Re: [squid-users] 3 ISPs: Routing problem
RSCL Mumbai wrote:
> Hmm... Any other option to route packets via specific internet g/w based on the client IP?

tcp_outgoing_address is already designed well for this purpose. Why don't you use it and try to fix up the problems?

--
Jeff Pang
DingTong Technology
www.dtonenetworks.com
[squid-users] Blocked Domains help :(
I am new to Squid and have spent the last week working it all out. At the moment I have most things working. The only problem I have is regarding blocked domains. I have set up a blocked domains list. I have also set up a group in Active Directory for users to have full access. I have put users in this group but these are still getting the domains blocked. The strange thing is, though: Administrator is in the group, and I can see the websites. I removed it from the security group and Administrator is blocked. Move it back in and presto, not blocked. But other users always get blocked. I even made one of them a domain administrator, no luck. Any help would be much appreciated.

Thanks.

--
View this message in context: http://www.nabble.com/Blocked-Domains-help-%3A%28-tp23571021p23571021.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Blocked Domains help :(
I have added my config so that maybe someone with more experience can make sure it is OK.

    # NETWORK OPTIONS
    http_port 8085
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY

    # OPTIONS WHICH AFFECT THE CACHE SIZE
    cache_mem 32 MB
    cache_swap_low 90
    cache_swap_high 95
    maximum_object_size 4096 KB

    # LOGFILE PATHNAMES AND CACHE DIRECTORIES
    cache_dir ufs c:/squid/var/cache 1000 16 256
    access_log c:/squid/var/logs/access.log squid
    cache_log c:/squid/var/logs/cache.log
    cache_store_log c:/squid/var/logs/store.log
    debug_options ALL,3

    # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
    allow_underscore on
    dns_nameservers 192.168.2.3 192.168.2.1
    auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    auth_param ntlm children 5
    external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c

    # ACCESS CONTROL VALUES
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80    # http
    acl Safe_ports port 87    # http required for Telstra Statistics website
    acl Safe_ports port 21    # ftp
    acl Safe_ports port 443   # https
    acl our_networks src 192.168.0.0/16
    acl java browser java/6
    acl NoAuthDomains dstdomain c:/squid/etc/domains/NoAuthDomains.txt
    http_access allow java
    http_access allow NoAuthDomains our_networks Safe_ports
    acl proxyfullaccess external NT_global_group proxyfullaccess
    acl password proxy_auth REQUIRED
    acl DeniedDomains dstdomain c:/squid/etc/domains/DeniedDomains.txt
    acl CONNECT method CONNECT
    acl FTP proto FTP
    always_direct allow FTP
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny to_localhost
    http_access deny DeniedDomains
    http_access allow password our_networks proxyfullaccess
    http_access allow password our_networks Safe_ports
    http_access deny all

    # MISCELLANEOUS
    logfile_rotate 10
    error_directory c:/squid/share/errors/English

--
View this message in context: http://www.nabble.com/Blocked-Domains-help-%3A%28-tp23571021p23571090.html
Sent from the Squid - Users mailing list archive at Nabble.com.
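Squid evaluates http_access lines top to bottom, the first line whose ACLs all match decides the request, and a leading "!" negates one ACL. The following added example (mine, not from the thread or the Squid project) models that evaluation in Python over the posted rule order and over the same lines with the group exemption moved ahead of the domain block, so the effect of rule order on a group member can be seen directly. The domain lists, client addresses, user names and group membership are constructed stand-ins for the files and helpers in the posted config; the proxy_auth and external group lookups are simplified to boolean checks, and the manager/java lines are omitted. The model says nothing about the Administrator behaviour described in the question.

```python
"""Model of Squid http_access evaluation (added example, not Squid's own code).

Modelled semantics (documented Squid behaviour):
  * http_access lines are tested top to bottom; the first fully matching line wins.
  * Within one line every ACL must match (logical AND); "!name" negates one ACL.
  * If no line matches, the opposite of the last line's action applies.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    src: str                      # client IP
    dstdomain: str                # requested host
    port: int
    method: str = "GET"
    user: Optional[str] = None    # set only once proxy_auth has succeeded (simplified)
    groups: Set[str] = field(default_factory=set)  # what the group helper would report


# Constructed stand-ins for DeniedDomains.txt / NoAuthDomains.txt and the port ACLs.
DENIED_DOMAINS = {"blocked.example"}
NOAUTH_DOMAINS = {"updates.example"}
SAFE_PORTS = {80, 87, 21, 443}


def dstdomain_in(domains: Set[str], host: str) -> bool:
    # Exact match plus subdomain (suffix) match, as dstdomain entries behave.
    return any(host == d or host.endswith("." + d.lstrip(".")) for d in domains)


ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "our_networks": lambda r: r.src.startswith("192.168."),
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "to_localhost": lambda r: r.dstdomain in ("localhost", "127.0.0.1"),
    "DeniedDomains": lambda r: dstdomain_in(DENIED_DOMAINS, r.dstdomain),
    "NoAuthDomains": lambda r: dstdomain_in(NOAUTH_DOMAINS, r.dstdomain),
    "password": lambda r: r.user is not None,                     # proxy_auth REQUIRED
    "proxyfullaccess": lambda r: "proxyfullaccess" in r.groups,   # external NT_global_group
}

Rule = Tuple[str, List[str]]


def line_matches(acl_names: List[str], req: Request) -> bool:
    """All ACLs on one http_access line must match; '!' negates a single ACL."""
    for name in acl_names:
        negate = name.startswith("!")
        hit = ACLS[name.lstrip("!")](req)
        if hit == negate:        # plain ACL that missed, or negated ACL that hit
            return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int]:
    """First matching line wins; returns (action, line index).
    Index -1 means no line matched and the implicit default applied."""
    for i, (action, acl_names) in enumerate(rules):
        if line_matches(acl_names, req):
            return action, i
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), -1


# The http_access lines from the posted squid.conf, in the posted order.
POSTED_RULES: List[Rule] = [
    ("allow", ["NoAuthDomains", "our_networks", "Safe_ports"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("deny",  ["DeniedDomains"]),
    ("allow", ["password", "our_networks", "proxyfullaccess"]),
    ("allow", ["password", "our_networks", "Safe_ports"]),
    ("deny",  ["all"]),
]

# The same lines with the group exemption placed before the domain block.
REORDERED_RULES: List[Rule] = (
    POSTED_RULES[:4] + [POSTED_RULES[5], POSTED_RULES[4]] + POSTED_RULES[6:]
)


def decide(rules: List[Rule], user: Optional[str], groups, host: str,
           port: int = 80, src: str = "192.168.5.20") -> str:
    """Convenience wrapper: the final action for one constructed request."""
    return evaluate(rules, Request(src, host, port, user=user, groups=set(groups)))[0]


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("reordered", REORDERED_RULES)):
        print(label, "group member -> blocked.example:",
              decide(rules, "alice", {"proxyfullaccess"}, "blocked.example"))
        print(label, "non-member  -> blocked.example:",
              decide(rules, "bob", set(), "blocked.example"))
```

With the posted order the member's request to a listed domain is decided by the `deny DeniedDomains` line before the group exemption is ever consulted; with the exemption moved up, the member is allowed and everyone else is still blocked. Rule order is the whole of the policy in a first-match system, so the most specific exemptions belong above the broad denies they are meant to override.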
Re: [squid-users] transparent proxy with Active Directory Login
On Thu, 14 May 2009, Amos Jeffries wrote:
> What can be done is to glean some details such as machine IP and do some local not-quite-auth testing on it to see who is logged in and get their username back (NP: not password). AD may be able to map IP to current user. This has to be done in the background with an external_acl_type helper. It's called out-of-band authorization.

Are there any docs or howtos around on this? We use authentication on one subnet, but it's a bit of a pain. We're not really that concerned to require people to remember passwords; we just want to work out who the user is with a reasonable level of accuracy. Authenticated proxies seem to break various clients, so out-of-band might be an interesting alternative.

Gavin
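The out-of-band lookup described above is implemented as an external_acl_type helper: Squid hands the helper the client's address, the helper answers with a verdict and, optionally, the username it found, and Squid caches the answer for the configured ttl. The following added example (mine, not the thread's or the Squid project's code) is a minimal such helper in Python. The helper name `ipuser`, the path `/usr/local/bin/ipuser_helper.py`, the ACL name `known_user` and the IP-to-user table are all hypothetical or constructed; a real deployment would fill the table from whatever source it trusts (AD logon events, DHCP leases, a login script). As the quoted reply says, this identifies rather than authenticates: an address can be shared or spoofed, so the result is only as good as the mapping behind it.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper mapping client IP -> username
(added example, not Squid's own helper code).

Protocol (Squid's external ACL helper interface, without concurrency=):
  stdin : one request per line containing the configured format tokens;
          with "%SRC" that is just the client IP, e.g. "192.168.5.20"
  stdout: "OK" optionally followed by key=value pairs, or "ERR"; the
          user= keyword lets Squid log the name and use it in later ACLs.

Assumed squid.conf (hypothetical names):
  external_acl_type ipuser ttl=300 %SRC /usr/local/bin/ipuser_helper.py
  acl known_user external ipuser
  http_access allow our_networks known_user
"""
import sys
from typing import Dict, Optional

# Constructed sample table; a real helper would refresh this from its source.
SAMPLE_SESSIONS: Dict[str, str] = {
    "192.168.5.20": "alice",
    "192.168.5.21": "bob",
}


def lookup_user(client_ip: str, sessions: Dict[str, str]) -> Optional[str]:
    """Return the user believed to be logged in at client_ip, or None."""
    return sessions.get(client_ip.strip())


def quote_value(value: str) -> str:
    """Reply values containing whitespace or quotes must be double-quoted,
    with embedded quotes and backslashes escaped."""
    if any(c.isspace() for c in value) or '"' in value or "\\" in value:
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return value


def handle_line(line: str, sessions: Dict[str, str]) -> str:
    """Build the one-line reply Squid expects for one request line."""
    fields = line.split()
    if not fields:                      # malformed request: deny, never guess
        return "ERR"
    user = lookup_user(fields[0], sessions)
    if user is None:
        return "ERR"
    return "OK user=" + quote_value(user)


def main() -> None:
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw, SAMPLE_SESSIONS) + "\n")
        sys.stdout.flush()              # Squid blocks waiting for each reply


if __name__ == "__main__":
    main()
```

The helper answers ERR for any address it cannot map, so an unknown client falls through to whatever the remaining http_access lines decide rather than being silently granted a name. Keep the ttl short enough that a machine handed to a different user is re-resolved promptly.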
Re: [squid-users] Reverse Proxy
Hi Amos,

I followed the instructions as per http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess but I am somehow failing to configure https.

My squid.conf:

    https_port 443 defaultsite=mail.airarabia.ae \
        cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
    cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
        front-end-https=on login=PASS name=owaServer
    cache_peer_access owaServer allow OWA
    acl OWA dstdomain mail.airarabia.ae
    http_access allow OWA
    miss_access allow OWA
    miss_access deny all

cache.log:

    2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
        on FD 24: error::lib(0):func(0):reason(0) (5/-1/104)
    2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
        on FD 24: error::lib(0):func(0):reason(0) (5/-1/104)
    2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
        on FD 24: error::lib(0):func(0):reason(0) (5/-1/104)

Error on the browser:

    While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
    The following error was encountered:
    * Connection to 10.200.22.12 Failed
    The system returned: (71) Protocol error
    The remote host or network may be down. Please try the request again.

Please help

//Remy

On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
> Mario Remy Almeida wrote:
> > Hi All,
> > Need to set up a reverse proxy. I have Squid 2.7STABLE6, OS CentOS, web server = Microsoft Outlook Web Access, SSL enabled, port 443.
> > My squid config is as below:
> >
> >     acl vhosts1_domains dstdomain mail.airarabiauae.com
> >     http_port 443 accel defaultsite=mail.airarabiauae.com vhost
> >     cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
> >         ssl
> >     cache_peer_access vhost1 allow vhosts1_domains
> >
> > Please someone tell me if that is the right way to configure it.
>
> No. Here is the tutorial: http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
>
> Port 443 is often encrypted. It requires the https_port option instead of http_port, and the certificate as well.
>
> The peer part may be correct, or further ssl-related options may be needed. It depends on your peer so I can't say for certain unless you actually hit a problem.
>
> Amos

--
Disclaimer and Confidentiality

This material has been checked for computer viruses and although none has been found, we cannot guarantee that it is completely free from such problems and do not accept any liability for loss or damage which may be caused. Please therefore check any attachments for viruses before using them on your own equipment. If you do find a computer virus please inform us immediately so that we may take appropriate action.

This communication is intended solely for the addressee and is confidential. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. The views expressed in this message are those of the individual sender, and may not necessarily be that of ISA.