Re: [squid-users] NTLM and transparent/interception confusion
Hi,

At 20.06 31/12/2008, Johnson, S wrote:

> I've been doing a lot of reading on this... I've got the proxy working in either of these two modes:
>
> 1) As a browser configuration proxy
> 2) with http_port 3128 transparent, in redirected mode
>
> I've got NTLM authentication working just fine with #1 above. However, with #2 I never get a password prompt. I don't really care about transparency; I just want to authenticate users that are outbound without having to configure their browser.
>
> I asked this question a couple of months back and there are people stating that they are doing the authentication with transparent mode. Some of the references I've found in my searches also seem to corroborate the possibility of this working (but it's not working for me). However, in the documentation it seems that this should not be possible.
>
> Am I barking up the wrong tree or is this truly possible?

You cannot.

You are mixing two very different and incompatible things:

- Transparent/intercepting proxy
- NTLM transparent (silent) authentication, also known as Windows integrated authentication

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Regards and happy New Year

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1
10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135
Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
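As an added example (not part of the original thread and not the Squid project's own configuration), the fragment below uses the Squid 2.6/3.0 syntax quoted above to require NTLM only on the browser-configured port and to fall back to source-address rules on the intercepted port. The helper path, port 3129 and the 10.0.0.0/8 range are assumptions.

```conf
# Added example, not from the thread. Helper path, port numbers and the
# localnet range are assumptions; adjust them to the installation.

# NTLM helper (Samba's ntlm_auth) for the browser-configured mode
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Two listeners: one explicit, one for redirected (intercepted) traffic
http_port 3128
http_port 3129 transparent

# "all" is defined in the stock 2.6/3.0 squid.conf; repeated here for completeness
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl explicit_port myport 3128
acl intercept_port myport 3129
acl ntlm_users proxy_auth REQUIRED

# Explicit clients know they are talking to a proxy, so the
# 407 Proxy Authentication Required challenge is answered by the browser.
http_access allow explicit_port localnet ntlm_users

# Intercepted clients believe they are talking to the origin server and do
# not answer a proxy challenge, so proxy_auth is never evaluated on this
# port; only address-based rules apply.
http_access allow intercept_port localnet

http_access deny all
```

Because ACLs on an http_access line are evaluated left to right, the proxy_auth test is reached only for requests that arrived on port 3128.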
[squid-users] Squid multiple instances log problem
I'm trying to run multiple instances of squid and I've followed the available directions. The second instance of squid throws an error when it tries to open its access log file.

    Jan 1 10:32:12 desktop squid[15527]: Squid Parent: child process 15529 started
    Jan 1 10:32:12 desktop (squid): Cannot open '/var/log/squid3/accessSquid3HTTPProxy.log' for writing. ^IThe parent directory must be writeable by the ^Iuser 'proxy', which is the cache_effective_user ^Iset in squid.conf.
    Jan 1 10:32:12 desktop squid[15527]: Squid Parent: child process 15529 exited with status 1
    Jan 1 10:32:42 desktop squid[15540]: Exiting due to repeated, frequent failures

An ls -l /var/log/squid3/ shows,

    -rw-r- 1 proxy proxy 0 2009-01-01 07:56 access.log
    -rw-r- 1 proxy proxy 118302 2008-12-31 20:46 access.log.1
    -rw-r- 1 proxy proxy 0 2009-01-01 10:29 accessSquid3HTTPProxy.log
    -rw-r--r-- 1 proxy proxy 6773 2009-01-01 10:11 cache.log
    -rw-r--r-- 1 proxy proxy 112239 2008-12-31 19:58 cache.log.1
    -rw-r--r-- 1 proxy proxy 7005 2009-01-01 10:32 cacheSquid3HTTPProxy.log
    -rw-r- 1 proxy proxy 603 2009-01-01 09:58 store.log
    -rw-r- 1 proxy proxy 154882 2009-01-01 06:58 store.log.1

Why can't it write to its log file when the first instance can write to its log file and starts up properly?
[squid-users] Extra Squid process?
There is a squid process listening on a random port with protocol udp each time I start squid and I'm not sure what it does.

I do a ps -ef | grep squid and get

    root 22110 1 0 18:24 ? 00:00:00 /usr/sbin/squid3 -D -sYC
    proxy 22113 22110 0 18:24 ? 00:00:00 (squid) -D -sYC

I do a sudo netstat -tlnup | grep squid and get

    tcp 0 0 10.6.7.0:3128 0.0.0.0:* LISTEN 22113/(squid)
    udp 0 0 0.0.0.0:36947 0.0.0.0:* 22113/(squid)

I'm ok with the one listening on 10.6.7.0:3128, but what does the process do that's listening on 0.0.0.0:36947?

I checked syslog and found,

    DNS Socket created at 0.0.0.0, port 36947, FD 8.

Is this a DNS process of some sort? Can I disable it? If not, is there a way for me to make it listen on a specific ip or interface instead of 0.0.0.0?

I already disabled the icp process so it doesn't show up.
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
So I have OWA and RPCoHTTPS accelerator working on 3.0, with forward proxy on a separate instance of 2.6. Now I'm building a new Redhat box and I would like to handle both my normal LAN proxy and reverse proxy for OWA, RPCoHTTPS and Activesync on one instance of Squid. It sounded like 2.6 should be able to handle the chunked encoding and NTLM auth required for Activesync. Can I/should I do all this on one instance of Squid? Am I asking too much?

The latest Redhat comes with 2.6STABLE6, which I realize is rather old. But I decided to forge ahead and try it. I am directing two different public domains to the same Exchange server. This basic configuration works on 3.0. Now trying to add it to the 2.6 forward proxy config, sometimes Squid seems to be redirecting forward proxy requests to my OWA server, and I get:

    The following error was encountered:
    * Socket Failure
    The system returned: (99) Cannot assign requested address
    Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.

Config follows...
    #OWA
    https_port domain1-owa:443 cert=/usr/share/ssl/combined.crt key=/usr/share/ssl/owa.key defaultsite=owa.domain1.com
    https_port domain2-owa:443 cert=/usr/share/ssl/domain2/domain2-owa.pem defaultsite=owa.domain2.com
    cache_peer ip_of_exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/usr/share/ssl/exchange/exch-owa.pem name=owa-server
    acl OWA dstdomain owa.domain1.com
    acl OWA dstdomain owa.domain2.com
    cache_peer_access owa-server allow OWA
    never_direct allow OWA
    http_access allow OWA

    #rpc_http
    https_port domain1-rpc:443 cert=/usr/share/ssl/rpc/rpc.pem defaultsite=rpc.domain1.com
    https_port domain2-rpc:443 cert=/usr/share/ssl/domain2/domain2-rpc.pem defaultsite=rpc.domain2.com
    cache_peer ip_of_exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/usr/share/ssl/exchange/exch-owa.pem name=rpc-server
    acl RPC dstdomain rpc.domain1.com
    acl RPC dstdomain rpc.domain2.com
    cache_peer_access rpc-server allow RPC
    never_direct allow RPC
    http_access allow RPC

    [typical stand-alone forward http proxy configuration follows]

Any thoughts would be most appreciated.

Thanks
Alan Lehman