Re: [squid-users] Need help in integrating squid and samba

2009-09-08 Thread Avinash Rao
On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries wrote:
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries
>> wrote:
>>>
>>> Avinash Rao wrote:

 -- Forwarded message --
 From: Avinash Rao 
 Date: Tue, Sep 8, 2009 at 11:13 AM
 Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
 To: Amos Jeffries 
 Cc: Henrik Nordstrom ,
 squid-users@squid-cache.org




 On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries 
 wrote:
>
> Avinash Rao wrote:
>>
>> On 8/31/09, Amos Jeffries  wrote:
>>>
>>> Avinash Rao wrote:
>>>
 On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom wrote:

  Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
  > I couldn't find any document that shows me how to enable wb_info
  for squid.
  > Can anybody help me?

  external_acl_type NT_Group %LOGIN
  /usr/local/squid/libexec/wbinfo_group.pl

  acl group1 external NT_Group group1


  then use group1 whenever you want to match users belonging to that
  Windows group.

  Regards
  Henrik


 Hi Henrik,

 I have used the following in my squid.conf

 external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
 acl group1 external NT_Group staff

 acl net time M T W T F S S 9:00-18:00
 http_access allow net

 On my Linux server, I have created a group called staff and made a
 couple of users a member of this group called staff. My intention is to
 provide access to users belonging to group staff on all days from morning
 9am - 7PM. The rest should be denied.

 But this didn't work: when the Samba users log in from a WinXP client, it
 doesn't get access to the internet at all.
>>> There is no http_access line making any use of ACL "group1".
>>>
>>> And _everybody_ (me included on this side of the Internet) is allowed
>>> to use your proxy between 9am and 6pm.
>>>
>>>
>>> Amos
>>
>> Thanks for the reply. Yes, I missed "http_access allow group1".
>> I didn't understand your second statement; are you telling me that I
>> should deny access to net?
>
> You should combine the ACL with others on an http_access line so that
> it's limited to who it allows.
>
> This:
>  acl net time M T W T F S S 9:00-18:00
>  http_access allow net
>
> simply says "all requests are allowed between time X and Y".
> Without additional controls, i.e. on the IP address making the request, you
> end up with an open proxy.
>
> Amos

 Dear Amos,

 I am still not able to get this working. Here's what I want to
 accomplish. I have WinXP SP2 clients logging onto the Samba domain
 and LTSP users. All users use the Squid proxy. My intention is to control
 the Samba users from accessing the internet at certain times.

 If I don't use the external_acl_type NT_Group as mentioned below, Squid
 works properly for all users, even Windows and anybody using the
 Squid proxy.

 external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
 acl group1 external NT_Group group1

 I have created a group called staff using the net rpc command and I
 have made all the users using WinXP a member of this group staff. So,
 my acl will look like

 external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
 acl acl_name external NT_Group staff
 http_access allow staff

 According to my understanding, it should allow only those Samba users
 which come under the group staff. But that's not happening: Squid
 denies access to the internet.
>>>
>>> _when tested_ it should be doing that. Other rules around it have an
>>> effect
>>> that you may have overlooked.
>>>
>>> Then again the group name is case-sensitive. The helper is OS access
>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>
>>>
>>> I'll need to see the whole access config to know what's going on. And
>>> remind me what version of Squid this is.
>>>
>>>
>>> Amos
>>
>> hi,
>>
>>
>> r...@sunbox:/etc/squid# dpkg -l | grep squid
>> ii  squid         2.6.18-1ubuntu3  Internet object cache (WWW proxy cache)
>> ii  squid-common  2.6.18-1ubuntu3  Internet object cache (WWW proxy cache) - co
>>
>> squid.conf
>>
>> visible_hostname sunbox
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> use:  cache deny QUERY
>

RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

2009-09-08 Thread Henrik Nordstrom
Tue 2009-09-08 at 11:29 +1200, Amos Jeffries wrote:

> [2] No. Go back to the _current_ documentation and responses. Disregard the
> terminology from a decade ago about a non-relevant release of Squid. Things
> change.

The dstdomain acl is still the same

www.example.com  -> Matches just the host www.example.com
.example.com -> Matches the whole example.com domain
example.com  -> Matches just the host example.com, not www.example.com

Regards
Henrik
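The three forms Henrik lists, as an added example (not Squid's own code): a small Python matcher that reproduces the dstdomain rule so the difference between `example.com` and `.example.com` can be checked against sample hosts.

```python
# Added example, not code from the list or from Squid: the dstdomain ACL
# matching rule described above, written out so it can be tested.

def dstdomain_match(pattern, host):
    """Return True if `host` matches one dstdomain ACL entry `pattern`.

    Rule (case-insensitive, trailing dots ignored):
      www.example.com  -> only the host www.example.com
      .example.com     -> example.com and every host below it
      example.com      -> only the host example.com, not www.example.com
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        domain = pattern[1:]
        # the apex itself, or a label boundary followed by the domain, so that
        # "notexample.com" does not match ".example.com"
        return host == domain or host.endswith("." + domain)
    return host == pattern


def dstdomain_acl_matches(entries, host):
    """True if any entry of a dstdomain ACL matches `host`."""
    return any(dstdomain_match(entry, host) for entry in entries)


if __name__ == "__main__":
    # constructed sample ACL: "acl corp dstdomain .example.com example.net"
    corp = [".example.com", "example.net"]
    for h in ("www.example.com", "example.com", "notexample.com",
              "example.net", "www.example.net"):
        print(f"{h:20} -> {dstdomain_acl_matches(corp, h)}")
```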



Re: [squid-users] Need help in integrating squid and samba

2009-09-08 Thread Amos Jeffries

Avinash Rao wrote:

On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries wrote:

Avinash Rao wrote:

On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries
wrote:

Avinash Rao wrote:

-- Forwarded message --
From: Avinash Rao 
Date: Tue, Sep 8, 2009 at 11:13 AM
Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
To: Amos Jeffries 
Cc: Henrik Nordstrom ,
squid-users@squid-cache.org




On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries 
wrote:

Avinash Rao wrote:

On 8/31/09, Amos Jeffries  wrote:

Avinash Rao wrote:


On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom wrote:

 Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
 > I couldn't find any document that shows me how to enable wb_info
 for squid.
 > Can anybody help me?

 external_acl_type NT_Group %LOGIN
 /usr/local/squid/libexec/wbinfo_group.pl

 acl group1 external NT_Group group1


 then use group1 whenever you want to match users belonging to that
 Windows group.

 Regards
 Henrik


Hi Henrik,

I have used the following in my squid.conf

external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external NT_Group staff

acl net time M T W T F S S 9:00-18:00
http_access allow net

On my Linux server, I have created a group called staff and made a
couple of users a member of this group called staff. My intention is to
provide access to users belonging to group staff on all days from morning
9am - 7PM. The rest should be denied.

But this didn't work: when the Samba users log in from a WinXP client, it
doesn't get access to the internet at all.

There is no http_access line making any use of ACL "group1".

And _everybody_ (me included on this side of the Internet) is allowed
to use your proxy between 9am and 6pm.


Amos

Thanks for the reply. Yes, I missed "http_access allow group1".
I didn't understand your second statement; are you telling me that I
should deny access to net?

You should combine the ACL with others on an http_access line so that
it's limited to who it allows.

This:
 acl net time M T W T F S S 9:00-18:00
 http_access allow net

simply says "all requests are allowed between time X and Y".
Without additional controls, i.e. on the IP address making the request, you
end up with an open proxy.

Amos

Dear Amos,

I am still not able to get this working. Here's what I want to
accomplish. I have WinXP SP2 clients logging onto the Samba domain
and LTSP users. All users use the Squid proxy. My intention is to control
the Samba users from accessing the internet at certain times.

If I don't use the external_acl_type NT_Group as mentioned below, Squid
works properly for all users, even Windows and anybody using the
Squid proxy.

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1

I have created a group called staff using the net rpc command and I
have made all the users using WinXP a member of this group staff. So,
my acl will look like

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl acl_name external NT_Group staff
http_access allow staff

According to my understanding, it should allow only those Samba users
which come under the group staff. But that's not happening: Squid
denies access to the internet.

_when tested_ it should be doing that. Other rules around it have an
effect
that you may have overlooked.

Then again the group name is case-sensitive. The helper is OS access
permission sensitive, and NTLM auth has difficulties all of its own.


I'll need to see the whole access config to know what's going on. And
remind me what version of Squid this is.


Amos

hi,


r...@sunbox:/etc/squid# dpkg -l | grep squid
ii  squid         2.6.18-1ubuntu3  Internet object cache (WWW proxy cache)
ii  squid-common  2.6.18-1ubuntu3  Internet object cache (WWW proxy cache) - co

squid.conf

visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

use:  cache deny QUERY


hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631 
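The access list this thread is working toward, as an added example (not the poster's or Amos's configuration): it assumes the Squid 2.6 install and helper path quoted above, an auth_param scheme already configured, and a placeholder client network of 10.10.10.0/24 taken from the http_port address.

```conf
# Added example, not the poster's or Amos's squid.conf. Builds on the config
# quoted above: Squid 2.6, wbinfo_group.pl under /usr/local/squid/libexec,
# Windows group "staff". 10.10.10.0/24 is a placeholder for the client LAN.

# %LOGIN only yields a user name once an auth_param scheme (for example
# Samba's ntlm_auth) is configured above this point; without one Squid has
# no user name to hand the helper, so the group ACL can never match.
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff
# The ACL name must match on both lines: the quoted snippet defines
# "acl_name" but then references "staff" in its http_access line.

# Squid day codes are S M T W H F A (Sunday..Saturday). The quoted
# "M T W T F S S" names Tuesday and Sunday twice and never Thursday or
# Saturday. Window follows the stated goal of 9am to 7pm.
acl officehours time MTWHFAS 09:00-19:00

acl lan src 10.10.10.0/24

# (the usual manager / !Safe_ports / CONNECT !SSL_ports denies go here)

# First match wins. Only domain users in "staff", coming from the LAN,
# during office hours, get through. The final line closes the proxy to
# everyone else; because its last ACL is "all" rather than an
# authentication ACL, Squid answers 403 instead of another 407 challenge.
http_access allow lan staffgroup officehours
http_access deny all
```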

[squid-users] squid 3.0

2009-09-08 Thread Anders Larsson
Hi!


How do I configure Squid to allow X-Forwarded-For? When I enable it I get 

proxy:/usr/sbin# squid -k check
2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized:
'follow_x_forwarded_for'

./configure with -enable-follow-x-forwarded-for
added to squid.conf

acl localhost src 127.0.0.1/32 
follow_x_forwarded_for allow localhost





-- 
 With Kind Regards
 Best Regards 
 
* Anders Larsson
 * Systemadmin Unix/Linux
 * Tietoenator PN
* 831 48 ÖSTERSUND
 * Switchboard: +46 (0)63 664 63 00
 * Fax:  +46 (0)63 664 63 20
 * Tel:  +46 (0)10 481 98 01
 * Mobile: +46 (0)70 656 42 64
 * Mail: anders.lars...@tietoenator.com
 **
 
  Debian is the way to salvation 
 
 ---  How Hard Can It Be ---



Re: [squid-users] squid 3.0

2009-09-08 Thread Amos Jeffries

Anders Larsson wrote:

Hi!


How do I configure Squid to allow X-Forwarded-For? When I enable it I get 


proxy:/usr/sbin# squid -k check
2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized:
'follow_x_forwarded_for'

./configure with -enable-follow-x-forwarded-for
added to squid.conf

acl localhost src 127.0.0.1/32 
follow_x_forwarded_for allow localhost




That feature is not present in 3.0. It was only ported to 3.1 and later.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


Re: [squid-users] squid 3.0

2009-09-08 Thread Anders Larsson
Hmm, OK, that's bad. I need that option; is there another way to get the
IP addresses of the clients?



On Tue, 2009-09-08 at 13:31 +0300, Amos Jeffries wrote:
> Anders Larsson wrote:
> > Hi!
> > 
> > 
> > How do I configure Squid to allow X-Forwarded-For? When I enable it I get 
> > 
> > proxy:/usr/sbin# squid -k check
> > 2009/09/08 11:23:53| cache_cf.cc(346) squid.conf:657 unrecognized:
> > 'follow_x_forwarded_for'
> > 
> > ./configure with -enable-follow-x-forwarded-for
> > added to squid.conf
> > 
> > acl localhost src 127.0.0.1/32 
> > follow_x_forwarded_for allow localhost
> > 
> 
> That feature is not present in 3.0. It was only ported to 3.1 and later.
> 
> Amos



Re: [squid-users] Need help in integrating squid and samba

2009-09-08 Thread Avinash Rao
On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries wrote:

[squid-users] squid 3.1 ntlm_smb_lm_auth --require-membership-of

2009-09-08 Thread Bammer Sebastian
Hello,

I have a question regarding squid 3.1.
I'd like to authenticate my users based on their AD group membership.
In the previous squid version this was possible with ntlm_auth
--require-membership-of=DOMAIN\\Group
From what I understand ntlm_smb_lm_auth is the successor to ntlm_auth?
And there is no such parameter for ntlm_smb_lm_auth
Is there maybe another way to achieve my goal?

Cheers
Sebastian


Re: [squid-users] NTLM or fakeauth_auth

2009-09-08 Thread apmailist
Quoting Amos Jeffries :

> On Tue, 01 Sep 2009 15:38:24 +0200, apmail...@free.fr wrote:
> > Hello,
> >
> >
> > We are switching from an LDAP authentication to an AD one.
> > It works GREAT either with basic [password in clear :-(  ] or ntlm
> > authentication schemes. SSO was also requested, and works great.
> >
> > We have one problem though :
> > - during the tests, some user accounts get locked very often. ( after 5
> > attempts).
> > We know it comes from software trying to connect to internet with older
> > passwords. But as we cannot guarantee it will not happen on a large scale
> > when
> > we migrate,
> > ->> I am looking for a way to prevent these accounts getting locked.
> >
> > I thought of two solutions :
> >
> > 1.
> > I searched for a way to make Squid only ask 3 times in a row for a valid
> > credential. But couldn't find it : Any clue ?
>
> Not possible.  There is no such thing as a 'repeat' in HTTP.  Every request
> is 'new'.
>

I was thinking of some kind of caching, similar to
authenticate_ip_shortcircuit_ttl.

> > (After three bad attempts, Squid would not send a 407, but a 200 with the
> > error
> > page , maybe ?)
> >
> > 2.
> > The other solution I went for was a more relaxed authentication scheme :
> > using
> > fakeauth_auth (NTLM), and basic as a failback for non-sso browsers.
> > The idea is the following :
> > IE ( the in-house main browser ) would send the windows credential in a
> sso
> > way
> > (thus the user is logged) in an automatic way (meaning the user doesn't
> see
> > it,
> > and cannot tamper the authentication). We rely on IE to send us the
> > username
> > (windows logon credential)
> > Other browsers (FF) would use the basic scheme to send it's credentials.
>
> IE is the most limited of all browsers security-wise. Other web browsers
> are mostly capable of NTLM and more advanced authentication Schemes without
> the bugs IE has.
>
> >
> > The problem is that at least one browser that is NTLM-compatible (Opera)
> is
> > able
> > to provide the user with a prompt during the authentication : And the
> user
> > may
> > give any valid account, along with any password.
>
> This is true of _all_ web browsers.

OK

> > Here are the two lines :
> > auth_param ntlm program /proxy3/libexec/fakeauth_auth
> > auth_param basic program /proxy3/libexec/squid_ldap_auth  -P -ZZ -v 3 -c
> 5
> > -t 5
> > -b ou=BLABLA -f(sAMAccountName=%s) -D "cn=reqaccount-BLABLA" -W
> > /proxy3/etc/ldapauth_prd_secretfile -h dc002.fgn.com dc003.global.fgn.com
> > Inverting the two lines forces all browsers to use the basic
> > authentication.
> > Is there a way to do NTLM only with SSO able browsers, and then revert to
> > BASIC
> > for all the others ?
>
> Yes. By using what you have configured above.
> The problem you face is that Squid sends out a list of available methods.
> Then the browser chooses the authentication method it's going to use and
> sends credentials. If those credentials fail Squid responds with a
> 407/'failed try again' and the browser does whatever it can to get new
> credentials. Usually they start with a popup window to ask the user.
>
>
> > I figure playing with useragent strings wouldn't be enough, because Opera
> > can
> > easily masquerade as IE (or used to).
>
> Agent strings are not relevant, only the credentials the browser passes to
> Squid and the method chosen to send them.

Still, is it possible to present specific authentication schemes depending on the
user agent?



>
> What I would do in your place is setup an external ACL which accepted the
> Proxy-Auth header and processed it.
> Detect old-style logins and redirect to a special error page saying to
> change their settings.
> If the type is 'Basic' it returns OK. Otherwise ERR.
>
> external_acl_type oldAuthTest %{Proxy-Authentication} /bla.sh
> acl oldAuth external oldAuthTest
> deny_info http://blah.example.com/fix-your-proxy-login.html oldAuth
> http_access deny oldAuth
>
> ... http_access bits to do the new login stuff go below ...
>
> Amos
>

Maybe I didn't explain clearly: it's not the migration process in itself that
worries us. It's the everyday use of the future AD authentication: accounts
getting locked too often.
Has anybody had such account locking problems? If so, could they share with us
how they prevented these lockouts from happening?

Thanks,

Andrew
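Amos's external-ACL sketch, written out as an added example (not code from the thread or from Squid): a helper that receives the client's Proxy-Authorization request header (the `%{Proxy-Authorization}` format token; the quoted line writes Proxy-Authentication, but Proxy-Authorization is the request header's name) and answers OK for an old-style Basic login so `http_access deny oldAuth` with deny_info can steer those clients to the fix-your-login page. It assumes Squid's default URL-quoting of helper fields and "-" for a missing header.

```python
#!/usr/bin/env python3
# Added example, not code from the thread or from Squid: a Squid external ACL
# helper. Squid writes one line per request holding the Proxy-Authorization
# value ("-" when the header is absent) and expects one "OK" or "ERR" back.
import sys
from urllib.parse import unquote


def auth_scheme(field):
    """Return the lowercase auth scheme ("basic", "ntlm", "negotiate", ...)
    from a Proxy-Authorization value as Squid passes it, or None if absent."""
    value = unquote(field).strip()      # undo the %-quoting Squid applies by default
    if not value or value == "-":       # "-" is Squid's marker for "no such header"
        return None
    return value.split(None, 1)[0].lower()


def decide(line):
    """Map one helper input line to the reply Squid expects.

    OK  -> the client used the old-style Basic login (the ACL matches, and
           the deny/deny_info pair sends it to the explanatory page)
    ERR -> NTLM/Negotiate or no credentials at all; fall through to the
           normal authentication rules below
    """
    scheme = auth_scheme(line.rstrip("\r\n"))
    return "OK" if scheme == "basic" else "ERR"


def main():
    # Squid waits for the reply to each line before sending the next, so the
    # answer must be flushed immediately rather than block-buffered.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```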


[squid-users] Squid HTTP 1.1 & Keep alive as reverse proxy

2009-09-08 Thread Ryan Chan
Hello,

I am using Squid 3.0 as a reverse proxy to Apache 1.3.

What I found out is that client => squid is using keep alive (from
live http header, Connection: keep alive)

but squid => apache is only using HTTP 1.0 (from apache access log)


Is this normal?


Thanks.


Re: [squid-users] I/O Performance Tuning

2009-09-08 Thread Chris Robertson

Henrik Nordstrom wrote:
Sun 2009-09-06 at 07:26 -0700, pokeman wrote: 
  

Thanks Henrik for your tip. Can you guide me on what the recommended setting
for COSS is? Secondly, currently I am using aufs; after enabling COSS, what happens
with the stored cache objects? COSS requires a clean disk.



You can use both coss & aufs on the same drive. To keep config clean
just move the aufs data down to a folder below the root of that disk.

cd /cache
mkdir aufs
mv ?? swap.state* aufs
mkdir coss1
[repeat for as many coss stores you need]
  


For what it's worth, I found that putting my COSS stripe in a file on a 
congested disk did nothing for performance.  I wound up creating two 
partitions per disk.  The first is dedicated to COSS and the second 
(formatted ext3) holds my aufs cache dir.


[r...@proxypool-1 ~]# fdisk -l /dev/sdc

Disk /dev/sdc: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1        6080    48837568+  83  Linux
/dev/sdc2            6081       24317   146488702+  83  Linux
[r...@proxypool-1 ~]# mount|grep squid
/dev/sdc2 on /usr/local/squid/var/cache/1 type ext3 (rw,noatime,nodiratime)
...
[r...@proxypool-1 ~]# grep ^cache_dir /etc/squid/squid.conf
cache_dir coss /dev/sdc1 46080 max-size=51200 max-stripe-waste=32768 block-size=4096
...
cache_dir aufs /usr/local/squid/var/cache/1 153600 128 256 min-size=51200

At current peaks of 80 req/sec, my load average hovers around 0.3 and my 
HIT service time rarely even registers.


Of course, YMMV.


then reconfigure squid as appropriate.

Regards
Henrik
  


Chris



Re: [squid-users] another Reverse Proxy question

2009-09-08 Thread Chris Robertson

f0...@aol.com wrote:

-Original Message-
From: Jeff Pang 
To: f0...@aol.com
Cc: squid-users@squid-cache.org
Sent: Mon, Sep 7, 2009 2:35 pm
Subject: Re: [squid-users] another Reverse Proxy question

sure.
use src ACL type instead of dstdomain in the reverse proxy setting.

-End Message-

Thanks for your reply.
Can you give me example, please? I'm still learning...


http_port 80 accel default_site=www.example.com
acl mydomain dstdomain www.example.com
# Default http_access rules go here (deny to not Safe_ports, deny CONNECT to not SSL_ports, etc).

http_access allow mydomain
http_access deny all
cache_peer 10.0.0.77 parent 77 0 originserver noquery name=default
cache_peer 10.0.0.88 parent 88 0 originserver noquery name=special
acl special_guests src 192.168.1.0/24
cache_peer_access special allow special_guests
cache_peer_access special deny all
cache_peer_access default allow all

Chris




[squid-users] LDAP configuration for squid

2009-09-08 Thread Juan Cardoza
Hello all

How can I configure LDAP on the Squid server? I have been googling, and 
there is a lot of information, but none of it works on my Squid server. I 
would really appreciate your help with it.

Best regards
Jhon


Teleperformance values: Integrity - Respect - Professionalism - Innovation - 
Commitment

The information contained in this communication is privileged and confidential. 
 The content is intended only for the use of the individual or entity named 
above. If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication 
in error, please notify me immediately by telephone or e-mail, and delete this 
message from your systems.
Please consider the environmental impact of needlessly printing this e-mail.


Re: [squid-users] SVC times

2009-09-08 Thread Chris Robertson

balkris...@subisu.net.np wrote:

Dear all,

Someone please help me finding difference between HTTP all service time,
HTTP miss service time and HTTP near miss service time.

Thanks in advance.

Regards,

Bal Krishna
  


HTTP all: A general average of all service times.
HTTP miss: How long it takes Squid to service a request where the data 
was not found in the cache (or the cache object was found to be stale).
HTTP near miss: 
http://www.squid-cache.org/mail-archive/squid-users/200604/0178.html  
"the service time of TCP_IMS_HIT requests. This is successful cache 
validations sent to your cache, served directly out of the cache."


Chris



Re: [squid-users] Restricting access to users logging onto windows domain

2009-09-08 Thread Chris Robertson

Tejpal Amin wrote:

Hi,

Any suggestions for my query?
  


The same suggestion that has been given a couple times but either missed 
or ignored.  I'll quote it for emphasis...


On Tue, Sep 1, 2009 at 2:54 PM, Amos Jeffries wrote:


http_access deny !auth all

Where "auth" is whatever ACL name you have in your squid.conf to test
authentication.

On Wed, Sep 2, 2009 at 5:36 AM, Amos Jeffries wrote:

I assume when you said "squid throws up an authentication dialog box" that
you already had authentication working. This line replaces whatever you
currently have doing "deny !auth" in your config and causing the dialog box
to appear.


Here's the really important bit...


 The 'all' at the end of the [http_access] line prevents the dialog being
requested by Squid.

Amos



Chris



Re: [squid-users] squid 3.0

2009-09-08 Thread Chris Robertson

Anders Larsson wrote:

hmm ok.. thats bad. need that option or is there another way to get the
ip adresses from the clients?
  


The follow_x_forwarded_for allows a parent cache to read the 
X-Forwarded-For header for logging (and possibly for ACLs).  As long as 
you don't disable X-Forwarded-For 
(http://www.squid-cache.org/Doc/config/forwarded_for/ or 
http://www.squid-cache.org/Doc/config/header_access/), the header will 
be populated by Squid.


Chris



Re: [squid-users] Squid HTTP 1.1 & Keep alive as reverse proxy

2009-09-08 Thread Chris Robertson

Ryan Chan wrote:

Hello,

I am using Squid 3.0 as a reverse proxy to Apache 1.3.

What I found out is that client => squid is using keep alive (from
live http header, Connection: keep alive)

but squid => apache is only using HTTP 1.0 (from apache access log)


Is this normal?
  


Yes.  Squid is not yet HTTP 1.1 compliant.


Thanks.
  


Chris



[squid-users] squid didn't not write all logs

2009-09-08 Thread Friedrich Hattendorf
 Hello list,

 we are running a Debian LTSP system at our school.

 Since our last update Squid wrote only the
 store.log
 cache.log
 but no longer the
 access.log

Seems to be a problem of squid.conf:

all three had the same entry:

#Default:
# cache_access_log /var/log/squid/access.log

I deleted the # in the above line with access.log, restarted 
Squid, and access.log was there again.

But I don't understand why the other two weren't affected.

-- 
with kind regards
Friedrich Hattendorf

---
Learning is like rowing against the current;
as soon as you stop, you drift back
Benjamin Britten


[squid-users] NT_STATUS_PIPE_DISCONNECTED

2009-09-08 Thread SecureSoft - Daniel Merino
Hi everyone,
I'm worried about this; please, it's urgent...
I have two Squids working with the same squid.conf and the same installation
steps, CentOS 5.2; both authenticate users of an AD with NTLM.
My Squids had been working well for a good while, but now they sometimes cease to
authenticate users: none of the users can authenticate, and when this
occurs I restart the winbindd service and authentication works again.
This happened with both Squids at the same time, and they aren't synced; they
are for different networks. The AD doesn't show any problems, but I'm not
sure. This is the error that appears in the messages file: 

winbindd[11358]: [2009/09/08 13:09:53, 0]
rpc_client/cli_pipe.c:rpc_api_pipe(790) 
Sep  8 13:09:53 s7729w50 winbindd[11358]:   rpc_api_pipe: Remote machine
s7729502.pe.igrupobbva pipe \NETLOGON fnum 0x4007returned critical error.
Error was NT_STATUS_PIPE_DISCONNECTED


And it repeats until I restart the services. Does anyone have any thought about what
could be the problem, or an explanation of what NT_STATUS_PIPE_DISCONNECTED
refers to?

I found people on Google asking about almost the same problem, but no one
answered. Thanks for answering.

See you later.
Daniel Merino
Junior Information Security Consultant 
Secure Soft S.A.C. 
C Begonias 630-656 
     Office 14 (Second Floor) 
     San Isidro. Lima 27 - PERU 
(511) 994622555 (RPC) 
(511) 4402031 (TeleFax) 
+ dmer...@securesoft.com.pe 
: http://www.securesoft.com.pe

 




Re: [squid-users] squid 3.1 ntlm_smb_lm_auth --require- membership-of

2009-09-08 Thread Amos Jeffries
On Tue, 8 Sep 2009 16:37:55 +0200, "Bammer Sebastian"
 wrote:
> Hello,
> 
> I have a question regarding squid 3.1.
> I'd like to authenticate my users based on their AD group membership.
> In the previous squid version this was possible with ntlm_auth
> --require-membership-of=DOMAIN\\Group
> From what I understand ntlm_smb_lm_auth is the successor to ntlm_auth?

No ntlm_smb_lm_auth is a simple rename of the binary previously bundled
with squid.
It does not now and never has performed NTLM auth, it only does SMB LM auth
via the NTLM challenge protocol. Thus the rename.

For full NTLM auth use the Samba bundled helper which is still named
ntlm_auth.

> And there is no such parameter for ntlm_smb_lm_auth
> Is there maybe another way to achieve my goal?

Perhaps this parameter was for the Samba helper previously. It's the
preferred binary to use for NTLM anyway.

Amos



Re: [squid-users] NTLM or fakeauth_auth

2009-09-08 Thread Henrik Nordstrom
Tue 2009-09-08 at 17:54 +0200, apmail...@free.fr wrote:

> Still, is it possible to present specific authentication schemes depending on 
> the
> user agent?

Not yet.

> Maybe I didn't explain clearly : it's not the migration process in itself that
> worries us. It's the everyday use of the future AD authentication : Accounts
> getting locked too often.
> As anybody had such accounts locking problems ? If so, Could they share with 
> us
> how they prevented these lockouts from happening ?

From what I remember AD allows for bad NTLM logins with an old password
for quite some time without locking the account, to avoid the issue with
shares/applications continuing to use the old password after the user
has changed his password.

But if using Negotiate (kerberos) then this pretty much should be a
non-issue as Kerberos is ticket based and not directly derived from the
password, or at least that's my understanding.

Regards
Henrik



Re: [squid-users] I/O Performance Tuning

2009-09-08 Thread Henrik Nordstrom
tis 2009-09-08 klockan 10:27 -0800 skrev Chris Robertson:

> For what it's worth, I found that putting my COSS stripe in a file on a 
> congested disk did nothing for performance.  I wound up creating two 
> partitions per disk.  The first is dedicated to COSS and the second 
> (formatted ext3) holds my aufs cache dir.

Hmm.. sounds like you may need to tune your ext3 a little, primarily
journal size & commit interval.

When things are running properly there should not be any measurable
difference between having COSS in a file on the same ext3 partition or
on a separate partition on the same drive.

Regards
Henrik



Re: [squid-users] Squid HTTP 1.1 & Keep alive as reverse proxy

2009-09-08 Thread Henrik Nordstrom
ons 2009-09-09 klockan 00:29 +0800 skrev Ryan Chan:
> Hello,
> 
> I am using Squid 3.0 as a reverse proxy to Apache 1.3.
> 
> What I found out is that client => squid is using keep alive (from
> live http header, Connection: keep alive)
> 
> but squid => apache is only using HTTP 1.0 (from apache access log)

There should be a "Connection: keep-alive" header in the request from
Squid to Apache as well.

(note: "Connection: keep-alive" is HTTP/1.0, HTTP/1.1 does it slightly
differently using "Connection: close")

Regards
Henrik
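
For the HTTP/1.0 versus HTTP/1.1 distinction Henrik draws, here is an added example that is not code from the thread or from Squid: a small Python decision function for whether a message head allows the connection to be reused, run over constructed request and reply heads for the two hops Ryan describes (client to Squid, Squid to Apache). The host name and the sample heads are constructed.

```python
# Added example, not code from the thread or from Squid: the persistence
# rule a proxy applies per hop. HTTP/1.0 closes after the response unless
# "Connection: keep-alive" was sent; HTTP/1.1 keeps the connection open
# unless a side sends "Connection: close".

def connection_tokens(headers):
    """Lower-cased tokens of every Connection header (the field may repeat)."""
    tokens = []
    for name, value in headers:
        if name.lower() == "connection":
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens

def is_persistent(version, headers):
    """True if the sender of this message allows the connection to be reused."""
    tokens = connection_tokens(headers)
    if version == "HTTP/1.0":
        return "keep-alive" in tokens and "close" not in tokens
    if version.startswith("HTTP/1."):       # 1.1 and later minor versions
        return "close" not in tokens
    return False                             # HTTP/0.9 carries no headers

def parse_head(raw):
    """Split a CRLF-delimited request or status head into
    (version, [(name, value), ...]); the body is not parsed."""
    lines = raw.decode("iso-8859-1").split("\r\n")
    first = lines[0].split(" ")
    # a status line starts with the version, a request line ends with it
    version = first[0] if first[0].startswith("HTTP/") else first[-1]
    headers = []
    for line in lines[1:]:
        if not line:                         # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return version, headers

def persistent(raw):
    """Decision for one raw message head."""
    return is_persistent(*parse_head(raw))

# Constructed sample heads for the two hops in the question.
CLIENT_TO_SQUID = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Connection: keep-alive\r\n\r\n")
SQUID_TO_APACHE = (b"GET / HTTP/1.0\r\nHost: www.example.com\r\n"
                   b"Connection: keep-alive\r\n\r\n")
APACHE_CLOSING = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
BARE_HTTP10 = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
```

The check this gives you for Ryan's setup is the one Henrik names: an HTTP/1.0 request from Squid to Apache only keeps the connection if it carries the keep-alive token, so a capture of the Squid-to-Apache hop without that header explains a log full of fresh connections.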



Re: [squid-users] squid didn't not write all logs

2009-09-08 Thread Henrik Nordstrom
tis 2009-09-08 klockan 23:09 +0200 skrev Friedrich Hattendorf:

> Seems to be a problem of squid.conf:
> 
> all three had the same entry:
> 
> #Default:
> # cache_access_log /var/log/squid/access.log
> 
> I deleted the # in the above line with access.log, restarted 
> squid and the access.log was there again.

My guess as to what has happened is that you have an old squid.conf from an
earlier release, probably 2.5 or so..

The default for access_log changed many years ago. The directive name
also changed from cache_access_log to just access_log.

Regards
Henrik





Re: [squid-users] LDAP configuration for squid

2009-09-08 Thread Amos Jeffries
On Tue, 8 Sep 2009 13:47:15 -0500, "Juan Cardoza" 
wrote:
> Hello all
> 
> How can I configure LDAP in the squid server? I have been googling,
> but there is a lot of information and none of it is working on my squid
> server. I would really appreciate it if you could help me with it.
> 
> Best regards
> Jhon
> 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

How to setup and manage LDAP itself is not covered.

Amos


Re: [squid-users] NT_STATUS_PIPE_DISCONNECTED

2009-09-08 Thread Henrik Nordstrom
tis 2009-09-08 klockan 17:16 -0500 skrev SecureSoft - Daniel Merino:

> winbindd[11358]: [2009/09/08 13:09:53, 0]
> rpc_client/cli_pipe.c:rpc_api_pipe(790) 
> Sep  8 13:09:53 s7729w50 winbindd[11358]:   rpc_api_pipe: Remote machine
> s7729502.pe.igrupobbva pipe \NETLOGON fnum 0x4007returned critical error.
> Error was NT_STATUS_PIPE_DISCONNECTED

Samba winbind lost connection to the domain controller for some reason.

Why is best asked in a Samba forum..

Regards
Henrik



Re: [squid-users] squid didn't not write all logs

2009-09-08 Thread Amos Jeffries
On Tue, 8 Sep 2009 23:09:10 +0200, Friedrich Hattendorf
 wrote:
> Hello list,
> 
>  we are running a debian ltsp system at our school
> 
>  since our last update squid wrote only the
>  store.log
>  cache.log
>  but no longer the
>  access.log
> 
> 
> Seems to be a problem of squid.conf:
> 
> all three had the same entry:
> 
> #Default:
> # cache_access_log /var/log/squid/access.log
> 
> I deleted the # in the above line with access.log, restarted 
> squid and the access.log was there again.
> 
> But I don't comprehend, why the other two weren't conflicted.

Somebody changed the config file on you?

Or maybe you have an automatic system that changes certain config lines to
your local settings?
cache_access_log is obsolete in 2.6 and later. Use access_log instead.

Amos


Re: [squid-users] NTLM or fakeauth_auth

2009-09-08 Thread Amos Jeffries
On Tue, 08 Sep 2009 17:54:28 +0200, apmail...@free.fr wrote:
> Quoting Amos Jeffries :
> 
>> On Tue, 01 Sep 2009 15:38:24 +0200, apmail...@free.fr wrote:
>> > Hello,
>> >
>> >
>> > We are switching from an LDAP authentication to an AD one.
>> > It works GREAT either with basic [password in clear :-(  ] or ntlm
>> > authentication schemes. SSO was also requested, and works great.
>> >
>> > We have one problem though :
>> > - during the tests, some user accounts get locked very often (after 5
>> > attempts).
>> > We know it comes from software trying to connect to internet with
>> > older passwords. But as we cannot guarantee it will not happen on a large
>> > scale
>> > when
>> > we migrate,
>> > ->> I am looking for a way to prevent these accounts getting locked.
>> >
>> > I thought of two solutions :
>> >
>> > 1.
>> > I searched for a way to make Squid only ask 3 times in a row for a
>> > valid
>> > credential. But couldn't find it : Any clue ?
>>
>> Not possible.  There is no such thing as a 'repeat' in HTTP.  Every
>> request
>> is 'new'.
>>
> 
> I was thinking of some kind caching , similar to
> authenticate_ip_shortcircuit_ttl

That would cache the first (possibly bad) set of credentials for N seconds
regardless of if they fixed their login correctly. Not exactly what you
seem to need.

> 
>> > (After three bad attempts, Squid would not send a 407, but a 200 with
>> > the
>> > error
>> > page , maybe ?)
>> >
>> > 2.
>> > The other solution I went for was a more relaxed authentication scheme
>> > :
>> > using
>> > fakeauth_auth (NTLM), and basic as a failback for non-sso browsers.
>> > The idea is the following :
>> > IE (the in-house main browser) would send the windows credential in
>> > an sso way (thus the user is logged) in an automatic way (meaning the
>> > user doesn't see it, and cannot tamper with the authentication). We
>> > rely on IE to send us the username (windows logon credential).
>> > Other browsers (FF) would use the basic scheme to send its
>> > credentials.
>>
>> IE is the most limited of all browsers security-wise. Other web browsers
>> are mostly capable of NTLM and more advanced authentication Schemes
>> without
>> the bugs IE has.
>>
>> >
>> > The problem is that at least one browser that is NTLM-compatible
>> > (Opera) is able to provide the user with a prompt during the
>> > authentication: and the user may give any valid account, along with
>> > any password.
>>
>> This is true of _all_ web browsers.
> 
> OK
> 
>> > Here are the two lines :
>> > auth_param ntlm program /proxy3/libexec/fakeauth_auth
>> > auth_param basic program /proxy3/libexec/squid_ldap_auth -P -ZZ -v 3 -c 5 -t 5
>> > -b ou=BLABLA -f(sAMAccountName=%s) -D "cn=reqaccount-BLABLA" -W
>> > /proxy3/etc/ldapauth_prd_secretfile -h dc002.fgn.com dc003.global.fgn.com
>> > Inverting the two lines forces all browsers to use the basic
>> > authentication.
>> > Is there a way to do NTLM only with SSO able browsers, and then revert
>> > to
>> > BASIC
>> > for all the others ?
>>
>> Yes. By using what you have configured above.
>> The problem you face is that Squid sends out a list of available
>> methods.
>> Then the browser chooses the authentication method it's going to use and
>> sends credentials. If those credentials fail Squid responds with a
>> 407/'failed try again' and the browser does whatever it can to get new
>> credentials. Usually they start with a popup window to ask the user.
>>
>>
>> > I figure playing with useragent strings wouldn't be enough, because
>> > Opera
>> > can
>> > easily masquerade as IE (or used to).
>>
>> Agent strings are not relevant, only the credentials the browser passes to
>> Squid and the method chosen to send them.
> 
> Still, is it possible to present specific authentication schemes depending
> on the
> useragent?
> 

Would be wonderful wouldn't it?
Sadly, nobody has coded ACL control for auth_param usage yet.
It might be possible if we can find someone with coding skills and time to
do it.

> 
>>
>> What I would do in your place is setup an external ACL which accepted
>> the Proxy-Auth header and processed it.
>> Detect old-style logins and redirect to a special error page saying to
>> change their settings.
>> If the type is 'Basic' it returns OK. Otherwise ERR.
>>
>> external_acl_type oldAuthTest %{Proxy-Authentication} /bla.sh
>> acl oldAuth external oldAuthTest
>> deny_info http://blah.example.com/fix-your-proxy-login.html oldAuth
>> http_access deny oldAuth
>>
>> ... http_access bits to do the new login stuff go below ...
>>
>> Amos
>>
> 
> Maybe I didn't explain clearly : it's not the migration process in itself
> that
> worries us. It's the everyday use of the future AD authentication :
> Accounts
> getting locked too often.


By choosing to do locking at all you trade off having an account locked
when attacked vs the frequency of it locking on the users own mistakes. By
doing this you are gambling that the user is going to be
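
As an added example of the external ACL Amos sketches above (this is not his "/bla.sh", which is a placeholder, and not part of Squid), here is what such a helper can look like in Python. It assumes the helper is referenced with %{Proxy-Authorization}, the request header in which browsers carry proxy credentials, and the non-concurrent helper line protocol of Squid 2.6/3.0: one url-escaped field per lookup on stdin, "-" when the header is absent, and an OK or ERR reply per line. The helper path and the sample credentials are constructed.

```python
#!/usr/bin/env python3
# Added example, not the "/bla.sh" from the thread and not part of Squid.
# Assumed squid.conf reference (helper path is constructed):
#   external_acl_type oldAuthTest %{Proxy-Authorization} /usr/local/squid/libexec/old_auth.py
# Assumed protocol (non-concurrent, Squid 2.6/3.0 style): Squid writes one
# url-escaped field per lookup, "-" if the header is missing, and waits for
# "OK" (ACL matches) or "ERR" on a line of its own.
import sys
from urllib.parse import unquote

LEGACY_SCHEMES = {"basic"}   # what the deny_info page should catch

def auth_scheme(header_value):
    """Scheme token of a Proxy-Authorization value, lower-cased, or None."""
    if not header_value or header_value == "-":
        return None
    return header_value.split(None, 1)[0].lower()

def classify(line):
    """Decision for one lookup line: OK when the client used a legacy scheme
    (so 'http_access deny oldAuth' fires and deny_info shows the fix-up
    page), ERR for NTLM/Negotiate or when no credentials were sent."""
    fields = line.rstrip("\r\n").split(" ")
    value = unquote(fields[0]) if fields and fields[0] else ""
    return "OK" if auth_scheme(value) in LEGACY_SCHEMES else "ERR"

def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Main loop: answer every line at once; Squid blocks on each reply."""
    for line in stdin:
        stdout.write(classify(line) + "\n")
        stdout.flush()

if __name__ == "__main__":
    serve()
```

The helper looks only at the scheme token and never decodes or logs the credential that follows it, so nothing about passwords ends up in helper output or cache.log; it pairs with the deny_info and http_access lines quoted above. The sample base64 values in the checks below are constructed, not captured logins.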

Re: [squid-users] squid didn't not write all logs

2009-09-08 Thread Avinash Rao
On Wed, Sep 9, 2009 at 6:22 AM, Amos Jeffries  wrote:
>
> On Tue, 8 Sep 2009 23:09:10 +0200, Friedrich Hattendorf
>  wrote:
> > Hello list,
> >
> >  we are running a debian ltsp system at our school
> >
> >  since our last update squid wrote only the
> >  store.log
> >  cache.log
> >  but no longer the
> >  access.log
> >
> >
> > Seems to be a problem of squid.conf:
> >
> > all three had the same entry:
> >
> > #Default:
> > # cache_access_log /var/log/squid/access.log
> >
> > I deleted the # in the above line with access.log, restarted
> > squid and the access.log was there again.
> >
> > But I don't comprehend, why the other two weren't conflicted.
>
> Somebody changed the config file on you?
>
> Or maybe you have an automatic system that changes certain config lines to
> your local settings?
> cache_access_log is obsolete in 2.6 and later. Use access_log instead.
>
> Amos


Even I don't have access.log on my system. I see only cache.log and
store.log under /var/log/squid. Why isn't access.log used, and how can I
enable it? I am using Squid2.6stable18.

Sorry for using the same thread.

Avinash


Re: [squid-users] msn messenger problem with squid

2009-09-08 Thread serfer

Please help me with the above issue

thanks



Re: [squid-users] Need help in integrating squid and samba

2009-09-08 Thread Avinash Rao
On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries  wrote:
>
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries wrote:
>>>
>>> Avinash Rao wrote:

 On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries
 wrote:
>
> Avinash Rao wrote:
>>
>> -- Forwarded message --
>> From: Avinash Rao 
>> Date: Tue, Sep 8, 2009 at 11:13 AM
>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>> To: Amos Jeffries 
>> Cc: Henrik Nordstrom ,
>> squid-users@squid-cache.org
>>
>>
>>
>>
>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries 
>> wrote:
>>>
>>> Avinash Rao wrote:

 On 8/31/09, Amos Jeffries  wrote:
>
> Avinash Rao wrote:
>
>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>
>  > wrote:
>>
>>  sön 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>  > I couldn't find any document that shows me how to enable wb_info
>>  for squid.
>>  > Can anybody help me?
>>
>>  external_acl_type NT_Group %LOGIN
>>  /usr/local/squid/libexec/wbinfo_group.pl
>>
>>  acl group1 external NT_Group group1
>>
>>
>>  then use group1 whenever you want to match users belonging to that
>>  Windows group.
>>
>>  Regards
>>  Henrik
>>
>>
>> Hi Henrik,
>>
>> I have used the following in my squid.conf
>>
>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl acl
>
> group1 external NT_Group staff
>>
>> acl net time M T W T F S S 9:00-18:00
>> http_access allow net
>>
>> On my linux server, I have created a group called staff and made a
>> couple
>
> of users a member of this group called staff. My intention is to
> provide
> access to users belonging to group staff on all days from morning 9am
> -
> 7PM.
> The rest should be denied.
>>
>> But this didn't work, when the Samba users login from a winxp
>> client,
>> it
>
> doesn't get access to internet at all.
> There is no http_access line making any use of ACL "group1"
>
> And _everybody_ (me included on this side of the Internet) is allowed
> to use
> your proxy between 9am and 6pm.
>
>
> Amos

 Thanks for the reply, Ya i missed http_access allow group1
 I didn't understand your second statement, are you telling me that I
 should deny access to net?
>>>
>>> You should combine the ACL with others on an http_access line so that
>>> it's
>>> limited to who it allows.
>>>
>>> This:
>>>  acl net time M T W T F S S 9:00-18:00
>>>  http_access allow net
>>>
>>> simply says "all requests are allowed between time X and Y".
>>> Without additional controls, ie on IP address making the request,  you
>>> end up with an open proxy.
>>>
>>> Amos
>>
>> Dear Amos,
>>
>> I am still not able to get this working.  Here's what I want to
>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>> and LTSP users. All users use squid proxy. My intention is to control
>> the samba users from accessing the internet at certain times.
>>
>> If i don't use the external_acl_type NT_Group as mentioned below, the
>> squid works properly for all users, even windows and anybody using
>> squid proxy.
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/
>> wbinfo_group.pl
>> acl group1 external NT_Group group1
>> I have created a group called staff using the net rpc command and I
>> have made all the users using winxp a member of this group staff. So,
>> my acl will look like
>>
>> external_acl_type NT_Group %LOGIN
>> /usr/local/squid/libexec/wbinfo_group.pl
>> acl acl_name external NT_Group staff
>> http_access allow staff
>>
>> According to my understanding, it should allow only those samba users
>> which come under the group staff. But thats not happening, squid
>> denies access to the internet.
>
> _when tested_ it should be doing that. Other rules around it have an
> effect
> that you may have overlooked.
>
> Then again the group name is case-sensitive. The helper is OS access
> permission sensitive, and NTLM auth has difficulties all of its own.
>
>
> I'll need to see the whole access config to know what's going on. And
> remind
> me what version of Squid this is.
>
>
> Amos

 hi,


 r...@sunbox:/etc/squid# dpkg -l | grep squid
 ii  squid
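
To make the http_access semantics Amos describes in this thread testable offline, here is an added example that is not from the thread or from Squid: a Python model of the first-match evaluation Squid applies to http_access lines, with the wbinfo_group.pl helper replaced by a constructed membership table. It evaluates the time-only rule quoted above and the combined form with a source network, the group ACL and a time ACL on one line, and it also reports ACL names used on http_access lines that no acl line defines, which is the mismatch between `acl acl_name external NT_Group staff` and `http_access allow staff` in the quoted config (Squid itself refuses to start on that). The addresses, user names and the day/hour matching rule (start inclusive, end exclusive) are assumptions. The day letters S M T W H F A and D follow Squid's time ACL syntax, in which Avinash's `M T W T F S S` covers Tuesday and Sunday twice and Thursday and Saturday not at all.

```python
# Added example, not from the thread or from Squid: a model of http_access
# evaluation. Assumptions: only "acl <name> src|time|external" and
# "http_access" lines are understood; wbinfo_group.pl is replaced by the
# constructed GROUP_MEMBERS table; a time ACL matches start <= clock < end.
import ipaddress
from collections import namedtuple
from datetime import datetime

# Constructed stand-in for the answers wbinfo_group.pl would give.
GROUP_MEMBERS = {"staff": {"alice", "bob"}}

# Squid's day letters for the time ACL (S M T W H F A; D = Mon-Fri),
# mapped onto datetime.weekday() numbering (Monday = 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

Request = namedtuple("Request", "src user when")

def parse_conf(text):
    """Return ({acl_name: (kind, args)}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            kind, args = acls.get(parts[1], (parts[2], []))
            acls[parts[1]] = (kind, args + parts[3:])  # repeated names are OR'd
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
        # external_acl_type lines only name the helper; the table stands in
    return acls, rules

def undefined_acls(conf_text):
    """ACL names used on http_access lines that no acl line defines."""
    acls, rules = parse_conf(conf_text)
    used = {n.lstrip("!") for _, names in rules for n in names}
    return sorted(used - set(acls))

def to_minutes(hm):
    hours, minutes = hm.split(":")
    return int(hours) * 60 + int(minutes)

def time_matches(args, when):
    days = {DAY_CODES[a] for a in args if a in DAY_CODES}
    if "D" in args:
        days |= set(range(5))
    if days and when.weekday() not in days:
        return False
    spans = [a for a in args if ":" in a]
    if not spans:
        return True
    start, end = spans[0].split("-")
    clock = when.hour * 60 + when.minute
    return to_minutes(start) <= clock < to_minutes(end)

def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":
        return time_matches(args, req.when)
    if kind == "external":  # %LOGIN: only an authenticated user can match
        return req.user is not None and any(
            req.user in GROUP_MEMBERS.get(g, ()) for g in args)
    raise ValueError("unsupported acl type: " + kind)

def http_access(conf_text, req):
    """First http_access line whose ACLs all match decides. With no match,
    the result is the opposite of the last line's action."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"

# Avinash's rule as quoted above: a time window, nothing about who is asking.
TIME_ONLY = """
acl net time M T W T F S S 9:00-18:00
http_access allow net
"""

# The combined form Amos describes: source network, group and time on one
# allow line, then an explicit deny. The network is constructed.
COMBINED = """
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl localnet src 192.168.1.0/24
acl staff external NT_Group staff
acl worktime time D 9:00-18:00
acl all src 0.0.0.0/0
http_access allow localnet staff worktime
http_access deny all
"""

TUE_10 = datetime(2009, 9, 8, 10, 0)    # Tuesday, the date of this thread
THU_10 = datetime(2009, 9, 10, 10, 0)   # Thursday
SAT_10 = datetime(2009, 9, 12, 10, 0)   # Saturday

if __name__ == "__main__":
    outsider = Request("203.0.113.5", None, TUE_10)   # off-net, no login
    print("time-only, outsider Tue 10:00:", http_access(TIME_ONLY, outsider))
    print("combined, outsider Tue 10:00:", http_access(COMBINED, outsider))
```

Two things the model makes visible that the thread only states in prose: the time-only rule admits an unauthenticated off-network client during the window (the open proxy Amos warns about), and outside the window the request falls off the end of the list, where Squid's default is the opposite of the last line.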