RE: [squid-users] NTLM and transparent/interception confusion
That's too bad... I've set up numerous Bluecoat proxies and they do have this capability. But of course, you're paying about $50k usd / box. -Original Message- From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it] Sent: Thursday, January 01, 2009 4:00 AM To: Johnson, S; squid-users@squid-cache.org Subject: Re: [squid-users] NTLM and transparent/interception confusion Hi, At 20.06 31/12/2008, Johnson, S wrote: I've been doing a lot of reading on this... I've got the proxy working in either of these two modes: 1) As a browser configuration proxy 2) with http_port 3128 transparent, in redirected mode I've got NTLM authentication working just fine with #1 above. However, with #2 I never get a password prompt. I don't really care about transparency; I just want to authenticate users that are outbound without having to configure their browser. I asked this question a couple of months back and there are people stating that they are doing the authentication with transparent mode. Some of the references I've found in my searches also seem to corroborate the possibility of this working (but it's not working for me). However, in the documentation it seems that this should not be possible. Am I barking up the wrong tree or is this truly possible? You cannot. Youa are mixing two very different and incompatible things: - Transparent/intercepting proxy - NTLM transparent (silent) authentication, also known as Windows integrated authentication http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe 0e21e5c2903473c473d401533ac7 Regards and happy New Year Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: guido.seras...@acmeconsulting.it WWW: http://www.acmeconsulting.it/ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
[squid-users] url_regex help
I have an internal web server that some users are accessing through a proxy, it's an older server that badly needs to be replaced, but until the developers get around to migrating the applications I have to solve a problem. Basically it is serving some Excel and PDF files, but the server responds with a 304 Unmodified response even though the files have been updated, causing squid to serve the cached file instead of the updated file. I was able to use the an ACL using the dstdomain option and a no_cache deny line to stop it from caching the server entirely. However as this machine is quite slow, I would like to still cache the html and images as those work correctly. While using the url_regex lines to get just the Excel and PDF files not cached, I am still getting some TCP_MEM_HIT entries in the access logs on these files. I probably should mention that I disabled the disk cache for now on this system while figuring this problem out, all actual web request are forwarded through another proxy that is still caching on disk, only the internal web applications go direct. Here's what I have, anyone have an idea where I went wrong I am Running Squid 3.0 Stable 9 on FreeBSD 6.2 Acl NOCACHEPDF url_regex -i ^http://hostname.\*pdf$ Acl NOCACHEXLS url_regex -i ^http://hostname.\*xls$ No_cache deny NOCACHEPDF NOCACHEXLS I have used cat combined with awk and grep to check the pattern matching on the access logs with: Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*pdf$ Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*xls$ This correctly matches all the entries I want and none that I don't want to stop caching. Thanks, Dean Weimer Network Administrator Orscheln Management Co
Re: [squid-users] NTLM and transparent/interception confusion
Could you try to get a network trace of a successfully authenticated http transaction? I would love to see how they do it... Thanks! On 1/2/09, Johnson, S sjohn...@edina.k12.mn.us wrote: That's too bad... I've set up numerous Bluecoat proxies and they do have this capability. But of course, you're paying about $50k usd / box. -Original Message- From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it] Sent: Thursday, January 01, 2009 4:00 AM To: Johnson, S; squid-users@squid-cache.org Subject: Re: [squid-users] NTLM and transparent/interception confusion Hi, At 20.06 31/12/2008, Johnson, S wrote: I've been doing a lot of reading on this... I've got the proxy working in either of these two modes: 1) As a browser configuration proxy 2) with http_port 3128 transparent, in redirected mode I've got NTLM authentication working just fine with #1 above. However, with #2 I never get a password prompt. I don't really care about transparency; I just want to authenticate users that are outbound without having to configure their browser. I asked this question a couple of months back and there are people stating that they are doing the authentication with transparent mode. Some of the references I've found in my searches also seem to corroborate the possibility of this working (but it's not working for me). However, in the documentation it seems that this should not be possible. Am I barking up the wrong tree or is this truly possible? You cannot. Youa are mixing two very different and incompatible things: - Transparent/intercepting proxy - NTLM transparent (silent) authentication, also known as Windows integrated authentication http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe 0e21e5c2903473c473d401533ac7 Regards and happy New Year Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: guido.seras...@acmeconsulting.it WWW: http://www.acmeconsulting.it/ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- /kinkie
[squid-users] squid restarts itself
