[squid-users] Anti-Virus Exclusions
The proxy server running squid will soon be getting a real-time anti-virus scanner on it. Are there any exclusions which need to be configured in regards to squid?

Paul Cocker
[squid-users] block internet access from same users on squid with ntlm authentication
Good morning,

I have configured squid-2.5.STABLE3-6 on Rh3 ES. Squid is configured to use NTLM authentication to an Active Directory server so as to give internet access only to authenticated users; it all works optimally. I would like to know how to block a single user's internet access from different IPs at the same time.

Thanks in advance for any kind of support.

Best regards
Luca Forti
System Network Administrator
[squid-users] cachemgr - how to read the histogram page ?
Hi,

How to read and interpret the cachemgr's Full History Count page?

Ionel
--
Ionel GARDAIS
System-Network Engineer
Re: [squid-users] block internet access from same users on squid with ntlm authentication
On Fri, 2008-06-13 at 11:12 +0200, [EMAIL PROTECTED] wrote:
> I would like to know how to block a single user's internet access from different IPs at the same time.

See the max_user_ip acl:

    acl more_than_one_ip max_user_ip -s 1
    http_access deny more_than_one_ip

Regards
Henrik
[squid-users] authorization with openldap
Is there any way to do the authorization with openldap authentication so that people can only access those sites defined by the administrator of the squid server?

--
Regards
Piyush Joshi
9415414376
[squid-users] How can I turn off TCP_DENIED/403 and 407 logging?
I have used squid since 1.1. Now it's 2.6s17, on linux, of course! Since 1.1, squid always runs in Proxy_Authen mode. Now the 2.6s17 serves about 1,200 clients. There are new clients, around 100 every month (the old ones just fade away). All clients (and software) have to log in to Squid Proxy before being able to surf (via basic auth: ncsa).

The problem is this: while most people read the documents, follow instructions, etc, etc, some do NOT. Some are even careless ... they install software they don't use, or let rogue software install itself! So, both the people and software try to access the new without login.

Result? My access.log size is 400-1,200 MB every day (yes, I rotate it every day at 23:55pm). Worse, 3/4 of access.log is just TCP_DENIED/403 and TCP_DENIED/407. I have to pipe it to grep -v after every rotation. But ... writing 3/4 gigabyte of useless information slows down squid somewhat.

QUESTION: How can I turn off these two messages? It's useless ..

BTW, I had tried my best to search through _that_ dreadful /src/*.c and tried making some changes. Useless. (In fact, I'm just a half-noob in VB.) Tried searching/reading 4 years of usenet. No answer. Google ignores me completely ...

Thanks in advance.

--
... Lyrics of the Forest ...
Re: [squid-users] Anti-Virus Exclusions
Hi Paul,

At 10.23 13/06/2008, Paul Cocker wrote:
> The proxy server running squid will soon be getting a real-time anti-virus scanner on it. Are there any exclusions which need to be configured in regards to squid?

Excluding the cache directory (and subfolders) is really a good idea. This is better for performance and for Squid reliability: it's a bad thing if the antivirus deletes a file in the cache dir.

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] authorization with openldap
On Fri, 2008-06-13 at 17:18 +0530, piyush joshi wrote:
> Is there any way to do the authorization with openldap authentication so that people can only access those sites defined by the administrator of the squid server?

Yes, squid_ldap_group can be used for this purpose. Behind its group name it is actually a generic LDAP match and can be used for a wide variety of LDAP queries, not just user group membership.

What LDAP schema did you have in mind for defining the authorization?

Regards
Henrik
Re: [squid-users] How can I turn off TCP_DENIED/403 and 407 logging?
On Fri, 2008-06-13 at 18:56 +0700, docdiz wrote:
> My access.log size is 400-1,200 MB every day (yes, I rotate it every day at 23:55pm). Worse, 3/4 of access.log is just TCP_DENIED/403 and TCP_DENIED/407. I have to pipe it to grep -v after every rotation. But ... writing 3/4 gigabyte of useless information slows down squid somewhat.
>
> QUESTION: How can I turn off these two messages? It's useless ..

Not completely useless. But try the following:

    acl useless_squid_response rep_header X-Squid-Error ERR_CACHE_ACCESS_DENIED ERR_ACCESS_DENIED
    log_access deny useless_squid_response

Regards
Henrik
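The denied entries discussed in this thread can be reviewed before they are dropped from the log. The following is an added example, not code from the thread or from the Squid project: it summarises TCP_DENIED/403 and TCP_DENIED/407 lines per client from a native-format access.log and lists clients that are challenged but never complete a request. The sample log lines, hostnames and user names are constructed.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (not real traffic):
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.example.com/ - NONE/- text/html
1213403348.101 210 192.168.10.1 TCP_MISS/200 5120 GET http://www.example.com/ alice DIRECT/192.0.2.10 text/html
1213403350.440 12 192.168.10.7 TCP_DENIED/407 2706 GET http://updates.example.net/check - NONE/- text/html
1213403410.441 11 192.168.10.7 TCP_DENIED/407 2706 GET http://updates.example.net/check - NONE/- text/html
1213403470.442 13 192.168.10.7 TCP_DENIED/407 2706 GET http://updates.example.net/check - NONE/- text/html
1213403500.000 9 192.168.10.9 TCP_DENIED/403 1400 CONNECT mail.example.org:25 bob NONE/- text/html
1213403501.000 180 192.168.10.9 TCP_MISS/200 900 GET http://www.example.org/ bob DIRECT/192.0.2.20 text/html
this line is truncated
"""


def parse_line(line):
    """Return the fields this report needs, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, status = fields[3].split("/", 1)
    return {"client": fields[2], "code": code, "status": status}


def denied_report(log_text):
    """Per client: number of 403 and 407 denials and of requests not denied."""
    stats = defaultdict(lambda: {"403": 0, "407": 0, "served": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["code"] != "TCP_DENIED":
            stats[entry["client"]]["served"] += 1
        elif entry["status"] in ("403", "407"):
            stats[entry["client"]][entry["status"]] += 1
    return dict(stats)


def never_authenticated(report):
    """Clients that keep getting 407 challenges but never complete a request."""
    return sorted(c for c, s in report.items() if s["407"] and not s["served"])


if __name__ == "__main__":
    report = denied_report(SAMPLE_LOG)
    for client in sorted(report):
        print(client, report[client])
    print("challenged but never authenticated:", never_authenticated(report))
```

A single 407 followed by a served request is the normal challenge and retry of proxy authentication; a client with only 407 entries is the kind of unattended software the original question describes.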
[squid-users] Remote access acls
I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls. What acls or rules do I need to be looking at? I'm a newbie and just trying to keep my job. Thank you in advance.
Re: [squid-users] Remote access acls
[EMAIL PROTECTED] wrote:
> I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls. What acls or rules do I need to be looking at? I'm a newbie and just trying to keep my job. Thank you in advance.

Safest ones are auth IMO. They can use any net connection, and link in through the proxy to get anywhere. After the local accepts and before the global external denial.

Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
Re: [squid-users] Remote access acls
-- Original message --
From: Amos Jeffries [EMAIL PROTECTED]
> [EMAIL PROTECTED] wrote:
>> I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls. What acls or rules do I need to be looking at? I'm a newbie and just trying to keep my job. Thank you in advance.
>
> Safest ones are auth IMO. They can use any net connection, and link in through the proxy to get anywhere. After the local accepts and before the global external denial.
>
> Amos
> --
> Please use Squid 2.7.STABLE2 or 3.0.STABLE6

Thank you for your quick reply. What auth would you recommend? The powers above decided it shouldn't be Active Directory. What other auth is recommended? Is there any based on a cert installed on the laptops? Or could it be cookie based? (I know it sounds like a dumb question but I know I'll be asked.) Anything to avoid login and password would be great.

Thank you again.
Re: [squid-users] Remote access acls
I use simple NCSA. Then add a small password file to the NCSA directory. This password file is changed EVERY day, at 08:00am and 17:00pm. Users have to call in to get the username/password of that day before they're able to use this office's squid (another way to audit who's working or not :-D)

    # heh! this line is extracted from the very old 2.0 conf
    authenticate_program /usr/local/squid/bin/ncsa /usr/local/squid/etc/registered
    # these two lines never change even though it's now 2.6
    acl MEMBER proxy_auth REQUIRED
    http_access deny !MEMBER

2008/6/13, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> -- Original message --
> From: Amos Jeffries [EMAIL PROTECTED]
>> [EMAIL PROTECTED] wrote:
>>> I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls. What acls or rules do I need to be looking at? I'm a newbie and just trying to keep my job. Thank you in advance.
>>
>> Safest ones are auth IMO. They can use any net connection, and link in through the proxy to get anywhere. After the local accepts and before the global external denial.
>>
>> Amos
>> --
>> Please use Squid 2.7.STABLE2 or 3.0.STABLE6
>
> Thank you for your quick reply. What auth would you recommend? The powers above decided it shouldn't be Active Directory. What other auth is recommended? Is there any based on a cert installed on the laptops? Or could it be cookie based? (I know it sounds like a dumb question but I know I'll be asked.) Anything to avoid login and password would be great.
>
> Thank you again.

--
... Lyrics of the Forest ...
Re: [squid-users] Remote access acls
[EMAIL PROTECTED] wrote:
> -- Original message --
> From: Amos Jeffries [EMAIL PROTECTED]
>> [EMAIL PROTECTED] wrote:
>>> I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls. What acls or rules do I need to be looking at? I'm a newbie and just trying to keep my job. Thank you in advance.
>>
>> Safest ones are auth IMO. They can use any net connection, and link in through the proxy to get anywhere. After the local accepts and before the global external denial.
>>
>> Amos
>> --
>> Please use Squid 2.7.STABLE2 or 3.0.STABLE6
>
> Thank you for your quick reply. What auth would you recommend? The powers above decided it shouldn't be Active Directory. What other auth is recommended? Is there any based on a cert installed on the laptops? Or could it be cookie based? (I know it sounds like a dumb question but I know I'll be asked.) Anything to avoid login and password would be great.
>
> Thank you again.

Well, the thing about login/password is that it's built into HTTP and gets through almost any intermediate systems. You could implement some fancy side-band setups, but they are more risky and prone to errors.

There are plenty of back ends to Basic Auth, it's simple and users do understand it. If it's a problem with security there is digest auth with encrypted name/password nonce.

Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
[squid-users] Squid + AD Auth - popup
Hi all,

I will migrate my proxy infrastructure to use Squid. I'm doing LDAP (MS AD) authentication without problems, but I'm having trouble authenticating my users against MS AD without the web popup (asking for user and password). I need to do it in a transparent mode for authentication. Could you please give me some help?

Thanks in advance
Alexandre
Re: [squid-users] Squid + AD Auth - popup
Alexandre augusto wrote:
> Hi all, I will migrate my proxy infrastructure to use Squid. I'm doing LDAP (MS AD) authentication without problems, but I'm having trouble authenticating my users against MS AD without the web popup (asking for user and password). I need to do it in a transparent mode for authentication. Could you please give me some help?

NTLM authentication is what you need. Google for it and good luck.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
RE: [squid-users] Squid + AD Auth - popup
Alexandre,

Could you send part of the log so we can check what is happening? (PS: from the log file, send only the part that concerns the popup.)

Fabiano Cese Arantes
CLE9 - Certified Linux Engineer Suse 9
CLP9 - Certified Linux Professional Suse 9

-Original Message-
From: Alexandre augusto [mailto:[EMAIL PROTECTED]
Sent: Friday, 13 June 2008 14:47
To: squid-users@squid-cache.org
Subject: [squid-users] Squid + AD Auth - popup

> Hi all, I will migrate my proxy infrastructure to use Squid. I'm doing LDAP (MS AD) authentication without problems, but I'm having trouble authenticating my users against MS AD without the web popup (asking for user and password). I need to do it in a transparent mode for authentication. Could you please give me some help?
>
> Thanks in advance
> Alexandre
[squid-users] Where are the ircache.net cgi for creating graphs?
Hello squid world, I was looking for the scripts that create the graphs on ircache.net, I found everything but the cgi scripts. Does anyone know where to get them? Or maybe there's another package that's preferred to make use of RRD for Squid?
Re: [squid-users] Remote access acls
I would recommend you use digest instead of basic. That way the password is not transmitted in plain text.

Almost the same setup as basic, except for the auth_param settings:

    auth_param digest program /usr/local/squid/libexec/digest_pw_auth /usr/local/squid/etc/registered.htdigest

and change the rest of the basic auth_param to digest instead.

The password file is most easily maintained using Apache htdigest, instead of Apache htpasswd.

Regards
Henrik

On Fri, 2008-06-13 at 21:42 +0700, docdiz wrote:
> I use simple NCSA. Then add a small password file to the NCSA directory. This password file is changed EVERY day, at 08:00am and 17:00pm. Users have to call in to get the username/password of that day before they're able to use this office's squid (another way to audit who's working or not :-D)
>
>     # heh! this line is extracted from the very old 2.0 conf
>     authenticate_program /usr/local/squid/bin/ncsa /usr/local/squid/etc/registered
>     # these two lines never change even though it's now 2.6
>     acl MEMBER proxy_auth REQUIRED
>     http_access deny !MEMBER
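The difference between Basic and Digest raised in this thread (here and in the earlier reply mentioning digest auth) can be seen by computing both. The following is an added example, not code from the thread or from Squid: it shows that a captured Basic header yields the password directly, builds a password-file line in the Apache htdigest format, and computes and verifies an RFC 2617 Digest response. The user, realm, password and nonce values are the worked example from RFC 2617 section 3.5, not values from this thread.

```python
import base64
import hashlib
import hmac

# Values from the worked example in RFC 2617 section 3.5 (not from the thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header_value(user, password):
    """Basic auth: base64 of user:password, an encoding and not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic_password(header_value):
    """What anyone who sees a Basic header on the wire can recover."""
    decoded = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    return decoded.split(":", 1)[1]


def htdigest_line(user, realm, password):
    """Apache htdigest file line: user:realm:MD5(user:realm:password)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; this hash is what the client sends."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_line, method, uri, nonce, nc, cnonce, client_response):
    """Server side: recompute from the stored hash, without the cleartext."""
    ha1 = stored_line.split(":", 2)[2]
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    print("Basic leaks:", recover_basic_password(basic_header_value(USER, PASSWORD)))
    line = htdigest_line(USER, REALM, PASSWORD)
    resp = digest_response(line.split(":", 2)[2], METHOD, URI, NONCE, NC, CNONCE)
    print("Digest response:", resp)
    print("verifies:", server_verify(line, METHOD, URI, NONCE, NC, CNONCE, resp))
    print("replayed under a new nonce:",
          server_verify(line, METHOD, URI, "0" * 32, NC, CNONCE, resp))
```

The stored hash in the htdigest file is sufficient to compute valid responses for that realm, so the file needs the same protection as a cleartext password file.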
Re: [squid-users] Where are the ircache.net cgi for creating graphs?
On Fri, 2008-06-13 at 14:53 -0700, Richard Hubbell wrote:
> Hello squid world, I was looking for the scripts that create the graphs on ircache.net, I found everything but the cgi scripts. Does anyone know where to get them? Or maybe there's another package that's preferred to make use of RRD for Squid?

I have a small script at http://www.henriknordstrom.net/code/

There are also Squid packages for most of the system monitoring tools:

    munin
    cacti
    monit
    Ganglia
    nagios
    Zenoss

Any other SNMP-capable monitoring tool is also able to graph Squid without too much effort:

    Zabbix

The above is just a small collection, there are plenty of these tools around.

My experience after making the script mentioned above is that you are most likely better off using a real monitoring package than something specially tailored just for Squid.

Regards
Henrik
[squid-users] Squid + AD (LDAP)
Hi All,

I was wrong when I said that my authentication was working in my last email... I'm trying to make Squid work with MS AD.

So this is my squid.conf entry about LDAP auth:

    auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -D CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -w /usr/local/squid/etc/file -f (objectclass=*) -h ldap_server_ip:port

Using this configuration with the Ldapbrowser tool (Softerra), I can search my entire LDAP tree without problems.

My search base is: CN=user_admin,OU=Usuarios,OU=ABC,DC=abc,DC=com,DC=br

user_admin is Domain Admin of AD (maybe necessary to bind on it ???)

But Squid just gives me an old TCP_DENIED entry in the log files:

    1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html
    1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html

Can anyone help me?

Thanks in advance
Alexandre
[squid-users] Debug Problem
Dear all,

This is, in fact, two questions. Any idea on the cause of this:

    #dmesg | grep -i squid3
    squid3[27598]: segfault at eip 0810f3e9 esp bfaa73f4 error 4
    squid3[32012]: segfault at eip 0810f3e9 esp bfeb7804 error 4
    squid3[32042]: segfault at eip 0810f3e9 esp bfcdf634 error 4
    squid3[32569]: segfault at eip 0810f3e9 esp bfea9ff4 error 4
    squid3[32599]: segfault at eip 0810f3e9 esp bfe47f94 error 4
    squid3[32648]: segfault at eip 0810f3e9 esp bff898d4 error 4
    squid3[32678]: segfault at eip 0810f3e9 esp bfa8e3e4 error 4
    squid3[335]: segfault at eip 0810f3e9 esp bf8a79f4 error 4
    squid3[365]: segfault at eip 0810f3e9 esp bf9c2b14 error 4
    squid3[1741]: segfault at eip 0810f3e9 esp bff9d8f4 error 4
    squid3[1833]: segfault at eip 0810f3e9 esp bf824974 error 4
    squid3[2174]: segfault at eip 0810f3e9 esp bf9acb04 error 4
    squid3[24311]: segfault at 0008 eip 08118881 esp bf8d09d0 error 4
    squid3[7007]: segfault at eip 0810f3e9 esp bfc92a44 error 4

Do I need a core dump here? If yes, how can I compile squid with debugging info? ( gcc -g )

--
Armin ranjbar, System Administrator