: cache_vary on
2007/06/06 08:46:25| parse_line: cache_mem 8 MB
2007/06/06 08:46:25| parse_line: cache_swap_low 90
2007/06/06 08:46:25| parse_line: cache_swap_high 95
2007/06/06 08:46:25| parse_line: maximum_object_size 4096 KB
2007/06/06 08:46:25| parse_line: minimum_object_size 0 KB
2007/06/06 08:46:25| parse_line: maximum_object_size_in_memory 8 KB
2007/06/06 08:46:25| parse_line: ipcache_size 1024
2007/06/06 08:46:25| parse_line: ipcache_low 90
2007/06/06 08:46:25| parse_line: ipcache_high 95
2007/06/06 08:46:25| parse_line: fqdncache_size 1024
2007/06/06 08:46:25| parse_line: cache_replacement_policy lru
2007/06/06 08:46:25| parse_line: memory_replacement_policy lru
2007/06/06 08:46:25| parse_line: cache_log /usr/local/squid/var/logs/cache.log
2007/06/06 08:46:25| parse_line: cache_store_log /usr/local/squid/var/logs/store.log
2007/06/06 08:46:25| parse_line: emulate_httpd_log off
2007/06/06 08:46:25| parse_line: log_ip_on_direct on
2007/06/06 08:46:25| parse_line: mime_table /usr/local/squid/etc/mime.conf
2007/06/06 08:46:25| parse_line: log_mime_hdrs off
2007/06/06 08:46:25| parse_line: pid_filename /usr/local/squid/var/logs/squid.pid
2007/06/06 08:46:25| parse_line: debug_options ALL,1
2007/06/06 08:46:25| parse_line: log_fqdn off
2007/06/06 08:46:25| parse_line: client_netmask 255.255.255.255
2007/06/06 08:46:25| parse_line: ftp_user Squid@
2007/06/06 08:46:25| parse_line: ftp_list_width 32
2007/06/06 08:46:25| parse_line: ftp_passive on
2007/06/06 08:46:25| parse_line: ftp_sanitycheck on
2007/06/06 08:46:25| parse_line: ftp_telnet_protocol on
2007/06/06 08:46:25| parse_line: check_hostnames on
2007/06/06 08:46:25| parse_line: allow_underscore on
2007/06/06 08:46:25| parse_line: dns_retransmit_interval 5 seconds
2007/06/06 08:46:25| parse_line: dns_timeout 2 minutes
2007/06/06 08:46:25| parse_line: dns_defnames off
2007/06/06 08:46:25| parse_line: hosts_file /etc/hosts
2007/06/06 08:46:25| parse_line: diskd_program /usr/local/squid/libexec/diskd-daemon
2007/06/06 08:46:25| parse_line: unlinkd_program /usr/local/squid/libexec/unlinkd
2007/06/06 08:46:25| parse_line: url_rewrite_children 5
2007/06/06 08:46:25| parse_line: url_rewrite_concurrency 0
2007/06/06 08:46:25| parse_line: url_rewrite_host_header on
2007/06/06 08:46:25| parse_line: location_rewrite_children 5
2007/06/06 08:46:25| parse_line: location_rewrite_concurrency 0
2007/06/06 08:46:25| parse_line: authenticate_cache_garbage_interval 1 hour
2007/06/06 08:46:25| parse_line: authenticate_ttl 1 hour
2007/06/06 08:46:25| parse_line: authenticate_ip_ttl 0 seconds
2007/06/06 08:46:25| parse_line: wais_relay_port 0
2007/06/06 08:46:25| parse_line: request_header_max_size 20 KB
2007/06/06 08:46:25| parse_line: request_body_max_size 0 KB
2007/06/06 08:46:25| parse_line: quick_abort_min 16 KB
2007/06/06 08:46:25| parse_line: quick_abort_max 16 KB
2007/06/06 08:46:25| parse_line: quick_abort_pct 95
2007/06/06 08:46:25| parse_line: read_ahead_gap 16 KB
2007/06/06 08:46:25| parse_line: negative_ttl 5 minutes
2007/06/06 08:46:25| parse_line: positive_dns_ttl 6 hours
2007/06/06 08:46:25| parse_line: negative_dns_ttl 1 minute
2007/06/06 08:46:25| parse_line: range_offset_limit 0 KB
2007/06/06 08:46:25| parse_line: collapsed_forwarding off
2007/06/06 08:46:25| parse_line: refresh_stale_hit 0 seconds
2007/06/06 08:46:25| parse_line: forward_timeout 4 minutes
2007/06/06 08:46:25| parse_line: connect_timeout 1 minute
2007/06/06 08:46:25| parse_line: peer_connect_timeout 30 seconds
2007/06/06 08:46:25| parse_line: read_timeout 15 minutes
2007/06/06 08:46:25| parse_line: request_timeout 5 minutes
2007/06/06 08:46:25| parse_line: persistent_request_timeout 1 minute
2007/06/06 08:46:25| parse_line: client_lifetime 1 day
2007/06/06 08:46:25| parse_line: half_closed_clients on
2007/06/06 08:46:25| parse_line: pconn_timeout 120 seconds
2007/06/06 08:46:25| parse_line: ident_timeout 10 seconds
2007/06/06 08:46:25| parse_line: shutdown_lifetime 30 seconds
2007/06/06 08:46:25| parse_line: reply_header_max_size 2
Re: [squid-users] authentication and user based filtering
On Wed 2007-06-06 at 08:11 +1000, [EMAIL PROTECTED] wrote:
> 4. filter content based on user access - a field in LDAP (no idea how
> to get this to work)

squid_ldap_group can make Squid aware of the LDAP fields.

> I'm stuck on how to get a filter solution that will query LDAP to get
> the groups for the users and then filter on that. Or is this something that
> should be done by Squid.

Depends on how your filter is implemented. If using Squid ACLs then the group information plugs in as acls using squid_ldap_group. If using an urlrewriter/redirector such as SquidGuard then the urlrewriter/redirector needs to look up the group memberships as part of its own acl processing.

Regards
Henrik
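The first of Henrik's two routes, group-based filtering done in Squid's own ACLs via squid_ldap_group, as an added configuration example that is not from the thread. The directory layout, LDAP host, bind DN, group names and file path are assumptions:

```squid
# Added example (not from the thread): authenticate against LDAP, then map
# LDAP group membership onto Squid ACLs with squid_ldap_group so filtering
# can differ per group. Directory layout, host, bind DN, paths and group
# names are assumptions.

# -Z starts TLS on the LDAP connection so user passwords (Basic auth sends
# them to the proxy in clear) and group queries do not cross the wire in clear.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=people,dc=example,dc=com" -f "(uid=%s)" -Z -h ldap.example.com
auth_param basic children 5
auth_param basic realm Internet access
auth_param basic credentialsttl 1 hour

# %LOGIN hands the authenticated user name to the helper; in the filter,
# %u is that user and %g the group name taken from the acl line below.
# ttl= caches positive answers so each request does not hit LDAP.
# The bind password sits in squid.conf, so the file must not be world-readable.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "ou=groups,dc=example,dc=com" -f "(&(cn=%g)(memberUid=%u))" -D "cn=squid,ou=services,dc=example,dc=com" -w secret -Z -h ldap.example.com

acl authenticated proxy_auth REQUIRED
acl unrestricted external ldap_group internet-full
acl restricted external ldap_group internet-filtered
acl blocked_sites dstdomain "/etc/squid/blocked_sites"

# The first matching http_access line wins, so the challenge comes first,
# then the per-group rules, then an explicit deny for everyone else.
http_access deny !authenticated
http_access allow unrestricted
http_access deny restricted blocked_sites
http_access allow restricted
http_access deny all
```

The group lookup is keyed on the login name Squid already verified, so a user cannot claim a group the helper does not find; what this does not cover is a user who belongs to both groups, who here gets the less restricted rule because that line is evaluated first.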
Re: [squid-users] [OT] about "Free software only dies when the last copy of the source code is erased"
On 06/06/2007 07:51 AM, Henrik Nordstrom wrote:
> On Tue 2007-06-05 at 14:49 -0300, lucas coudures wrote:
>> I wrote something to explain what I mean to say when I said
>> "I can't implement this if the project is dead"
>> http://lucas-coudures.blogspot.com/2007/06/cuando-muere-un-proyecto-de-software.html
>> I am sorry because I can't explain very well in English so I wrote
>> this in Spanish, does someone in this mailing list speak Spanish??
>
> I don't speak Spanish, but we all understood you I think. It's a matter
> of mindset about software and therefore my comment.

I do speak just a little bit of Spanish. :-)

> If that project does what you need (or close to) and you like it, it's
> in your best interest to find resources capable of maintaining the
> project to your needs. Sometimes it's sufficient to just talk about the
> project, sometimes this involves actually having your own or hiring
> other people working on it.
>
> The starting point that "I can not use the software because.." isn't
> very helpful for anyone. The slight change in mindset to "To use the
> software I need .." is a much better mindset.

So, just for the record and to try to help, Lucas tried to explain in his blog entry why it is important to know English and that sometimes a misunderstanding can occur because of a bad use of a certain word. He was thinking of "abandoned" when he used the word "dead" about proxymin. He also advises to read with attention and do some research before making statements about something. AIUI, he doesn't want to offend anybody and/or any project and that was a misunderstanding resulting from the wrong words in the context. ;) And it looks like he also agrees that "free software only dies when the last copy of source code is erased".

Kind regards,
--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
Re: [squid-users] copy paste from yahoo mail asks password
On 6/5/07, Kamal Paryani <[EMAIL PROTECTED]> wrote:
> hi
> the copy paste from yahoo problem occurs only when i copy from yahoo and paste into word 2003.
> if i paste into notepad or any other app, or even an older version of word then it does not ask for authentication.
> only with yahoo and word 2003
> regards

It then probably is a problem with Microsoft's way of integrating copy'n'paste. MSIE is transferring to MS Word not just a blob of text, but also information about the embedded graphics etc. Word then tries to download those graphics, but since it's another process it doesn't share MSIE's knowledge of the user's password and thus the password request. Squid can't do anything here without severely compromising your security levels.

--
/kinkie
RE: [squid-users] Squid + WPAD issues
Yes, you're right. I need the myIpAddress(), however like you said it doesn't always work as desired. I also read somewhere that not all browsers support that particular function. Right now that's what I'm using (in theory I really don't care what proxy they use as they can authenticate to either, but it makes logical and geographical sense to distinguish between the two), but your idea seems pretty cool. What exactly do you do though? What kind of script do you point them to, is it the .pac java script? (anyway we can see a sample?). I'm assuming you do it in the "Automatic Configuration Script" field in Internet Explorer, or do you still use the WPAD.dat file?

Thanks for any input.

-----Original Message-----
From: K K [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2007 4:30 AM
To: Terry Dobbs
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid + WPAD issues

On 6/5/07, Terry Dobbs <[EMAIL PROTECTED]> wrote:
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need
> to configure the WPAD.dat file in a way where if you are on subnet A
> use Proxy Server A and if you are on subnet B use proxy server B.

In my environment, I've solved this by having a single proxy script and setting all browsers to use the same URL, but the server where the file is hosted actually generates the contents on the fly. This way the script can be customized by the server in ways not supported in the client, including providing a different default proxy server/port to different clients.

The other reason I do this is to eliminate 99.9% of the DNS lookups by the client -- in theory, we could disable Internet resolution by internal workstations (we've done this once or twice, mostly by accident) and so long as the proxy server was able to resolve, browsers would never notice.

> For the life of me, I cannot get this to work. For example, I am using
> what is seen below, and it seems the only line that works is the "else"
> statement so everyone is using the same server?

Where you say:

if (isInNet(host,"192.168.0.0","255.255.0.0"))

I think you meant:

if (isInNet(myIpAddress() ,"192.168.0.0","255.255.0.0"))

While myIpAddress() is documented in the original Netscape specification, it doesn't have provisions for hosts with multiple interfaces. In the past I've seen false negatives, where the above test returns false when it really should have been true. That's one reason we instead have the web server hosting the script look at REMOTE_ADDR instead.

Kevin
--
http://wiki.squid-cache.org/Technology/WPAD
^Watch this space^
Re: [squid-users] [OT] about "Free software only dies when the last copy of the source code is erased"
On Tue 2007-06-05 at 14:49 -0300, lucas coudures wrote:
> I wrote something to explain what I mean to say when I said
> "I can't implement this if the project is dead"

I don't speak Spanish, but we all understood you I think. It's a matter of mindset about software and therefore my comment.

If that project does what you need (or close to) and you like it, it's in your best interest to find resources capable of maintaining the project to your needs. Sometimes it's sufficient to just talk about the project, sometimes this involves actually having your own or hiring other people working on it.

The starting point that "I can not use the software because.." isn't very helpful for anyone. The slight change in mindset to "To use the software I need .." is a much better mindset.

Regards
Henrik
Re: [squid-users] a bug in the new squid pakage (CentOS 4.5) ?
On Tue 2007-06-05 at 20:24 +0300, Gonen Radai wrote:
> Hello,
>
> I think i found a bug in the new squid package
> squid-2.5.STABLE14-1.4E that replaces squid-2.5.STABLE6-3.4E.12 (in the last
> CentOS 4.5 update)

Sorry, that release is a vendor release of an obsolete Squid version. You have to use the appropriate support channel for that vendor. It's impossible for us to track the patches and modifications of vendor packages.

Current Squid version supported here is Squid-2.6.STABLE13, and I recommend you to upgrade to this release before digging too deep into this problem. There is no reason to run Squid-2.5 today, and certainly not on an OS like CentOS where you don't really have any support channel to the vendor.

Note: Reverse proxy mode has been considerably cleaned up and rewritten in Squid-2.6 so some changes for the better to your squid.conf are needed as part of the upgrade. It's also quite likely you can get rid of the redirector in most cases. See FAQ for how to configure Squid-2.6 as a reverse proxy.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

Regards
Henrik
RE: FW: [squid-users] Cert issue on reserve proxy
On Tue 2007-06-05 at 10:59 -0500, Jason Hitt wrote:
> When I log in as root I get access denied on writing cache due to the
> user account owning the directory, set it back to nobody?

So what account have you told Squid to run as using the cache_effective_user directive? Directories etc should be owned by that user.

> cache_peer parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER Login=PASS

Looks fine to me.

Regards
Henrik
Re: [squid-users] Squid + WPAD issues
On 6/5/07, Terry Dobbs <[EMAIL PROTECTED]> wrote:
> We have been using a proxy server with a WPAD.dat file for a year or
> two. Now, we have setup another squid server in a remote site. I need
> to configure the WPAD.dat file in a way where if you are on subnet A
> use Proxy Server A and if you are on subnet B use proxy server B.

In my environment, I've solved this by having a single proxy script and setting all browsers to use the same URL, but the server where the file is hosted actually generates the contents on the fly. This way the script can be customized by the server in ways not supported in the client, including providing a different default proxy server/port to different clients.

The other reason I do this is to eliminate 99.9% of the DNS lookups by the client -- in theory, we could disable Internet resolution by internal workstations (we've done this once or twice, mostly by accident) and so long as the proxy server was able to resolve, browsers would never notice.

> For the life of me, I cannot get this to work. For example, I am using
> what is seen below, and it seems the only line that works is the "else"
> statement so everyone is using the same server?

Where you say:

if (isInNet(host,"192.168.0.0","255.255.0.0"))

I think you meant:

if (isInNet(myIpAddress() ,"192.168.0.0","255.255.0.0"))

While myIpAddress() is documented in the original Netscape specification, it doesn't have provisions for hosts with multiple interfaces. In the past I've seen false negatives, where the above test returns false when it really should have been true. That's one reason we instead have the web server hosting the script look at REMOTE_ADDR instead.

Kevin
--
http://wiki.squid-cache.org/Technology/WPAD
^Watch this space^
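The subnet-to-proxy selection discussed in this thread, as an added example that is not part of the original posts or of the Squid project: chooseProxy() is the test a PAC file should run on the client's own address (myIpAddress()) rather than on the destination host, and buildPac() is the server-side variant Kevin describes, where the web server serving the PAC picks the proxy from REMOTE_ADDR and returns a fixed script. The proxy names and subnets are made-up placeholders, and isInNet() is re-implemented with the PAC runtime's dotted-quad semantics so the logic runs offline in Node.

```javascript
// Added example (not from the thread). Proxy names and subnets are placeholders.
const SUBNET_PROXIES = [
  { net: "192.168.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-a.example.net:3128" },
  { net: "10.20.0.0",   mask: "255.255.0.0", proxy: "PROXY proxy-b.example.net:3128" },
];
// What the final "else" branch hands out when no subnet rule matches.
const DEFAULT_PROXY = "PROXY proxy-a.example.net:3128";

// Dotted-quad IPv4 string to an unsigned 32-bit integer; rejects malformed input.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet in " + ip);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Offline re-implementation of the PAC runtime's isInNet(ip, net, mask):
// true when ip and net agree on every bit that is set in mask.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// The decision a PAC file should make from the *client's* address, i.e.
//   function FindProxyForURL(url, host) { return chooseProxy(myIpAddress()); }
// Testing isInNet(host, ...) compares the destination instead, so only the
// default branch ever fires, which is the symptom Terry reported.
function chooseProxy(clientIp) {
  for (const rule of SUBNET_PROXIES) {
    if (isInNet(clientIp, rule.net, rule.mask)) return rule.proxy;
  }
  return DEFAULT_PROXY;
}

// Server-side variant: the web server that serves the PAC looks at the
// connecting client's REMOTE_ADDR, picks the proxy here, and returns a PAC
// body with that choice baked in, so the browser never calls myIpAddress()
// (which can report the wrong interface on multi-homed hosts).
function buildPac(remoteAddr) {
  const proxy = chooseProxy(remoteAddr);
  return [
    "function FindProxyForURL(url, host) {",
    '  if (isPlainHostName(host)) return "DIRECT";',
    "  return \"" + proxy + "\";",
    "}",
  ].join("\n");
}
```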
[squid-users] Forwarding loop detected.
Hello,

I've Squid 2.6 STABLE running as a web accelerator on the 'image' machine (having ip 67.107.145.109) with the parent configured as 192.168.7.1. The 'image' machine is also the nameserver, having the 'hosts' file entry:

127.0.0.1 localhost.localdomain localhost

The squid-cache stops working sometimes, throwing a 'Forwarding loop detected' warning in cache.log. Can anyone suggest the remedy. Thanks.

squid.conf

http_port 80 transparent
cache_peer 192.168.7.1 parent 81 0 no-query originserver weight=1
http_access allow all
acl all src 0.0.0.0/0.0.0.0
icp_access allow all

cache.log

2007/06/05 20:42:35| WARNING: Forwarding loop detected for:
Client: 67.107.145.109
http_port: 67.107.145.109:80
GET http://image.bridgemailsystem.com/pms/graphics/6.05.07directresponse2r1(650x90).gif HTTP/1.0
If-Modified-Since: Tue, 05 Jun 2007 15:15:59 GMT
If-None-Match: "19577-1181056559000"
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
User-Agent: www.clamav.net
Host: image.bridgemailsystem.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Via: 1.1 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12), 1.0 localhost.localdomain:80 (squid/2.6.STABLE12)
X-Forwarded-For: 24.164.28.34, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109, 67.107.145.109
Cache-Control: max-age=259200
Connection: keep-alive

Regards,
Suhaib