Hello again and Happy New Year to all. Today I decided to review the cache.log file to see how things were running after receiving some complaints from users that there hasnt' been Internet a couple of times. I noticed that squid is restarting itself every once in a while. I dont know what' going on with squid or my configuration but, I'm getting a lot of errors and is not working properly. Please help me figure out what's wrong. Thank you in advanced for your help. Heres my squid.conf file: # Port Squid listens on http_port 192.168.2.1:3128 transparent # Access-lists (ACLs) will permit or deny hosts to access the proxy #acl lan-access src 192.168.1.0/255.255.255.0 acl lan-access src 192.168.2.0/255.255.255.0 acl localhost src 127.0.0.1 acl all src 0.0.0.0/0.0.0.0 # Access rule http_access allow localhost http_access allow lan-access http_access deny all maximum_object_size 100 MB cache_mem 100 MB access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log cache_dir ufs /var/log/squid/cache 10 255 255 htcp_port 0 icp_port 0 extension_methods SEARCH NICK - Now, here's part of the cache.log file: 2008/12/19 12:32:53| Done reading /var/log/squid/cache swaplog (426776 entries) 2008/12/19 12:32:53| Finished rebuilding storage from disk. 2008/12/19 12:32:53|419973 Entries scanned 2008/12/19 12:32:53| 0 Invalid entries. 2008/12/19 12:32:53| 0 With invalid flags. 2008/12/19 12:32:53|418997 Objects loaded. 2008/12/19 12:32:53| 0 Objects expired. 2008/12/19 12:32:53| 640 Objects cancelled. 2008/12/19 12:32:53| 5918 Duplicate URLs purged. 2008/12/19 12:32:53| 192 Swapfile clashes avoided. 2008/12/19 12:32:53| Took 46.1 seconds (9096.9 objects/sec). 2008/12/19 12:32:53| Beginning Validation Procedure 2008/12/19 12:32:54| 262144 Entries Validated so far. 2008/12/19 12:32:54| storeLateRelease: released 45 objects 2008/12/19 12:32:56| Completed Validation Procedure 2008/12/19 12:32:56| Validated 826549 Entries 2008/12/19 12:32:56| store_swap_size = 24545080 2008/12/19 12:49:23| clientParseRequestMethod: Unsupported method in request '^C' 2008/12/19 12:49:23| clientProcessRequest: Invalid Request 2008/12/19 12:53:19| WARNING: unparseable HTTP header field {POST /mortalfm/ HTTP/1.0} 2008/12/19 13:01:32| WARNING: 1 swapin MD5 mismatches 2008/12/19 13:08:19| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:08:35| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:08:55| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:09:23| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:09:36| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory 2008/12/19 13:09:44| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:10:00| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:10:37| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory 2008/12/19 13:10:37| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:11:02| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:11:18| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:11:34| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:11:50| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:12:06| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:12:22| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:12:38| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:12:54| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:13:22| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:13:38| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:13:55| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:14:13| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:14:36| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory 2008/12/19 13:14:36| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:14:52| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:15:23| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors 2008/12/19 13:33:35| clientParseRequestMethod: Unsupported method in request '^C' 2008/12/19 13:33:35|
Re: [squid-users] url_regex help
On Fri, Jan 2, 2009 at 5:13 PM, Dean Weimer dwei...@orscheln.com wrote: Here's what I have, anyone have an idea where I went wrong I am Running Squid 3.0 Stable 9 on FreeBSD 6.2 Acl NOCACHEPDF url_regex -i ^http://hostname.\*pdf$ Acl NOCACHEXLS url_regex -i ^http://hostname.\*xls$ No_cache deny NOCACHEPDF NOCACHEXLS I have used cat combined with awk and grep to check the pattern matching on the access logs with: Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*pdf$ Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*xls$ The \ character before the * is only necessary to prevent your shell from expanding the wildcard because you didn't use quotes to escape your regexp. In your Squid conf file, you just need: acl NOCACHEPDF url_regex -i ^http://hostname.*pdf$ acl NOCACHEXLS url_regex -i ^http://hostname.*xls$ But if I were you, I'd use: acl NOCACHEXLS url_regex -i ^http://hostname/.*\.xls$ acl NOCACHEPDF url_regex -i ^http://hostname/.*\.pdf$ which is more precise and more correct IMHO. Or shorter: acl NOCACHE url_regex -i ^http://hostname/.*\.(pdf|xls)$ -- Guillaume
RE: [squid-users] url_regex help
That worked, thanks a lot, used your advice on a single rule instead of two as well. Thanks, Dean Weimer Network Administrator Orscheln Management Co -Original Message- From: Guillaume Smet [mailto:guillaume.s...@gmail.com] Sent: Friday, January 02, 2009 3:19 PM To: Dean Weimer Cc: squid-users@squid-cache.org Subject: Re: [squid-users] url_regex help On Fri, Jan 2, 2009 at 5:13 PM, Dean Weimer dwei...@orscheln.com wrote: Here's what I have, anyone have an idea where I went wrong I am Running Squid 3.0 Stable 9 on FreeBSD 6.2 Acl NOCACHEPDF url_regex -i ^http://hostname.\*pdf$ Acl NOCACHEXLS url_regex -i ^http://hostname.\*xls$ No_cache deny NOCACHEPDF NOCACHEXLS I have used cat combined with awk and grep to check the pattern matching on the access logs with: Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*pdf$ Cat /usr/local/squid/var/logs/access.log | awk '{print $7}' | grep -e ^http://hostname.\*xls$ The \ character before the * is only necessary to prevent your shell from expanding the wildcard because you didn't use quotes to escape your regexp. In your Squid conf file, you just need: acl NOCACHEPDF url_regex -i ^http://hostname.*pdf$ acl NOCACHEXLS url_regex -i ^http://hostname.*xls$ But if I were you, I'd use: acl NOCACHEXLS url_regex -i ^http://hostname/.*\.xls$ acl NOCACHEPDF url_regex -i ^http://hostname/.*\.pdf$ which is more precise and more correct IMHO. Or shorter: acl NOCACHE url_regex -i ^http://hostname/.*\.(pdf|xls)$ -- Guillaume
RE: [squid-users] Extra Squid process?
On Wed, 29 Mar 2006 04:58:10 -0800, Henrik Nordstrom said: With Squid you will see the following ports in use: a) The TCP ports specified by http_port (and/or https_port) in LISTEN state, and any client connections open to these.. b) UDP icp_port, snmp_port and htcp_port c) One additional random UDP port for DNS d) Random TCP connections over the loopback (127.0.0.1) interface to each helper, all in CONNECTED state. You should NOT see random TCP ports in LISTEN state. If you do then you have probably set http_port 0 in your squid.conf.. Regards Henrik