Re: [squid-users] Fedora
Gustavo Lazarte wrote:
> The service is up but is not getting any content from the destination server. Is there a line I need to change to make it forward traffic to my target server?

What type of proxy are you trying to setup? Your config is for a standard proxy.

Amos

> Thanks
>
> -----Original Message-----
> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 16, 2008 7:38 AM
> To: Gustavo Lazarte
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Fedora
>
> Gustavo Lazarte wrote:
>> I upgraded and now when I am trying to use my squid server to send traffic to the site 10.2.0.140 the squid server IP is 10.2.0.150.
>>
>> I also get the Warning cannot write the log file Permission denied.
>>
>> Then I try the /usr/local/squid/sbin/squid I get cannot write cache.log Permission denied. I use the user nobody for cache_effective_user
>
> Ah, well, you need to set read+write permission on the log file directory squid is trying to use and the logs inside it.
>
>> /usr/local/squid/sbin/squid -z runs correctly
>
> That's good. At least the storage area won't have more of these problems when squid does start.
>
> Amos
>
>> Thanks
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, September 13, 2008 11:39 AM
>> To: Gustavo Lazarte
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Fedora
>>
>> Gustavo Lazarte wrote:
>>> I got the service working. Now my old configuration from version 2.4 is not working on 3.0 Stable 2.
>>
>> Please do not use 3.0.stable2 under any circumstances. It does not perform authentication in any meaningful manner.
>>
>> For you should use something 3.0.stable7+
>>
>> 3.0.stable9 is just out with the most current stability fixes..
>>
>>> In theory the traffic was coming from a load balancer and hit the Proxy server. The proxy server then will request 10.2.0.140 for the content.
>>>
>>> When I try to start the service with my old configuration is having problems with the following lines, is the syntax different?
>>>
>>>     acl all src 0.0.0.0/0.0.0.0 ***warning***
>>>     acl manager proto cache_object
>>>     acl localhost src 127.0.0.1/255.255.255.255
>>>     acl to_localhost dst 127.0.0.0/8
>>>     acl ssl_ports ports 443 563
>>>     acl safe_port port 80
>>>     acl safe_port
>>>     acl connect method connect
>>>     acl mylan src 127.0.0.1 ***Fatal Error***
>>>     acl mysites 10.2.0.140 *** Fatal Error***
>>>
>>>     http_access allow manager localhost
>>>     http_access deny manager
>>>     http_access deny !safe_port
>>>     http_access deny to_localhost
>>>     http_access allow mysites
>>>     http_access deny all
>>>
>>>     http_reply_access allow MYLAN ***Fatal Error***
>>>     http_reply_access allow all
>>>
>>> Even with the default config I am not able to telnet to port 80 on the squid server.
>>
>> Correct. If squid cannot read its config it won't be able to start operating.
>>
>> Use a newer version, and please indicate what the warning messages are. My informed guess is listed below
>>
>>     acl all src ...
>> ** fully built-in now. no need to specify.
>>
>>     acl mylan src 127.0.0.1
>> ** weird, check that line for extra text or invisible binary characters. same for the other src one.
>>
>>     http_reply_access allow MYLAN
>>     http_reply_access allow all
>>
>> ** earlier failure of src ACL above may cause this
>> ** only the allow all is needed.
>>
>> Amos

--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
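A pre-flight check for the "cannot write cache.log: Permission denied" part of the thread, as an added example (not from the thread and not Squid's own code). Squid needs write and search permission on the log directory, so it can create and rotate files, and write permission on every log file already in it, all as the cache_effective_user. The script works that out from ownership and mode bits, so it can be run as root before Squid is started. The default directory assumes the /usr/local/squid prefix seen in the thread; the user defaults to "nobody" as in the thread; simulate() builds a throwaway directory with constructed permissions so the logic can be exercised anywhere.

```python
"""Can Squid's cache_effective_user write its logs?  Added example, not Squid code."""
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile


def resolve_user(name):
    """(uid, set of gids) for a user name, supplementary groups included."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


def effective_bits(st, uid, gids):
    """The rwx triple (0-7) that applies to uid/gids for one stat result."""
    if uid == 0:
        return 7                           # root is not subject to mode bits
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7       # owner bits
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7       # group bits
    return st.st_mode & 7                  # other bits


def check_log_dir(logdir, uid, gids):
    """Problems Squid would hit writing logs as uid/gids; empty list means none."""
    problems = []
    try:
        st = os.stat(logdir)
    except FileNotFoundError:
        return [f"{logdir}: does not exist"]
    bits = effective_bits(st, uid, gids)
    if (bits & 0o3) != 0o3:                # needs w (create/rotate) and x (search)
        problems.append(f"{logdir}: needs write+search (wx) for the effective user, has {bits:o}")
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        fst = os.stat(path)
        if stat.S_ISREG(fst.st_mode) and not (effective_bits(fst, uid, gids) & 0o2):
            problems.append(f"{path}: not writable by the effective user")
    return problems


def simulate(dir_mode=0o700, file_mode=0o600):
    """Constructed input: a temporary log dir holding one cache.log with the
    given modes.  Returns the problems seen by the directory owner and by an
    unrelated non-root user (uid = ours + 1, no groups), in that order."""
    tmp = tempfile.mkdtemp()
    try:
        open(os.path.join(tmp, "cache.log"), "w").close()
        os.chmod(os.path.join(tmp, "cache.log"), file_mode)
        os.chmod(tmp, dir_mode)
        owner = check_log_dir(tmp, os.getuid(), {os.getgid()})
        stranger = check_log_dir(tmp, os.getuid() + 1, set())
    finally:
        os.chmod(tmp, 0o700)
        shutil.rmtree(tmp)
    return owner, stranger


if __name__ == "__main__":
    # Assumed defaults: $prefix/var/logs under /usr/local/squid, user "nobody".
    logdir = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/squid/var/logs"
    user = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    uid, gids = resolve_user(user)
    issues = check_log_dir(logdir, uid, gids)
    print("\n".join(issues) if issues else f"{user} can write logs in {logdir}")
    if issues:
        print(f"suggested fix: chown -R {user} {logdir} && chmod u+rwx {logdir}")
    sys.exit(1 if issues else 0)
```

Run it as `python3 check_logs.py /usr/local/squid/var/logs nobody` on the proxy host; a non-zero exit with the offending paths listed is the same condition Squid reports at startup, found before the daemon is involved.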
[squid-users] squid ntlm authentication multiple groups
Hi guys,

I have been able to authenticate a group in Active Directory but been unable to authenticate multiple groups in the same AD. Does anyone know how to go about it!! So far a single group authentication using ntlm_auth works perfectly apart from the Domain Admins who it can't prevent from accessing the net.

Any help will be highly appreciated.

Kind Regards
Kevin
RE: [squid-users] Fedora
The service is up but is not getting any content from the destination server. Is there a line I need to change to make it forward traffic to my target server?

Thanks

-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2008 7:38 AM
To: Gustavo Lazarte
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Fedora

Gustavo Lazarte wrote:
> I upgraded and now when I am trying to use my squid server to send traffic to the site 10.2.0.140 the squid server IP is 10.2.0.150.
>
> I also get the Warning cannot write the log file Permission denied.
>
> Then I try the /usr/local/squid/sbin/squid I get cannot write cache.log Permission denied. I use the user nobody for cache_effective_user

Ah, well, you need to set read+write permission on the log file directory squid is trying to use and the logs inside it.

> /usr/local/squid/sbin/squid -z runs correctly

That's good. At least the storage area won't have more of these problems when squid does start.

Amos

> Thanks
>
> -----Original Message-----
> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 13, 2008 11:39 AM
> To: Gustavo Lazarte
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Fedora
>
> Gustavo Lazarte wrote:
>> I got the service working. Now my old configuration from version 2.4 is not working on 3.0 Stable 2.
>
> Please do not use 3.0.stable2 under any circumstances. It does not perform authentication in any meaningful manner.
>
> For you should use something 3.0.stable7+
>
> 3.0.stable9 is just out with the most current stability fixes..
>
>> In theory the traffic was coming from a load balancer and hit the Proxy server. The proxy server then will request 10.2.0.140 for the content.
>>
>> When I try to start the service with my old configuration is having problems with the following lines, is the syntax different?
>>
>>     acl all src 0.0.0.0/0.0.0.0 ***warning***
>>     acl manager proto cache_object
>>     acl localhost src 127.0.0.1/255.255.255.255
>>     acl to_localhost dst 127.0.0.0/8
>>     acl ssl_ports ports 443 563
>>     acl safe_port port 80
>>     acl safe_port
>>     acl connect method connect
>>     acl mylan src 127.0.0.1 ***Fatal Error***
>>     acl mysites 10.2.0.140 *** Fatal Error***
>>
>>     http_access allow manager localhost
>>     http_access deny manager
>>     http_access deny !safe_port
>>     http_access deny to_localhost
>>     http_access allow mysites
>>     http_access deny all
>>
>>     http_reply_access allow MYLAN ***Fatal Error***
>>     http_reply_access allow all
>>
>> Even with the default config I am not able to telnet to port 80 on the squid server.
>
> Correct. If squid cannot read its config it won't be able to start operating.
>
> Use a newer version, and please indicate what the warning messages are. My informed guess is listed below
>
>     acl all src ...
> ** fully built-in now. no need to specify.
>
>     acl mylan src 127.0.0.1
> ** weird, check that line for extra text or invisible binary characters. same for the other src one.
>
>     http_reply_access allow MYLAN
>     http_reply_access allow all
>
> ** earlier failure of src ACL above may cause this
> ** only the allow all is needed.
>
> Amos
>
> --
> Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Re: [squid-users] squid authentication against windows Active Directory 2008 ??
No you wouldn't. I guess the squid one works too, everyone just recommends that you use the samba one. In my experience, both work fine. Have you tried the squid one?

Kevin

On Tue, Sep 16, 2008 at 3:56 AM, Gregory Machin <[EMAIL PROTECTED]> wrote:
> then I would have to install samba from what I understand, and our policy is no file sharing services allowed on the firewalls. Is there a way to get a single sign on without installing samba?
>
> On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell <[EMAIL PROTECTED]> wrote:
>> Gregory,
>>
>> I was running into the same problems. I finally got it working.
>>
>> Couple of questions
>>
>> 1. What OS
>> 2. Why not use ntlm_auth? Works better.
>>
>> Kevin
>>
>> On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin <[EMAIL PROTECTED]> wrote:
>>> Hi
>>> I'm battling to get squid_ldap_auth to authenticate against M$ windows Active Directory 2008 with my config below
>>>
>>>     /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=example,DC=co,DC=za" -h 10.*.*.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=example,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))"
>>>
>>> I have used a similar config on windows Active Directory 2003 and it worked perfectly fine. Is there a catch to authenticating against the 2008 version of AD? or have I missed some thing..
>>>
>>> How is the best way to debug this as squid does not log or output any errors even when in debugging mode..
>>>
>>> when I run
>>>
>>>     [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -h 10.0.1.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))" -v3
>>>     gregory.machin Password1
>>>     ERR Success
>>>
>>> I get "ERR Success"
>>> I believe I should get "OK"
>>> How can I get more info out of this interface?
>>>
>>> Thanks in advance.
[squid-users] NTLM authentication cache parameters
Hello,

I'm configuring a 2.7 Stable 4 squid for NTLM authentication across a slow link (VPN over internet). It's working, no problem at all. I've joined the squid box to the AD, winbind is running, wbinfo -t, -g and -u are OK. Everything is OK, authentication is running fine.

Although, I have noticed there's some great traffic on the VPN between the squid box and the AD server, which is expected, because of the authentication traffic.

I remembered, from ancient ages, those:

    "max_challenge_reuses" number
    "max_challenge_lifetime" timespan

ntlm parameters from outdated 2.5 squid and noticed they don't exist on 2.7 anymore.

Question is: is there some similar option on squid 2.7 that can be used to reduce authentication traffic between slow links, just like those 2 parameters that existed on squid 2.5??

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email: [EMAIL PROTECTED]
My SPAMTRAP, do not email it
Re: [squid-users] squid authentication against windows Active Directory 2008 ??
Gregory Machin wrote:
> then I would have to install samba from what I understand, and our policy is no file sharing services allowed on the firewalls. Is there a way to get a single sign on without installing samba?

Correct me if I'm wrong, but I don't think the NTLM helper for squid requires that samba be installed on the same machine. Just at an available source over the network.

Amos

> On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell <[EMAIL PROTECTED]> wrote:
>> Gregory,
>>
>> I was running into the same problems. I finally got it working.
>>
>> Couple of questions
>>
>> 1. What OS
>> 2. Why not use ntlm_auth? Works better.
>>
>> Kevin
>>
>> On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin <[EMAIL PROTECTED]> wrote:
>>> Hi
>>> I'm battling to get squid_ldap_auth to authenticate against M$ windows Active Directory 2008 with my config below
>>>
>>>     /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=example,DC=co,DC=za" -h 10.*.*.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=example,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))"
>>>
>>> I have used a similar config on windows Active Directory 2003 and it worked perfectly fine. Is there a catch to authenticating against the 2008 version of AD? or have I missed some thing..
>>>
>>> How is the best way to debug this as squid does not log or output any errors even when in debugging mode..
>>>
>>> when I run
>>>
>>>     [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -h 10.0.1.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))" -v3
>>>     gregory.machin Password1
>>>     ERR Success
>>>
>>> I get "ERR Success"
>>> I believe I should get "OK"
>>> How can I get more info out of this interface?
>>>
>>> Thanks in advance.

--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Re: FW: [squid-users] Bypassing Squid completely for specific domains/IPs
Mike Raath wrote:
> proxy.pac may be an option, but if possible I'd like to keep the zero configuration element of a transparent proxy.
>
> Amos - I'm not quite sure how to integrate your suggestion with what I had. Bear in mind that the IP address specified in the request could be anything from localhost (developer's own box although in this case it won't hit the proxy), development server, test server or live server. Defining a cache-peer as you have it there assumes everyone will be looking at the same box at the same time, which would mean I could define the entry in the DNS forwarding, unless I've misunderstood you.
>
> I can't do that simply because during a normal dev sprint developers would be pointing at a dev server, testers at a test server, and product owners/others would be looking at live.
>
> Bear in mind that in almost all cases traffic will be normal browsing traffic, and caching is exactly what I want. But in this specific case I need to be able to bypass not only the cache, but also the proxy. And everyone in the office has a laptop which means that they regularly connect to different APs, so setting proxy information manually would be a major pain.

The cache_peer_access options in Squid can be used with any of the request ACL, and cache_peer can have multiple entries. As long as you can define explicitly who is meant to be going where it can be written as ACL in squid.conf and the same request from different people routed anywhere.

May take a little getting your head around the possibilities, but once you do you will find it an easier way to run things.

Arbitrarily complex: ie
    user B goes to server B no matter the source
    machines in subnet A always go to server A
    user C from machine D goes to Server B
    etc, etc.

add on top external ACL feature, which can pull settings from a database or arbitrary information source. And you have a real-time plug-n-play access system for any number of source servers.

Amos

--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Re: [squid-users] Fedora
Gustavo Lazarte wrote:
> I upgraded and now when I am trying to use my squid server to send traffic to the site 10.2.0.140 the squid server IP is 10.2.0.150.
>
> I also get the Warning cannot write the log file Permission denied.
>
> Then I try the /usr/local/squid/sbin/squid I get cannot write cache.log Permission denied. I use the user nobody for cache_effective_user

Ah, well, you need to set read+write permission on the log file directory squid is trying to use and the logs inside it.

> /usr/local/squid/sbin/squid -z runs correctly

That's good. At least the storage area won't have more of these problems when squid does start.

Amos

> Thanks
>
> -----Original Message-----
> From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 13, 2008 11:39 AM
> To: Gustavo Lazarte
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Fedora
>
> Gustavo Lazarte wrote:
>> I got the service working. Now my old configuration from version 2.4 is not working on 3.0 Stable 2.
>
> Please do not use 3.0.stable2 under any circumstances. It does not perform authentication in any meaningful manner.
>
> For you should use something 3.0.stable7+
>
> 3.0.stable9 is just out with the most current stability fixes..
>
>> In theory the traffic was coming from a load balancer and hit the Proxy server. The proxy server then will request 10.2.0.140 for the content.
>>
>> When I try to start the service with my old configuration is having problems with the following lines, is the syntax different?
>>
>>     acl all src 0.0.0.0/0.0.0.0 ***warning***
>>     acl manager proto cache_object
>>     acl localhost src 127.0.0.1/255.255.255.255
>>     acl to_localhost dst 127.0.0.0/8
>>     acl ssl_ports ports 443 563
>>     acl safe_port port 80
>>     acl safe_port
>>     acl connect method connect
>>     acl mylan src 127.0.0.1 ***Fatal Error***
>>     acl mysites 10.2.0.140 *** Fatal Error***
>>
>>     http_access allow manager localhost
>>     http_access deny manager
>>     http_access deny !safe_port
>>     http_access deny to_localhost
>>     http_access allow mysites
>>     http_access deny all
>>
>>     http_reply_access allow MYLAN ***Fatal Error***
>>     http_reply_access allow all
>>
>> Even with the default config I am not able to telnet to port 80 on the squid server.
>
> Correct. If squid cannot read its config it won't be able to start operating.
>
> Use a newer version, and please indicate what the warning messages are. My informed guess is listed below
>
>     acl all src ...
> ** fully built-in now. no need to specify.
>
>     acl mylan src 127.0.0.1
> ** weird, check that line for extra text or invisible binary characters. same for the other src one.
>
>     http_reply_access allow MYLAN
>     http_reply_access allow all
>
> ** earlier failure of src ACL above may cause this
> ** only the allow all is needed.
>
> Amos

--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Re: FW: [squid-users] Bypassing Squid completely for specific domains/IPs
On Mon, Sep 15, 2008 at 03:30:37PM +0200, Mike Raath wrote:
> proxy.pac may be an option, but if possible I'd like to keep the zero configuration element of a transparent proxy.

The best solution is to bypass your interception completely for those particular servers (based on their IP). Is this an option? How are you doing the interception at present, e.g. netfilter REDIRECT or WCCP or...? You should be able to prevent certain traffic from being redirected to squid in the first place.

> Amos - I'm not quite sure how to integrate your suggestion with what I had. Bear in mind that the IP address specified in the request could be anything from localhost (developer's own box although in this case it won't hit the proxy), development server, test server or live server. Defining a cache-peer as you have it there assumes everyone will be looking at the same box at the same time, which would mean I could define the entry in the DNS forwarding, unless I've misunderstood you.
>
> I can't do that simply because during a normal dev sprint developers would be pointing at a dev server, testers at a test server, and product owners/others would be looking at live.

Did you see my reply, which is basically an extension of Amos' method? So long as the servers have fixed IPs and there aren't too many of them that could work. But I'd really try to bypass the interception if at all possible, because it would be a lot simpler to manage long-term.

I don't think squid has any options to use the IP the client originally connected to. I'm not even sure if squid is ever actually aware of what that IP is.
Re: [squid-users] squid authentication against windows Active Directory 2008 ??
then I would have to install samba from what I understand, and our policy is no file sharing services allowed on the firewalls. Is there a way to get a single sign on without installing samba?

On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell <[EMAIL PROTECTED]> wrote:
> Gregory,
>
> I was running into the same problems. I finally got it working.
>
> Couple of questions
>
> 1. What OS
> 2. Why not use ntlm_auth? Works better.
>
> Kevin
>
> On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin <[EMAIL PROTECTED]> wrote:
>> Hi
>> I'm battling to get squid_ldap_auth to authenticate against M$ windows Active Directory 2008 with my config below
>>
>>     /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=example,DC=co,DC=za" -h 10.*.*.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=example,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))"
>>
>> I have used a similar config on windows Active Directory 2003 and it worked perfectly fine. Is there a catch to authenticating against the 2008 version of AD? or have I missed some thing..
>>
>> How is the best way to debug this as squid does not log or output any errors even when in debugging mode..
>>
>> when I run
>>
>>     [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b "OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -h 10.0.1.250 -D "CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational Structure,DC=techconcepts,DC=co,DC=za" -w "Password1" -f "(&(uid=%s)(objectclass=user))" -v3
>>     gregory.machin Password1
>>     ERR Success
>>
>> I get "ERR Success"
>> I believe I should get "OK"
>> How can I get more info out of this interface?
>>
>> Thanks in advance.
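The manual helper test Gregory describes in the quoted message (typing "user password" at squid_ldap_auth and reading back "ERR Success" instead of "OK") is the Squid basic-auth helper protocol: one "username password" line per request on stdin, one reply line starting "OK" or "ERR" (newer Squid releases add "BH" for a broken helper), optionally followed by a message. The script below, an added example that is not from the thread and not Squid's own code, drives any such helper from outside Squid and decodes its replies, so the helper and its LDAP arguments can be verified before Squid is involved. To run offline it embeds a constructed stand-in helper that knows one made-up credential pair; point run_helper() at the real command line (for example the /usr/lib64/squid/squid_ldap_auth invocation from the thread) to test a production helper.

```python
"""Drive a Squid basic-auth helper by hand.  Added example, not Squid code."""
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in helper: speaks the basic helper protocol and accepts
# exactly one credential pair (alice / "s3cret pass").  Not a real helper.
FAKE_HELPER = r'''
import sys
from urllib.parse import unquote
for line in sys.stdin:
    fields = line.rstrip("\n").split(" ", 1)
    if len(fields) != 2:
        print("ERR malformed request")
    else:
        user, pw = (unquote(f) for f in fields)
        print("OK" if (user, pw) == ("alice", "s3cret pass") else "ERR wrong credentials")
    sys.stdout.flush()
'''


def parse_reply(line):
    """Split one helper reply line into (status, message)."""
    status, _, message = line.strip().partition(" ")
    if status not in ("OK", "ERR", "BH"):
        raise ValueError(f"not a helper reply: {line!r}")
    return status, message


def run_helper(cmd, credentials):
    """Send each (user, password) pair to the helper on its own line and
    return the parsed replies in order.  Both fields are URL-encoded the way
    Squid does (RFC 1738 escaping), so a space in a password arrives as %20
    instead of splitting the line into three fields."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    replies = []
    try:
        for user, password in credentials:
            proc.stdin.write(f"{quote(user, safe='')} {quote(password, safe='')}\n")
            proc.stdin.flush()
            line = proc.stdout.readline()
            if not line:                      # helper died or closed stdout
                replies.append(("BH", "helper closed its output"))
                break
            replies.append(parse_reply(line))
    finally:
        proc.stdin.close()
        proc.wait()
    return replies


def demo():
    """One good and two bad attempts against the stand-in helper."""
    cmd = [sys.executable, "-c", FAKE_HELPER]
    return run_helper(cmd, [("alice", "s3cret pass"),
                            ("alice", "nope"),
                            ("bob", "s3cret pass")])


if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

Replace `cmd` in demo() with the real helper and its `-b`/`-h`/`-D`/`-w`/`-f` arguments to reproduce the thread's test; the parsed status tells you whether the helper itself accepts the credentials, independent of anything Squid logs.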
Re: [squid-users] different parent proxy for specific sites
Tim Bates wrote:
> Andreas Moroder wrote:
>> our squid passes all the http traffic to a parent proxy. Now we have two sites that work only if we access them through another parent proxy. Is there a way to tell squid to redirect certain domains to this secondary proxy?
>
> Yes. It is possible. I'm a bit rusty on how, but it involves "cache_peer_domain".
> http://www.squid-cache.org/Versions/v2/2.6/cfgman/cache_peer_domain.html
>
> Something like this (from memory, could be wrong):
>
>     cache_peer 192.168.1.1 parent 3128 3130
>     cache_peer 192.168.1.2 parent 3128 3130
>     cache_peer_domain 192.168.1.2 hotmail.com yahoo.com
>
> Tim B

Hello Tim,

does this work for https too? I tried it but it did not work.

Thanks
Andreas
Re: [squid-users] different parent proxy for specific sites
Andreas,

There is an option to redirect specifically some sites. For example, we can redirect example.com to another server by using cache_peer as follows.

    cache_peer 172.16.x.x(IP of another Server) parent 3128(SQUID PORT) 3130(ICP_PORT)
    cache_peer_domain example.com

Thanks
Visolve Squid Team
www.visolve.com

Andreas Moroder wrote:
> Hello,
>
> our squid passes all the http traffic to a parent proxy. Now we have two sites that work only if we access them through another parent proxy. Is there a way to tell squid to redirect certain domains to this secondary proxy?
>
> Thanks
> Andreas
Re: [squid-users] different parent proxy for specific sites
Andreas Moroder wrote:
> our squid passes all the http traffic to a parent proxy. Now we have two sites that work only if we access them through another parent proxy. Is there a way to tell squid to redirect certain domains to this secondary proxy?

Yes. It is possible. I'm a bit rusty on how, but it involves "cache_peer_domain".
http://www.squid-cache.org/Versions/v2/2.6/cfgman/cache_peer_domain.html

Something like this (from memory, could be wrong):

    cache_peer 192.168.1.1 parent 3128 3130
    cache_peer 192.168.1.2 parent 3128 3130
    cache_peer_domain 192.168.1.2 hotmail.com yahoo.com

Tim B
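Two threads on this page turn on the same mechanism: Amos' "arbitrarily complex" routing with cache_peer_access in the transparent-proxy thread (user B always to server B, subnet A always to server A, user C only from machine D), and Tim's cache_peer_domain lines above for sending a few domains to a second parent. The model below is an added example, not from either thread and not Squid's own code; it goes beyond the two specific configs by implementing the general first-match evaluation that both rely on. Each cache_peer carries its own ordered allow/deny lines; on a line all ACLs must match; the first matching line decides; when no line matches the result is the opposite of the last line, which is the access-list default Squid documents for http_access and is assumed here for cache_peer_access as well. cache_peer_domain is modelled as an extra filter on the peer, with the dstdomain convention that ".example.com" matches the domain and its subdomains while "example.com" matches only that host. Peer selection is simplified to "first eligible parent in squid.conf order"; real Squid also weighs ICP, round-robin and peer health. All IPs, users, peer names and domains are constructed.

```python
"""How Squid narrows the parent list with cache_peer_access / cache_peer_domain.
Added example, not Squid code; selection order is simplified (see lead-in)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client address
    host: str           # destination host name
    user: str = ""      # authenticated user name, "" when anonymous


def domain_match(pattern, host):
    """dstdomain-style match: leading dot = domain and all subdomains."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


# ACL types used below; each takes (values, request) and returns bool.
ACL_TYPES = {
    "src": lambda vals, r: any(ipaddress.ip_address(r.src) in ipaddress.ip_network(v, strict=False)
                               for v in vals),
    "dstdomain": lambda vals, r: any(domain_match(v, r.host) for v in vals),
    "proxy_auth": lambda vals, r: r.user != "" and r.user in vals,
}


class PeerRouter:
    def __init__(self):
        self.acls = {}       # name -> (type, [values])
        self.peers = []      # parent names in squid.conf order
        self.access = {}     # peer -> [(allow?, [acl names])]
        self.domains = {}    # peer -> [domain patterns]

    def acl(self, name, acl_type, *values):
        self.acls.setdefault(name, (acl_type, []))[1].extend(values)

    def cache_peer(self, name):
        self.peers.append(name)

    def cache_peer_access(self, peer, action, *acl_names):
        self.access.setdefault(peer, []).append((action == "allow", list(acl_names)))

    def cache_peer_domain(self, peer, *patterns):
        self.domains.setdefault(peer, []).extend(patterns)

    def acl_matches(self, name, req):
        negated = name.startswith("!")          # "!acl" inverts the match
        acl_type, values = self.acls[name.lstrip("!")]
        return ACL_TYPES[acl_type](values, req) != negated

    def peer_allowed(self, peer, req):
        patterns = self.domains.get(peer)
        if patterns and not any(domain_match(p, req.host) for p in patterns):
            return False                         # cache_peer_domain filter
        lines = self.access.get(peer, [])
        for allow, names in lines:               # first-match, AND within a line
            if all(self.acl_matches(n, req) for n in names):
                return allow
        return not lines[-1][0] if lines else True   # no match: opposite of last line

    def select_peer(self, req):
        """First eligible parent in config order, or None for going DIRECT."""
        for peer in self.peers:
            if self.peer_allowed(peer, req):
                return peer
        return None


def build_example():
    """Amos' three routing rules plus a domain-limited mail parent, one config."""
    r = PeerRouter()
    r.acl("all", "src", "0.0.0.0/0")
    r.acl("subnetA", "src", "10.1.0.0/24")
    r.acl("machineD", "src", "10.2.0.44")
    r.acl("userB", "proxy_auth", "bob")
    r.acl("userC", "proxy_auth", "carol")
    for peer in ("mailproxy", "serverB", "serverA"):
        r.cache_peer(peer)
    r.cache_peer_domain("mailproxy", ".hotmail.com", ".yahoo.com")
    r.cache_peer_access("serverB", "allow", "userB")              # user B from anywhere
    r.cache_peer_access("serverB", "allow", "userC", "machineD")  # user C only from machine D
    r.cache_peer_access("serverB", "deny", "all")
    r.cache_peer_access("serverA", "deny", "!subnetA")            # no match => allow (opposite of deny)
    return r


if __name__ == "__main__":
    router = build_example()
    for req in (Request("10.1.0.5", "www.example.com"),
                Request("10.9.9.9", "www.example.com", user="bob"),
                Request("10.2.0.45", "www.example.com", user="carol"),
                Request("10.1.0.5", "mail.hotmail.com")):
        print(req, "->", router.select_peer(req) or "DIRECT")
```

Peer order matters in this model exactly as it does when several parents are eligible in Squid: bob from inside subnet A reaches serverB only because serverB is listed before serverA. The last serverA line shows why an explicit trailing "deny all" is usually clearer than relying on the opposite-of-last-line default.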