Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
On Mon, Jun 2, 2008 at 11:18 AM, Edward Dam [EMAIL PROTECTED] wrote:
 I've cleared the rules, and then applied your recommended iptables command.

 Unfortunately, it puts me right back to where I started. When the
 www.example.com redirects to http://www2.example.com:8098/login.aspx,
 it never gets there and times out.

First,  Pls clear the rule I have given,


http_port 3128 transparent
because of the above rule , you are running squid in transparent
intercept mode. I hope you can browse all the other site successfully.

Pls let me know.

Could you pls check can squid redirect www.example.com to
www2.example.com:8098/login.aspx without running squid in transparent
intercept mode ?

Pls let me know


if it can not ,
Then,

It is  www.example.com that  redirects to www.example.com,

What is this www.example.com ? Is it under your control. is it running apache?

I think you will have to redirect to www2.example.com:8098/login.aspx there.


Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Edward Dam
Hello, thank you again for the reply.

When I take off transparent mode, the result is the same, it does not
access (time out)


There seems to be some confusion on what I am trying to do.

I am NOT trying to redirect www.example.com to
www2.example.com:8098/login.aspx via my proxy server.

The site www.example.com redirects to www2.example.com:8098/login.aspx
as it is. The web server at www.example.com does this automatically
when you go to www.example.com

However users behind my proxy never get to the redirect. It either
times out or, if I forward port 8098 to 3128, I get the error I
previously showed.

I hope that clears up any confusion, and I apologize if I was not
clear previously.






On Mon, Jun 2, 2008 at 2:01 PM, Indunil Jayasooriya [EMAIL PROTECTED] wrote:
 On Mon, Jun 2, 2008 at 11:18 AM, Edward Dam [EMAIL PROTECTED] wrote:
 I've cleared the rules, and then applied your recommended iptables command.

 Unfortunately, it puts me right back to where I started. When the
 www.example.com redirects to http://www2.example.com:8098/login.aspx,
 it never gets there and times out.

 First,  Pls clear the rule I have given,


 http_port 3128 transparent
 because of the above rule , you are running squid in transparent
 intercept mode. I hope you can browse all the other site successfully.

 Pls let me know.

 Could you pls check can squid redirect www.example.com to
 www2.example.com:8098/login.aspx without running squid in transparent
 intercept mode ?

 Pls let me know


 if it can not ,
 Then,

 It is  www.example.com that  redirects to www.example.com,

 What is this www.example.com ? Is it under your control. is it running apache?

 I think you will have to redirect to www2.example.com:8098/login.aspx there.


 Hope to hear from you.


 --
 Thank you
 Indunil Jayasooriya



Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
 When I take off transparent mode, the result is the same, it does not
 access (time out)

without squid, When you access www.example.com, does it redirect to
www2.example.com:8098/login.aspx ?

If yes, Webserver www.example.com is OK.


 Hope to hear from you.



Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
 Yes, that is correct. If I bypass squid and go to www.example.com, it
 automatically redirects to www2.example.com:8098/login.aspx

OK, SOUNDS GOOD. i.e nothing wrong with webserver www.example.com

www2.example.com is running on port 8098. Can you change it to port 80
? Then, Pls browse www.example.com via squid.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
 www2.example.com server is not within my company. I cannot change
 the port on it

Again, pls disable both transparent intercept mode and dansguardian in squid.

Then, browse www.example.com via squid.

Pls give me the output of below command

tail -f /var/log/squid/access.log

and, also I need the output of below 2 apache logs of www.example.com
at the same time?

tail -f /var/log/httpd/access_log

tail -f /var/log/httpd/error_log

I think it is the easiest way to see what is going on there?


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 10:06 +0800, Edward Dam wrote:
 When a user points to www.example.com, that webpage/server redirects
 them to http://www2.example.com:8098/login.aspx
 
 The redirection is timing out. I've put port 8098 as one of the
 Safe_ports in squid.conf, and allowed both example.com and
 www2.example.com in my filters. Still no go. My iptables configuration
 on the squid server is wide open, with the exception of the
 redirection of port 80 to 8080.
 
 Any ideas, or suggestions for me?

That traffic is outside of Squid unless the client is configured to use
Squid as proxy.

Regards
Henrik




Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
 No other logging for it.

Thanks for your logs. I think that 10.43.8.20 is the server where
www2.example.com.


So far, we checked in two ways. One way is without squid (direct
connection). Then, it worked.

What is this path?

Is it via a firewall? Pls write down that PATH.

The other PATH is via squid proxy. Then, it does not work.

What is this PATH?

I want to see reverse path filtering.

Hope to hear from you.
-
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
10.1.15.245  is the squid server. It resides on the LAN.

10.1.15.240 is the LAN interface

10.1.15.241 is connected to INTRANET

What is your laptop IP?

We know you (i.e your laptop) can access www2.example.com without squid.

Can you tracert to www2.example.com (NOT through squid)

I think 10.1.15.240 is the gateway of your LAPTOP

Pls come back to me...





 From my laptop (through squid)



 C:\Documents and Settings\edd>tracert www2.example.com

 Tracing route to 10.43.8.20 over a maximum of 30 hops

   1     1 ms     1 ms     1 ms  10.1.15.245  -- this is my squid server
   2     1 ms     1 ms     1 ms  10.1.15.240  -- this is our router - LAN interface
   3     1 ms     1 ms     1 ms  10.1.15.241  -- this is the 2nd interface on the router, connected to the WAN (intranet, not internet)
   4    11 ms    12 ms    13 ms  10.43.113.57
   5     8 ms    13 ms    12 ms  10.43.112.2
   6    13 ms    13 ms    13 ms  10.43.8.20

 Trace complete.

 C:\Documents and Settings\edd>




 On Mon, Jun 2, 2008 at 3:25 PM, Indunil Jayasooriya [EMAIL PROTECTED] wrote:
 No other logging for it.

 Thanks for your logs. I think that 10.43.8.20 is the server where
 www2.example.com.


 So far, We checked in two ways.  One way is without squid (Direct
 connection)Then, It worked.

 What is this path,

 Is it via a firewall? Pls write down that PATH.

 The , other PATH is via squid proxy. Then, It does not work.

 What is this PATH?

 I want to see reverse path filtering.

 Hope to hear from you.
 -
 Thank you
 Indunil Jayasooriya





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

2008-06-02 Thread Odhiambo Washington
On Mon, Jun 2, 2008 at 2:37 AM, Amos Jeffries [EMAIL PROTECTED] wrote:
 Odhiambo Washington wrote:

 On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries [EMAIL PROTECTED]
 wrote:

 Odhiambo Washington wrote:

 Hello gurus,

 I have been trying the whole day to get Squid to work as a reverse
 proxy/accelerator for OWA and RPC-over-https with no success. I believe
 I've come to my /etc on this!
 I have read the Wiki entries and this thread:


 http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html

 Not that the article references two Squid wiki articles. All the configs
 doing OWA using dst ACL were relevant only up to 2.5 and fatally flawed
 with a required but unstated DNS hack.
 The wiki presently has updated configs which work with all current Squid.

 Thank you for informing me about that. All my thinking was that those
 wiki entries are still relevant. I actually wasn't looking at the
 above thread per se, but only for the comments and the challenges the
 poster faced, but within it there are references to the wiki entries,
 which is what I was following keenly.

 However, I seem to still miss a critical point.
 My Squid (2.7RC) is first and foremost being used as a LAN proxy. This
 in itself has posed a challenge to me in terms of specifying who is
 allowed to use it as a proxy.
 I have an M$ Exchange server which is self-contained, with
 self-signed certificate.
 Can I configure Squid as a proxy for the LAN as well as an accelerator
 for several backend website(s)? I've found this challenging in terms
 of ordering the ACLs.

 Yes. With some access control tweaking two 'components' can be kept
 separate. See below.

 That's nice for the ears!

 I can see from the above thread that Wouter de Jong-2 actually/finally
 managed to configure Squid to accelerate OWA as well as do the
 RPC-over-HTTP(s) but he does not mention if the squid instance is also
 being used as a proxy.
 Does someone have a sample config for squid being used as LAN proxy
 and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?

 Should be no need. All the current squid releases support multiple
 http_port
 entries. That is the first important part.

 Near the top of your config above your ALL of your regular proxy port and
 _access controls. Setup the OWA/RPC acceleration as listed in the wiki.
 Omitting the controls which do blanket 'deny all'.

 Noted, and thank you for that valuable information. Not heading to the
 wiki again. But I have two last hurdles:
 1. My Exchange OWA is accessible as either
 https://192.168.0.26/exchange or
 https://mxech.msexch.ourdomain.tld/exchange
 2. (a bit OT) The use of a non-commercial certificate on the Exchange
 server

 Q1. How do I tell Squid to access the /exchange bit in the url?

 Does it have to be added in squid? or can squid be left only knowing the
 '192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?
 I ask this because while squid can do url-rewriting, that method does not
 cover all possible uses of the URL, just the request and Host: ones.
 If your exchange server can accept the /exchange/* URI that would be much
 better.

After reading some Microshit articles, I managed to do make the URI
simpler, so M$ Exchange can now be accessed simply as
https://msexch.msexch.ourdomain.tld/ or https://192.168.0.26.
The /exchange is now not necessary as the redirection is now done
within IIS (yes, the Windows web server) so I am one step ahead.
I am also NOT enforcing SSL on the exchange now, but that is a small
switch that I can easily re-enable if this RPCoHTTPS stuff requires
it, especially because Outlook needs the https:// URI. However, as we
are going to do the SSL offloading on the accelerator, I believe
http:// would suffice.


 The way to do it without headaches is to get a unique domain/subdomain for
 the exchange URL and the exchange server handling the entire path of the
 URI. And squid only switching on the domain.

This is now done as a result of the change above.


 Q2. Do I have to export the certificate from the Exchange server to be
 used with Squid in the accel configuration?

 If you require clients to SSL auth, yes you will need whatever certificate
 squid presents to them to be your official one.

The certificate required in the Squid config MUST be in pem format??
That is where my problem is. When I read about exporting the
certificate used in the exchange server, all I was able to get is a
.pfx certificate. Not sure if squid will accept this as-is, or should
I just blindly try?:-)



   Anyone has an idea how I can surmount these two
 Being so much used to doing everything with Open Source apps, this
 Microsohit Exchange thing is the biggest challenge I've ever faced in
 my SysAdmin life! I must take some leave as soon as I get this
 OWA/PRCoHTTPS thing running.
 I therefore highly appreciate any help I can get towards this goal.


 http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
 

Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
 my laptop IP is 10.1.15.57.

 10.1.15.240 is the LAN interface of the router. It is normally the
 gateway - however when I am using squid (transparent) the squid server
 becomes my gateway.

Yeah,  Interesting.
Then, this is your network  setup

if you bypass squid ,
your laptop - Firewall - intranet(www.example.com) it directs to
www2.example.com

If you go via squid, this would be your network setup

your laptop - squid - Firewall - intranet(www.example.com) it
directs to www2.example.com

I think 10.1.15.240 is the gateway of squid server. How many ethernet
does this squid server have?

I think this is something that belongs to routing...


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
I am GLAD to hear am very happy about your effort in solving this ISSUE.

HAPPY squiding.



On Mon, Jun 2, 2008 at 1:57 PM, Edward Dam [EMAIL PROTECTED] wrote:
 Hello

 Thank you for all your help. I have figured out that it is actually
 related to DNS. When I put the intranet DNS server (from that other
 domain) in front of my own DNS server in resolv.conf, it now works
 through squid.

 Thank you again for all your help, and I apologize if I wasted your time.

 On Mon, Jun 2, 2008 at 4:18 PM, Indunil Jayasooriya [EMAIL PROTECTED] wrote:
 my laptop IP is 10.1.15.57.

 10.1.15.240 is the LAN interface of the router. It is normally the
 gateway - however when I am using squid (transparent) the squid server
 becomes my gateway.

 Yeah,  Interesting.
 Then, this is your network  setup

 if you bypass squid ,
 your laptop - Firewall - intranet(www.example.com) it directs to
 www2.example.com

 If you go via squid, this would be your network setup

 your laptop - squid - Firewall - intranet(www.example.com) it
 directs to www2.example.com

 I think 10.1.15.240 is the gateway of squid server. How many ethernet
 does this squid server have?

 I think this is something that belongs to routing...


 --
 Thank you
 Indunil Jayasooriya





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Access-list domain and user

2008-06-02 Thread Keke Man
Thanks a lot, it works :)


Re: [squid-users] Access-list domain and user

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 10:52 +0200, Keke Man wrote:
 Hi,
 
 I want to know if it's possible to have an ACL to grant a user to
 access a domain.

Sure. Just combine the two acls on the same http_access line..

http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-926288cb0cbbdea92bc4a807f06dd75ddbc446ff

Regards
Henrik




[squid-users] Access-list domain and user

2008-06-02 Thread Keke Man
Hi,

I want to know if it's possible to have an ACL to grant a user to
access a domain.
My users are authenticated with LDAP.

To grant access a user :
 acl prj1 proxy_auth toto
 http_access allow prj1
 http_reply_access allow prj1


To grant access for a domain :
 acl prj2 dstdom_regex youtube
 http_access allow prj2
 http_reply_access allow prj2

But :
- user 'toto' has access to all the web
- OR all my users have access to youtube

An idea ?
Thanks a lotz
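
Henrik Nordstrom's reply to this question (combine the two ACLs on one http_access line) relies on how Squid evaluates rules: ACLs on one line are ANDed, separate lines are ORed, and the first matching line decides. The following is an added Python model of that evaluation, not Squid code or code from the thread; the user `alice`, the host names and the final `http_access deny all` line are assumptions.

```python
import re

# The two rules as posted in the question: each ACL on its own http_access line.
# "http_access deny all" is an assumed final rule, not part of the post.
SEPARATE = """
acl prj1 proxy_auth toto
acl prj2 dstdom_regex youtube
http_access allow prj1
http_access allow prj2
http_access deny all
"""

# The suggested fix: both ACLs on the same http_access line.
COMBINED = """
acl prj1 proxy_auth toto
acl prj2 dstdom_regex youtube
http_access allow prj1 prj2
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions and http_access rules from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            # Repeated "acl NAME ..." lines add values to the same ACL.
            _kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """Evaluate one ACL name (optionally negated with '!') against a request."""
    if name.startswith("!"):
        return not acl_matches(acls, name[1:], request)
    if name == "all":
        return True  # modelled as matching every request
    kind, values = acls[name]
    if kind == "proxy_auth":
        # Model only: the request already carries an authenticated user name.
        return request["user"] in values
    if kind == "dstdom_regex":
        return any(re.search(v, request["host"]) for v in values)
    raise ValueError(f"ACL type not modelled: {kind}")


def decide(conf, user, host):
    """Return 'allow' or 'deny' for one request under the given configuration."""
    acls, rules = parse_conf(conf)
    request = {"user": user, "host": host}
    for action, names in rules:
        # Every ACL on the line must match (AND); the first matching line wins.
        if all(acl_matches(acls, n, request) for n in names):
            return action
    if not rules:
        return "deny"
    # No line matched: the default is the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


def compare():
    """Decision table for three constructed requests under both configurations."""
    requests = [("toto", "www.youtube.com"),
                ("toto", "www.example.org"),
                ("alice", "www.youtube.com")]
    return [(u, h, decide(SEPARATE, u, h), decide(COMBINED, u, h))
            for u, h in requests]


if __name__ == "__main__":
    for user, host, separate, combined in compare():
        print(f"{user:6} {host:18} separate={separate:6} combined={combined}")
```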


Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:
 it, especially because Outlook needs the https:// URI. However, as we
 are going to do the SSL offloading on the accelerator, I believe
 http:// would suffice.

It will, but you need to configure Squid cache_peer with the
front-end-https=auto option to let OWA know there is an SSL frontend
doing https-http translation.

 The certificate required in the Squid config MUST be in pem format??

Yes.

 That is where my problem is. When I read about exporting the
 certificate used in the exchange server, all I was able to get is a
 .pfx certificate. Not sure if squid will accept this as-is, or should
 I just blindly try?:-)

pfx archives are binary encrypted archives of both the certificate and
private key. Used for transferring a certificate from one server to
another in a reasonably secure manner.

It can be converted to PEM files by using the openssl tool. 

openssl pkcs12 -in file.pfx -out file.pem

it will ask you for the export password (encryption key).

 Let me take another stab at this question, so as to be clear:
 In both config examples, there is the following specification:
 
 https_port ip_of_squid:443 cert=/path/to/certificate/
 defaultsite=owa_hostname (the OWA example)
 https_port ip_of_squid:443 cert=/path/to/certificate
 defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

defaultsite SHOULD be the external hostname the clients connect to,
which usually is the same name as the certificate is issued to. If
unsure use vhost instead..

Note: There can only be one https_port per ip:port combination. But
quite likely the same can be used both for OWA and RPCoHTTP even if you
have OWA and Exchange on different servers... (which you don't, you have
them both on the same server)

Regards
Henrik






Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

2008-06-02 Thread Odhiambo Washington
On Mon, Jun 2, 2008 at 12:39 PM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 On Mon, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:
 it, especially because Outlook needs the https:// URI. However, as we
 are going to do the SSL offloading on the accelerator, I believe
 http:// would suffice.

Thanks for chipping in, Henrik.

 It will, but you need to configure Squid cache_peer with the
 front-end-https=auto option to let OWA know there is an SSL frontend
 doing https-http translation.

So, for OWA, is the following correct:
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS
ssl front-end-https=auto
sslcert=/opt/squid27/etc/certs/msexch_w3svc1_cert.pem
name=msexch.msexch.ourdomain.tld

(actually, this is supposed to be the only entry for cache_peer I am
going to have?)


 The certificate required in the Squid config MUST be in pem format??

 Yes.

 That is where my problem is. When I read about exporting the
 certificate used in the exchange server, all I was able to get is a
 .pfx certificate. Not sure if squid will accept this as-is, or should
 I just blindly try?:-)

 pfx archives are binary encrypted archives of both the certificate and
 private key. Used for transferring a certificate from one server to
 another in a reasonably secure manner.

 It can be converted to PEM files by using the openssl tool.

 openssl pkcs12 -in file.pfx -out file.pem

 it will ask you for the export password (encryption key).

That has worked. It also required a PEM passphrase. I hope this is not
supposed to be another problem. These ssl stuff!


 Let me take another stab at this question, so as to be clear:
 In both config examples, there is the following specification:

 https_port ip_of_squid:443 cert=/path/to/certificate/
 defaultsite=owa_hostname (the OWA example)
 https_port ip_of_squid:443 cert=/path/to/certificate
 defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

 defaultsite SHOULD be the external hostname the clients connect to,
 which usually is the same name as the certificate is issued to. If
 unsure use vhost instead..

In my case, I don't have a certificate for the external hostname,
which brings me back to the confusing issue regarding the certificate:
I can make a self-signed certificate for the external hostname. Not a
problem. However, does this mean I really don't need the internal
certificate Exchange is using?


 Note: There can only be one https_port per ip:port combination. But
 quite likely the same can be used both for OWA and RPCoHTTP even if you
 have OWA and Exchange on different servers... (which you don't, you have
 them both on the same server)

Suppose:

My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these...

What values should I use for the following variables (from the wiki):

(a) owa_hostname?
(b) ip_of_owa_server?
(c) rpcohttp.url.com?
(d) the_exchange_server?

From there, I believe I will only get stuck at the ssl certificates
step, which is where I am still a bit confused.

Thank you in advance.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Oh My God! They killed init! You Bastards!
 --from a /. post


Re: [squid-users] 2.7 dns res problem (probably bug)

2008-06-02 Thread Michel (M)

Henrik Nordstrom said in the last message:
 On Sun, 2008-06-01 at 09:45 -0300, Michel (M) wrote:

 yes I understand the msgs but it is not the case, I run the exact same
 config on the exact same machine (only by stopping 2.7 and starting 2.6
 with the exact same configs) and 2.6 works but 2.7 does not

 And they are built with the same configure options?

 There is no difference between 2.6 and 2.7 how the internal DNS resolver
 accesses the DNS servers. Both uses udp_outgoing_address (or _incoming
 if _outgoing not set) as source address.


hmm, so then it gets awkward now

 Just a wild guess, but maybe your squid-2.6 is built with
 --disable-internal-dns making it fall back on the OS provided dns
 resolver?


yes, same configure options as follows and no dns tweaks

--enable-storeio=diskd,aufs,ufs,null --enable-async-io=90 \
--enable-removal-policies=heap,lru --enable-underscores
--disable-ident-lookups \
--disable-hostname-checks --enable-large-files
--disable-http-violations \
--enable-snmp --enable-truncate --enable-time-hack \
--enable-external-acl-helpers=session \
--disable-wccp --disable-wccpv2 --enable-follow-x-forwarded-for \
--disable-linux-tproxy --disable-linux-netfilter --disable-epoll


michel
...





Tecnologia Internet Matik http://info.matik.com.br
Wireless systems for the broadband provider
Hosting and personalized email - and of course, in Brazil.




[squid-users] Blocking Shoutcast Streaming

2008-06-02 Thread Nadeem Semaan
Hello,
I am trying to block shoutcast streaming, but all I can find on the net is 
blocking the media players, which is something that I can not do since it is 
needed at times.  As well, the non standard ports are needed to access other 
sites.  Can anyone help please?





Re: [squid-users] ldap_auth

2008-06-02 Thread Chris Riggins
 I found that the method below did not work, actually.  I still
have not figured out just how Apache's htdigest is joining the
several inputs to create the md5 hash, but it isn't
user:realm:password | md5sum.

 I finally got digest auth to work by doing the following (the
-c creates the passwd file):

# htdigest -c passwd_file realm username

which requested a password.  I provided it twice, and it generated the
following line in the file:

username:realm:md5-hash

 Now that format isn't usable by squid, so take out the realm and
one of its colons, leaving
just:

username:md5-hash

 That works for squid--I'm posting this via that very proxy--and
the md5-hash does NOT match the hash made from the command:

echo -n username:realm:password

I haven't yet figured out just what htdigest is doing, but I hope to
do so shortly.  (To reply to the other request:  yes, I'll gladly
update the wiki just as soon as I've figured this all out).

 Sorry for the slow reply.  I had the weekend off!

Chris

On Sun, Jun 1, 2008 at 6:49 PM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 On Sun, 2008-06-01 at 13:23 -0700, Lawrence Anthony wrote:
 Can someone point me to how to encode the passwords using the helper?

 Here is one:

 echo -n user:realm:password | md5sum

 Using Apache htdigest is another..

 Regards
 Henrik



[squid-users] 2.7 ready for production

2008-06-02 Thread Juan C. Crespo R.

Hi Dears

   We use wccpv2, delay_pools and reply and request headers set to
128K. Does the 2.7 version support it?


Thanks :)


Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:
 (actually, this is supposed to be the only entry for cache_peer I am
 going to have?)

If you only have one server, and that server is only talking http then
yes there is only a single cache_peer..


 That has worked. It also required a PEM passphrase. I hope this is not
 supposed to be another problem. These ssl stuff!

You can configure the password in squid.conf if the PEM key is
encrypted, or easily decrypt it with the openssl rsa command.

 In my case, I don't have a certificate for the external hostname,
 which brings me back to the confusing issue regarding the certificate:
 I can make a self-signed certificate for the external hostname. Not a
 problem. However, does this mean I really don't need the internal
 certificate Exchange is using?

Correct.

 Suppose:
 
 My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
 My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)
 
 Given that both OWA and RPCoHTTPS are directed at these...
 
 What values should I use for the following variables (from the wiki):
 
 (a) owa_hostname?

In https_port defaultsite you should use mail.odhiambo.COM as this is
what the clients are expected to connect to.

 (b) ip_of_owa_server?

The ip of your exchange/owa server.

 (c) rpcohttp.url.com?

Ignore. That example uses a setup with more Exchange servers, where OWA
is running on a separate server from Exchange.

 (d) the_exchange_server?

Ignore as above.

 From there, I believe I will only get stuck at the ssl certificates
 step, which is where I am still a bit confused.

Since you are not going to use a real certificate then issue yourself a
self-signed one using OpenSSL.

  openssl req -new -x509 -days 1 -nodes -out 
mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Regards
Henrik




[squid-users] Re: allow group 1 to access few sites and group 2 to access another group of sites

2008-06-02 Thread alexus
anyone?

On Sat, May 31, 2008 at 7:55 PM, alexus [EMAIL PROTECTED] wrote:
 is there a way using squid proxy to somehow allow certain people to
 access some websites and another group of people access another group
 of websites?

 maybe some sort of authentication of some sort?

 --
 http://alexus.org/




-- 
http://alexus.org/


Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

2008-06-02 Thread Odhiambo Washington
On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 On Mon, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:
 (actually, this is supposed to be the only entry for cache_peer I am
 going to have?)

 If you only have one server, and that server is only talking http then
 yes there is only a single cache_peer..

Understood.

 That has worked. It also required a PEM passphrase. I hope this is not
 supposed to be another problem. These ssl stuff!

 You can configure the password in squid.conf if the PEM key is
 encrypted, or easily decrypt it with the openssl rsa command.

Understood as well.

 In my case, I don't have a certificate for the external hostname,
 which brings me back to the confusing issue regarding the certificate:
 I can make a self-signed certificate for the external hostname. Not a
 problem. However, does this mean I really don't need the internal
 certificate Exchange is using?

 Correct.

Pooh! That was so confusing:-)

 Suppose:

 My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
 My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

 Given that both OWA and RPCoHTTPS are directed at these...

 What values should I use for the following variables (from the wiki):

 (a) owa_hostname?

 In https_port defaultsite you should use mail.odhiambo.COM as this is
 what the clients are expected to connect to.

 (b) ip_of_owa_server?

 The ip of your exchange/owa server.

 (c) rpcohttp.url.com?

 Ignore. That example uses a setup with more Exchange servers, where OWA
 is running on a separate server from Exchange.

 (d) the_exchange_server?

 Ignore as above.

 From there, I believe I will only get stuck at the ssl certificates
 step, which is where I am still a bit confused.

 Since you are not going to use a real certificate then issue yourself a
 self-signed one using OpenSSL.

  openssl req -new -x509 -days 1 -nodes -out 
 mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Everything is all clear now.

Will find good time to test this out and see how well it goes.

Thank you very much, Amos and Henrik! That was quite some
hand-holding. I really appreciate.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Oh My God! They killed init! You Bastards!
 --from a /. post


Re: [squid-users] 2.7 ready for production

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 12:03 -0430, Juan C. Crespo R. wrote:
 We use wccpv2, delay_pools and reply and request headers set to
 128K. Does the 2.7 version support it?

Yes.

Regards
Henrik




Re: [squid-users] ldap_auth

2008-06-02 Thread Henrik Nordstrom
On Mon, 2008-06-02 at 10:10 -0400, Chris Riggins wrote:
 I found that the method below did not work, actually.  I still
 have not figured out just how Apache's htdigest is joining the
 several inputs to create the md5 hash, but it isn't
 user:realm:password | md5sum.

It is the same. Try again..

$ echo -n "henrik:Squid HTTP Proxy:testing" | md5sum
e07afc91b0cfe99ff7a3630d6f34db62  -

$ htdigest -c test.pwd "Squid HTTP Proxy" henrik
Adding password for henrik in realm Squid HTTP Proxy.
New password: [testing]
Re-type new password: [testing]
$ cat test.pwd
henrik:Squid HTTP Proxy:e07afc91b0cfe99ff7a3630d6f34db62


The following perl snippet also does the same thing:

#!/usr/bin/perl

use Digest::MD5 qw(md5_hex);

# Expect exactly three arguments: user, realm, password
if (@ARGV != 3) {
    die("usage: user realm password\n");
}

# MD5 hex digest of "user:realm:password"
print md5_hex(join(":", @ARGV))."\n";

 I finally got digest auth to work by doing the following (the
 -c creates the passwd file):
 
 # htdigest -c passwd_file realm username
 
 which requested a password.  I provided it twice, and it generated the
 following line in the file:
 
 username:realm:md5-hash
 
  Now that format isn't usable by squid

It is. Squid digest_pw_auth accepts both username:hash and
username:realm:hash, with the Apache format preferred.

In the LDAP directory the format is slightly different however as the
data is there stored within the user object, and Squid expecting
realm:hash in the LDAP attribute.

Regards
Henrik
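
The reply above describes the stored value as MD5 over `user:realm:password` and names two password-file line formats, `username:hash` and `username:realm:hash`. The following added Python example (not code from the thread, Apache or Squid) computes that hash, parses both formats, and reports why a line fails to verify, including the case where the user and realm fields were written in transposed order; all names and credentials in it are constructed.

```python
import hashlib
import hmac
import re

_MD5_HEX = re.compile(r"[0-9a-f]{32}")


def ha1(user, realm, password):
    """MD5 hex digest of 'user:realm:password', the value stored in the file."""
    data = f"{user}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def parse_entry(line):
    """Split a password-file line into (user, realm_or_None, hash).

    Accepts 'user:hash' and 'user:realm:hash'. The user is the first field,
    the hash is the last field, and anything between them is the realm.
    """
    line = line.rstrip("\r\n")
    user, sep, rest = line.partition(":")
    if not sep or not user:
        raise ValueError("line has no user field")
    realm, sep, digest = rest.rpartition(":")
    digest = digest.lower()
    if not _MD5_HEX.fullmatch(digest):
        raise ValueError("last field is not a 32-digit hex MD5")
    return user, (realm if sep else None), digest


def diagnose(line, user, realm, password):
    """Explain whether a file line verifies for the given credentials.

    Returns 'ok', 'fields-swapped', 'wrong-realm' or 'hash-mismatch'.
    """
    f_user, f_realm, f_hash = parse_entry(line)
    expected = ha1(user, realm, password)
    if (f_user == user and f_realm in (None, realm)
            and hmac.compare_digest(f_hash, expected)):
        return "ok"
    # The line was generated with realm and user given in the opposite order,
    # so both the fields and the hashed string are transposed.
    if (f_user == realm and f_realm == user
            and hmac.compare_digest(f_hash, ha1(realm, user, password))):
        return "fields-swapped"
    if f_user == user and f_realm not in (None, realm):
        return "wrong-realm"
    return "hash-mismatch"


def sample_report():
    """Run the checks over constructed sample lines (not real credentials)."""
    user, realm, password = "alice", "Example Proxy", "constructed-pass"
    lines = [
        f"{user}:{realm}:{ha1(user, realm, password)}",   # Apache-style line
        f"{user}:{ha1(user, realm, password)}",           # short form
        f"{realm}:{user}:{ha1(realm, user, password)}",   # arguments transposed
        f"{user}:{realm}:{ha1(user, realm, 'other')}",    # different password
    ]
    return [diagnose(entry, user, realm, password) for entry in lines]


if __name__ == "__main__":
    for result in sample_report():
        print(result)
```

The stored hash is all a client needs to answer a digest challenge for that realm, so the password file deserves the same file permissions as a plaintext password list.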




Re: [squid-users] Re: allow group 1 to access few sites and group 2 to access another group of sites

2008-06-02 Thread Henrik Nordstrom
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication


On Mon, 2008-06-02 at 12:15 -0400, alexus wrote:
 anyone?
 
 On Sat, May 31, 2008 at 7:55 PM, alexus [EMAIL PROTECTED] wrote:
  is there a way using squid proxy to somehow allow certain people to
  access some websites and another group of people access another group
  of websites?
 
  maybe some sort of authentication of some sort?
 
  --
  http://alexus.org/
 
 
 
 




Re: [squid-users] ldap_auth

2008-06-02 Thread Chris Riggins
 Sorry, it never matches when I do it.  eg.

(0)[slash]/opt/home/p36wk $ echo -n p36wk:Realm:passw0rd | md5sum
3acaf7548c911426be232de30c802233  -

$ /opt/apache/bin/htdigest -c passwd.htdigest p36wk Realm
Adding password for Realm in realm p36wk.
New password: [passw0rd]
Re-type new password: [passw0rd]
(0)[slash]/opt/home/p36wk $ cat passwd.htdigest
Realm:p36wk:828cadb12e66abf15ed07a7db267d3ea

 My squid 3.0.5 proxy is running on Solaris 9,  the above test
was done on Solaris 10.  The md5sum results don't match on either
machine.

 I also tested the unchanged htdigest output file as the input to
digest_pw_auth under 3.0.5, and it fails to work.

 I agree the digest_ldap_auth attribute value is somewhat
different.  I'll have to login to my testing lab to double-check the
format I used.

Chris


On Mon, Jun 2, 2008 at 1:46 PM, Henrik Nordstrom
[EMAIL PROTECTED] wrote:
 On mån, 2008-06-02 at 10:10 -0400, Chris Riggins wrote:
 I found that the method below did not work, actually.  I still
 have not figured out just how Apache's htdigest is joining the
 several inputs to create the md5 hash, but it isn't
 user:realm:password | md5sum.

 It is the same. Try again..

 $ echo -n "henrik:Squid HTTP Proxy:testing" | md5sum
 e07afc91b0cfe99ff7a3630d6f34db62  -

 $ htdigest -c test.pwd "Squid HTTP Proxy" henrik
 Adding password for henrik in realm Squid HTTP Proxy.
 New password: [testing]
 Re-type new password: [testing]
 $ cat test.pwd
 henrik:Squid HTTP Proxy:e07afc91b0cfe99ff7a3630d6f34db62


 The following perl snippet also does the same thing:

 #!/usr/bin/perl

 use Digest::MD5 qw(md5_hex);

 if (@ARGV != 3) {
     die("usage: user realm password\n");
 }

 print md5_hex(join(":", @ARGV))."\n";

 I finally got digest auth to work by doing the following (the
 -c creates the passwd file):

 # htdigest -c passwd_file realm username

 which requested a password.  I provided it twice, and it generated the
 following line in the file:

 username:realm:md5-hash

  Now that format isn't usable by squid

 It is. Squid digest_pw_auth accepts both username:hash and
 username:realm:hash, with the Apache format preferred.

 In the LDAP directory the format is slightly different however as the
 data is there stored within the user object, and Squid expecting
 realm:hash in the LDAP attribute.

 Regards
 Henrik



[squid-users] SQUID filtering with WIndows

2008-06-02 Thread Curt Coleman
I am preparing to use SQUID for web-filtering at a public library to replace
CyberSitter.  I have it running on a test machine locally and am using some
temp homemade blacklists.  Is there an easy way to make DansGuardian run on
a Windows machine?  If not, is there an alternative to DansGuardian that
will run on a Windows machine?

Thanks in Advance.

Curt


Re: [squid-users] ldap_auth

2008-06-02 Thread Henrik Nordstrom
On mån, 2008-06-02 at 15:19 -0400, Chris Riggins wrote:
 Sorry, it never matches when I do it.  eg.
 
 (0)[slash]/opt/home/p36wk $ echo -n p36wk:Realm:passw0rd | md5sum
 3acaf7548c911426be232de30c802233  -

$ echo -n p36wk:Realm:passw0rd | md5sum
336326719e5c087aa1016fe5a3c871d4  -

 $ /opt/apache/bin/htdigest -c passwd.htdigest p36wk Realm

wrong order.. should be Realm p36wk

 (0)[slash]/opt/home/p36wk $ cat passwd.htdigest
 Realm:p36wk:828cadb12e66abf15ed07a7db267d3ea

$ htdigest -c test.pwd Realm p36wk
$ cat test.pwd 
p36wk:Realm:336326719e5c087aa1016fe5a3c871d4

  My squid 3.0.5 proxy is running on Solaris 9,  the above test
 was done on Solaris 10.  The md5sum results don't match on either
 machine.

Maybe your echo doesn't support -n?

In my shell echo -n is echo without newline. echo -n Hello; echo There
produces the string HelloThere

  I also tested the unchanged htdigest output file as the input to
 digest_pw_auth under 3.0.5, and it fails to work.

Hmm... should work. Let me check.

Seems to work just fine here in manual test. 

Regards
Henrik
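
Added example, not code from the thread or from Squid or Apache: a small Python checker for the mismatches discussed above, namely a hash computed over a stray newline (or a literal -n) and an htdigest line created with realm and user in the wrong order. The function names and result labels are assumptions of this example.

```python
import hashlib

def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    """Hash htdigest stores: MD5 of "user:realm:password" with no newline."""
    return md5hex(f"{user}:{realm}:{password}")

def explain(hash_hex, user, realm, password):
    """Name the input that produced hash_hex, or "unknown" if none matches."""
    base = f"{user}:{realm}:{password}"
    candidates = {
        "ok": base,
        "trailing-newline": base + "\n",        # echo without a working -n
        "literal-dash-n": "-n " + base + "\n",  # echo that prints -n itself
        "realm-user-swapped": f"{realm}:{user}:{password}",
    }
    for label, text in candidates.items():
        if md5hex(text) == hash_hex.strip().lower():
            return label
    return "unknown"

def check_entry(line, user, realm, password):
    """Diagnose one htdigest file line ("user:realm:hash")."""
    f_user, rest = line.strip().split(":", 1)
    f_realm, f_hash = rest.rsplit(":", 1)
    verdict = explain(f_hash, user, realm, password)
    if verdict == "ok" and (f_user, f_realm) != (user, realm):
        return "field-mismatch"
    return verdict

if __name__ == "__main__":
    # Hashes and file lines quoted in the thread; the intended credentials
    # are user p36wk, realm Realm, password passw0rd as given there.
    who = ("p36wk", "Realm", "passw0rd")
    print(explain("3acaf7548c911426be232de30c802233", *who))
    print(check_entry("Realm:p36wk:828cadb12e66abf15ed07a7db267d3ea", *who))
    print(check_entry("p36wk:Realm:336326719e5c087aa1016fe5a3c871d4", *who))
```

On a shell whose echo does not honour -n, `printf '%s' "user:realm:password" | md5sum` produces the input without a trailing newline.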




Re: [squid-users] SQUID filtering with WIndows

2008-06-02 Thread Henrik Nordstrom
On mån, 2008-06-02 at 15:52 -0400, Curt Coleman wrote:
 I am preparing to use SQUID for web-filtering at a public library to replace
 CyberSitter.  I have it running on a test machine locally and am using some
 temp homemade blacklists.  Is there an easy way to make DansGuardian run on
 a Windows machine?  If not, is there an alternative to DansGuardian that
 will run on a Windows machine?

DansGuardian should work in Cygwin I think. But I haven't tried.

Regards
Henrik




[squid-users] ignoring a no_cache directive

2008-06-02 Thread Ritter, Nicholas
Is there a way to tell squid 2.6 (selective to URL or not) to ignore the
Cache-Control: no-cache directive?

Nick


[squid-users] Youtube and other streaming media (caching)

2008-06-02 Thread Rodrigo de Oliveira Gomes

Hello Guys!

Please, does the information in the message
(http://www.squid-cache.org/mail-archive/squid-users/200804/0420.html#replies)
work in squid version 3.0 stable 5?


thanks



Re: [squid-users] ignoring a no_cache directive

2008-06-02 Thread Henrik Nordstrom
On mån, 2008-06-02 at 15:47 -0500, Ritter, Nicholas wrote:
 Is there a way to tell squid 2.6 (selective to URL or not) to ignore the
 Cache-Control: no-cache directive?

refresh_pattern ignore-reload option.

Regards
Henrik




Re: [squid-users] Youtube and other streaming media (caching)

2008-06-02 Thread Henrik Nordstrom
On mån, 2008-06-02 at 18:27 -0300, Rodrigo de Oliveira Gomes wrote:
 Hello Guys!
 
 Please, does the information in the message
 (http://www.squid-cache.org/mail-archive/squid-users/200804/0420.html#replies)
 work in squid version 3.0 stable 5?

No, only 2.7 so far. But is likely to be seen in 3.1 or 3.2 as well.

Regards
Henrik




Re: [squid-users] allow group 1 to access few sites and group 2 to access another group of sites

2008-06-02 Thread Indunil Jayasooriya
 is there a way using squid proxy to somehow allow certain people to
 access some websites and another group of people access another group
 of websites?

 maybe some sort of authentication of some sort?

Yes. I am running with ncsa_auth


pls add below lines to squid.conf file


auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd


acl ncsa_users proxy_auth REQUIRED

acl group1 proxy_auth user1 user2 user3 user4 user5
acl group2 proxy_auth user6 user7
acl group3 proxy_auth user9 user11

acl DOMAINSLIST1 dstdomain .bbc.com .cnn.com
acl DOMAINSLIST2 dstdomain .google.com .yahoo.com .gmail.com
acl DOMAINSLIST3 dstdomain .bsd.org .openbsd.org .freebsd.org .redhat.com

http_access deny group1 !DOMAINSLIST1
http_access deny group2 !DOMAINSLIST2
http_access deny group3 !DOMAINSLIST3

http_access allow ncsa_users


then, using htpasswd file , pls add users as follows

[EMAIL PROTECTED] ~]# htpasswd /etc/squid/squid_passwd user1
New password:
Re-type new password:
Adding password for user user1

finally, Pls restart squid server.

That's it

Happy squiding


-- 
Thank you
Indunil Jayasooriya