[squid-users] XML files Squid2.6

2009-09-23 Thread vikas rawat
Hi All,

Using squid2.6 on RHEL5.0 with NCSA authentication. Everything is fine
except with one application: if I do not use the squid proxy then the XML file
used by the application does not give any issue. With the squid proxy it gives
an authentication error, and if I try to open the XML directly from IE then it
gives the following error:

*
The XML page cannot be displayed
Cannot view XML input using style sheet. Please correct the error and
then click the Refresh button, or try again later.

The download of the specified resource has failed. Error processing
resource 'http://devel.springer.de/A++/V2.4/DTD/A++V2.4...
***

I am attaching the XML, I really need to get over from this issue.

Thanks

Vikas

[Attached XML omitted: the archive stripped its markup. Its DOCTYPE references http://devel.springer.de/A++/V2.4/DTD/A++V2.4JobSheetV2.4.1.dtd]

Re: [squid-users] Re: NCSA Password change and AD Authentication

2009-09-23 Thread vikas rawat
AD authentication is best, well I tried but could not succeed. Now using NCSA.

Problem with NCSA is that:

1) User can't change password herself/himself.
2) Grouping rights.

Vikas
On Wed, Sep 23, 2009 at 9:48 PM, Juan Cardoza  wrote:
> I just need to install an authentication option, what did you think is the
> best option???
> I need to add it to the Squid (squid/2.6.STABLE18)
>
> Note: In the company we have Windows Domain implemented
>
> Please let me know your comments, thanks
> Jhon
>
> -Original Message-
> From: news [mailto:n...@ger.gmane.org] On behalf of Markus Moeller
> Sent: Monday, 14 September 2009 03:21 p.m.
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: NCSA Password change and AD Authentication
>
> What method did you try for AD authentication ?
>
> Markus
>
> "vikas rawat"  wrote in message
> news:d1392a280909140858v38a17373x6675900322a0a...@mail.gmail.com...
> Dear All,
>
> I have configured SQUID in Linux RHEL with NCSA authentication, is
> there any option users can change their password themselves.
>
> I have also tried with authentication with Active Directory several
> times but could not succeed.
>
> Could you help me how to do these process.
>
> thanks
>
> Vikas


Re: [squid-users] Credentials for embedded links

2009-09-23 Thread Vivek

Hi,

I think, this is a normal behaviour. Browser tries to fetch all 
embedded links in the same time.


Any possibilities to avoid this, in Outlook mail or in browser or in 
squid...


Please share your views.



Vivek



-Original Message-
From: Vivek
To: squid-users@squid-cache.org; squ...@treenet.co.nz; hen...@henriknordstrom.net
Sent: Wed, 23 Sep 2009 3:59 pm
Subject: [squid-users] Credentials for embedded links

HI All,

I am using squid with LDAP authentication. It works fine. I have
configured the proxy settings in IE. My Outlook express uses the same
proxy settings that is configured in IE.

If I want to open any html attachments ( Attachment has embedded links
href for images ), the browser pop-up authentication for all images. If
the attachment has 10 images ( Embedded links images ), it open 10
pop-up window at a same time.

Is there any workaround for this issue ( in squid or browser ) ?

Thanks
Vivek

Re: [squid-users] recommended memory/cache replacement policy

2009-09-23 Thread Amos Jeffries
On Wed, 23 Sep 2009 11:28:52 -0500, Luis Daniel Lucio Quiroz
 wrote:
> On Thursday 10 September 2009 06:22:34, Amos Jeffries wrote:
>> Muhammad Sharfuddin wrote:
>> > squid cache 2.7 STABLE5
>> > squid cache 3.0 STABLE19
>> >
>> > I am using the following memory/cache replacement policy
>> >
>> > memory_replacement_policy heap LFUDA
>> > cache_replacement_policy heap LFUDA
>> >
>> > are they(heap LFUDA) best or most recommended ? or should I left them
>> > default.
>> 
>> The defaults there were last tuned years ago and is not heap at all.
>> Read the descriptions of each carefully, the ones I saw a while back
>> covered several scenarios of traffic patterns and sizes and how the
>> policies worked in different network needs.
>> Pick the one which matches your visitor behaviour. Nobody else can
>> identify the best one for you with any accuracy.
>> 
>> Amos
>> 
> hello
> 
> I did change my memory_replacement_policy, and mean_object_size because
> server is in production, a -k reconfigure is enough or I must stop and start
> squid
> 

reconfigure is enough.

Amos


Re: [squid-users] SNMP OIDs

2009-09-23 Thread Amos Jeffries
On Wed, 23 Sep 2009 13:39:51 -0500, Luis Daniel Lucio Quiroz
 wrote:
> On Friday 16 January 2009 15:27:45, Gregori Parker wrote:
>> Google is your friend, search for Squid+OID...the following were in the
>> top 10 results:
>>  http://www.linofee.org/~jel/proxy/Squid/oid.shtml
>>  http://www.oidview.com/mibs/3495/SQUID-MIB.html
>> 
>> Keep in mind that a lot of these OIDs will end in .1, .5 and .60 (for 1
>> min, 5 min and hourly averages)
>> 
>> e.g.
>> requestHitRatioOneMin .1.3.6.1.4.1.3495.1.3.2.2.1.9.1
>> requestHitRatioFiveMin .1.3.6.1.4.1.3495.1.3.2.2.1.9.5
>> requestHitRatioHourly .1.3.6.1.4.1.3495.1.3.2.2.1.9.60
>> 
>> You can also just snmpwalk the 1.3.6.1.4.1.3495.1 tree
>> 
>> 
>> 
>> -Original Message-
>> From: Luis Daniel Lucio Quiroz [mailto:luis.daniel.lu...@gmail.com]
>> Sent: Friday, January 16, 2009 9:54 AM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] SNMP OIDs
>> 
>> Hi,
>> 
>> We are trying to get rid of a commercial reverse proxy, however, we must get
>> this data from SNMP.  I know that squid has snmp support, I've used, but I
>> don't know all oids.  Does any one has a link where oids are specified?
>> 
>> Regards,
>> 
> Thanx
> 
> Just to ask, is this still valid in squid 3.0? and will in 3.1?

Sort of but not really. The shorter the OID the less likely it has changed,
however each major version has some changes in OID leaf nodes. The best way
is to walk the tree and find the specifics.

Amos


Re: [squid-users] proxy is showing up as transparent

2009-09-23 Thread Amos Jeffries
On Wed, 23 Sep 2009 23:13:36 +0100, "J Webster" 
wrote:
> Hi
> I have my proxy set up for port 8080 and 3128.
> I used most of the defaults and it is successfully transmitting webpages.
> However, when I go to: http://www.hideyouripaddress.net/what_is_my_ip/
> it shows the server IP.
> However, it is passing on the fact that it is a proxy and that my real IP
> address is:
> YOUR Proxy
> Proxy Type: Transparent, Real IP: 86.xxx.xxx.xx
> Any ideas why this is and what to check in the config?

The term "transparent" has several and muddled meanings. That website seems
to classify all modes of Squid proxy as "transparent". Perhaps the website
itself is behind a transparent proxy :) Most of that web page you reference
is pure marketing hype mixed with some outright lies.

Amos


Re: [squid-users] Mac Address in access.log

2009-09-23 Thread Amos Jeffries
On Wed, 23 Sep 2009 12:01:40 -0300, Sergio Belkin  wrote:
> Hi, I wonder if is there a way to list the mac address besides ip
> address in access.log.

Only the hard way at present using Squid-3 specific stuff...

Creating an external ACL to lookup the MAC and then logging the tag
returned using the %et code.
MAC handling is getting an upgrade for 3.2 which will hopefully include
logging abilities.

Amos
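
A sketch of the external ACL approach described in the reply above, added here as an example and not code from the thread or from the Squid project. The helper path, the ACL and logformat names, and the use of the Linux ARP cache as the MAC source are assumptions; the ARP table sample is constructed. A MAC is only visible for clients on the proxy's own layer-2 segment and can be changed by the client, so the tag is a logging hint rather than an identity.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: tag each request with the client's MAC address.

Assumed squid.conf wiring (helper path, ACL and format names are illustrative):

    external_acl_type mac_lookup ttl=60 %SRC /usr/local/bin/squid_mac_helper.py
    acl mac_tag external mac_lookup
    http_access deny !mac_tag    # helper answers OK for every client address,
                                 # so this rule only forces the lookup
    logformat withmac %ts.%03tu %>a %et %Ss/%03Hs %rm %ru
"""
import ipaddress
import re
import sys

ARP_PATH = "/proc/net/arp"   # Linux ARP cache (assumption: proxy runs on Linux)
ATF_COM = 0x2                # flag bit set when the ARP entry is complete
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")

# Constructed sample in the /proc/net/arp layout, for offline testing.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:1A:2B:3C:4D:5E     *        eth1
192.168.1.11     0x1         0x0         00:00:00:00:00:00     *        eth1
192.168.1.12     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth1
"""


def parse_arp(text):
    """Return {ip: mac} for complete ARP entries only."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        try:
            complete = int(flags, 16) & ATF_COM
        except ValueError:
            continue
        if complete and MAC_RE.fullmatch(mac) and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table


def answer(request_line, table):
    """Build the helper reply for one request line containing %SRC."""
    fields = request_line.split()
    if not fields:
        return "ERR"
    try:
        client = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"                            # malformed input: no match
    # Always OK so the lookup never changes the access decision;
    # clients behind a router simply get tag=unknown.
    return "OK tag=" + table.get(client, "unknown")


def main():
    for line in sys.stdin:                      # one request per line
        try:
            with open(ARP_PATH) as fh:
                table = parse_arp(fh.read())
        except OSError:
            table = {}
        sys.stdout.write(answer(line, table) + "\n")
        sys.stdout.flush()                      # Squid waits for each reply


if __name__ == "__main__":
    main()
```
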



Re: [squid-users] weird traffic

2009-09-23 Thread Amos Jeffries
On Wed, 23 Sep 2009 10:17:31 -0400, Matthew Morgan 
wrote:
> Amos Jeffries wrote:
>> On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan
>> 
>> wrote:
>>   
>>> Leonardo Carneiro wrote:
>>> 
>>>> you could bind squid to only listen the LAN interface. doing this, no 
>>>> one will be able to establish a external connection with squid.
>>>>
>>> I'll try that, but I thought my firewall rules were taking care of 
>>> that.  They may not be though...I'm just recently learning iptables.  
>>> I'll post back with the results.
>>>
>>> Thanks!
>>>
>>> 
>>
>> IIRC llnw.net are one of the providers for a lot of video content.  If
>> your Squid is configured to download a complete file on range requests and
>> one of your users started downloading a video then stopped Squid would show
>> this behavior.
>>   
> Ah!  This may be it.  My squid IS set to download an entire file on 
> range request so that windows updates will cache properly.  We're 
> actually a computer shop, so there is no telling what type of downloads 
> the virus infested customer machines may initiate and drop as we work on 
> them.
> 
> Thanks for the tip!
> 
> As for Leonardo Carneiro's advice about only binding to the local port:  
> it may just be my imagination, but it seems like that has cut down on 
> the length of time these strange connections last.  As I said, I'm not 
> really a networking expert, so I don't even know if that makes sense.  
> Either way, it was a security measure I should have taken in the first 
> place.

Ah, since you have untrusted machines internally. I'd suggest locking down
the access even further. So that only known machines have random access
out. The ones being fixed allowed out to a whitelist of sites (AV vendors
and WU sources) so the auto-updates can work easily with less worry about
viral requests.

The squid logs can be grep'd during/after to see what it attempted, or the
sqstat web script to show current connections for live tracking. That to
give a fair idea if there was any viral activity or if the whitelist need
to be updated.

Amos

>> Though yeah, a firewall spot-check is also good when strange things
>> happen.
>>
>> Amos
>>
>>   
>>>> Matthew Morgan wrote:
>>>>
>>>>> I have squid set up as a transparent proxy.  It has two interfaces: 
>>>>> eth0 (internet facing wan) and eth1 (local).  I'm using iptables to 
>>>>> masquerade the packets from my local network on eth1 and redirect 
>>>>> them to squid's port.  All this seems to work fine.
>>>>>
>>>>> The thing is, I keep seeing long periods of high incoming traffic on 
>>>>> eth0, but low outgoing traffic on eth0, and nearly no traffic on 
>>>>> eth1.  Every time I see this, the data is always coming from either 
>>>>> llnw.net or msecn.net.  Both of these are legitimate content delivery
>>>>> networks.  When I inspect the traffic I'm getting with 
>>>>> tcpdump/wireshark, none of the traffic from these domain is going 
>>>>> through to eth1 at all.  I can confirm that this traffic is going to 
>>>>> squid, since a netstat -p shows squid as the program with the 
>>>>> connection open.
>>>>>
>>>>> What could be causing this?  I tried turning off persistent 
>>>>> connections in case a client was making the connection and then 
>>>>> ignoring the data, but I'm not sure if that's possible or the 
>>>>> problem.  I'm not a network expert.
>>>>>
>>>>> 
>>
>>
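
The log review suggested in the reply above (checking what the machines under repair attempted, and whether the whitelist needs updating), as an added example that is not code from the thread. It assumes Squid's native access.log layout; the quarantined addresses, the whitelist entries and the log lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed values: addresses of machines on the repair bench and the
# domains they are allowed to reach (update and AV sources).
QUARANTINE = {"192.168.1.50", "192.168.1.51"}
WHITELIST = ("windowsupdate.com", "update.microsoft.com", "av-vendor.example")

# Constructed sample in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1253715451.101    120 192.168.1.50 TCP_MISS/200 4521 GET http://download.windowsupdate.com/v9/a.cab - DIRECT/203.0.113.10 application/octet-stream
1253715452.310     15 192.168.1.50 TCP_DENIED/403 1420 GET http://cdn.tracker.example/beacon.gif - NONE/- text/html
1253715453.007     14 192.168.1.50 TCP_DENIED/403 1420 GET http://cdn.tracker.example/beacon.gif - NONE/- text/html
1253715454.552     12 192.168.1.51 TCP_DENIED/403 1399 CONNECT mail.relay.example:443 - NONE/- text/html
1253715455.900     80 192.168.1.51 TCP_MISS/200 900 GET http://windowsupdate.com.mirror.example/x.exe - DIRECT/203.0.113.77 application/octet-stream
1253715456.010    200 192.168.1.20 TCP_MISS/200 35000 GET http://news.example/ - DIRECT/203.0.113.5 text/html
"""


def request_host(method, url):
    """Extract the destination host; CONNECT logs 'host:port', not a URL."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def allowed(host, whitelist):
    """Match on a label boundary so 'windowsupdate.com.mirror.example'
    is not mistaken for a windowsupdate.com host."""
    return any(host == d or host.endswith("." + d) for d in whitelist)


def review(log_text, quarantine, whitelist):
    """Count off-whitelist requests per (client, host, squid action)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # truncated or foreign line
        client, status, method, url = fields[2], fields[3], fields[5], fields[6]
        if client not in quarantine:
            continue                      # trusted machines are not reviewed
        host = request_host(method, url)
        if not allowed(host, whitelist):
            hits[(client, host, status.split("/")[0])] += 1
    return hits


def leaks(hits):
    """Off-whitelist requests that were NOT denied: the ACL let them out."""
    return sorted(k for k in hits if k[2] != "TCP_DENIED")


if __name__ == "__main__":
    found = review(SAMPLE_LOG, QUARANTINE, WHITELIST)
    for (client, host, action), n in sorted(found.items()):
        print(f"{client} -> {host} [{action}] x{n}")
    for client, host, action in leaks(found):
        print(f"ACL gap: {client} reached {host} ({action})")
```

Denied entries show what a machine tried to reach; an entry returned by `leaks` means the proxy's whitelist rule is looser than intended and should be tightened.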


[squid-users] proxy is showing up as transparent

2009-09-23 Thread J Webster

Hi
I have my proxy set up for port 8080 and 3128.
I used most of the defaults and it is successfully transmitting webpages.
However, when I go to: http://www.hideyouripaddress.net/what_is_my_ip/
it shows the server IP.
However, it is passing on the fact that it is a proxy and that my real IP 
address is:

YOUR Proxy
Proxy Type: Transparent, Real IP: 86.xxx.xxx.xx
Any ideas why this is and what to check in the config?
Thanks 



[squid-users] Re: Re: squid_kerb_auth.... Key Version number?

2009-09-23 Thread Markus Moeller


"Mrvka Andreas"  wrote in message 
news:200909230856.14501@tuv.at...

Hi Markus,

thank you for your response.
It seems that I've solved it for myself with keep very long trying

I would have done your debugging questions if I had read your answer sooner.


Well,
What do you mean with clearing cache on Windows client? Do you mean the AD
Server Win2k8 or a normal Windows browser cache?


Windows XP Kerberos cache. When you authenticate on XP ( or other Windows 
systems)  against AD you cache a ticket for about 8 hours. This ticket is 
used to get a so called TGS for the service HTTP/fqdn from AD. Once 
requested from AD the TGS is also cached for 8 hours. This means if you 
change during the 8 hours the entry in AD the Windows XP client won't know 
and will still use the previously cached TGS with the key from the "old"  AD 
entry.


I haven't read anywhere that the client cache has something to do with it...

(but maybe - because on one domain the auth worked and at the other domain
not)

Your kinit line never worked for me, as I can remind.
Only >kinit administrator< did.



If the keytab has been created with msktutil in the way I described in the 
wiki then the kinit must work otherwise the key in the keytab does not match 
the entry in AD.


I tested with klist, ktab, kvno and looked to have the versions coherent and
after using kinit I had to do an net ads join again because wbinfo -t check


You must make sure that the AD entries don't have the same name (e.g. the 
computername in msktutil can not be the same as the one net ads join uses 
!!)
BTW net ads join is not needed for Kerberos, but I guess you want to handle 
NTLM too


I can only guess that you did use the same name as this would explain a 
change in the kvno.



failed afterwards and this changes the version of the host principal ticket
sometimes...
It was really a trial and error with destroying the computer account, using
kdestroy on squid and do ktpass or msktutil again...


But in the end where kvno and klist say that they have the same version - it
seemed that I just had to wait that the message "key version incorrect"
disappeared in cache.log.

Maybe the client cache is really important



Yes it is.



Regards
Andrew



On Tuesday, 22 September 2009 22:33:48, Markus Moeller wrote:

Can you send me the cache.log entries ?

Can you do a kinit -kt /etc/squid/HTTP.keytab HTTP/f...@domain ?

Can you capture with wireshark the traffic on port 88 on the kdc when doing
kinit ?

Did you clear the cache on the Windows client using the Windows klist or
kerbtray from the resource kit ?

Regards
Markus

"Mrvka Andreas"  wrote in message
news:200909221022.00697@tuv.at...
Hi again,

now I created the HTTP.keytab file on Win2k8 server and actually
the apps "klist -ke" and kvno say the key versions are VALID.

but squid is of the opinion that they differ.

# klist -ke
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal

--
   5 HTTP/f...@domain (DES cbc mode with CRC-32)
   5 HTTP/f...@domain (DES cbc mode with RSA-MD5)
   5 HTTP/f...@domain (ArcFour with HMAC/md5)
   5 HTTP/f...@domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/f...@domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)

# kvno -k /etc/squid/HTTP.keytab HTTP/f...@domain
HTTP/f...@domain: kvno = 5, keytab entry valid


From where does squid get his wrong impression?

My squid.conf
auth_param negotiate program squid_kerb_auth -d -s HTTP/f...@domain


Maybe I can support anyone by my detailed described errors. :-)


Regards
Andrew

On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
> Hello,
>
> on the next day, I also get my "Key Version number"-problem on the same
>  domain
>
> What is the best way to keep the versions in sync?
> I already erased the computer account and did msktutil again.
> I believe that for a short time the versions were correct (said klist and
> kvno) but during tests with squid they differed.!?
>
> I only use one KDC Win2k8 (configured in krb5.conf).
>
> Does anybody has a clue?
>
> Thanks
> Andrew
>
> On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
> > Hi list,
> >
> > does anybody know what to do against different key version numbers using
> > squid_kerb_auth?
> >
> > I created HTTP.keytab from the msktutil and works great.
> > In fact in this domain where squid lives this internet explorers has no
> > problem using squid_kerb_auth.
> >
> > On other domains I get
> > "Unspecified GSS failure.  Minor code may provide more information. 
> > Key

> > version number for principal in key table is incorrect"
> >
> > Via "klist -ke" and "kvno HTTP/fqdn" I am able to compare these
> > keys and they differ.
> >
> > "kinit -R" doesn't work...: "KDC can't fulfill requested option while
> > renewing credentials"
> >
> > Can anybody shine me a light?
> >
> > Thanks you very much.
> > Andrew








Re: [squid-users] Squid + Trendmicro

2009-09-23 Thread George Herbert
On Wed, Sep 23, 2009 at 1:27 PM, Luis Daniel Lucio Quiroz
 wrote:
> On Monday 7 September 2009 01:04:49, Amos Jeffries wrote:
>> Luis Daniel Lucio Quiroz wrote:
>> > Hi all,
>> >
>> > Well, I have a really big problem,  We have deployed a Squid with digest
>> > auth + LDAP, it was working perfectly but other department has installed a
>> > Trendmicro antivirii solution.
>> >
>> > Well the problem is that when trendmicro client ask squid to access an
>> > url, it fails in first acl related with auth.
>> >
>> > My log is this:
>> > Request:
>> > 2009/09/05 23:56:30.829| parseHttpRequest: Request Header is
>> > Host: licenseupdate.trendmicro.com:80
>> > User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
>> > Accept: */*
>> > Pragma: no-cache
>> > Cache-Control: no-cache,no-store
>> > Proxy-Authorization: Digest username="avedstrend", realm="XXX",
>> > nonce="/kCjSgB4/JcCAKLZuWMA", uri
>> > ="http://licenseupdate.trendmicro.com:80/ollu/license_update.aspx?Protoco
>> >l_version=1&AC=OSVMX49VN7GTUMQ8QYQAX
>> > SGJ72QENXK&Product_Code=OS&AP_Name=OC&OS=WW&Language=E&Product_Version=R3
>> >CnAGQAyAA", response="5bd515897ca2f1
>> > 84b196eae2fafc654a"
>> > Proxy-Connection: Keep-Alive
>> > Connection: Close
>> >
>> >
>> > Acl who fails:
>> > 2009/09/05 23:56:30.832| ACLChecklist::preCheck: 0x146e1b0 checking
>> > 'http_access deny !plUexception !plU'
>> > 2009/09/05 23:56:30.832| ACLList::matches: checking !plUexception
>> > 2009/09/05 23:56:30.832| ACL::checklistMatches: checking 'plUexception'
>> > 2009/09/05 23:56:30.832| authenticateAuthenticate: no connection
>> > authentication type
>> > 2009/09/05 23:56:30.832| AuthUserRequest::AuthUserRequest: initialised
>> > request 0x189cc30
>> > 2009/09/05 23:56:30.832| authenticateValidateUser: Validated Auth_user
>> > request '0x189cc30'.
>> > 2009/09/05 23:56:30.832| authenticateValidateUser: Validated Auth_user
>> > request '0x189cc30'.
>> > FATAL: Received Segment Violation...dying.
>> >
>> > As you see plUexception is failing , this acl is declared as next:
>> >
>> > plUexception acl auth user1
>> >
>> >
>> > I wonder if anyone knows how to fix it.
>>
>> Segment violation crashes require a code fix.  What release of Squid is
>> this?
>>
>> ... and can you get any stack trace info?
>>
>> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e6
>> 7911becaabb8c95a34d576d
>>
>>
>> Amos
>>
> We are about to make stack trace,
> but sys admins is worry about diskspace, approx, how many diskspace we need
> for disktrace
>
> right now we have 44Gb free, is this enough?
>
> TIA
>


44 GB is plenty.  You need something like your processes' actual
memory usage at the time of the crash for each crash trace.  You can
turn on and off the tracing rapidly - you configure a directory for
the dumps in the squid.conf, but set permissions on the directory so
that the Squid user can't write there, and nothing comes out.  Then
set permissions on, wait for a crash or a few crashes, turn
permissions off again.

With 44 GB general range of available diskspace I had very balky
versions of Squid doing multi-day all crash dump capture without
exhausting the space available.  You don't want to just turn it on and
ignore it - it will eventually fill up - but that should be multiple
days worth, even if it crashes a lot for Squid.


-- 
-george william herbert
george.herb...@gmail.com


Re: [squid-users] Squid + Trendmicro

2009-09-23 Thread Luis Daniel Lucio Quiroz
On Monday 7 September 2009 01:04:49, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Hi all,
> >
> > Well, I have a really big problem,  We have deployed a Squid with digest
> > auth + LDAP, it was working perfectly but other department has installed a
> > Trendmicro antivirii solution.
> >
> > Well the problem is that when trendmicro client ask squid to access an
> > url, it fails in first acl related with auth.
> >
> > My log is this:
> > Request:
> > 2009/09/05 23:56:30.829| parseHttpRequest: Request Header is
> > Host: licenseupdate.trendmicro.com:80
> > User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
> > Accept: */*
> > Pragma: no-cache
> > Cache-Control: no-cache,no-store
> > Proxy-Authorization: Digest username="avedstrend", realm="XXX",
> > nonce="/kCjSgB4/JcCAKLZuWMA", uri
> > ="http://licenseupdate.trendmicro.com:80/ollu/license_update.aspx?Protoco
> >l_version=1&AC=OSVMX49VN7GTUMQ8QYQAX
> > SGJ72QENXK&Product_Code=OS&AP_Name=OC&OS=WW&Language=E&Product_Version=R3
> >CnAGQAyAA", response="5bd515897ca2f1
> > 84b196eae2fafc654a"
> > Proxy-Connection: Keep-Alive
> > Connection: Close
> >
> >
> > Acl who fails:
> > 2009/09/05 23:56:30.832| ACLChecklist::preCheck: 0x146e1b0 checking
> > 'http_access deny !plUexception !plU'
> > 2009/09/05 23:56:30.832| ACLList::matches: checking !plUexception
> > 2009/09/05 23:56:30.832| ACL::checklistMatches: checking 'plUexception'
> > 2009/09/05 23:56:30.832| authenticateAuthenticate: no connection
> > authentication type
> > 2009/09/05 23:56:30.832| AuthUserRequest::AuthUserRequest: initialised
> > request 0x189cc30
> > 2009/09/05 23:56:30.832| authenticateValidateUser: Validated Auth_user
> > request '0x189cc30'.
> > 2009/09/05 23:56:30.832| authenticateValidateUser: Validated Auth_user
> > request '0x189cc30'.
> > FATAL: Received Segment Violation...dying.
> >
> > As you see plUexception is failing , this acl is declared as next:
> >
> > plUexception acl auth user1
> >
> >
> > I wonder if anyone knows how to fix it.
> 
> Segment violation crashes require a code fix.  What release of Squid is
> this?
> 
> ... and can you get any stack trace info?
> 
> http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e6
> 7911becaabb8c95a34d576d
> 
> 
> Amos
> 
We are about to make stack trace,
but sys admins is worry about diskspace, approx, how many diskspace we need 
for disktrace

right now we have 44Gb free, is this enough?

TIA


Re: [squid-users] SNMP OIDs

2009-09-23 Thread Luis Daniel Lucio Quiroz
On Friday 16 January 2009 15:27:45, Gregori Parker wrote:
> Google is your friend, search for Squid+OID...the following were in the
> top 10 results:
>   http://www.linofee.org/~jel/proxy/Squid/oid.shtml
>   http://www.oidview.com/mibs/3495/SQUID-MIB.html
> 
> Keep in mind that a lot of these OIDs will end in .1, .5 and .60 (for 1
> min, 5 min and hourly averages)
> 
> e.g.
> requestHitRatioOneMin .1.3.6.1.4.1.3495.1.3.2.2.1.9.1
> requestHitRatioFiveMin .1.3.6.1.4.1.3495.1.3.2.2.1.9.5
> requestHitRatioHourly .1.3.6.1.4.1.3495.1.3.2.2.1.9.60
> 
> You can also just snmpwalk the 1.3.6.1.4.1.3495.1 tree
> 
> 
> 
> -Original Message-
> From: Luis Daniel Lucio Quiroz [mailto:luis.daniel.lu...@gmail.com]
> Sent: Friday, January 16, 2009 9:54 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] SNMP OIDs
> 
> Hi,
> 
> We are trying to get rid of a commercial reverse proxy, however, we must get
> this data from SNMP.  I know that squid has snmp support, I've used, but I
> don't know all oids.  Does any one has a link where oids are specified?
> 
> Regards,
> 
Thanx

Just to ask, is this still valid in squid 3.0? and will in 3.1?


[squid-users] Swapfile clashes avoided

2009-09-23 Thread Chudy Fernandez
I have this in log. What are these swapfile clashes 
that are being avoided?

why they are being avoided...

2009/09/23 19:42:53|   2166281 Entries scanned
2009/09/23 19:42:53|         0 Invalid entries.
2009/09/23 19:42:53|         0 With invalid flags.
2009/09/23 19:42:53|   1455120 Objects loaded.
2009/09/23 19:42:53|         0 Objects expired.
2009/09/23 19:42:53|         0 Objects cancelled.
2009/09/23 19:42:53|        83 Duplicate URLs purged.
2009/09/23 19:42:53|    711073 Swapfile clashes avoided.


  


Re: [squid-users] recommended memory/cache replacement policy

2009-09-23 Thread Luis Daniel Lucio Quiroz
On Thursday 10 September 2009 06:22:34, Amos Jeffries wrote:
> Muhammad Sharfuddin wrote:
> > squid cache 2.7 STABLE5
> > squid cache 3.0 STABLE19
> >
> > I am using the following memory/cache replacement policy
> >
> > memory_replacement_policy heap LFUDA
> > cache_replacement_policy heap LFUDA
> >
> > are they(heap LFUDA) best or most recommended ? or should I left them
> > default.
> 
> The defaults there were last tuned years ago and is not heap at all.
> Read the descriptions of each carefully, the ones I saw a while back
> covered several scenarios of traffic patterns and sizes and how the
> policies worked in different network needs.
> Pick the one which matches your visitor behaviour. Nobody else can
> identify the best one for you with any accuracy.
> 
> Amos
> 
hello

I did change my memory_replacement_policy, and mean_object_size because server
is in production, a -k reconfigure is enough or I must stop and start squid

TIA

LD


RE: [squid-users] Re: NCSA Password change and AD Authentication

2009-09-23 Thread Juan Cardoza
I just need to install an authentication option, what did you think is the
best option???
I need to add it to the Squid (squid/2.6.STABLE18)

Note: In the company we have Windows Domain implemented

Please let me know your comments, thanks
Jhon

-Original Message-
From: news [mailto:n...@ger.gmane.org] On behalf of Markus Moeller
Sent: Monday, 14 September 2009 03:21 p.m.
To: squid-users@squid-cache.org
Subject: [squid-users] Re: NCSA Password change and AD Authentication

What method did you try for AD authentication ?

Markus

"vikas rawat"  wrote in message 
news:d1392a280909140858v38a17373x6675900322a0a...@mail.gmail.com...
Dear All,

I have configured SQUID in Linux RHEL with NCSA authentication, is
there any option users can change their password themselves.

I have also tried with authentication with Active Directory several
times but could not succeed.

Could you help me how to do these process.

thanks

Vikas



Teleperformance values: Integrity - Respect - Professionalism - Innovation - 
Commitment

The information contained in this communication is privileged and confidential. 
 The content is intended only for the use of the individual or entity named 
above. If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication 
in error, please notify me immediately by telephone or e-mail, and delete this 
message from your systems.
Please consider the environmental impact of needlessly printing this e-mail.


[squid-users] Mac Address in access.log

2009-09-23 Thread Sergio Belkin
Hi, I wonder if is there a way to list the mac address besides ip
address in access.log.

Thanks in advance.

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


[squid-users] Question related to cache headers

2009-09-23 Thread Claudio Redi
Hi guys!
This question is almost OFF TOPIC but I think that probably you can
help me sharing your experiences with me.

We have a news portal behind a squid server. We have spent a lot of
time setting cache headers on the application + configuring the squid
server.

Basically I'd like to know which headers would you set in order to
cache a (very) dynamic page for 10 minutes.

Seems that some cache servers won't store anything without the
last-modified header, but it's almost impossible for me to build an
accurate last-modified date.

Basically I have these headers for cache:

Cache-Control: public, max-age=300
Expires: Wed, 23 Sep 2009 14:49:19 GMT

Could you tell me how would you set squid + headers for storing 10
minutes the content pages on any cache (without revalidation end-to-end
if possible)?

thanks in advance!



Re: [squid-users] weird traffic

2009-09-23 Thread Matthew Morgan

Amos Jeffries wrote:

On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan 
wrote:
  

Leonardo Carneiro wrote:

you could bind squid to only listen the LAN interface. doing this, no 
one will be able to establish a external connection with squid.
  
I'll try that, but I thought my firewall rules were taking care of 
that.  They may not be though...I'm just recently learning iptables.  
I'll post back with the results.


Thanks!




IIRC llnw.net are one of the providers for a lot of video content.  If your
Squid is configured to download a complete file on range requests and one
of your users started downloading a video then stopped Squid would show
this behavior.
  
Ah!  This may be it.  My squid IS set to download an entire file on 
range request so that windows updates will cache properly.  We're 
actually a computer shop, so there is no telling what type of downloads 
the virus infested customer machines may initiate and drop as we work on 
them.


Thanks for the tip!

As for Leonardo Carneiro's advice about only binding to the local port:  
it may just be my imagination, but it seems like that has cut down on 
the length of time these strange connections last.  As I said, I'm not 
really a networking expert, so I don't even know if that makes sense.  
Either way, it was a security measure I should have taken in the first 
place.

Though yeah, a firewall spot-check is also good when strange things happen.

Amos

  

Matthew Morgan wrote:
  
I have squid set up as a transparent proxy.  It has two interfaces: 
eth0 (internet facing wan) and eth1 (local).  I'm using iptables to 
masquerade the packets from my local network on eth1 and redirect 
them to squid's port.  All this seems to work fine.


The thing is, I keep seeing long periods of high incoming traffic on 
eth0, but low outgoing traffic on eth0, and nearly no traffic on 
eth1.  Every time I see this, the data is always coming from either 
llnw.net or msecn.net.  Both of these are legitimate content delivery 
networks.  When I inspect the traffic I'm getting with 
tcpdump/wireshark, none of the traffic from these domain is going 
through to eth1 at all.  I can confirm that this traffic is going to 
squid, since a netstat -p shows squid as the program with the 
connection open.


What could be causing this?  I tried turning off persistent 
connections in case a client was making the connection and then 
ignoring the data, but I'm not sure if that's possible or the 
problem.  I'm not a network expert.





  




Re: [squid-users] Upgrade from 2.6 to 3.0 on Red Hat

2009-09-23 Thread Amos Jeffries

Iosif wrote:
> I would like to perform an upgrade from 2.6 to 3.0.
>
> What is the procedure to perform the upgrade?

0) locate the packages suitable for install to your system, or prepare
to build your own squid. http://wiki.squid-cache.org/SquidFaq has
info there.

1) find the 3.0 release notes:
http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html

2) read section 8 carefully (it does include features in 2.6 despite the
title). Looking for mention of any features or config options you need
to use. If you find one you can't do without, then abort. 3.0 is not a
good upgrade for you.

3) read sections 6 and 7 carefully as well. Make any changes you need to.

> Should the existing configuration ...squid/etc files need to be deleted?

No, just altered according to results from the above (#3) checks.

> Can a backup be performed to be used to reverse back the configuration if
> the new version will not work?

Of course you can if you wish.

If you are lucky you may be able to simply uninstall the new version and
install a replacement old version. Then drop in the config files.

Worst case you might need to run " squid -v " (before doing the upgrade)
to find out where all the libexec (helper binaries) and other files used
by squid are located. The configure options give an idea list what file
names and where.  They will also need to be down-graded along with the
config files if you revert to the old version. This is usually automatic
when installing packaged versions.

... or the old build options can be used to rebuild an old version clean.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13


[squid-users] Upgrade from 2.6 to 3.0 on Red Hat

2009-09-23 Thread Iosif
I would like to perform an upgrade from 2.6 to 3.0. 

What is the procedure to perform the upgrade? 

Should the existing configuration ...squid/etc files need to be deleted?

Can a backup be performed to be used to reverse back the configuration if
the new version will not work?
  
Thanks
Jo





[squid-users] Credentials for embedded links

2009-09-23 Thread Vivek

HI All,

I am using squid with LDAP authentication. It works fine. I have 
configured the proxy settings in IE. My Outlook express uses the same 
proxy settings that is configured in IE.


If I want to open any html attachments ( Attachment has embedded links 
href for images ), the browser pops up authentication for all images. If 
the attachment has 10 images ( Embedded links images ), it opens 10 
pop-up windows at the same time.


Is there any workaround for this issue ( in squid or browser ) ?

Thanks

Vivek


[squid-users] Re: Weird statistics from snmp

2009-09-23 Thread Matias

Thank you very much for your clarification guys.

I'd love to help the squid developers to document this and what 
exactly each oid represents, but I'm afraid I don't have the needed 
knowledge to do this.


Thanks again.

Matias.


Henrik Nordstrom wrote:
> On Mon 2009-09-21 at 10:27 +0200, Matias wrote:
>> Hi,
>>
>> I'm monitoring the oids:
>>
>> 1.3.6.1.4.1.3495.1.4.1.3 (cacheHits)
>> and
>> 1.3.6.1.4.1.3495.1.4.1.6 (cacheMisses)
>
> Those two are
> squid.cacheNetwork.cacheIpCache.cacheIpHits
> and
> squid.cacheNetwork.cacheIpCache.cacheIpMisses
>
> What you are looking for are
> squid.cachePerf.cacheProtoStats.cacheProtoAggregateStats.cacheHttpHits
> .1.3.6.1.4.1.3495.1.3.2.1.2
> and
> squid.cachePerf.cacheProtoStats.cacheProtoAggregateStats.cacheProtoClientHttpRequests
> .1.3.6.1.4.1.3495.1.3.2.1.1
>
> there is no SNMP variable for the number of misses, but you can
> calculate it by subtracting the hits from requests.
>
>> For some reason, the first one increases much more than the latter one.
>> I'm watching the access_log, and most of the results are TCP_MISS.
>
> It should. You are looking into the IP cache where Squid internally
> caches DNS lookups.
>
> Regards
> Henrik






[squid-users] NTLM auth working with 2008 AD native mode.

2009-09-23 Thread Anders Larsson
Hi!

I got ntlm working against a Windows 2008 AD domain in native mode. 

But I got some problems with some sites that send a popup for login for
the squid server to the requested site.

As I read, this is a problem when the site uses Microsoft JAVA?
I can create an acl that allows these urls, but that is some work to
maintain...

What is the best way to handle this?

And why do I get a deny of every request when using AUTH? Is this the
way it is designed?
First a deny, then a refresh:

 0 citrix28.jll.jllad.se TCP_DENIED/407 2056 GET
http://www.projectplace.se/Projektplatsen_images/newsticker.gif jll\jore
NONE/- text/html
1253694393.722  1 citrix28.jll.jllad.se TCP_DENIED/407 2234 GET
http://www.projectplace.se/Projektplatsen_images/newsticker.gif - NONE/-
text/html
1253694393.750 19 citrix28.jll.jllad.se TCP_REFRESH_HIT/304 408 GET
http://www.projectplace.se/Projektplatsen_images/newsticker.gif jore
DIRECT/92.123.155.18 image/gif


Regards Anders






-- 
 Med Vänliga Hälsningar
 Best Regards 
 
* Anders Larsson
 * Systemadmin Unix/Linux
 * Tieto
* 831 48 ÖSTERSUND
 * Växel:+46 (0)63 664 63 00
 * Fax:  +46 (0)63 664 63 20
 * Tel:  +46 (0)10 481 98 01
 * Mobil:+46 (0)70 656 42 64
 * Mail: anders.lars...@tieto.com
 **
 
  Debian is they way to salvation 
 
 ---  How Hard Can It Be ---
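
NTLM proxy authentication is a challenge-response exchange, so every new connection logs TCP_DENIED/407 before the authenticated request goes through. The sketch below is an added example, not part of the original post: it separates those handshake 407s from challenges that are never answered, using a constructed log in Squid's native format. The host names, user name and 5-second window are assumptions.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts client result status method url user")

def parse_line(line):
    """Parse one line of Squid's native access.log format."""
    f = line.split()
    result, status = f[3].split("/")
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[7])

def unanswered_challenges(lines, window=5.0):
    """Return 407 entries NOT followed, within `window` seconds, by an
    authenticated request from the same client for the same URL."""
    entries = sorted((parse_line(l) for l in lines if l.strip()),
                     key=lambda e: e.ts)
    suspicious = []
    for i, e in enumerate(entries):
        if e.status != 407:
            continue
        completed = any(
            later.client == e.client and later.url == e.url
            and later.status != 407 and later.user != "-"
            and later.ts - e.ts <= window
            for later in entries[i + 1:])
        if not completed:
            suspicious.append(e)
    return suspicious

# Constructed sample log (hosts, URLs, user and timestamps are made up).
SAMPLE = """\
1253694393.700      0 ws1.example.lan TCP_DENIED/407 2056 GET http://www.example.com/a.gif - NONE/- text/html
1253694393.722      1 ws1.example.lan TCP_DENIED/407 2234 GET http://www.example.com/a.gif - NONE/- text/html
1253694393.750     19 ws1.example.lan TCP_MISS/200 408 GET http://www.example.com/a.gif alice DIRECT/192.0.2.10 image/gif
1253694400.100      0 ws2.example.lan TCP_DENIED/407 2056 GET http://www.example.com/b.gif - NONE/- text/html
1253694401.300      0 ws2.example.lan TCP_DENIED/407 2234 GET http://www.example.com/b.gif - NONE/- text/html
1253694402.900      0 ws2.example.lan TCP_DENIED/407 2234 GET http://www.example.com/b.gif - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for e in unanswered_challenges(SAMPLE):
        print(f"{e.ts:.3f} {e.client} {e.url}: 407 with no completed login")
```

Only the ws2 entries are reported: a run of 407s with no authenticated follow-up points at a client that cannot complete the login, which is the case worth investigating.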



Re: [squid-users] Disable file upload

2009-09-23 Thread Mario Remy Almeida
Hi Maurizio,

Thanks for your reply.

unfortunately even that policy is not working.

//Remy

Maurizio Marini wrote:
> On Tuesday 22 September 2009, Mario Remy Almeida wrote:
>   
>> Hi All
>>
>> Need to disable file upload with gmail how can I do this?
>>
>>
>> acl fileupload req_mime_type -i ^multipart/form-data$
>> 
>
> http_reply_access deny  fileupload
>
> -m
>   

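
The ACL quoted in this thread can be checked offline. The following is an added example, not code from the posters or the Squid project: it models `req_mime_type` as a case-insensitive regex search over the request's Content-Type header (Python's `re` standing in for Squid's regex library is an assumption) and runs the posted pattern against constructed requests.

```python
import re

# Simplified model of Squid's req_mime_type ACL: an unanchored,
# case-insensitive (-i) regex search over the request Content-Type header.
def req_mime_type_matches(pattern, request):
    content_type = request.get("content_type")
    if content_type is None:          # no Content-Type header, nothing to match
        return False
    return re.search(pattern, content_type, re.IGNORECASE) is not None

POSTED = r"^multipart/form-data$"     # pattern from the thread
RELAXED = r"^multipart/form-data"     # same pattern without the trailing anchor

# Constructed sample requests (not captured traffic).
REQUESTS = [
    # Plain-HTTP form upload: the header always carries a boundary parameter.
    {"method": "POST", "url": "http://intranet.example/upload",
     "content_type": "multipart/form-data; boundary=----ExampleBoundary7MA4"},
    # Ordinary form post without a file part.
    {"method": "POST", "url": "http://intranet.example/login",
     "content_type": "application/x-www-form-urlencoded"},
    # HTTPS through a forward proxy: the proxy only sees the CONNECT line;
    # the upload's headers travel inside the encrypted tunnel.
    {"method": "CONNECT", "url": "mail.google.com:443", "content_type": None},
]

def blocked(pattern, requests=REQUESTS):
    """Return the URLs that a deny rule on this ACL would refuse."""
    return [r["url"] for r in requests if req_mime_type_matches(pattern, r)]

if __name__ == "__main__":
    print("posted pattern blocks: ", blocked(POSTED))
    print("relaxed pattern blocks:", blocked(RELAXED))
```

The posted pattern matches nothing because of the `$` anchor, and neither pattern can see an upload sent inside a CONNECT tunnel. A rule meant to stop the upload also belongs in `http_access`, which is evaluated before the request is forwarded, while `http_reply_access` only filters the reply.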


Re: [squid-users] squid http -> https translation

2009-09-23 Thread Wiktor Warmus
On Sun, 2009-09-20 at 23:46 +1200, Amos Jeffries wrote:
> > Hi, 
> > according to the post:
> > 
> > http://www.squid-cache.org/mail-archive/squid-users/200506/0071.html
> > 
> > On 03.06 14:22, Gruskovnjak Oliver wrote: 
> >>> Is it possible to make squid act as a "translator" ?
> >>> The setup should look like that:
> >>>
> >>> There is a server and a client both can change their state to server
> >>> or client.
> > 
> >>> The traffic should look like this:
> >>>
> >>> Client -- HTTP -- Squid -- HTTPS -- Server
> > 
> >> - squid-2.5 needs ssl patch to do this. 
> >> squid-3.0 can do this but it's not released yet. 
> > 
> >>> Server -- HTTPS --Squid --HTTP -- Client
> > 
> >> pardon, you don't want the server to connect to the client, do you? 
> >> Why do you want to use SSL? And why can't you use SSL directly from 
> >> client to server? 
> > 
> >>> To the server there should be a HTTP to HTTPS translation and from the
> >>> server to the client a HTTPS to HTTP translation.
> >>>
> >>> Is it possible to do this with squid ?
> > 
> > I would like to re-ask the same question.
> > I am trying to run IE via wine on Linux
> 
> Eew.

I wouldn't do this, if it wasn't necessary. One site, that is required
in some company is written in the way, that only IE 5.5 or 6.0 is able
to print it properly. 

> 
> > and it's unable to connect to
> > the sites via https, so I thought about some kind of https-to-http
> > translation and found the link above with alike issue.
> 
> 
> 
> And the answer is nearly the same. 2.5 needs a patch. All the currently 
> supported Squid can do this without trouble in several ways.
> 
>   * Squid in normal operation can let the browser open a tunnel and 
> shovel HTTPS bits directly between the browser and website.
> 
>   * Squid can also open https:// URLs if the client browser is happy to 
> be talking unsecured HTTP and let the secure bit only happen between 
> Squid and the website. (There are no actual web browsers I know of that 
> do this, only simplistic web libraries and tools).
> 
>   * Squid reverse-proxy can translate from public facing HTTPS to a 
> private HTTP-only server if it is given the authoritative SSL 
> certificate and keys for the domain being serviced.
> 
> 

The second scenario is the most convenient, but I don't know if IE is
able to work in such a configuration, but I'll try. If it fails, I'll
try the third one. 
The first is out of the question, since IE via wine (with the native
engine, not gecko) is unable to connect via secure channel.

If I will have some questions or problems with squid's configuration I
will just ask You :-)

> You need to configure IE to use the Squid as a proxy.
> 
> 
> NP: If you are trying to make IE secure, using HTTPS will not help. The 
> flaws in IE are in the way it handles HTML. There is no way to do so 
> short of re-coding IE without all its bugs AND re-coding the OS it runs 
> on without its bugs as well.

As I said, I am trying to use IE since it is necessary. Its only purpose
will be connecting to the one (rather secure) site.


Wiktor