Re: [squid-users] NTLM Authenticator with big requests number
Hi Amos,

At 16.55 12/01/2009, Amos Jeffries wrote:
> Razvan Grigore wrote:
>> From: Serassio Guido guido.seras...@dont-contact.us
>> Date: Fri, 24 Jun 2005 09:37:06 +0200
>>
>>> Hi,
>>>
>>> This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: you are using use_ntlm_negotiate on, so every Challenge/Response request must be handled from Winbind. When using use_ntlm_negotiate on, max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used. This is the only stable configuration using NTLM; disabling use_ntlm_negotiate is a worse option.
>>>
>>> Regards
>>> Guido
>>
>> Hello, I want to know if this is true.
>
> Very high likelihood of being true. Guido is the author of the NTLM negotiate code.

Not exactly, I'm the author of all the Windows NTLM and Negotiate native helpers. The majority of the Squid NTLM code comes from Kinkie, Robert and Henrik.

About the question, yes, this is the NTLM and Negotiate nature: there is always a live challenge-response exchange between the client and the NTLM/Negotiate server.

Please note, starting from Squid 2.6 the NTLM negotiation is hard coded to on.

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Re: [squid-users] NTLM Authenticator with big requests number
Guido Serassio wrote:
> Hi Amos,
>
> At 16.55 12/01/2009, Amos Jeffries wrote:
>> Razvan Grigore wrote:
>>> From: Serassio Guido guido.seras...@dont-contact.us
>>> Date: Fri, 24 Jun 2005 09:37:06 +0200
>>>
>>>> Hi,
>>>>
>>>> This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: you are using use_ntlm_negotiate on, so every Challenge/Response request must be handled from Winbind. When using use_ntlm_negotiate on, max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used. This is the only stable configuration using NTLM; disabling use_ntlm_negotiate is a worse option.
>>>>
>>>> Regards
>>>> Guido
>>>
>>> Hello, I want to know if this is true.
>>
>> Very high likelihood of being true. Guido is the author of the NTLM negotiate code.
>
> Not exactly, I'm the author of all the Windows NTLM and Negotiate native helpers. The majority of the Squid NTLM code comes from Kinkie, Robert and Henrik.

Ah, that's not the impression I got after reading the FAQ entry. Apologies to all involved with that code.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
[squid-users] Fwd: help
hello

I have a problem with memory.

The OS: centos 5.2
I have 146 GB total size of hard disk.
The size of cache_dir: 91GB
I have 5GB RAM.
Squid version 2.7stable5

My conf file is:

  cache_dir aufs /var/spool/squid 91000 130 256
  cache_mem 512 MB
  maximum_object_size 5 MB
  maximum_object_size_in_memory 32 KB
  cache_swap_low 98%
  cache_swap_high 99%
  cache_replacement_policy heap LFUDA
  memory_replacement_policy heap GDSF
  high_memory_warning 1500 MB
  ipcache_size 4096
  ipcache_low 98
  ipcache_high 99
  cache_store_log none
  hierarchy_stoplist cgi-bin ?
  acl QUERY urlpath_regex cgi-bin \?
  no_cache deny QUERY
  cache_effective_user squid
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
  auth_param basic casesensitive off

When I run the free command I find:

               total       used       free     shared    buffers     cached
  Mem:       5014372    4983464      30908          0     239252    3424148

Please help me to put the correct conf.

thank you
[squid-users] Re: NTLM Authenticator Reserved status problem
Also, I want to add that I was using the samba suite 3.0.28-1.el5_2.1 with Centos 5.2. Today I upgraded to samba 3.2.7-0.23 and still have the same problem. Squid seems to run fine, but the samba NTLM helpers are going to R state one by one.

Should I try using ntlm_auth from squid instead of the one from the samba3 suite?

Thanks,
Razvan

On Tue, Jan 13, 2009 at 8:58 AM, Razvan Grigore estet...@gmail.com wrote:
> Hello all,
>
> After I started my NTLM squid3.0STABLE10 configuration in production, I noticed in cache manager that after about 30 min some of the ntlm_auth helpers are going into R state, one by one at 10 min intervals, and they never come back. This is explained by R = RESERVED or DEFERRED in the help note.
>
> If I reload the configuration, new helpers are opened, and the reserved ones change status to RS, but they are never stopped until I completely restart squid, or manually kill the PIDs.
>
> What is the problem? There are no other problems with the working configuration.
>
> Razvan
[squid-users] Is external_acl_type must under authentication mode?
hi, all

I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, there are still no actions.

My squid configuration is:

  external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
  http_port 80 accel vhost vport
  cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
  acl ipaddress external checkip
  cache_peer_access www deny ipaddress
  ...

My program is very simple:

  cat checkip.pl
  #!/usr/bin/perl
  $| = 1;                              # unbuffered stdout, so Squid sees each reply immediately
  open(LOG, ">>/tmp/squid.log");       # append mode; the squid effective user must be able to write here
  print LOG "RUNNING\n";
  close(LOG);
  while (defined($line = <STDIN>)) {   # Squid sends one line per lookup, here the %SRC value
      print "OK\n";                    # reply: this request matches the ACL
      open(LOG, ">>/tmp/squid.log");
      print LOG "Got: $line\n";
      close(LOG);
  }

So I am wondering: must external_acl_type be used under authentication mode?

thanks in advance.
[squid-users] Caching pages for users without a cookie (guest)
Hi,

We have a reverse proxy squid in front of an application server. All static pages have cache headers and are cached properly. We want to cache dynamic pages as well, only for users that are not logged in. A logged in user has messages on the home page (like "you have 5 messages in your inbox"), so pages for logged in users should not be cached. A logged in user is identified by a cookie. The vast majority of users are not logged in, so caching dynamic pages for those users can be very effective.

Is it possible to configure squid so:

1. A logged in user always gets a fresh page from the origin server, and squid does not attempt to cache this file.
2. For guest users, cache this file like it is a static file (based on headers Expires, Vary, etc).

The URL is the same in both cases; the only difference is the cookie header. We can control the headers that the origin server outputs, so they will be present only if the user is not logged in.

I did a lot of searching and the closest I got was javascript based solutions, which I think can work, but I prefer keeping it a server-only solution.

Is it possible to write a regular expression on the cookie? If it matches, go to the origin server and do not cache the response. If it does not match, continue as normal (use the cached file or cache the reply).

Thanks
[squid-users] Problems forcing mandatory proxy use.
I have squid operating well on a small NAT network. Currently all clients select automatic proxy detection and that is all working correctly with the proxy.pac script on the http server.

I wanted to ensure that the proxy is handling ALL http traffic ALL of the time, so I can be confident of the statistics generated by sarg (squid analysis and report generator). I thought this should be easy.

I have a netgear DG834G router acting as the internet DSL connection. I added 2 outgoing firewall rules in the DG834G:

1) allow all outgoing traffic from the squid server's local IP.
2) block port 80 traffic from all (other) local ip addresses.

When I apply these 2 rules the network experiences erratic internet access. Some sites work some of the time, but not everything works correctly. I have tried disabling the above rules, then enabling just rule 1, and even then the network behaves erratically. Note that rule 1 is an allow rule. But as soon as I disable both rules everything returns to normal.

This seems very weird to me. Can anyone suggest some subtlety I am overlooking? I have checked the netgear knowledge base and there are no glaring bugs reported related to this behaviour. I have updated to the latest netgear firmware. I can only assume the DG834 is not behaving as expected. Can anyone see another explanation?

In case it is relevant, the linux box is performing squid, dns, dhcp, http and lots of other stuff but the dg834 is performing NAT (and only NAT).

Thanks
Richard.
Re: [squid-users] Re: WCCP configuration
Hello Henrik,

I am facing some issues while implementing Squid + TPROXY and WCCP. There is no problem with Squid + transparent + WCCP.

cache.log as follows...

  2009/01/12 08:36:11| clientTryParseRequest: FD 155 (189.50.133.254:1955) Invalid Request
  2009/01/12 08:36:18| clientTryParseRequest: FD 114 (189.50.133.254:1956) Invalid Request
  2009/01/12 08:36:25| clientTryParseRequest: FD 78 (189.50.133.254:1957) Invalid Request
  2009/01/12 08:36:33| clientTryParseRequest: FD 60 (189.50.133.254:1958) Invalid Request
  2009/01/12 08:36:40| clientTryParseRequest: FD 60 (189.50.133.254:1959) Invalid Request
  2009/01/12 08:36:47| clientTryParseRequest: FD 42 (189.50.133.254:1960) Invalid Request
  2009/01/12 08:36:55| clientTryParseRequest: FD 159 (189.50.133.254:1961) Invalid Request
  2009/01/12 08:37:02| clientTryParseRequest: FD 77 (189.50.133.254:1962) Invalid Request

access.log as follows...

  TCP_DENIED/400 1415 GET / - NONE/- text/html
  TCP_DENIED/400 1415 GET / - NONE/- text/html

squid.conf...

  http_port 3128 transparent

tcp_outgoing_address is configured.

  /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

Squid version: Squid 2.7 Stable 5
Kernel: linux-2.6.20.21
OS: FC 8
Router IOS: 2800 Software, Version 12.4(13b)

Regards,
vk

> From: vivek...@aol.in [mailto:vivek...@aol.in]
>> We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip.
>>
>>   http_port 3128 transparent tproxy
>
> You should only use one of transparent or tproxy, not both.
>
> transparent for transparent interception (NAT style)
> tproxy for TPROXY interception.
>
> Regards
> Henrik
[squid-users] Hi All, Squid+ADS
Hi friends again,

Is it possible to authenticate squid3 against an Active Directory server (Windows Server 2003 R2) using LDAP?

Thanks in Advance
Hermidio
Re: [squid-users] Hi All, Squid+ADS
AD does indeed have LDAP, so the short answer is yes. You should check how your AD is configured to know where the users are.

On Tuesday 13 January 2009 08:30:07 Hermidio A. Rodriguez Chavez wrote:
> Hi friends again,
>
> Is it possible to authenticate squid3 against an Active Directory server (Windows Server 2003 R2) using LDAP?
>
> Thanks in Advance
> Hermidio
[squid-users] question on digest_ldap_auth
I'm actually running squid (2.7 stable4) with squid_ldap_auth for authenticating users in my MS Active Directory tree. I'm running:

  auth_param basic program /usr/bin/squid_ldap_auth -R -b dc=XXX,dc=X -D cn=X,ou=Internet,dc=XX,dc=XXX -w XX -f sAMAccountName=%s -h 192.168.0.8

I was trying to change from basic authentication to digest, so avoiding cleartext passwords flowing over the network, but I'm not having success with that.

Can anyone share a working digest_ldap_auth syntax that authenticates users in MS AD?

Thanks.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email: gertru...@solutti.com.br
Re: [squid-users] question on digest_ldap_auth
On Tue, Jan 13, 2009 at 3:58 PM, Leonardo Rodrigues Magalhães leolis...@solutti.com.br wrote:
> I'm actually running squid (2.7 stable4) with squid_ldap_auth for authenticating users in my MS Active Directory tree. I'm running:
>
>   auth_param basic program /usr/bin/squid_ldap_auth -R -b dc=XXX,dc=X -D cn=X,ou=Internet,dc=XX,dc=XXX -w XX -f sAMAccountName=%s -h 192.168.0.8
>
> I was trying to change from basic authentication to digest, so avoiding cleartext passwords flowing over the network, but I'm not having success with that.
>
> Can anyone share a working digest_ldap_auth syntax that authenticates users in MS AD?

I'm not really sure it's even possible: Microsoft KB http://support.microsoft.com/kb/222028 says that in order for IIS to be able to offer Digest authentication, passwords have to be stored in AD using reversible encryption, as Digest authentication uses encryption mechanisms which are not compatible with those used in AD. I don't expect that AD would make plaintext-equivalent passwords available over LDAP...

--
/kinkie
RE: [squid-users] OWA accelerator authentication weirdness
>>> Try some of the settings to disable pass-thru on the specific ports and/or peer:
>>> http://wiki.squid-cache.org/Features/ConnPin
>>
>> My config pretty much follows the wiki example for the OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem.
>
> Before I go recommending this as a general fix in 3.1, are BOTH of those changes needed for it to work? I know there are people using Squid+OWA in multi-mode who may need auth for other things. Can we get away with just connection-auth=off on the port?
>
> Amos
>
>> The auth_param lines don't seem to make any difference. It works for me with them in.
>
> Great. I'll get the wiki updated. Thanks for your help finding this and testing the solution.

That's terrific that it works, but I'm not sure I understand why. Does connection-auth=off disable pass-through of NTLM? My understanding of the Activesync devices is that they require NTLM.

Alan

--
Please note our new email and website address!
Alan Lehman, PE
Associate
mailto:aleh...@gbateam.com
creating remarkable solutions for a higher quality of life
http://www.gbateam.com
9801 Renner Boulevard, Lenexa, KS 66219-9745
913.577.8829 direct
816.210.8785 mobile
913.577.8264 fax

CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you
Re: [squid-users] Problems forcing mandatory proxy use.
is there any need to use NAT? you could simply forward all data to the squid by setting its IP address as the DMZ server in the WAN setup page, which would send all incoming DSL data to that IP address.

if it's a tight network you're after, you should think about having the squid dual homed, one interface connecting to the router/firewall and the other to your network, thus forcing all data to pass through the proxy.

also the proxy may be proxying data on more ports than 80, such as https on port 4** etc.

i have a DG834G too but haven't tried the above as i use NAT and not a proxy at home.

matt.

Richard Chapman wrote:
> I have squid operating well on a small NAT network. Currently all clients select automatic proxy detection and that is all working correctly with the proxy.pac script on the http server.
>
> I wanted to ensure that the proxy is handling ALL http traffic ALL of the time, so I can be confident of the statistics generated by sarg (squid analysis and report generator). I thought this should be easy.
>
> I have a netgear DG834G router acting as the internet DSL connection. I added 2 outgoing firewall rules in the DG834G:
>
> 1) allow all outgoing traffic from the squid server's local IP.
> 2) block port 80 traffic from all (other) local ip addresses.
>
> When I apply these 2 rules the network experiences erratic internet access. Some sites work some of the time, but not everything works correctly. I have tried disabling the above rules, then enabling just rule 1, and even then the network behaves erratically. Note that rule 1 is an allow rule. But as soon as I disable both rules everything returns to normal.
>
> This seems very weird to me. Can anyone suggest some subtlety I am overlooking? I have checked the netgear knowledge base and there are no glaring bugs reported related to this behaviour. I have updated to the latest netgear firmware. I can only assume the DG834 is not behaving as expected. Can anyone see another explanation?
>
> In case it is relevant, the linux box is performing squid, dns, dhcp, http and lots of other stuff but the dg834 is performing NAT (and only NAT).
>
> Thanks
> Richard.
[squid-users] collapsed_forwarding and logging
Hey all -

Recently turned on collapsed_forwarding for a reverse-proxy accelerator setup we use. Love it, especially for dealing with the Range: request storms some media browser plugins seem to like to generate.

My only gripe right now is that all of the satisfied requests get logged as a cache MISS. Anyone have a way to distinguish a MISS that got passed through to the origin server from one that got collapsed? I'd like to count them as effective-cache-hits, since they stopped additional load on the actual content servers. Some obscure custom-log-format code, perhaps?

Ross

--
Ross Reedstrom, Ph.D.                                 reeds...@rice.edu
Systems Engineer & Admin, Research Scientist          phone: 713-348-6166
The Connexions Project      http://cnx.org            fax: 713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0 BEDE
Re: [squid-users] Fwd: help
vivian t wrote:
> hello
>
> I have a problem with memory.
>
> The OS: centos 5.2
> I have 146 GB total size of hard disk.
> The size of cache_dir: 91GB
> I have 5GB RAM.
> Squid version 2.7stable5
>
> My conf file is:
>
>   cache_dir aufs /var/spool/squid 91000 130 256
>   cache_mem 512 MB
>   maximum_object_size 5 MB
>   maximum_object_size_in_memory 32 KB
>   cache_swap_low 98%
>   cache_swap_high 99%
>   cache_replacement_policy heap LFUDA
>   memory_replacement_policy heap GDSF
>   high_memory_warning 1500 MB
>   ipcache_size 4096
>   ipcache_low 98
>   ipcache_high 99
>   cache_store_log none
>   hierarchy_stoplist cgi-bin ?
>   acl QUERY urlpath_regex cgi-bin \?
>   no_cache deny QUERY
>   cache_effective_user squid
>   auth_param basic children 5
>   auth_param basic realm Squid proxy-caching web server
>   auth_param basic credentialsttl 2 hours
>   auth_param basic casesensitive off
>
> When I run the free command I find:
>
>                total       used       free     shared    buffers     cached
>   Mem:       5014372    4983464      30908          0     239252    3424148

What makes you think you have memory problems? Of the 5GB, just under 3.5GB is being used by the OS to speed up disk accesses (cached) and another 200+MB is being held by the OS for quick allocation (buffers). The 30MB of free memory is not being used at all, and as such is effectively wasted. Since it's just over half a percent of your total RAM, I suppose that can be forgiven. ;o)

> Please help me to put the correct conf.

Bump that high_memory_warning to half your RAM, or reset it to the default value, which will disable it.

> thank you

Chris

P.S. Have a gander at the RH9 admin primer page on memory usage (http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/admin-primer/s1-memory-rhlspec.html). The tools used haven't changed significantly in the intervening time.
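Chris's point, that "used" in `free` is mostly the kernel's page cache and not a memory problem, is easy to get wrong when reading the numbers by eye. The following is an added example (not from this thread or the Squid project) that parses the `Mem:` line of `free` and separates what applications actually hold from what the kernel can reclaim. The sample output is constructed from the figures the poster quoted; the 90% pressure threshold is an assumption chosen for the example.

```python
"""Interpret `free` output: application memory vs reclaimable kernel cache."""
from typing import Dict

# Constructed sample: the Mem: line exactly as quoted in the thread (kB).
SAMPLE_FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:       5014372    4983464      30908          0     239252    3424148
"""


def parse_free(text: str) -> Dict[str, int]:
    """Return the kB columns of the 'Mem:' line keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty free output")
    header = lines[0].split()
    for ln in lines[1:]:
        if ln.startswith("Mem:"):
            values = [int(v) for v in ln.split()[1:]]
            if len(values) != len(header):
                raise ValueError("Mem: line does not match the header columns")
            return dict(zip(header, values))
    raise ValueError("no Mem: line found")


def memory_summary(mem: Dict[str, int]) -> Dict[str, float]:
    """Split 'used' into what applications hold and what the kernel can drop.

    buffers + cached are page cache: the kernel gives them back on demand,
    so they must not be counted as memory pressure.
    """
    reclaimable = mem["buffers"] + mem["cached"]
    app_used = mem["used"] - reclaimable
    return {
        "app_used_kb": app_used,
        "reclaimable_kb": reclaimable,
        "free_pct": 100.0 * mem["free"] / mem["total"],
        "app_used_pct": 100.0 * app_used / mem["total"],
    }


def is_memory_pressure(mem: Dict[str, int], threshold_pct: float = 90.0) -> bool:
    """True only when application memory (not page cache) exceeds the threshold.

    The 90% default is an assumption for this example, not a Squid setting.
    """
    return memory_summary(mem)["app_used_pct"] > threshold_pct


if __name__ == "__main__":
    mem = parse_free(SAMPLE_FREE_OUTPUT)
    s = memory_summary(mem)
    print(f"applications hold {s['app_used_kb'] / 1024:.0f} MB "
          f"({s['app_used_pct']:.1f}% of RAM); kernel cache/buffers "
          f"{s['reclaimable_kb'] / 1024:.0f} MB; free {s['free_pct']:.2f}%")
    print("memory pressure:", is_memory_pressure(mem))
```

On the thread's numbers this reports about 1.3 GB held by applications and roughly 3.5 GB of reclaimable cache, which is the picture Chris describes; the "30MB free" figure on its own says nothing about whether Squid is short of memory.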
Re: [squid-users] Is external_acl_type must under authentication mode?
NetSnake wrote:
> hi, all
>
> I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, there are still no actions.
>
> My squid configuration is:
>
>   external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
>   http_port 80 accel vhost vport
>   cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
>   acl ipaddress external checkip
>   cache_peer_access www deny ipaddress

There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf.

Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor?

>   ...
>
> My program is very simple:
>
>   cat checkip.pl
>   #!/usr/bin/perl
>   $| = 1;                              # unbuffered stdout, so Squid sees each reply immediately
>   open(LOG, ">>/tmp/squid.log");       # append mode; the squid effective user must be able to write here
>   print LOG "RUNNING\n";
>   close(LOG);
>   while (defined($line = <STDIN>)) {   # Squid sends one line per lookup, here the %SRC value
>       print "OK\n";                    # reply: this request matches the ACL
>       open(LOG, ">>/tmp/squid.log");
>       print LOG "Got: $line\n";
>       close(LOG);
>   }
>
> So I am wondering: must external_acl_type be used under authentication mode?
>
> thanks in advance.

Chris
Re: [squid-users] NTLM Authenticator with big requests number
On Tue, 2009-01-13 at 23:43 +1300, Amos Jeffries wrote:
>> Not exactly, I'm the author of all the Windows NTLM and Negotiate native helpers. The majority of the Squid NTLM code comes from Kinkie, Robert and Henrik.
>
> Ah, that's not the impression I got after reading the FAQ entry. Apologies to all involved with that code.

If it helps, the major history that I recall for NTLM is:

- There was a broken branch, I don't recall the original author, Pat someone perhaps.
- Using it as inspiration Kinkie and I overhauled the squid internals and went beyond the fake helper that had been created to get an actual SMB implementation running; this failed miserably in production where Kinkie worked though...
- Andrew Bartlett chimed in around this point with the samba winbindd helper, which solved the reliability problems the SMB approach had by allowing the local machine to generate challenges.
- Guido wrote native helpers for windows (analogous to the winbindd helper on unix machines).

-Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: [squid-users] Is external_acl_type must under authentication mode?
Actually, I defined a cache_peer named host1 as this:

  cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1

and I defined an ACL named ipaddress:

  acl ipaddress external checkip

and then I defined the access rule, to deny access to hosts through my checkip script:

  cache_peer_access host1 deny ipaddress

And I found my script is already running after squid is up, and it can write data to the file. But it seems like squid just starts up my script, and never calls it when a connection arrives.

BTW, no SELinux is running on my box.

thanks.

2009/1/14 Chris Robertson crobert...@gci.net:
> NetSnake wrote:
>> hi, all
>>
>> I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, there are still no actions.
>>
>> My squid configuration is:
>>
>>   external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
>>   http_port 80 accel vhost vport
>>   cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
>>   acl ipaddress external checkip
>>   cache_peer_access www deny ipaddress
>
> There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf.
>
> Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor?
>
>>   ...
>>
>> My program is very simple:
>>
>>   cat checkip.pl
>>   #!/usr/bin/perl
>>   $| = 1;                              # unbuffered stdout, so Squid sees each reply immediately
>>   open(LOG, ">>/tmp/squid.log");       # append mode; the squid effective user must be able to write here
>>   print LOG "RUNNING\n";
>>   close(LOG);
>>   while (defined($line = <STDIN>)) {   # Squid sends one line per lookup, here the %SRC value
>>       print "OK\n";                    # reply: this request matches the ACL
>>       open(LOG, ">>/tmp/squid.log");
>>       print LOG "Got: $line\n";
>>       close(LOG);
>>   }
>>
>> So I am wondering: must external_acl_type be used under authentication mode?
>>
>> thanks in advance.
>
> Chris
Re: [squid-users] Problems forcing mandatory proxy use.
Thanks Matthew

The network has evolved from NAT without squid to NAT+squid, so I hadn't thought about eliminating NAT altogether. Do you have much experience with squid-only networks? Will squid handle all the other stuff well, e.g. IM, bittorrent, etc.? Indeed, can these applications be persuaded to direct traffic through the proxy anyway? Are there any other considerations before turning off NAT?

Thanks again

Richard.

matthew jones wrote:
> is there any need to use NAT? you could simply forward all data to the squid by setting its IP address as the DMZ server in the WAN setup page, which would send all incoming DSL data to that IP address.
>
> if it's a tight network you're after, you should think about having the squid dual homed, one interface connecting to the router/firewall and the other to your network, thus forcing all data to pass through the proxy.
>
> also the proxy may be proxying data on more ports than 80, such as https on port 4** etc.
>
> i have a DG834G too but haven't tried the above as i use NAT and not a proxy at home.
>
> matt.
>
> Richard Chapman wrote:
>> I have squid operating well on a small NAT network. Currently all clients select automatic proxy detection and that is all working correctly with the proxy.pac script on the http server.
>>
>> I wanted to ensure that the proxy is handling ALL http traffic ALL of the time, so I can be confident of the statistics generated by sarg (squid analysis and report generator). I thought this should be easy.
>>
>> I have a netgear DG834G router acting as the internet DSL connection. I added 2 outgoing firewall rules in the DG834G:
>>
>> 1) allow all outgoing traffic from the squid server's local IP.
>> 2) block port 80 traffic from all (other) local ip addresses.
>>
>> When I apply these 2 rules the network experiences erratic internet access. Some sites work some of the time, but not everything works correctly. I have tried disabling the above rules, then enabling just rule 1, and even then the network behaves erratically. Note that rule 1 is an allow rule. But as soon as I disable both rules everything returns to normal.
>>
>> This seems very weird to me. Can anyone suggest some subtlety I am overlooking? I have checked the netgear knowledge base and there are no glaring bugs reported related to this behaviour. I have updated to the latest netgear firmware. I can only assume the DG834 is not behaving as expected. Can anyone see another explanation?
>>
>> In case it is relevant, the linux box is performing squid, dns, dhcp, http and lots of other stuff but the dg834 is performing NAT (and only NAT).
>>
>> Thanks
>> Richard.
Re: [squid-users] OWA accelerator authentication weirdness
Alan Lehman wrote:
>>>> Try some of the settings to disable pass-thru on the specific ports and/or peer:
>>>> http://wiki.squid-cache.org/Features/ConnPin
>>>
>>> My config pretty much follows the wiki example for the OWA accelerator. Squid 3.1.0.3. I'm using the same port for OWA and Activesync. I just added connection-auth=off on https_port and removed all auth_param lines, and that took care of my problem.
>>
>> Before I go recommending this as a general fix in 3.1, are BOTH of those changes needed for it to work? I know there are people using Squid+OWA in multi-mode who may need auth for other things. Can we get away with just connection-auth=off on the port?
>>
>> Amos
>>
>>> The auth_param lines don't seem to make any difference. It works for me with them in.
>>
>> Great. I'll get the wiki updated. Thanks for your help finding this and testing the solution.
>
> That's terrific that it works, but I'm not sure I understand why. Does connection-auth=off disable pass-through of NTLM? My understanding of the Activesync devices is that they require NTLM.

Yes, it disables pass-thru for NTLM. Which for you blocks that first NTLM challenge (direct from the OWA?), and leaves the second (from your Squid auth_* setup?) to go through.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] collapsed_forwarding and logging
Ross J. Reedstrom wrote:
> Hey all -
>
> Recently turned on collapsed_forwarding for a reverse-proxy accelerator setup we use. Love it, especially for dealing with the Range: request storms some media browser plugins seem to like to generate.
>
> My only gripe right now is that all of the satisfied requests get logged as a cache MISS. Anyone have a way to distinguish a MISS that got passed through to the origin server from one that got collapsed? I'd like to count them as effective-cache-hits, since they stopped additional load on the actual content servers. Some obscure custom-log-format code, perhaps?
>
> Ross

Unlikely in Squid-2. Collapsed forwarding is due a re-work for Squid-3 though, so if you have any additions feel free to add them to the wiki development plan: http://wiki.squid-cache.org/Features/CollapsedForwarding

I'm thinking a TCP_SHARED status type for secondary links like this.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] Problems forcing mandatory proxy use.
Richard Chapman wrote:
> Thanks Matthew
>
> The network has evolved from NAT without squid to NAT+squid, so I hadn't thought about eliminating NAT altogether. Do you have much experience with squid-only networks? Will squid handle all the other stuff well, e.g. IM, bittorrent, etc.? Indeed, can these applications be persuaded to direct traffic through the proxy anyway? Are there any other considerations before turning off NAT?

Squid itself won't. But the box underneath it will have firewall and routing control you can use (assuming it's a non-windows box).

Amos

> Thanks again
>
> Richard.
>
> matthew jones wrote:
>> is there any need to use NAT? you could simply forward all data to the squid by setting its IP address as the DMZ server in the WAN setup page, which would send all incoming DSL data to that IP address.
>>
>> if it's a tight network you're after, you should think about having the squid dual homed, one interface connecting to the router/firewall and the other to your network, thus forcing all data to pass through the proxy.
>>
>> also the proxy may be proxying data on more ports than 80, such as https on port 4** etc.
>>
>> i have a DG834G too but haven't tried the above as i use NAT and not a proxy at home.
>>
>> matt.
>>
>> Richard Chapman wrote:
>>> I have squid operating well on a small NAT network. Currently all clients select automatic proxy detection and that is all working correctly with the proxy.pac script on the http server.
>>>
>>> I wanted to ensure that the proxy is handling ALL http traffic ALL of the time, so I can be confident of the statistics generated by sarg (squid analysis and report generator). I thought this should be easy.
>>>
>>> I have a netgear DG834G router acting as the internet DSL connection. I added 2 outgoing firewall rules in the DG834G:
>>>
>>> 1) allow all outgoing traffic from the squid server's local IP.
>>> 2) block port 80 traffic from all (other) local ip addresses.
>>>
>>> When I apply these 2 rules the network experiences erratic internet access. Some sites work some of the time, but not everything works correctly. I have tried disabling the above rules, then enabling just rule 1, and even then the network behaves erratically. Note that rule 1 is an allow rule. But as soon as I disable both rules everything returns to normal.
>>>
>>> This seems very weird to me. Can anyone suggest some subtlety I am overlooking? I have checked the netgear knowledge base and there are no glaring bugs reported related to this behaviour. I have updated to the latest netgear firmware. I can only assume the DG834 is not behaving as expected. Can anyone see another explanation?
>>>
>>> In case it is relevant, the linux box is performing squid, dns, dhcp, http and lots of other stuff but the dg834 is performing NAT (and only NAT).
>>>
>>> Thanks
>>> Richard.

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3
Re: [squid-users] Caching pages for users without a cookie (guest)
Elli Albek wrote: Hi, We have reverse proxy squid in front of an application server. All static pages have cache headers and are cached properly. We want to cache dynamic pages as well, only for users that are not logged in. A logged in user has messages on the home page (like you have a 5 messages in your inbox), so pages for logged in users should not be cached. Your squid is most likely configured with cache deny QUERY. http://wiki.squid-cache.org/ConfigExamples/DynamicContent This lets squid believe the cache-control headers received in dynamic requests. Amos -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11 Current Beta Squid 3.1.0.3
Re: [squid-users] Is external_acl_type must under authentication mode?
NetSnake wrote: Actually, I defined a cache_peer named host1 like this:
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
and I defined an ACL named ipaddress:
acl ipaddress external checkip
and then I defined the access rule, to deny access to hosts through my checkip script:
cache_peer_access host1 deny ipaddress
And I found my script is already running after squid is up, and it can write data to the file. But it seems like squid just starts up my script, and never calls it when a connection arrives.

cache_peer_access is a fast-ACL check. It cannot wait for delayed actions such as remote helpers to reply. It's also only checked after the request has been accepted. You need to use your ACL in an http_access line first, which will check it early and cache the result long enough for the peer checks to use. Amos

BTW, no SELinux running on my box. thanks.

2009/1/14 Chris Robertson crobert...@gci.net: NetSnake wrote: hi, all. I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, still no action. My squid configuration is:
external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
http_port 80 accel vhost vport
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
acl ipaddress external checkip
cache_peer_access www deny ipaddress

There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf. Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor? ...
My program is very simple:
cat checkip.pl
#!/usr/bin/perl
$| = 1;
open(LOG, ">>/tmp/squid.log");
print LOG "RUNNING\n";
close(LOG);
while (defined($line = <STDIN>)) {
    print "OK\n";
    open(LOG, ">>/tmp/squid.log");
    print LOG "Got: $line\n";
    close(LOG);
}
So, I think: must external_acl_type be under authentication mode? thanks in advance.

Chris -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11 Current Beta Squid 3.1.0.3
Re: [squid-users] Is external_acl_type must under authentication mode?
You mean I need to set http_access allow all first? I tried that, but still no effect. Does anybody have a simple and good squid.conf configuration file with external_acl_type and cache_peer_access? thanks a lot.

2009/1/14 Amos Jeffries squ...@treenet.co.nz: NetSnake wrote: Actually, I defined a cache_peer named host1 like this:
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
and I defined an ACL named ipaddress:
acl ipaddress external checkip
and then I defined the access rule, to deny access to hosts through my checkip script:
cache_peer_access host1 deny ipaddress
And I found my script is already running after squid is up, and it can write data to the file. But it seems like squid just starts up my script, and never calls it when a connection arrives.

cache_peer_access is a fast-ACL check. It cannot wait for delayed actions such as remote helpers to reply. It's also only checked after the request has been accepted. You need to use your ACL in an http_access line first, which will check it early and cache the result long enough for the peer checks to use. Amos

BTW, no SELinux running on my box. thanks.

2009/1/14 Chris Robertson crobert...@gci.net: NetSnake wrote: hi, all. I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, still no action. My squid configuration is:
external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
http_port 80 accel vhost vport
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
acl ipaddress external checkip
cache_peer_access www deny ipaddress

There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf.
Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor? ...

My program is very simple:
cat checkip.pl
#!/usr/bin/perl
$| = 1;
open(LOG, ">>/tmp/squid.log");
print LOG "RUNNING\n";
close(LOG);
while (defined($line = <STDIN>)) {
    print "OK\n";
    open(LOG, ">>/tmp/squid.log");
    print LOG "Got: $line\n";
    close(LOG);
}
So, I think: must external_acl_type be under authentication mode? thanks in advance.

Chris -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11 Current Beta Squid 3.1.0.3
Re: [squid-users] Is external_acl_type must under authentication mode?
NetSnake wrote: You mean I need to set http_access allow all first? I tried that, but still no effect. Does anybody have a simple and good squid.conf configuration file with external_acl_type and cache_peer_access?

No I mean:
http_access deny ipaddress
or
http_access allow ipaddress
or some such blocking access check that _uses_ the ipaddress ACL before cache_peer_access gets it. Amos

thanks a lot.

2009/1/14 Amos Jeffries squ...@treenet.co.nz: NetSnake wrote: Actually, I defined a cache_peer named host1 like this:
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
and I defined an ACL named ipaddress:
acl ipaddress external checkip
and then I defined the access rule, to deny access to hosts through my checkip script:
cache_peer_access host1 deny ipaddress
And I found my script is already running after squid is up, and it can write data to the file. But it seems like squid just starts up my script, and never calls it when a connection arrives.

cache_peer_access is a fast-ACL check. It cannot wait for delayed actions such as remote helpers to reply. It's also only checked after the request has been accepted. You need to use your ACL in an http_access line first, which will check it early and cache the result long enough for the peer checks to use. Amos

BTW, no SELinux running on my box. thanks.

2009/1/14 Chris Robertson crobert...@gci.net: NetSnake wrote: hi, all. I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, still no action.
My squid configuration is:
external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
http_port 80 accel vhost vport
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
acl ipaddress external checkip
cache_peer_access www deny ipaddress

There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf. Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor? ...

My program is very simple:
cat checkip.pl
#!/usr/bin/perl
$| = 1;
open(LOG, ">>/tmp/squid.log");
print LOG "RUNNING\n";
close(LOG);
while (defined($line = <STDIN>)) {
    print "OK\n";
    open(LOG, ">>/tmp/squid.log");
    print LOG "Got: $line\n";
    close(LOG);
}
So, I think: must external_acl_type be under authentication mode? thanks in advance.

Chris -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11 Current Beta Squid 3.1.0.3
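A minimal external ACL helper that follows the protocol this thread depends on, written as an added example (it is not NetSnake's script and not Squid's own code). It assumes the external_acl_type line passes %SRC, so each request line is a client IP, and shows the two things a helper has to get right: answer exactly one OK/ERR line per request with stdout flushed, and echo the channel ID first whenever concurrency is greater than 0. The squid.conf ordering in the docstring is the one Amos describes, with the ACL evaluated by an http_access line so that its cached result is available to the fast cache_peer_access check; it uses a non-zero ttl for the same reason, since a fast check can only reuse a result that is still cached. The helper path, ACL name and matched networks are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper (added example, not from the thread).

Squid's external ACL protocol, as the helper sees it: one request per line on
stdin, built from the format tokens in the external_acl_type line (here %SRC,
so the line is just the client IP). The helper answers one line per request,
"OK" (ACL matches) or "ERR" (ACL does not match). If the external_acl_type
line uses concurrency=N with N > 0, every request line starts with a numeric
channel ID that must be echoed back as the first field of the reply.

Assumed squid.conf ordering that makes the helper actually get consulted.
cache_peer_access is a fast check that cannot wait for a helper, so the ACL
must be evaluated (and its result cached, hence ttl > 0) by http_access first:

  external_acl_type checkip ttl=60 children=2 %SRC /usr/local/squid/libexec/checkip.py
  acl ipaddress external checkip
  http_access allow ipaddress          # slow check: helper consulted, result cached
  http_access allow all
  cache_peer_access host1 deny ipaddress   # fast check: reuses the cached result
"""
import ipaddress
import sys

# Constructed sample policy for the example: client networks the ACL matches.
# Whether a match means "deny this peer" is decided by the cache_peer_access line.
MATCHED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def decide(client_ip: str) -> bool:
    """True if client_ip lies in a matched network, False otherwise.

    Garbage input is a non-match rather than an exception: a helper that dies
    on a bad line takes every queued request down with it."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in MATCHED_NETWORKS)


def handle_line(line: str, concurrent: bool = False) -> str:
    """Turn one request line from Squid into the reply line the protocol expects."""
    fields = line.strip().split()
    channel = ""
    if concurrent:
        if not fields:
            return "ERR"
        # First field is the channel ID; it must lead the reply.
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "ERR"
    verdict = "OK" if decide(fields[0]) else "ERR"
    return channel + verdict


def main() -> None:
    # Pass --concurrent when squid.conf sets concurrency=N with N > 0.
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        # Squid waits for each reply line, so flush after every one.
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand first, for instance with printf '10.1.2.3\n' piped into the script, to confirm it prints exactly one OK or ERR line per input line before wiring it into squid.conf; the Perl script in the thread has the same shape but must be checked the same way.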
Re: [squid-users] question on digest_ldap_auth
You need a special hash, not a native AD one; your property should contain REALM:MD5(user:REALM:password). On Tuesday 13 January 2009 08:59:46 Leonardo Rodrigues Magalhães wrote: I'm actually running squid (2.7 stable4) with squid_ldap_auth for authenticating users in my MS Active Directory tree. I'm running: auth_param basic program /usr/bin/squid_ldap_auth -R -b dc=XXX,dc=X -D cn=X,ou=Internet,dc=XX,dc=XXX -w XX -f sAMAccountName=%s -h 192.168.0.8 I was trying to change from basic authentication to digest, to avoid cleartext passwords flowing over the network, but I'm not having success with that. Can anyone share a working digest_ldap_auth syntax that authenticates users in MS AD??? Thanks.
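The reply above says the directory attribute must hold REALM:MD5(user:REALM:password) rather than anything AD stores natively. The following is an added example (not digest_ldap_auth's code, and not from the thread) showing why: with HTTP Digest (RFC 2617) the password never crosses the wire, so the server side needs HA1 = MD5(user:realm:password) to recompute the client's response, and the only way a helper can get HA1 out of LDAP is for someone to have provisioned it there. The user, realm, password, nonce and cnonce are the RFC 2617 section 3.5 test vectors, used here as constructed input. The caveat a practitioner should keep in mind: a stored HA1 is password-equivalent for that realm, so the attribute needs the same access controls the cleartext password would, and Digest's MD5 construction is only a modest step up from Basic.

```python
"""Added example: the hash HTTP Digest authentication needs on the server side.

Squid's Digest scheme never sees the user's password. The helper must return
HA1 = MD5(user:realm:password), and Squid then checks the client's
response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
The LDAP attribute therefore has to carry HA1 (as REALM:HA1, per the reply
in the thread) or the cleartext password; AD's native password hashes are
neither, which is why a stock AD tree cannot back digest_ldap_auth.
"""
import hashlib
import hmac


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 as defined in RFC 2617: MD5(user:realm:password)."""
    return _md5hex(f"{user}:{realm}:{password}")


def ldap_attribute_value(user: str, realm: str, password: str) -> str:
    """What must be provisioned into the directory attribute: REALM:HA1."""
    return f"{realm}:{ha1(user, realm, password)}"


def ha1_from_attribute(value: str, realm: str):
    """Pull HA1 for `realm` out of a REALM:HA1 attribute value.

    Returns None when the realm does not match: a helper must never hand Squid
    a hash that was computed for a different realm."""
    stored_realm, sep, digest = value.partition(":")
    if not sep or stored_realm != realm or len(digest) != 32:
        return None
    return digest.lower()


def client_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """The value the browser puts in the Authorization header (qop=auth)."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(ha1_hex, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server-side check: recompute from HA1 and compare in constant time."""
    expected = client_response(ha1_hex, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response.lower())


# Constructed sample: the RFC 2617 section 3.5 example exchange.
SAMPLE = dict(
    user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)


def demo() -> bool:
    """Round trip: provision REALM:HA1, look it up, verify a client response."""
    attr = ldap_attribute_value(SAMPLE["user"], SAMPLE["realm"], SAMPLE["password"])
    stored = ha1_from_attribute(attr, SAMPLE["realm"])
    resp = client_response(stored, SAMPLE["method"], SAMPLE["uri"],
                           SAMPLE["nonce"], SAMPLE["nc"], SAMPLE["cnonce"])
    return verify(stored, SAMPLE["method"], SAMPLE["uri"],
                  SAMPLE["nonce"], SAMPLE["nc"], SAMPLE["cnonce"], resp)
```

The realm check in ha1_from_attribute is the part easy to get wrong when several realms share one directory: HA1 binds the realm into the hash, so a value provisioned for one realm must not be accepted for another.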
Re: [squid-users] Is external_acl_type must under authentication mode?
I added http_access before my cache_peer_access, no effect.

2009/1/14 Amos Jeffries squ...@treenet.co.nz: NetSnake wrote: You mean I need to set http_access allow all first? I tried that, but still no effect. Does anybody have a simple and good squid.conf configuration file with external_acl_type and cache_peer_access?

No I mean:
http_access deny ipaddress
or
http_access allow ipaddress
or some such blocking access check that _uses_ the ipaddress ACL before cache_peer_access gets it. Amos

thanks a lot.

2009/1/14 Amos Jeffries squ...@treenet.co.nz: NetSnake wrote: Actually, I defined a cache_peer named host1 like this:
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
and I defined an ACL named ipaddress:
acl ipaddress external checkip
and then I defined the access rule, to deny access to hosts through my checkip script:
cache_peer_access host1 deny ipaddress
And I found my script is already running after squid is up, and it can write data to the file. But it seems like squid just starts up my script, and never calls it when a connection arrives.

cache_peer_access is a fast-ACL check. It cannot wait for delayed actions such as remote helpers to reply. It's also only checked after the request has been accepted. You need to use your ACL in an http_access line first, which will check it early and cache the result long enough for the peer checks to use. Amos

BTW, no SELinux running on my box. thanks.

2009/1/14 Chris Robertson crobert...@gci.net: NetSnake wrote: hi, all. I want to use external_acl_type to distribute my users to different servers; these users need NOT authenticate. Squid starts my application, but when I access a special host, no data is sent to my program from Squid. My program is a very simple script, and when I use an existing application such as ip_user_check, still no action.
My squid configuration is:
external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
http_port 80 accel vhost vport
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
acl ipaddress external checkip
cache_peer_access www deny ipaddress

There is no cache_peer defined as www. There is one defined as www.myhost.com. Perhaps that's a typo in the obfuscation of your squid.conf. Are you sure the checkip.pl script is runnable by the squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable by the squid_effective_user? Are you running SELinux or AppArmor? ...

My program is very simple:
cat checkip.pl
#!/usr/bin/perl
$| = 1;
open(LOG, ">>/tmp/squid.log");
print LOG "RUNNING\n";
close(LOG);
while (defined($line = <STDIN>)) {
    print "OK\n";
    open(LOG, ">>/tmp/squid.log");
    print LOG "Got: $line\n";
    close(LOG);
}
So, I think: must external_acl_type be under authentication mode? thanks in advance.

Chris -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11 Current Beta Squid 3.1.0.3