Fwd: [squid-users] Composit ACL

2007-09-17 Thread Arun Shrimali
Thanks Henrik,

It's working fine.
Can you point me to a good document which tells me how to integrate any good
antivirus (ClamAV or any good AV) with squid to protect my LAN from
virus attack? I have tried to google but was unable to find a good
document for fedora + squid + AV.

Regards

Arun

On 9/15/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On lör, 2007-09-15 at 10:21 +0530, Arun Shrimali wrote:
>
> > 3. Allow user 'xyz' to view our organisation site only 'www.xyz.co.in'
> > (not working - xyz is surfing all the other sites also. How to
> > restrict to one site only??)
>
> acl xyz proxy_auth xyz
> acl company_site dstdomain www.xyz.co.in
> http_access deny xyz !company_site
>
> > 4. Restrict other users to porn site (working fine)
> > 5. Restrict users to use messengers (yet to check)
> > 6. Allow user 'abc' to even download and use messenger. (confused how
> > to write acl?)
>
> allow abc access before where you deny download & messenger..
>
> Order of http_access is important. Squid looks for the first http_access
> rule matching the request, the rest is ignored..
>
> Regards
> Henrik





--


[squid-users] fedora + squid + AV

2007-09-17 Thread Arun Shrimali
Thanks Henrik,

Your support on acl configuration is working fine.

Can anyone point me to a good document which tells me how to integrate any good
antivirus (ClamAV or any good AV) with squid to protect my LAN from
virus attack? I have tried to google but was unfortunately unable to find a good
document for fedora + squid + AV.

Regards

Arun


[squid-users] Banner page for certain users in squid

2007-09-17 Thread Hement Gopal
Hi all

I am running Squid Cache: Version 2.5.STABLE14 on FC5

I run SARG against my access.log every day to get a list of top 30
users, and would like to know if there is a way of redirecting these top
30 users to a notice page upon first login in squid, where they are
notified of their high usage? After which they can continue surfing of
course.

TIA!

Regards,
Hement


PS : Excuse the disclaimer...

Hement Gopal
Computer  Network Services
University of the Witwatersrand
Johannesburg
+27 11 717 1658 (Tel)
+27 11 717 1614 (Fax)
[EMAIL PROTECTED]

[squid-users] Squid stop responding

2007-09-17 Thread Stefano Fraccaro

Hi,
  for 1 week I have had a strange behaviour with my squid 2.6.STABLE5...
sometimes the service stops responding to one or two users (for all others the
service works fine)... but the problem disappears if I reload the squid
configuration with /etc/init.d/squid reload. I haven't modified
anything in the squid configuration and the NTLM authentication seems to
work fine.

Any ideas??

Thanks

Stefano


Re: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Christos Tsantilas
Hi Shailesh,
Do you know any product which uses this type of response?
I think the best is to file a bug report here:
  http://www.squid-cache.org/bugs/

Regards,
   Christos

 Hi,

 I got to know that only ICAP responses 100, 200 and 204 are supported.
 Any idea when the responses 201 will be supported.
 The comment in the source files says its in the to-do list.

 Regards,
 Shailesh




Re: [squid-users] Password authentication: How to log _only failures_ to access_log?

2007-09-17 Thread Kinkie
 unfortunately none of the above works -- I had already tried several
 access_log statements before I asked for help in this ML.

 Anyone else any ideas?!

What version of Squid are you using?

-- 
/kinkie


Re: [squid-users] Password authentication: How to log _only failures_ to access_log?

2007-09-17 Thread Ralf G. R. Bergs
On 17.09.2007 12:15, Kinkie wrote:
 unfortunately none of the above works -- I had already tried several
 access_log statements before I asked for help in this ML.

 Anyone else any ideas?!
 
 What version of Squid are you using?

Ooops, sorry. Forgot to mention that. :-(

I'm using Debian's stable version of Squid, which is 2.6.5-6.

Thanks,

Ralf



Re: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 03:59 -0400, Christos Tsantilas wrote:
 Hi Shailesh,
 Do you know any product which using these type of responses?

I was hoping you remembered... but it was a couple of years since your
squid-2.5 icap change the comment refers to...

http://devel.squid-cache.org/changesets/squid/patches/7021.patch

 I think the best is to fill a bug report here:
   http://www.squid-cache.org/bugs/

Yes, or with the product vendor.. it's quite unclear to me what an ICAP
201 response would mean, or what such response should contain to make
sense..

Regards
Henrik




RE: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Shailesh Mishra
Hi Henrik,

For an AV scenario where any anti-virus solution scans a repairable file and
repairs it, the file is not returned to the client as the ICAP response for
this case is 201, which is not understood by squid. Whereas it works fine if the AV
solution is configured for not repairing the file but just to scan it.

AV server here uses response code 201

But for a case where a user wants a repairable file to be repaired and delivered
it won't work in this case.

Regards, 
Shailesh


-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 17, 2007 3:52 PM
To: Christos Tsantilas
Cc: Shailesh Mishra; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3.0 ICAP response codes.

On mån, 2007-09-17 at 03:59 -0400, Christos Tsantilas wrote:
 Hi Shailesh,
 Do you know any product which using these type of responses?

I was hoping you remembered... but it was a couple of years since your
squid-2.5 icap change the comment refers to...

http://devel.squid-cache.org/changesets/squid/patches/7021.patch

 I think the best is to fill a bug report here:
   http://www.squid-cache.org/bugs/

Yes, or with the product vendor.. it's quite unclear to me what an ICAP
201 response would mean, or what such response should contain to make
sense..

Regards
Henrik


[squid-users] Caching Expired Objects

2007-09-17 Thread Solomon Asare
Hi All,
please, to recast, how do I cache expired objects. I
get responses with expiry dates being in the past from
some servers that I will want to cache.

Regards,
solomon.


Re: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Christos Tsantilas
Hi Henrik,

 I was hoping you remembered... but it was a couple of years since your
 squid-2.5 icap change the comment refers to...

 http://devel.squid-cache.org/changesets/squid/patches/7021.patch

Yep, true...
I remembered 201 responses but not exactly why they needed ...
Symantec scan engine uses 201 responses:
   http://cvs.squid-cache.org/mail-archive/squid-users/200508/0690.html

 I think the best is to fill a bug report here:
   http://www.squid-cache.org/bugs/

 Yes, or with the product vendor.. it's quite unclear to me what an ICAP
 201 response would mean, or what such response should contain to make
 sense..

The ICAP RFC does not talk about 201 responses but says that ICAP status
codes match the status codes defined by HTTP (Section 6.1.1 and 10 of
[4]), except where otherwise indicated in the ICAP RFC.

Maybe 201 responses make sense in the case the content returned to the
ICAP client is not the original but created internally by the ICAP server.
As far as I can understand, they can be handled exactly as the 200 responses
by the squid ICAP client so, I think, it is easy to support them.

Regards,
   Christos


Re: [squid-users] Caching Expired Objects

2007-09-17 Thread Adrian Chadd
On Mon, Sep 17, 2007, Solomon Asare wrote:
 Hi All,
 please, to recast, how do I cache expired objects. I
 get responses with expiry dates being in the past from
 some servers that I will want to cache.

refresh_pattern



adrian



RE: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Christos Tsantilas
Hi,

 Hi Henrik,

 For a AV scenario where any anti-virus solution scans a repairable file
 and repairs it , the file is not returned to the client as the ICAP
 response for this case is 201 which is not understood by squid. Whereas it
 works fine if AV solution is configured for not repairing the file but
 just to scan it.

 AV server here uses response code 201

I think the way the 201 responses handled by your ICAP server is different
than the case described here:
  http://cvs.squid-cache.org/mail-archive/squid-users/200508/0690.html
Are you referring to the same ICAP server?

Reading the ICAP and HTTP RFCs I am confused. Henrik is right, it is
not so clear what an ICAP 201 response should contain.

Regards,
 Christos



RE: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Shailesh Mishra
Hi Christos,

As you mentioned in the previous mail, "Maybe 201 responses make sense in
the case the content returned to the ICAP client is not the original but
created internally by ICAP server. It can be handled exactly as the 200
responses by the squid ICAP client." You are right here.

Symantec Scan Engine 5.0 and later always sends the response as 201
for a modified request inside the ICAP server (infected files getting
deleted or repaired). The user, when requesting a file, ends up
getting an error which says "ICAP Protocol Error".

Is this expected to be fixed in near future?

Regards,
Shailesh

-----Original Message-----
From: Christos Tsantilas [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 17, 2007 5:16 PM
To: Shailesh Mishra
Cc: Henrik Nordstrom; squid-users@squid-cache.org
Subject: RE: [squid-users] Squid 3.0 ICAP response codes.

Hi,

 Hi Henrik,

 For a AV scenario where any anti-virus solution scans a repairable
file
 and repairs it , the file is not returned to the client as the ICAP
 response for this case is 201 which is not understood by squid.
Whereas it
 works fine if AV solution is configured for not repairing the file but
 just to scan it.

 AV server here uses response code 201

I think the way the 201 responses handled by your ICAP server is
different
than the case described here:
  http://cvs.squid-cache.org/mail-archive/squid-users/200508/0690.html
Are you referring to the same ICAP server?

Reading the ICAP and HTTP rfcs I am confused Henrik has right, it is
not so clear what should contain an ICAP 201 response.

Regards,
 Christos



Re: [squid-users] Confusing about login name in AD-proxy authentication?

2007-09-17 Thread Kinkie
On 9/15/07, chowalit.lab Chowalit Lab Linux [EMAIL PROTECTED] wrote:
 Dear All
   First of all I will explain about my system.
   I have authenticate proxy with account from windows 2003 server.
 I use ntlm.
   On login pop-up, I must use MYDOMAIN\username  into login box.
  My question is -- How to configurate my system (both of windows
 and squid) to support login name like [EMAIL PROTECTED]?

It's doable but it requires some coding on the auth helpers to parse
and normalize the user name.


-- 
/kinkie


Re: [squid-users] Squid stop responding

2007-09-17 Thread Tek Bahadur Limbu

Hi Stefano,

Stefano Fraccaro wrote:

Hi,
  from 1 week I have a strange behaviour with my squid 2.6.STABLE5... 
sometime the service stop responding to one-two users (for all other the 
service work fine)... but the problem disappear if I reload the squid 
configuration with /etc/init.d/squid reload. I don't have modified 
anything in squid configuration and the NTLM authentication seems to 
work fine.

Any ideas??


At the time when Squid stops responding to your 1-2 users, can the 
clients telnet to the Squid box on port 3128 or whichever port your 
Squid is running on? Can they even ping the Squid box itself?


Usually, you can find the cause of your Squid box's strange behavior by 
running tcpdump.


What is your firewall and network layout?

What does cache.log and access.log say?


It would help if you post your squid.conf.

Maybe it's also time to upgrade to Squid-2.6.STABLE16??

http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE16.tar.gz




Thanks

Stefano






--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


Re: [squid-users] Caching Expired Objects

2007-09-17 Thread Solomon Asare
Hi,
just to clarify: I don't mean getting a HIT, just
caching the object into my store. Any link to a
refresh_pattern that will cache an object that has
expired for about 60 secs by the time you fetch it?

Regards,
solomon.


--- Adrian Chadd [EMAIL PROTECTED] wrote:

 On Mon, Sep 17, 2007, Solomon Asare wrote:
  Hi All,
  please, to recast, how do I cache expired objects.
 I
  get responses with expiry dates being in the past
 from
  some servers that I will want to cache.
 
 refresh_pattern
 
 
 
 adrian
 
 



Re: [squid-users] Caching Expired Objects

2007-09-17 Thread Amos Jeffries

Solomon Asare wrote:

Hi,
just to clarify: I don't mean getting a HIT, just
caching the object into my store. Any link to a
refresh_pattern that will cache an object that has
expired for about 60 secs by the time you fetch it?



http://www.squid-cache.org/Versions/v2/2.6/cfgman/refresh_pattern.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/refresh_pattern.html

Amos


Re: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 10:43 +0530, Shailesh Mishra wrote:
 Hi,
 
 I got to know that only ICAP responses 100, 200 and 204 are supported.
 Any idea when the responses 201 will be supported.

Seeing 201 in ICAP do not make much sense to me. The 201 status code do
not have a clear mapping to ICAP context, but I guess you have an ICAP
server which sometimes sends 201 when 200 is expected so I guess it
should work to just accept it as if it was a 200 response..

The definition of 201 is quite different from 200.

 The comment in the source files says its in the to-do list.

Yes and no.. it says that it's on the TODO to consider if supporting 201
responses is a good idea or not..

Regards
Henrik




[squid-users] Compiling Squid to auth on ldap server

2007-09-17 Thread Mauricio Paulo de Sousa
Hello all,
I would like to compile my squid to do authentication against an LDAP server,
can anybody help me?

If possible, show me how to define the acl authentication.
thanks :D


-- 
Mauricio Paulo de Sousa


RE: [squid-users] Compiling Squid to auth on ldap server

2007-09-17 Thread Paul Cocker
While I can't help with the compile side of things, using SquidNT
myself, I can lend a hand with the LDAP authentication within an AD
environment.

Using Squid 2.6 STABLE 14 we use the following lines (filed in the usual
places):

# Where InternetAccess is a group in Active Directory and GProxyUsers is
# a name we give the group for reference within squid.conf
acl GProxyUsers external NT_global_group InternetAccess 

# Before http_access deny all
http_access allow password GProxyUsers

# If you're using NTLM you'll need something like the following
auth_param ntlm program D:/squid2614/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm keep_alive on
# If not you'll need to list your auth_param of choice

Hope this helps :)

Paul Cocker
IT Systems Administrator
IT Security Officer

01628 81(6647)

TNT Post (Doordrop Media) Ltd.
1 Globeside Business Park
Fieldhouse Lane
Marlow
Bucks
SL7 1HY

-----Original Message-----
From: Mauricio Paulo de Sousa [mailto:[EMAIL PROTECTED] 
Sent: 17 September 2007 15:14
To: squid-users@squid-cache.org
Subject: [squid-users] Compiling Squid to auth on ldap server

Hello all,
I would like to compile my squid to make autentication on a ldap server,
can anybody help me?

if possible, show me how to define the acl autentication.
thanks :D


--
Mauricio Paulo de Sousa







[squid-users] Only TCP_MISS/200

2007-09-17 Thread f.janczuk
Hello all,

I have a problem with squid configuration.
I have installed squid 2.6 in transparent mode on an OpenBSD server but
when I look at squid's log I read only TCP_MISS/200 in my access.log
Any ideas?

Thanks.

-- 
Can you correct my english ?!!


RE: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 17:30 +0530, Shailesh Mishra wrote:

 Is this expected to be fixed in near future?

If it's the same as a 200 then it should be trivial to fix.

Patches adding support for this is welcome. Submit them to
[EMAIL PROTECTED] or via the bug tracker.

Regards
Henrik




[squid-users] Using Squid as a cache for Apache -- and that's it

2007-09-17 Thread Phoenix Kiula
Hi,

I have googled like crazy for some simple instructions to setup Squid
as a cache for Apache. I do NOT want any filtering or authentication.
Just a transparent cache.

I am on CentOS 5. For firewall, I use the usual APF and BFD with
iptables, and I do not want to use Squid for any filtering.

I have installed squid with the usual yum install squid. Now how do
I configure it so that Apache (on port 80) will internally check if a
file is cached on Squid (on whatever port) and if the file is found,
then serve that instead of an Apache connection.

Am I understanding Squid right? Also, will it cache dynamic content as
well -- I mean, for instance, the generated output of a PHP program,
at least the ones without url parameters? We have a number of pages on
the site that have no file extension at all (e.g., *.php) because the
default handler is set up as php, so we could have
http://ourdomain.com/index  -- and Apache serves this up as a php page
as it is meant to. Will Squid recognize this?

Thanks for any tips or pointers. I went to the wiki but sadly it talks
in very jargon-ish language, and does not answer the simple question
How to install Squid as a cache for Apache.

PK


Re: [squid-users] Only TCP_MISS/200

2007-09-17 Thread Tek Bahadur Limbu

Hi Janczuk,

f.janczuk wrote:

Hello all,

I have a problem with squid configuration.
I has installed squid 2.6 in transparent mode on a  OpenBSD server but
when i look squid's log i read only TCP_MISS/200 in my access.log
Any ideas?


Maybe you compiled Squid with the 
--enable-storeio=null,ufs,coss,diskd,aufs option and configured it as 
a proxy only without caching anything?


How did you test your transparent Squid proxy? With just a few requests 
or for an entire network?


Try browsing multiple sites and check your access.log and see if you get 
HIT logs besides the TCP_MISS logs. Doesn't your cache.log report anything?


Can you post your output of  squidclient mgr:info ?

Posting your squid.conf might also help.


Thanking you...



Thanks.




--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


Re: [squid-users] Using Squid as a cache for Apache -- and that's it

2007-09-17 Thread Tek Bahadur Limbu

Hi Phoenix,

Phoenix Kiula wrote:

Hi,

I have googled like crazy for some simple instructions to setup Squid
as a cache for Apache. I do NOT want any filtering or authentication.
Just a transparent cache.

I am on CentOS 5. For firewall, I use the usual APF and BFD with
iptables, and I do not want to use Squid for any filtering.

I have installed squid with the usual yum install squid. Now how do
I configure it so that Apache (on port 80) will internally check if a
file is cached on Squid (on whatever port) and if the file is found,
then serve that instead of an Apache connection.

Am I understanding Squid right? Also, will it cache dynamic content as
well -- I mean, for instance, the generated output of a PHP program,
at least the ones without url parameters? We have a number of pages on
the site that have no file extension at all (e.g., *.php) because the
default handler is set up as php, so we could have
http://ourdomain.com/index  -- and Apache serves this up as a php page
as it is meant to. Will Squid recognize this?

Thanks for any tips or pointers. I went to the wiki but sadly it talks
in very jargon-ish language, and does not answer the simple question
How to install Squid as a cache for Apache.


From what you are saying above, you need a Squid reverse proxy instead 
of a normal forward proxy.


Check out the URL below:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy




PK






--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

System Administrator

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


Re: [squid-users] Only TCP_MISS/200

2007-09-17 Thread f.janczuk
I have installed with the packages method (pre-built binaries).
I use my squid with an entire network; I can say that squid is
operational because the redirector (squidGuard) works well.

I am not at home. I will contact you again upon my return (with my
squid.conf).

Thanks !

2007/9/17, Tek Bahadur Limbu [EMAIL PROTECTED]:
 Hi Janczuk,

 f.janczuk wrote:
  Hello all,
 
  I have a problem with squid configuration.
  I has installed squid 2.6 in transparent mode on a  OpenBSD server but
  when i look squid's log i read only TCP_MISS/200 in my access.log
  Any ideas?

 Maybe you compiled Squid with the
 --enable-storeio=null,ufs,coss,diskd,aufs option and configured it as
 a proxy only without caching anything?

 How did you test your transparent Squid proxy? With just a few requests
 or for an entire network?

 Try browsing multiple sites and check your access.log and see if you get
 HIT logs besides the TCP_MISS logs. Doesn't your cache.log report anything?

 Can you post your output of  squidclient mgr:info ?

 Posting your squid.conf might also help.


 Thanking you...

 
  Thanks.
 


 --

 With best regards and good wishes,

 Yours sincerely,

 Tek Bahadur Limbu

 System Administrator

 (TAG/TDG Group)
 Jwl Systems Department

 Worldlink Communications Pvt. Ltd.

 Jawalakhel, Nepal

 http://www.wlink.com.np



-- 
Can you correct my english !!??!!  ^_^


Re: [squid-users] Child Squid Server(s) - Log username in access.log file

2007-09-17 Thread Henrik Nordstrom
On ons, 2007-09-12 at 12:13 +0930, Adam Parsons wrote:

 My question is, is it possible to have the username and password
 included in the child server access logs, so the local sites can
 interpret where the users are going.  At the moment we only see IP
 addresses.

With a bit of coding it should be possible to add login snooping to log
the username of forwarded authentication, especially if you are using
basic authentication as parsing the basic authentication header is
trivial..

Snooping Digest authentication requires a little more work, but not
much..

NTLM/Negotiate is a bit trickier, but still doable (at least NTLM, not
entirely sure about Negotiate, but probably..).

Regards
Henrik
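
An added example (not code from this thread or from Squid) of the Basic-header parsing mentioned above: it returns only the user name, discards the password, and escapes characters that could forge a log line. The function name and the sample credentials are constructed for illustration.

```python
import base64
import binascii


def basic_username(header_value):
    """Return the user name from a 'Basic <base64>' credentials value.

    Returns None when the value is not Basic or is malformed. The password
    half is never returned, so it cannot end up in a log by accident.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None  # Digest, NTLM and Negotiate need their own parsers
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first colon separates user from password; a password may
    # itself contain colons.
    user, sep, _password = decoded.partition(b":")
    if not sep or not user:
        return None
    try:
        text = user.decode("utf-8")
    except UnicodeDecodeError:
        text = user.decode("latin-1")
    # Escape whitespace and control characters so a crafted user name
    # cannot inject extra fields or lines into access.log.
    return "".join(
        c if c.isprintable() and not c.isspace() else "%%%02X" % ord(c)
        for c in text
    )


def _basic(raw):
    """Build a constructed header value for the samples below."""
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample values, not taken from any real traffic.
SAMPLE_PLAIN = _basic(b"alice:constructed-pw")
SAMPLE_COLON = _basic(b"bob:pw:with:colons")
SAMPLE_DOMAIN = _basic(b"MYDOMAIN\\username:constructed-pw")
SAMPLE_INJECT = _basic(b"eve\nforged-entry:constructed-pw")

if __name__ == "__main__":
    for value in (SAMPLE_PLAIN, SAMPLE_COLON, SAMPLE_DOMAIN, SAMPLE_INJECT,
                  "NTLM TlRMTVNTUAABAAAA", "Basic not*base64"):
        print(repr(basic_username(value)))
```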




Re: Fwd: [squid-users] Composit ACL

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 12:04 +0530, Arun Shrimali wrote:
 Thanks Henrik,
 
 Its working fine.
 Can you point me a good document which tell me to integrate any good
 antivirus (clamAV or any good av) with squid to protact my lan from
 virus attack  I have tried to google but unable to fine good
 document for fedora + squid + AV.

I would recommend looking into using Squid-3 + c-icap with ClamAV.

Regards
Henrik




[squid-users] multiple squid Instances

2007-09-17 Thread Srinivas B
Hi,

I am using Squid 2.6 stable 12.

I have one squid instance as frontend for apache web server. Now I
need one more squid instance with ssl-enable option on the same box
(as the existing squid instance cannot handle the https_port directive; it
was built with the non-ssl option).

Is this possible? Can I build squid with --enable-ssl option on the same box?


Re: [squid-users] multiple squid Instances

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 13:25 -0700, Srinivas B wrote:

 I have one squid instance as frontend for apache web server. Now I
 need one more squid instance with ssl-enable option on the same box
 (as existing squid instance can not handle https_port directive, it
 was build with non ssl option).
 
 Is this possible? can I build squid with --enable-ssl option on the same box?

Yes, just make sure to give it a different squid.conf and cache etc..


You can also upgrade the instance you already have.. there is no problem
for a single SSL capable Squid instance to handle both http and https.

Regards
Henrik




RE: [squid-users] Squid 3.0 ICAP response codes.

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 16:03 +0530, Shailesh Mishra wrote:
 Hi Henrik,
 
 For a AV scenario where any anti-virus solution scans a repairable
 file and repairs it , the file is not returned to the client as the
 ICAP response for this case is 201 which is not understood by squid.
 Whereas it works fine if AV solution is configured for not repairing
 the file but just to scan it.

What you describe above is not proper use of 201 from what I can tell.
But as I said there is no clear mapping of 201 to ICAP, and the ICAP
specifications do not mention how 201 is supposed to be used in ICAP (or
the other 2xx responses other than 200 and 204). The HTTP status codes
is inherited from HTTP/1.1, and using 201 in this manner do not match
the HTTP specifications that well..

But on the other hand the ICAP specifications do in a sense say that all
2xx responses is to be handled equal. 

Regards
Henrik
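
An added example (not Squid's code) of the two policies discussed in this thread: a client that accepts only 100, 200 and 204, and one that handles every other 2xx status like a 200. The function names, the `accept_any_2xx` switch and the sample responses are constructed; requiring an Encapsulated entity section before using adapted content is this sketch's own check.

```python
class IcapProtocolError(Exception):
    """Raised when an ICAP response head cannot be acted on."""


# Constructed response heads (header block only, no encapsulated data).
SAMPLE_200 = (b"ICAP/1.0 200 OK\r\n"
              b"Encapsulated: res-hdr=0, res-body=137\r\n\r\n")
SAMPLE_201 = (b"ICAP/1.0 201 Created\r\n"
              b"ISTag: \"constructed-istag\"\r\n"
              b"Encapsulated: res-hdr=0, res-body=137\r\n\r\n")
SAMPLE_204 = (b"ICAP/1.0 204 No modifications needed\r\n"
              b"Encapsulated: null-body=0\r\n\r\n")


def parse_head(head):
    """Split an ICAP response head into (status_code, headers dict)."""
    lines = head.decode("latin-1").split("\r\n")
    proto, _, rest = lines[0].partition(" ")
    code_text = rest.split(" ", 1)[0]
    if not proto.startswith("ICAP/") or len(code_text) != 3 \
            or not code_text.isdigit():
        raise IcapProtocolError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise IcapProtocolError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(code_text), headers


def parse_encapsulated(value):
    """Parse 'res-hdr=0, res-body=137' into [(section, offset), ...]."""
    sections = []
    for item in value.split(","):
        name, sep, offset = item.strip().partition("=")
        if not sep or not offset.isdigit():
            raise IcapProtocolError("bad Encapsulated header: %r" % value)
        sections.append((name, int(offset)))
    offsets = [off for _, off in sections]
    if offsets != sorted(offsets):
        raise IcapProtocolError("Encapsulated offsets not ascending")
    return sections


def icap_action(head, accept_any_2xx=False):
    """Return 'continue', 'use-original' or 'use-adapted' for a response."""
    code, headers = parse_head(head)
    if code == 100:
        return "continue"
    if code == 204:
        return "use-original"
    if code == 200 or (accept_any_2xx and 200 <= code < 300):
        sections = parse_encapsulated(headers.get("encapsulated", ""))
        wanted = ("req-hdr", "res-hdr", "req-body", "res-body")
        if not any(name in wanted for name, _ in sections):
            raise IcapProtocolError("no adapted message in response")
        return "use-adapted"
    # With accept_any_2xx=False this is where a 201 ends up.
    raise IcapProtocolError("unsupported ICAP status %d" % code)


if __name__ == "__main__":
    print(icap_action(SAMPLE_201, accept_any_2xx=True))
```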




[squid-users] store.log filling up

2007-09-17 Thread sgmayo
Could spyware or adware cause the store.log to fill up very quickly? 
Another tech has had troubles with this in the last couple of days and was
asking.  He says that they can clear it out and in no time (not sure how
long, but under an hour) it is filled up and causing problems.

Here is a small post of what was in it.  Why does it list all the ?

Thanks for any info.

1190033958.390 RELEASE -1  7B1287005AF9902646FDACC9F3EA9C7F   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.390 RELEASE -1  2D7DD2E39301864787EE9444068060D2   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  B4282EA5117EEE9DB891618B5B116E37   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  ADD64CFEB2777B0FB5604A9DC0874831   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  D2A6C86243B580FB2FCFFBB66DC91E70   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  495371655EB836C29B7997D4415D221B   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  31ED7CAC2B3C0D89F1962CDB13854106   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  684425DB8B67A7E381CA1793C0AF8075   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  14962B373F9C885B4EA356EF51947776   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  1AD9E81AC3AFED43417B04634CF227DD   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  6ECBA9BDB5519B28B9271F0BF576BF9B   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  B72E07BD1A279FAB9A08CCCEE6194814   ?   
 ? ? ? ?/? ?/? ? ?

1190033958.394 RELEASE -1  39D1AFCC9BD8FAB2A39155AEFF510FBF   ?   
 ? ? ? ?/? ?/? ? ?


-- 
Scott Mayo
System Administrator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565

Gun Control: Belief that violent predators willing to ignore laws against
robbery, kidnapping, rape, and murder will obey a law telling them that
they cannot do so with a gun.



[squid-users] Bypass ICAP

2007-09-17 Thread Thiago Cruz
Hi all,

Is it possible to bypass the ICAP when the acl
sites_no_authentication match?  I'd like to do this because this ACL
don't require user authentication and the icap server only accept
request that send user authentication.

acl sites_no_authentication url_regex /etc/squid/sites_no_auth
http_access allow sites_no_authentication
always_direct allow sites_no_authentication

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url service_1 service_2
icap_access filtro_url allow all

I'm using squid Version 3.0.PRE6-20070718.

Regards,
Thiago Cruz


[squid-users] What's wrong with my squid?

2007-09-17 Thread Kyrre Nygård
I'm getting some weird errors here. For instance, it complains about 
something on line 8, when my squid.conf is only 6 lines. I'm using 
FreeBSD where /usr/local/etc/squid/squid.conf is the default 
configuration file. I just want a simple IP anonymizer setup. Nothing fancy.


([EMAIL PROTECTED])(09/17+20:44)
(/usr/local/etc/squid) cat squid.conf

http_port 3127
acl my_ip src 88.89.21.124/255.255.255.255
http_access allow my_ip
forwarded_for off

([EMAIL PROTECTED])(09/17+20:44)
(/usr/local/etc/squid) /usr/local/etc/rc.d/squid start
Starting squid.
2007/09/17 20:45:07| ACL name 'all' not defined!
FATAL: Bungled squid.conf line 8: http_reply_access allow all
Squid Cache (Version 2.6.STABLE14): Terminated abnormally.

([EMAIL PROTECTED])(09/17+20:45)
(/usr/local/etc/squid) squid -v
Squid Cache: Version 2.6.STABLE14
configure options: '--bindir=/usr/local/sbin' 
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' 
'--libexecdir=/usr/local/libexec/squid' 
'--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' 
'--enable-removal-policies=lru heap' '--disable-linux-netfilter' 
'--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm 
digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' 
'--enable-digest-auth-helpers=password' 
'--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' 
'--enable-ntlm-auth-helpers=SMB' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-storeio=ufs 
diskd null' '--enable-err-languages=Azerbaijani Bulgarian Catalan Czech 
Danish Dutch  English Estonian Finnish French German Greek Hebrew  
Hungarian Italian Japanese Korean Lithuanian  Polish Portuguese Romanian 
Russian-1251 Russian-koi8-r  Serbian Simplify_Chinese Slovak Spanish 
Swedish  Traditional_Chinese Turkish' 
'--enable-default-err-language=English' '--prefix=/usr/local' 
'--mandir=/usr/local/man' '--infodir=/usr/local/info/' 
'i386-portbld-freebsd6.2' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe 
' 'CPPFLAGS=' 'LDFLAGS=' 'build_alias=i386-portbld-freebsd6.2' 
'host_alias=i386-portbld-freebsd6.2' 'target_alias=i386-portbld-freebsd6.2'


([EMAIL PROTECTED])(09/17+20:45)
(/usr/local/etc/squid) uname -a
FreeBSD box.mydomain.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Aug 16 
16:25:42 CDT 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386


Thanks,
Kyrre



Re: [squid-users] Bypass ICAP

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 18:41 -0300, Thiago Cruz wrote:
 Hi all,
 
 Is it possible to bypass the ICAP when the acl
 sites_no_authentication matches?  I'd like to do this because this ACL
 doesn't require user authentication and the icap server only accepts
 requests that send user authentication.
 
 acl sites_no_authentication url_regex /etc/squid/sites_no_auth
 http_access allow sites_no_authentication
 always_direct allow sites_no_authentication
 
 icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
 icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
 icap_class filtro_url service_1 service_2

icap_access filtro_url deny sites_no_authentication

 icap_access filtro_url allow all

Regards
Henrik




Re: [squid-users] What's wrong with my squid?

2007-09-17 Thread Henrik Nordstrom
On tis, 2007-09-18 at 04:23 +0200, Kyrre Nygård wrote:
 I'm getting some weird errors here. For instance, it complains about 
 something on line 8, when my squid.conf is only 6 lines.

 2007/09/17 20:45:07| ACL name 'all' not defined!

squid.conf MUST include an all acl, and it should be defined as
follows:

acl all src 0.0.0.0/0

 FATAL: Bungled squid.conf line 8: http_reply_access allow all

That's the default for http_reply_access when none is specified..

Regards
Henrik


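The failure discussed above, as an added example that is not part of the original thread or of Squid itself: a small Python check that lists ACL names a squid.conf references but never defines, counting the implicit "http_reply_access allow all" default described in the reply. The function names are hypothetical, and only the one implicit default named in this thread is modelled.

```python
ACTIONS = {"allow", "deny"}
# From the reply above: used when the directive is absent from squid.conf.
# Assumption: no other implicit defaults are modelled here.
IMPLICIT_DEFAULTS = {"http_reply_access": "allow all"}

def parse_rule(tokens):
    """Return (directive, acl_names) for an access rule, else None.

    Covers both 'http_access allow a !b' and the forms that carry a
    target before the action ('icap_access class allow a',
    'header_access All deny all').
    """
    for i in (1, 2):
        if len(tokens) > i and tokens[i] in ACTIONS:
            return tokens[0], [t.lstrip("!") for t in tokens[i + 1:]]
    return None

def undefined_acls(conf_text):
    """List (acl_name, directive, origin) for every undefined ACL reference."""
    defined, rules = set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])
            continue
        rule = parse_rule(tokens)
        if rule:
            rules.append((f"line {lineno}", *rule))
    present = {directive for _, directive, _ in rules}
    for directive, args in IMPLICIT_DEFAULTS.items():
        if directive not in present:
            implied = parse_rule([directive] + args.split())
            rules.append(("implicit default", *implied))
    return [(name, directive, origin)
            for origin, directive, names in rules
            for name in names if name not in defined]

# The squid.conf exactly as posted in the question.
POSTED_CONF = """\
http_port 3127
acl my_ip src 88.89.21.124/255.255.255.255
http_access allow my_ip
forwarded_for off
"""

if __name__ == "__main__":
    for name, directive, origin in undefined_acls(POSTED_CONF):
        print(f"ACL '{name}' not defined (used by {directive}, {origin})")
```

The check finds the reference to "all" in a rule that appears nowhere in the file, which is why the error message points past the last written line.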


[squid-users] header_access debug, pam_appl.h, digest-auth-helper, storeio

2007-09-17 Thread vollkommen
1) I got pam_auth.c:74:31: error: security/pam_appl.h: No such file or 
directory when compiling squid-2.6.STABLE16-20070916. I found a nearly 
identical instance in the list archive more than a year ago. That got me 
looking into the pam-devel on my host os--Mac OS X 10.4. It turns out 
pam_appl.h is located in /usr/include/pam/ on OS X 10.4 and 10.3, rather than 
/usr/include/security. A symbolic link takes care of it. I wonder, however, if 
the developers are open to accommodating this type of OS-specific peculiarities 
by adjusting during ./configure based on --host=.

2) I narrowed down the cause of my inability to log into several sites to the 
last line in the 'http_anonymizer paranoid' emulation of squid-2.6 that I was 
using, namely: header_access All deny all. I'd like to find out what headers 
these sites need to see. Could anyone let me know the debug_options number for 
header_access without going full bore to debug_options ALL,9? Currently I'm 
aware of 33 for reply_mime_type and 28 for ACL debugging. Is there a quick list 
of all the debug option numbers, without resorting to reading the source code?

3) Does the latest squid-2.6 still need the digest-auth-helper from squid-3PRE 
if I want to use digest password? Is this going to change?

4) What are the possible squid storeio options on Mac OS X (HFS+ or UFS 
format)? So far it seems I have to either accept the default (UFS) even though 
my disk is formatted HFS+, or --enable-storeio=null. Anything else I tried had 
failed. Is there a matrix of all the storeio possibilities for every OS squid 
has been compiled on?

Thanks.


Re: [squid-users] What's wrong with my squid?

2007-09-17 Thread Amos Jeffries
 I'm getting some weird errors here. For instance, it complains about
 something on line 8, when my squid.conf is only 6 lines. I'm using
 FreeBSD where /usr/local/etc/squid/squid.conf is the default
 configuration file. I just want a simple IP anonymizer setup. Nothing
 fancy.

 ([EMAIL PROTECTED])(09/17+20:44)
 (/usr/local/etc/squid) cat squid.conf

 http_port 3127
 acl my_ip src 88.89.21.124/255.255.255.255
 http_access allow my_ip
 forwarded_for off

 ([EMAIL PROTECTED])(09/17+20:44)
 (/usr/local/etc/squid) /usr/local/etc/rc.d/squid start
 Starting squid.
 2007/09/17 20:45:07| ACL name 'all' not defined!
 FATAL: Bungled squid.conf line 8: http_reply_access allow all
 Squid Cache (Version 2.6.STABLE14): Terminated abnormally.

 ([EMAIL PROTECTED])(09/17+20:45)

I dare say squid is not using the squid.conf you think it is.

Start by checking that rc.d script to see if it's explicitly passing
another .conf location via -f.
If that's not it then search your system to see if there is another
squid.conf file sitting somewhere unhelpful.


Amos




Re: [squid-users] What's wrong with my squid?

2007-09-17 Thread Indunil Jayasooriya
On 9/18/07, Amos Jeffries [EMAIL PROTECTED] wrote:
  I'm getting some weird errors here. For instance, it complains about
  something on line 8, when my squid.conf is only 6 lines. I'm using
  FreeBSD where /usr/local/etc/squid/squid.conf is the default
  configuration file. I just want a simple IP anonymizer setup. Nothing
  fancy.
 
  ([EMAIL PROTECTED])(09/17+20:44)
  (/usr/local/etc/squid) cat squid.conf
 
  http_port 3127
  acl my_ip src 88.89.21.124/255.255.255.255
  http_access allow my_ip
  forwarded_for off
 
  ([EMAIL PROTECTED])(09/17+20:44)
  (/usr/local/etc/squid) /usr/local/etc/rc.d/squid start
  Starting squid.
  2007/09/17 20:45:07| ACL name 'all' not defined!

It says all not defined. I think it is a minor issue. Please check
squid.conf carefully.

Just check the line below. Leave it uncommented.

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] header_access debug, pam_appl.h, digest-auth-helper, storeio

2007-09-17 Thread Henrik Nordstrom
On mån, 2007-09-17 at 22:43 -0400, [EMAIL PROTECTED] wrote:
 1) I got pam_auth.c:74:31: error: security/pam_appl.h: No such file
 or directory when compiling squid-2.6.STABLE16-20070916. I found a
 nearly identical instance in the list archive more than a year ago.
 That got me looking into the pam-devel on my host os--Mac OS X 10.4.
 It turns out pam_appl.h is located in /usr/include/pam/ on OS X 10.4
 and 10.3, rather than /usr/include/security. A symbolic link takes
 care of it. I wonder, however, if the developers are open to
 accommodating this type of OS-specific peculiarities by adjusting
 during ./configure based on --host=.

so we need a configure test to see which of the two is available, and
include the proper one..

(should not make that decision based on the host type)


 2) I narrowed down the cause of my inability to log into several sites
 to the last line in the 'http_anonymizer paranoid' emulation of
 squid-2.6 that I was using, namely: header_access All deny all. I'd
 like to find out what headers these sites need to see. Could anyone
 let me know the debug_options number for header_access without going
 full bore to debug_options ALL,9? Currently I'm aware of 33 for
 reply_mime_type and 28 for ACL debugging. Is there a quick list of all
 the debug option numbers, without resorting to reading the source
 code?

Usually login problems mean you have blocked cookies..

 3) Does the latest squid-2.6 still need the digest-auth-helper from
 squid-3PRE if I want to use digest password? Is this going to change?

Squid-2.6 has the same digest helper as Squid-3.

 4) What are the possible squid storeio options on Mac OS X (HFS+ or
 UFS format)? So far it seems I have to either accept the default (UFS)
 even though my disk is formatted HFS+, or --enable-storeio=null.
 Anything else I tried had failed. Is there a matrix of all the storeio
 possibilities for every OS squid has been compiled on?

Only ufs and null I am afraid..  Mac OS X does not provide the facilities
needed for either aufs or diskd.. and coss is still experimental.

The name ufs has no relation to the actual filesystem type used by your
OS. It's just Squid's name for cache on top of unix-like filesystem. A
better name would be simple with aufs being threaded.

Regards
Henrik

