RE: [squid-users] Squid2-only plugin from Secure Computing
> I would be happy to try to resolve this issue with Secure Computing.
> However, I need more information:
>
> - What exactly is the Secure Computing plugin that supports Squid2 and
> does not support Squid3? Does it have a name and a version number?

I think SmartFilter patches the squid source, so is tied to specific versions. It certainly adds another option to the configure script. You can download it for free from SecureComputing's website and have a look. Sorry I can't be more helpful but I'm not a developer.

Smartfilter 4.2.1 works with squid 2.6-17.
http://www.securecomputing.com/index.cfm?skey=1326
[squid-users] Cache issue
Hi Friends,

I have one issue regarding squid cache. I'm clearing the cache:

squid -k shutdown
cd /cache
rm -rf *
squid -z
squid -k start

But the issue is that when I start squid the cache is the same as it was, although before that I confirmed that the /cache dir was empty. What could be the issue?

/\ Tarak
Re: [squid-users] Not seeing internal icons
On Tue, 2008-03-18 at 13:43 +, RW wrote:
> I don't have any of the internal icons showing in browsers. With
> wget -S, I'm seeing a 404 and X-Squid-Error: ERR_INVALID_REQ 0 on the
> icon urls.

Seems to work fine here. (see below)

What does your http_port look like?

Are there any complaints about the icons in cache.log when starting Squid?

Regards
Henrik

$ squidclient ftp://ftp.freebsd.org/squid-internal-static/icons/anthony-dir.gif
HTTP/1.0 200 OK
Date: Thu, 20 Mar 2008 00:44:43 GMT
Server: squid/2.6.STABLE19-CVS
Re: [squid-users] Squid2-only plugin from Secure Computing
On Mon, 2008-03-17 at 13:26 +0900, Adrian Chadd wrote:
> On Sun, Mar 16, 2008, Nick Duda wrote:
> > The only reason I haven't upgraded beyond the current stable 2.6
> > code is that some third party companies (like Secure Computing, who we
> > use as a Squid plugin) only supports certain versions of squid. I
> > haven't even played with 3.0 because of this. I think squid hands down
> > is an amazing proxy software and I will continue to keep using it
> > going forward. We use our proxies as content filtering devices as
> > well...so need the support of both.
>
> There's no dialogue as far as I'm aware between the "Squid developers" as a whole and
> Secure Computing. I haven't any idea about specific developers, but I haven't noticed
> anything about Secure Computing on the squid-dev list.

I would be happy to try to resolve this issue with Secure Computing. However, I need more information:

- What exactly is the Secure Computing plugin that supports Squid2 and does not support Squid3? Does it have a name and a version number?
- What API/protocol does that plugin use to integrate with Squid2?
- Does anybody know why the plugin does not work with Squid3?

Google shows a few suspects, but I want to be as precise as possible when talking to Secure Computing folks, and I do not have first-hand knowledge of this plugin and its problems.

Thank you,
Alex.
RE: [squid-users] ntlm_auth seems to have losts it mind
Ok,

#1 should be all set: wbinfo -t -g -u all work correctly
#2,3 should be all set (did not work so I went as far as making the squid user and squid group owner of the folder and all the children and assigning 777 for the permissions, just to make sure)
#4 should be all set

but things are still not working (same message). When I check the cache.log file it says "utils/ntlm_auth.c:get_winbind_domain(146) could not obtain the winbind domain name!". Also I set up the proxy on my ibook and pointed firefox to the proxy; it gives me the same error in the browser but it does not even ask me for any login info. I would expect the pc not to ask because it is a member of the domain but the ibook should at least ask; the msad acl is the first one so it should be hitting that one first.

Jeremy

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2008 8:59 PM
To: Martin, Jeremy
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] ntlm_auth seems to have losts it mind

On Wed, 2008-03-19 at 17:37 -0400, Martin, Jeremy wrote:
> Does anyone know of a relevant guide that covers install samba and
> squid3 and implementing msad authentication that utilizes ntlm? This
> was much easier to do with the supplied rpms with redhat but the
> versions supplied are old and out of date.

Not much has changed. How to use Samba ntlm_auth is the same since Squid-2.5/Samba-3.0 days..

1. Install Samba and join the domain.
2. Set up a suitable system group for winbind authentication, and chgrp the Samba privileged_pipe directory to this, with at least x permission for the group.
3. Make your cache_effective_user member of the above group.
4. Configure squid.conf as you have done.

Regards
Henrik
[squid-users] Streaming audio "burps"
Hello all,

Using squid-3.0.STABLE2, Amarok continuously makes annoying, low volume "burping" or "gulping" sounds when I listen to Minnesota public radio's stream and WETA (Washington, D.C.) public radio's stream. These "burping" sounds are not made when using squid-2.5stable13.

None of the squid3 log files mentions packets coming from the stream address (which seems to make sense, as the packets aren't being cached, just streaming through squid (correct?))

http://classicalstream1.publicradio.org/ shows what I'm listening to:

Server Status: Server is currently up and public.
Stream Status: Stream is up at 128 kbps with 241 of 1500 listeners (240 unique)
Stream Title: Classical Minnesota Public Radio
Content Type: audio/mpeg
Stream URL: http://minnesota.publicradio.org/radio/services/cms/

These are the only changes I've made to the default squid3 config file:

# 2008mar18, phj: Comment other three and define our local 192.168.1.x network.
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

#acl SSL_ports port 443
# 2008mar18, phj: Added 5190 so AOL IM would work from workstations,
# and added 5222 and 5223 so gtalk would work from workstations.
acl SSL_ports port 443 5190 5222 5223

# 2008mar18, phj: Added ssh line so winXP machine may use WinSCP to connect to
# machines via the internet.
acl Safe_ports port 22 # ssh

# 2008mar18, phj: Added pcr line so I may connect to the PCR app running
# at gchs.com, aka olgchs.org.
acl Safe_ports port 843 # pcr

# 2008mar18, phj: Following their recommendation, uncommented next line.
http_access deny to_localhost

# 2008mar18, phj: Allow browsing via any machine attached to our local network.
http_access allow localnet

# 2008mar17, phj: Added since we have two interfaces, but allow
# connections only via the internal interface.
http_port 192.168.1.12:3128

Anyone know how to make the "burping" cease?

Thanks,
Pete
[squid-users] Squid reverse and forward proxy at the same time
Hi,

I'm having difficulties configuring squid on the same box for this scenario:

- Backend origin apache on port 8080 (hosting a test site for mydomain.com. Real server for mydomain.com hosted somewhere else on the Internet)
- squid on port 80 for reverse proxy clients
- squid on port 3128 for forward proxy clients

The box is also used as a test server. Testers are on 192.168.100.0/24. All other users on other internal subnets.

Current configuration is such that all users hit squid and go out to the internet EXCEPT for mydomain.com, where they will be hitting the origin apache server (local test server). But we would like to configure so that the exception applies to only developers from subnet 192.168.100.0/24. Is this even possible?

Current relevant config;

http_port 80 vhost vport accel
http_port 3128
cache_peer 127.0.0.1 parent 8080 0 originserver default login=PASS no-query
cache_peer_domain 127.0.0.1 .mydomain.com

TIA
Re: [squid-users] squid_ldap_group
On Wed, 2008-03-19 at 11:15 +0200, Dmitry SUROVTSEV wrote:
> We have squid 3 with authorization in AD. But! squid_ldap_group does not work
> without -R option.
> Can anybody explain me what may be a problem? The matter is we defined
> some top-level groups in AD and included some dipper groups into them.
> But squid_ldap_group does not do the referral search.

That's not referrals, at least not from what I know of referrals... referrals are for redirecting the requestor when LDAP objects or subtrees are found in another LDAP server.. used for example in a global LDAP directory server used for finding each organisation's LDAP directory servers..

Can you use ldapsearch to search for those sub-members?

Regards
Henrik
Re: [squid-users] the sibling cache peer can't work. help!
On Wed, 2008-03-19 at 15:07 +0800, John Lui wrote:
> I use 121.9.*.77 and 121.9.*.78 as sibling cache peer
> when i see server_list in cachemgr, there has no fetches from it's cache peer.
> what is wrong with my configure file?

What kind of setup are you using? Reverse or forward?

Regards
Henrik
Re: [squid-users] Can htcp and cache digest work together?
On Wed, 2008-03-19 at 11:23 +0800, John Lui wrote:
> 1, Can htcp work with cache digest?

Yes.

> 2, How I can checked the cache digest is be used?

There is stats in cachemgr.

> 3, What is better to choice,ICP or HTCP?

Today I would recommend ICP as it has lower overhead. Squid does not yet make much use of the additional features HTCP provides over ICP, and even if it would it's only relevant on a very low percentage of the requests.

Regards
Henrik
RE: [squid-users] ntlm_auth seems to have losts it mind
On Wed, 2008-03-19 at 17:37 -0400, Martin, Jeremy wrote:
> Does anyone know of a relevant guide that covers install samba and
> squid3 and implementing msad authentication that utilizes ntlm? This
> was much easier to do with the supplied rpms with redhat but the
> versions supplied are old and out of date.

Not much has changed. How to use Samba ntlm_auth is the same since Squid-2.5/Samba-3.0 days..

1. Install Samba and join the domain.
2. Set up a suitable system group for winbind authentication, and chgrp the Samba privileged_pipe directory to this, with at least x permission for the group.
3. Make your cache_effective_user member of the above group.
4. Configure squid.conf as you have done.

Regards
Henrik
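A check for steps 2 and 3 of the list above, as an added example that is not part of the original message and not code from Squid or Samba. The directory path and the account name are passed in by the operator (both are assumptions of the example), and reporting world access as a finding is this example's choice: step 2 only asks for group x permission.

```python
#!/usr/bin/env python3
"""Report whether a proxy account reaches the winbind privileged pipe
directory through group membership only (steps 2 and 3 above)."""
import os
import pwd
import stat
import sys


def assess(st_mode, st_gid, user_gids):
    """Return a list of finding codes; an empty list means the layout
    matches the steps: group-owned, group x set, nothing for 'other'."""
    if not stat.S_ISDIR(st_mode):
        return ["not-a-directory"]
    findings = []
    if st_mode & stat.S_IRWXO:
        # Any r/w/x bit for 'other' is broader than step 2 asks for
        # (a mode such as 777 lands here).
        findings.append("world-accessible")
    if st_gid not in user_gids:
        # Step 3: the account must be a member of the directory's group.
        findings.append("not-in-group")
    elif not st_mode & stat.S_IXGRP:
        # Step 2: the group needs at least x to traverse the directory.
        findings.append("group-no-x")
    return findings


def check_path(path, username):
    """Look up the account's groups and the directory's mode, then assess."""
    account = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, account.pw_gid))
    info = os.stat(path)
    return assess(info.st_mode, info.st_gid, gids)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: check_pipe_dir.py DIRECTORY USERNAME\n")
        return 2
    findings = check_path(argv[1], argv[2])
    for code in findings:
        print(f"{argv[1]}: {code}")
    if not findings:
        print(f"{argv[1]}: ok for {argv[2]}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with the privileged pipe directory of the local Samba build and the cache_effective_user account; it inspects only that one directory, not its parents.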
Re: [squid-users] CentOS 5.1, Squid, PIX WCCP
On Wed, 2008-03-19 at 10:08 +0900, Adrian Chadd wrote:
> Could you ask Cisco TAC if there are any bug id's relating to WCCP
> between your previous and current versions?

Or PMTU discovery, or TCP window scaling.

Regards
Henrik
Re: [squid-users] debugging ACLs
On Tue, 2008-03-18 at 17:51 +, paul cooper wrote:
> a follow-on
>
> ive turned up debugging to
> debug_options ALL,1 33,2 28,9
>
> squid.conf has
> hepworth andrew # cat -n /etc/squid/squid.conf |grep ip_user
>    405 external_acl_type ip_user_helper %SRC %LOGIN /usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf
> hepworth andrew #
> hepworth andrew # cat -n /etc/squid/squid.conf |grep andr
>    563 acl andrew ext_user andrew
>    642 http_access allow andrew
> hepworth andrew #

You also need an external acl triggering the lookup.

acl ip_user external ip_user_helper
http_access deny !ip_user
http_access allow andrew

The ext_user acl only matches the returned username after the fact. It does not in itself trigger an external acl lookup.

Regards
Henrik
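The helper side of the lookup discussed above, as an added example that is not part of the original message and is not the ip_user_check program shipped with Squid. It assumes the helper receives one "%SRC %LOGIN" pair per line and answers OK or ERR; the rule semantics (first matching network decides, user names compared case-insensitively), the script path and the sample rules are assumptions of the example, and quoting of field values is not handled.

```python
#!/usr/bin/env python3
"""Stand-in external ACL helper for a '%SRC %LOGIN' request line.

Assumed wiring in squid.conf (script path hypothetical):
    external_acl_type ip_user_helper %SRC %LOGIN /path/to/helper.py -f RULES
    acl ip_user external ip_user_helper
    http_access deny !ip_user
"""
import ipaddress
import sys

# Constructed sample rules: "network user|ALL|NONE", '#' starts a comment.
SAMPLE_RULES = """\
127.0.0.1        ALL
10.0.0.5         NONE      # one host carved out of the range below
10.0.0.0/8       ALL
192.168.1.0/24   andrew
"""


def parse_rules(text):
    """Turn the rules text into a list of (network, who) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'network user', got {raw!r}")
        # strict=False tolerates host bits in the network, e.g. 192.168.1.12/24
        rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules


def decide(rules, src, login):
    """Return 'OK' or 'ERR' for one source address and login name."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"          # unparsable address: fail closed
    if not login or login == "-":
        return "ERR"          # no authenticated user name supplied
    for network, who in rules:
        if addr not in network:
            continue
        if who == "NONE":
            return "ERR"      # explicit deny for this network
        if who == "ALL" or who.lower() == login.lower():
            return "OK"
        # A rule naming a different user does not decide; keep looking.
    return "ERR"              # nothing matched: default deny


def handle_line(rules, line):
    """Answer one request line; anything but exactly two fields is ERR."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    return decide(rules, fields[0], fields[1])


def main(argv):
    if len(argv) != 3 or argv[1] != "-f":
        sys.stderr.write("usage: helper.py -f RULES_FILE\n")
        return 2
    with open(argv[2], encoding="utf-8") as handle:
        rules = parse_rules(handle.read())
    for line in sys.stdin:
        # One reply per request, flushed at once so the caller is not left
        # waiting on a buffered answer.
        sys.stdout.write(handle_line(rules, line) + "\n")
        sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the format includes %LOGIN, Squid has to obtain a user name before it can ask the helper, which is why an unauthenticated request ends in an authentication challenge rather than in a helper call.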
Re: [squid-users] Re: Not seeing internal icons
On Thu, 2008-03-20 at 11:46 +1300, Amos Jeffries wrote:
> > 2008/03/19 12:45:25| internalStart: unknown request:
> > Client: 127.0.0.1 http_port: 127.0.0.1:3128
> > GET internal://gumby.homeunix.com/squid-internal-static/icons/anthony-dir.gif HTTP/1.0
> > User-Agent: Wget/1.11
> > Accept: */*
> > Host: ftp.freebsd.org
>
> Aha!. Thats a bug. The Host: is being set badly.

I doubt that's the actual bug. All that matters here is the url which is correct.

> Can you file all these details in a bug report please so we don't loose
> it and someone who knows the error-paths can get onto it.

+1

Regards
Henrik
Re: [squid-users] What exactly makes accelerator mode faster then transparent mode ?
Raemaekers Mark wrote:
> For me it is not clear why an accelerator mode WC is faster than a transparent mode webcache.
>
> This is how I understand both modes after googling for about half a day on this topic:
>
> WC IN TRANSPARENT MODE (WCTM): when an http request hits the WCTM for the second time, then the WC will send its cached contents back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCTM.
>
> WC IN ACCELERATOR MODE (WCAM): when an http request hits the WCAM for the second time, then the WC will look if this request is in its cache and send the cached response of this request back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCAM.
>
> In both cases (from the second request onwards) the real web server is not contacted.
>
> So, what exactly makes an accelerator mode WC go faster then?

Nothing. Neither name accurately reflects the operation of the cache.

What's the confusion?

proxy - software that sits between a web server and a web-client with purpose of resource saving or improving web service to the clients.

intercepting proxy - software that performs as a proxy, but additionally can handle traffic redirected to it by a FW without the web-client's knowledge. Usually typed 'transparent' by those who confuse client-hidden with totally-invisible.

transparent proxy - software that performs all duties of proxy and additionally spoofs/hides its IP from both parties such that neither can detect its existence.

reverse-proxy - software that performs many of the service duties of a web-server. Redirecting all requests it can't handle to a separate 'true' web-server or more authoritative source.

accelerator - nickname for reverse-proxy.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] Squid 2.6 with Citirix and MS outlook web access
Ritter, Nicholas wrote:
> Are there specific items that need to be in the squid configuration to make it work with Citrix and (separately) MS Outlook Web Access?
>
> Nicholas

Not sure about Citrix. There is some needed for OWA.
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] debugging ACLs
paul cooper wrote:
> so ive tried to simplify this to see if i can work out whats going on
>
> squid 2.6.17 on gentoo linux
>
> /etc/squid/ip_user.conf
> 127.0.0.1 ALL
>
> /etc/squid/squid.conf
> hepworth andrew # grep ^[a-z] /etc/squid/squid.conf
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 1 hours
> auth_param basic casesensitive off
> external_acl_type ip_user_helper %SRC %LOGIN /usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf
> acl all src 0.0.0.0/0.0.0.0
> acl hepworth external ip_user_helper
> http_access allow hepworth
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> debug_options ALL,1 33,2 28,9
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> visible_hostname AnnesHouse
> forwarded_for off
> coredump_dir /var/cache/squid
> hepworth andrew #
>
> and i use a browser to get http://www.bbc.co.uk which -> cache access denied
> and this in cache.log
>
> 2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0
> 2008/03/19 21:37:16| aclMatchAclList: checking all
> 2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found
> 2008/03/19 21:37:16| aclMatchAclList: returning 1
> 2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth'
> 2008/03/19 21:37:16| aclMatchAclList: checking hepworth
> 2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external ip_user_helper'
> 2008/03/19 21:37:16| aclMatchAcl: returning 0

sending authentication challenge.

> 2008/03/19 21:37:16| aclMatchAclList: no match, returning 0
> 2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header.

checking for Proxy-Auth...:

> 2008/03/19 21:37:16| aclCheck: match found, returning 2

found the header (nothing about the headers content though)...

> 2008/03/19 21:37:16| aclCheckCallback: answer=2
> 2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED, because it matched 'hepworth'

... the header content fails to match the ACL text.

> 2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED, because it matched 'hepworth'

407 reply ('auth needed') gets sent out ok.

> it would appear to be authenticating the user ( ie ALL from 127.0.0.1) so where is it denying the request ?

It looks to me like the authentication details are being found but do not match the ACL. I think it may be related to the user-domain. Does the fix for bug 2172 fix this?

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] Re: Not seeing internal icons
RW wrote:
> On Thu, 20 Mar 2008 00:34:36 +1300 Amos Jeffries <[EMAIL PROTECTED]> wrote:
> > RW wrote:
> > > I don't have any of the internal icons showing in browsers. With
> > > wget -S, I'm seeing a 404 and X-Squid-Error: ERR_INVALID_REQ 0 on the icon urls.
> >
> > What does your access.log say?
>
> 1205930725.472 4 127.0.0.1 TCP_MISS/404 1627 GET ftp://ftp.freebsd.org/squid-internal-static/icons/anthony-dir.gif - NONE/- text/html
>
> > Failing that your cache.log?
>
> 2008/03/19 12:45:25| internalStart: unknown request:
> Client: 127.0.0.1 http_port: 127.0.0.1:3128
> GET internal://gumby.homeunix.com/squid-internal-static/icons/anthony-dir.gif HTTP/1.0
> User-Agent: Wget/1.11
> Accept: */*
> Host: ftp.freebsd.org

Aha!. Thats a bug. The Host: is being set badly.

Can you file all these details in a bug report please so we don't loose it and someone who knows the error-paths can get onto it.

Amos

> > I suspect you are blocking certain types of file or request.
>
> Commenting-out adzap was one of the first things I tried, and I don't have any other such blocking:
>
> $ grep -oE "^[^#]+" /usr/local/etc/squid/squid.conf
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> maximum_object_size 25 MB
> cache_replacement_policy lru
> cache_dir aufs /usr/local/squid/cache-N 4000 16 256 max-size=65
> cache_dir aufs /usr/local/squid/cache-L 600 16 256 min-size=50
> cache_swap_low 90
> cache_swap_high 98
> cache_mem 6 MB
> memory_replacement_policy heap GDSF
> maximum_object_size_in_memory 200 KB
> dns_nameservers 127.0.0.1
> pipeline_prefetch on
> logfile_rotate 5
> access_log /usr/local/squid/logs/access.log squid
> strip_query_terms off
> refresh_pattern -i ^ftp: 1440 5% 1
> refresh_pattern -i ^gopher: 1440 0% 1000
> refresh_pattern -i http://(image|pic)s?\..+\?3050% 1 ignore-private
> refresh_pattern -i \?.*\.(png|jpe?g|gif|ico|css)$3030% ignore-private
> refresh_pattern -i \?0 0% 0
> refresh_pattern -i \.(zip|rar|bz2|gz|pdf|ps|css|js|swf)$ 3030% ignore-private
> refresh_pattern -i \.(avi|divx|mpe?g|mp.|ra|rm|wma|wmv|swv)$ 30% 10 ignore-private
> refresh_pattern -i \.(png|jpe?g|gif|tif+|ico)$ 50% 30 ignore-private
> refresh_pattern. 5 30%
> quick_abort_min 50 KB
> quick_abort_max 200 KB
> quick_abort_pct 30
> range_offset_limit 128 KB
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl SSL_ports port 993
> acl Safe_ports port 800
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl mylan src 192.168.1.0/255.255.255.0
> http_access allow mylan
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /usr/local/squid
> icon_directory /usr/local/etc/squid/icons
> short_icon_urls off

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] debugging ACLs
so ive tried to simplify this to see if i can work out whats going on

squid 2.6.17 on gentoo linux

/etc/squid/ip_user.conf
127.0.0.1 ALL

/etc/squid/squid.conf
hepworth andrew # grep ^[a-z] /etc/squid/squid.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
external_acl_type ip_user_helper %SRC %LOGIN /usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf
acl all src 0.0.0.0/0.0.0.0
acl hepworth external ip_user_helper
http_access allow hepworth
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2 28,9
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname AnnesHouse
forwarded_for off
coredump_dir /var/cache/squid
hepworth andrew #

and i use a browser to get http://www.bbc.co.uk which -> cache access denied
and this in cache.log

2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0
2008/03/19 21:37:16| aclMatchAclList: checking all
2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found
2008/03/19 21:37:16| aclMatchAclList: returning 1
2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth'
2008/03/19 21:37:16| aclMatchAclList: checking hepworth
2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external ip_user_helper'
2008/03/19 21:37:16| aclMatchAcl: returning 0
2008/03/19 21:37:16| aclMatchAclList: no match, returning 0
2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header.
2008/03/19 21:37:16| aclCheck: match found, returning 2
2008/03/19 21:37:16| aclCheckCallback: answer=2
2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED, because it matched 'hepworth'
2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED, because it matched 'hepworth'

it would appear to be authenticating the user ( ie ALL from 127.0.0.1) so where is it denying the request ?
RE: [squid-users] ntlm_auth seems to have losts it mind
That took care of that part, it now works from the command prompt but when I try to visit a page now it says

While trying to retrieve the URL: http://www.google.com/
The following error was encountered:
* Cache Access Denied.
Sorry, you are not currently allowed to request: http://www.google.com/ from this cache until you have authenticated yourself.

For ntlm helpers I have
/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
And for basic
/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Acl
acl msad proxy_auth REQUIRED
http_access allow msad

Does anyone know of a relevant guide that covers install samba and squid3 and implementing msad authentication that utilizes ntlm? This was much easier to do with the supplied rpms with redhat but the versions supplied are old and out of date.

Jeremy

-----Original Message-----
From: Kinkie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2008 2:46 AM
To: Amos Jeffries
Cc: Martin, Jeremy; squid-users@squid-cache.org
Subject: Re: [squid-users] ntlm_auth seems to have losts it mind

On Wed, Mar 19, 2008 at 7:07 AM, Amos Jeffries <[EMAIL PROTECTED]> wrote:
> Martin, Jeremy wrote:
> > Ok here is my issue, I have compiled and installed the latest stable version of squid and samba, and all seemed well until I tried the following command and got the following output. Anyone have any idea why this is not working like it used to, on my other box it will give the prompt where I can enter my username and password and it returns ok. Wbinfo -u and -g will populate the user and group info so I am pretty sure that is setup correctly, I just seem to be missing something here .
> >
> > Thanks
> > Jeremy
> >
> > debian:/usr/local/squid/libexec# ./ntlm_auth --helper-protocol=squid-2.5-basic
> > ./ntlm_auth: invalid option -- -
> > unknown option: -?. Exiting
> > ./ntlm_auth usage:
> > ./ntlm_auth [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
> > -b enables load-balancing among controllers
> > -f enables failover among controllers (DEPRECATED and always active)
> > -l changes behavior on domain controller failyures to last-ditch.
> > -d enables debugging statements if DEBUG was defined at build-time.
> >
> > You MUST specify at least one Domain Controller.
> > You can use either \ or / as separator between the domain name
> > and the controller name
> > ./ntlm_auth: invalid option -- h
>
> Weird, but it is saying --helper-option= is not one of the command-line options.
>
> I think that is a squid internal option to tell squid how to connect to the helper.

Jeremy, you're using the squid-supplied NTLM helper, and not the Samba one. I suggest you change that to the helper written by the Samba team (and which understands the helper-protocol option)

--
/kinkie
[squid-users] Squid 2.6 with Citirix and MS outlook web access
Are there specific items that need to be in the squid configuration to make it work with Citrix and (separately) MS Outlook Web Access?

Nicholas
Re: [squid-users] Support for NTLM web authentication on squid 3.0
On Wed, 2008-03-19 at 21:18 +0800, John Mok wrote:
> Is it necessary to do all these stuffs (kerberos + samba) on squid3.0?
> On my current squid-2.6 setup, the NTLM web authentication worked out of
> the box, that squid proxied the CHAP back and forth from the web server
> back to the client PC. I tried on squid-3.0, and found that it was
> broken, and the IIS web server kept prompting for id and password. Is it
> a bug on squid-3.0 ?

Could be http://www.squid-cache.org/bugs/show_bug.cgi?id=2206

Alex.

> Kinkie wrote:
> > On Mon, Mar 17, 2008 at 4:19 PM, John Mok <[EMAIL PROTECTED]> wrote:
> >> Hi,
> >>
> >> Did anyone try "Proxying of NTLM web authentication" on squid 3.0 :-
> >>
> >> http://devel.squid-cache.org/ntlm/
> >>
> >> Does it come with squid 3.0? If not, what is the any roadmap for the
> >> support?
> >
> > Hi John,
> > NTLM authentication works "out of the box" with Squid 3, with some
> > support provided by Samba.
> >
> > See http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
RE: [squid-users] ntlm_auth seems to have losts it mind
Hi Jeremy,

> debian:/usr/local/squid/libexec# ./ntlm_auth --helper-protocol=squid-2.5-basic

It's better to use the ntlm_auth that comes with Samba, since it seems better suited to the task. At least that's what I've been told... :-)

HTH,
Joop
Re: [squid-users] Re: Logging/Blocking URLs with question marks ?
On Thu, Mar 20, 2008, Amos Jeffries wrote:
> >>I don't know much about 2.5 but in up-to-date versions, logging of query
> >>urls is governed by "strip_query_terms". By default it's on to avoid
> >>logging things like session IDs.
> >
> >it's called privacy :)
>
> It's called philanthropy: protecting idiots against themselves at ones
> own cost.
>
> No webmaster with any serious intentions of privacy publishes the
> SESSION-IDs in visible URI. The sensible ones use session cookies,
> nicely hidden from script-kiddies eyes, easily removed by
> security-conscious users, and not getting in the way of smart users
> direct-linking.

It happens. Think "Java application session ids". I saw one today. foo.com?SESSION_ID=${MD5}. Thanks! No way to possibly cache that!

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
[squid-users] What exactly makes accelerator mode faster then transparent mode ?
For me it is not clear why an accelerator mode WC is faster than a transparent mode webcache.

This is how I understand both modes after googling for about half a day on this topic:

WC IN TRANSPARENT MODE (WCTM): when an http request hits the WCTM for the second time, then the WC will send its cached contents back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCTM.

WC IN ACCELERATOR MODE (WCAM): when an http request hits the WCAM for the second time, then the WC will look if this request is in its cache and send the cached response of this request back to the client. Since the info is in the cache, the real web server does not have to be contacted by the WCAM.

In both cases (from the second request onwards) the real web server is not contacted.

So, what exactly makes an accelerator mode WC go faster then?
Re: [squid-users] Support for NTLM web authentication on squid 3.0
Is it necessary to do all these stuffs (kerberos + samba) on squid3.0? On my current squid-2.6 setup, the NTLM web authentication worked out of the box, that squid proxied the CHAP back and forth from the web server back to the client PC. I tried on squid-3.0, and found that it was broken, and the IIS web server kept prompting for id and password. Is it a bug on squid-3.0 ?

John Mok

Kinkie wrote:
> On Mon, Mar 17, 2008 at 4:19 PM, John Mok <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Did anyone try "Proxying of NTLM web authentication" on squid 3.0 :-
> >
> > http://devel.squid-cache.org/ntlm/
> >
> > Does it come with squid 3.0? If not, what is the any roadmap for the support?
>
> Hi John,
> NTLM authentication works "out of the box" with Squid 3, with some support provided by Samba.
>
> See http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM
[squid-users] Re: Not seeing internal icons
On Thu, 20 Mar 2008 00:34:36 +1300 Amos Jeffries <[EMAIL PROTECTED]> wrote:
> RW wrote:
> > I don't have any of the internal icons showing in browsers. With
> > wget -S, I'm seeing a 404 and X-Squid-Error: ERR_INVALID_REQ 0 on
> > the icon urls.
>
> What does your access.log say?

1205930725.472 4 127.0.0.1 TCP_MISS/404 1627 GET ftp://ftp.freebsd.org/squid-internal-static/icons/anthony-dir.gif - NONE/- text/html

> Failing that your cache.log?

2008/03/19 12:45:25| internalStart: unknown request:
Client: 127.0.0.1 http_port: 127.0.0.1:3128
GET internal://gumby.homeunix.com/squid-internal-static/icons/anthony-dir.gif HTTP/1.0
User-Agent: Wget/1.11
Accept: */*
Host: ftp.freebsd.org

> I suspect you are blocking certain types of file or request.

Commenting-out adzap was one of the first things I tried, and I don't have any other such blocking:

$ grep -oE "^[^#]+" /usr/local/etc/squid/squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
maximum_object_size 25 MB
cache_replacement_policy lru
cache_dir aufs /usr/local/squid/cache-N 4000 16 256 max-size=65
cache_dir aufs /usr/local/squid/cache-L 600 16 256 min-size=50
cache_swap_low 90
cache_swap_high 98
cache_mem 6 MB
memory_replacement_policy heap GDSF
maximum_object_size_in_memory 200 KB
dns_nameservers 127.0.0.1
pipeline_prefetch on
logfile_rotate 5
access_log /usr/local/squid/logs/access.log squid
strip_query_terms off
refresh_pattern -i ^ftp: 1440 5% 1
refresh_pattern -i ^gopher: 1440 0% 1000
refresh_pattern -i http://(image|pic)s?\..+\?3050% 1 ignore-private
refresh_pattern -i \?.*\.(png|jpe?g|gif|ico|css)$3030% ignore-private
refresh_pattern -i \?0 0% 0
refresh_pattern -i \.(zip|rar|bz2|gz|pdf|ps|css|js|swf)$ 3030% ignore-private
refresh_pattern -i \.(avi|divx|mpe?g|mp.|ra|rm|wma|wmv|swv)$ 30% 10 ignore-private
refresh_pattern -i \.(png|jpe?g|gif|tif+|ico)$ 50% 30 ignore-private
refresh_pattern. 5 30%
quick_abort_min 50 KB
quick_abort_max 200 KB
quick_abort_pct 30
range_offset_limit 128 KB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 993
acl Safe_ports port 800
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl mylan src 192.168.1.0/255.255.255.0
http_access allow mylan
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /usr/local/squid
icon_directory /usr/local/etc/squid/icons
short_icon_urls off
Re: [squid-users] Re: Logging/Blocking URLs with question marks ?
Matus UHLAR - fantomas wrote:
On Mon, 17 Mar 2008 11:31:39 + "Robin Clayton" <[EMAIL PROTECTED]> wrote:
2.5-Stable-5

I have used squid for probably 8 years.

We see :)

It has recently come to my attention that sites with dynamic content as denoted by a ? "question mark" are not being logged or blocked.

so for example searches on google do not show the full URL.

On 18.03.08 13:07, RW wrote:
I don't know much about 2.5 but in up-to-date versions, logging of query urls is governed by "strip_query_terms". By default it's on to avoid logging things like session IDs.

it's called privacy :)

It's called philanthropy: protecting idiots against themselves at one's own cost.

No webmaster with any serious intentions of privacy publishes the SESSION-IDs in visible URI. The sensible ones use session cookies, nicely hidden from script-kiddies' eyes, easily removed by security-conscious users, and not getting in the way of smart users direct-linking.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
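An added example, not part of the thread or of Squid's code: a log scrubber for access.log files that were written with "strip_query_terms off" (as in the squid.conf posted earlier on this page) and now have to be shared or archived. The sample lines are constructed, the list of session-like parameter names is an assumption, and keeping the "?" as a marker is assumed to match what Squid does when the directive is on.

```python
import re

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1205930725.472 4 192.168.1.10 TCP_MISS/200 1627 GET http://shop.example/cart?PHPSESSID=9f2c4e7a1b3d5f60&item=3 - DIRECT/203.0.113.5 text/html
1205930726.101 12 192.168.1.11 TCP_HIT/200 512 GET http://www.example/logo.png - NONE/- image/png
1205930727.009 30 192.168.1.10 TCP_MISS/200 2048 GET http://search.example/find?q=squid+icons - DIRECT/203.0.113.9 text/html
1205930728.300 2 192.168.1.12 TCP_DENIED/403 900 CONNECT mail.example:443 - NONE/- text/html
"""

URL_FIELD = 6  # zero-based index of the URL column in the native format
# Assumed list of parameter names that usually carry a session secret.
SESSION_PARAM = re.compile(r"(?:^|[&;])(?:[a-z]*sess(?:ion)?_?id|sid|token)=", re.I)


def strip_query(url):
    """Cut the URL after the first '?', keeping the '?' as a marker (assumed Squid behaviour)."""
    head, sep, _ = url.partition("?")
    return head + sep


def has_session_param(url):
    """True when the query string carries a session-like parameter name."""
    _, _, query = url.partition("?")
    return bool(SESSION_PARAM.search(query))


def scrub(log_text):
    """Return (scrubbed_lines, flagged) for a native-format access.log dump."""
    scrubbed, flagged = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) <= URL_FIELD:
            scrubbed.append(line)  # not a native-format record; pass through
            continue
        url = fields[URL_FIELD]
        if has_session_param(url):
            # Record line number, client and the already stripped URL only.
            flagged.append((number, fields[2], strip_query(url)))
        fields[URL_FIELD] = strip_query(url)
        scrubbed.append(" ".join(fields))  # column padding is normalised
    return scrubbed, flagged


if __name__ == "__main__":
    lines, hits = scrub(SAMPLE_LOG)
    print("\n".join(lines))
    print("session-like parameters seen:", hits)
```

The flagged list tells the proxy administrator which sites put session identifiers in the URL without copying the identifier itself into a second file.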
Re: [squid-users] the sibling cache peer can't work. help!
John Lui wrote:
I use 121.9.*.77 and 121.9.*.78 as sibling cache peer
when i see server_list in cachemgr, there are no fetches from its cache peer.
what is wrong with my configure file?

htcp 4827
cache_peer 121.9.*.78 sibling 80 4827 proxy-only htcp
acl All src 0/0
htcp_access allow All

Maybe the fact it's not getting anything over HTTP?

Do you have anything mentioning never_direct? always_direct? prefer_direct? http_access? other acl lines? Any of those will affect the peering of requests.

Sibling: 121.9.*.78
Host : 121.9.*.78/80/4827
Flags : proxy-only htcp
Address[0] : 121.9.233.78
Status : Up
AVG RTT: 0 msec
OPEN CONNS : 0
LAST QUERY : 1205908950 seconds ago
LAST REPLY : none received
PINGS SENT :0
PINGS ACKED:0 0%
FETCHES:0 0%
IGNORED:0 0%
Histogram of PINGS ACKED:
Misses 0 0%
Hits 0 0%
keep-alive ratio: 0%

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] Not seeing internal icons
RW wrote:
I don't have any of the internal icons showing in browsers. With wget -S, I'm seeing a 404 and X-Squid-Error: ERR_INVALID_REQ 0 on the icon urls.

What does your access.log say?
Failing that your cache.log?

I suspect you are blocking certain types of file or request.

Amos

This is just a local cache on my FreeBSD 7.0 desktop, short_icon_urls doesn't seem to make any difference, and global_internal_static is set to its default. The path looks correct in squid.conf and the permissions look OK:

in squid.conf:
icon_directory /usr/local/etc/squid/icons

The permissions:
rwxr-xr-x 2 root squid 1024 Mar 17 22:37 /usr/local/etc/squid/icons
-r--r--r-- 1 root wheel 166 Mar 17 22:37 /usr/local/etc/squid/icons/anthony-binhex.gif
-r--r--r-- 1 root wheel 192 Mar 17 22:37 /usr/local/etc/squid/icons/anthony-bomb.gif
-r--r--r-- 1 root wheel 176 Mar 17 22:37 /usr/local/etc/squid/icons/anthony-box.gif
...

$ squid -v
Squid Cache: Version 2.6.STABLE18
configure options: '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--with-pthreads' '--enable-storeio=ufs diskd null aufs' '--enable-err-languages=English' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' 'i386-portbld-freebsd7.0' 'build_alias=i386-portbld-freebsd7.0' 'host_alias=i386-portbld-freebsd7.0' 'target_alias=i386-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe -march=athlon-mp ' 'LDFLAGS=' 'CPPFLAGS='

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] Transparent Proxy and NT Authentication
On 18.03.08 12:44, Nick Duda wrote:
> I know with older squid versions, you could not query AD/LDAP for
> authentication using a transparent setup. I want to be able to have the
> clients gateway point to the proxy and authenticate them based on AD (like
> I do now in a non-transparent setup). Then obviously when authenticated
> forward 80/443 to its local 3128 (iptables for this) and anything else to
> another gateway, the core router.
>
> Can this be done with 2.6?

the impossibility of authenticating intercepted users does not come from squid version, but from the principle. You only can "authenticate" user by querying some service that tells you which user is logged in given IP. No browser will authenticate to a proxy if it thinks there is no proxy...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
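An added illustration of the "service that tells you which user is logged in given IP" idea from the reply above, written as a Squid external ACL helper; it is not code from the thread or from Squid. The session table, its eight-hour age limit, the ACL name and the helper path are all assumptions. Because the answer identifies an address rather than a person, anything behind NAT or on a shared machine inherits the same identity, so the helper refuses stale or unknown mappings.

```python
import sys
import time

# Hypothetical squid.conf wiring (names and path are placeholders):
#   external_acl_type ip_user_map ttl=60 %SRC /path/to/ip_to_user.py
#   acl known_user external ip_user_map
#   http_access allow known_user

# Constructed session table: client IP -> (user, last logon, epoch seconds).
# A real deployment would fill this from a logon service; the layout is an assumption.
SESSIONS = {
    "192.168.1.10": ("alice", 1_205_930_000),
    "192.168.1.11": ("bob", 1_205_900_000),
}
MAX_AGE = 8 * 3600  # assumed policy: ignore logons older than eight hours


def answer(request_line, sessions=SESSIONS, now=None, max_age=MAX_AGE):
    """Map one helper request (the %SRC value) to an external ACL reply."""
    now = time.time() if now is None else now
    parts = request_line.split()
    if len(parts) != 1:
        return "ERR"  # malformed request: fail closed
    entry = sessions.get(parts[0])
    if entry is None:
        return "ERR"  # nobody known to be logged in at this address
    user, seen = entry
    if now - seen > max_age:
        return "ERR"  # stale mapping; the address may have changed hands
    return "OK user=" + user  # user= lets Squid log the name


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Helper loop: one request per line in, one reply per line out."""
    for line in stream_in:
        stream_out.write(answer(line) + "\n")
        stream_out.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    serve()
```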
Re: [squid-users] Re: Logging/Blocking URLs with question marks ?
> On Mon, 17 Mar 2008 11:31:39 +
> "Robin Clayton" <[EMAIL PROTECTED]> wrote:
> > 2.5-Stable-5
> >
> > I have used squid for probably 8 years.

We see :)

> > It has recently come to my attention that sites with dynamic content
> > as denoted by a ? "question mark" are not being logged or blocked.
> >
> > so for example searches on google do not show the full URL.

On 18.03.08 13:07, RW wrote:
> I don't know much about 2.5 but in up-to-date versions, logging of query
> urls is governed by "strip_query_terms". By default it's on to avoid
> logging things like session IDs.

it's called privacy :)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
[squid-users] squid_ldap_group
Hello,

We have squid 3 with authorization in AD. But! squid_ldap_group does not work without -R option. Can anybody explain me what may be a problem? The matter is we defined some top-level groups in AD and included some deeper groups into them. But squid_ldap_group does not do the referral search.

Best Regards,
Dmitry Surovtsev - Дмитрий Суровцев
Credit Europe Bank - Кредит Европа Банк
390-67-33, ext. 4011
[squid-users] you tube +delay pool
Hello,

I am trying to put you tube and other flv videos in delay pool

acl flvvideo rep_mime_type video/flv
delay_access 1 allow flvvideo our_networks

But it's not working. How can I do that?
Re: [squid-users] debugging ACLs
OS= gentoo linux squid = 2.6.17
[squid-users] the sibling cache peer can't work. help!
I use 121.9.*.77 and 121.9.*.78 as sibling cache peer
when i see server_list in cachemgr, there are no fetches from its cache peer.
what is wrong with my configure file?

htcp 4827
cache_peer 121.9.*.78 sibling 80 4827 proxy-only htcp
acl All src 0/0
htcp_access allow All

Sibling: 121.9.*.78
Host : 121.9.*.78/80/4827
Flags : proxy-only htcp
Address[0] : 121.9.233.78
Status : Up
AVG RTT: 0 msec
OPEN CONNS : 0
LAST QUERY : 1205908950 seconds ago
LAST REPLY : none received
PINGS SENT :0
PINGS ACKED:0 0%
FETCHES:0 0%
IGNORED:0 0%
Histogram of PINGS ACKED:
Misses 0 0%
Hits 0 0%
keep-alive ratio: 0%