[squid-users] R: [squid-users] kerberos authentication and ldap
Hi,

The patch is already included since the following STABLE versions:

2.7 STABLE1
3.0 STABLE2

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Sunday, 31 January 2010 0:48
To: 'squid-users@squid-cache.org'
Subject: [squid-users] kerberos authentication and ldap

We are getting some Win7 machines so I am migrating our ntlm setup to Kerberos. Looking at Markus Moeller's kerb guide, I see that it doesn't state how to control access after successful auth.

Looking online, http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ suggests an ldap companion method but this involves a patch.

Is that patch still needed, or does there exist a stock approach to facilitate this, as our access is done by group ad membership?

Thanks,
jlc

Re: [squid-users] monitor bandwidth
You can use this script http://samm.kiev.ua/sqstat/ to monitor bandwidth usage of requests in real time. It's especially interesting to monitor bandwidth usage of downloads, which take some time to happen and finish. Logs can show you that, but only after it ends. This script can show it in real time.

It will help you identify which is the bastard and/or maybe identify some criteria for making your delay_pool rules, as pointed out by Amos.

On 29/01/2010 20:02, J. Webster wrote:
> Is there any way to monitor the current bandwidth in use by a user (NCSA auth) on squid?
> Occasionally we get a user downloading too many videos at once, which blocks bandwidth to other users on the network. As I have no idea which user it is until the end of the day (SARG reports), we just restart the squid server to disconnect their downloads - not ideal.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br

RE: [squid-users] kerberos authentication and ldap
> The patch is already included since the following STABLE versions:
>
> 2.7 STABLE1
> 3.0 STABLE2

Guido,
Thanks, I should have read all the comments in the post:)

Do you know if it's possible to facilitate the following scenario where access is auth'ed by Kerberos, and an ldap external_acl_type checks group membership without a specific bind account, but uses the Kerberos auth'ed user as the bind account?

Thanks,
jlc

[squid-users] squid is closing sessions after 1 hour
Dear mates,

We have an Intel SSR212MMC2 system with 32GB of RAM, 12 SATA HDs (each 2 are made raid0). Port 80 traffic is routed from a mikrotik to the squid 2.7 stable7 box (running on debian lenny).

cache_dir aufs /cache1 120 16 256
cache_dir aufs /cache2 120 16 256
cache_dir aufs /cache3 120 16 256
cache_dir aufs /cache4 120 16 256

fdisk -l
/dev/sdc1 1.8T 72G 1.7T 5% /cache1
/dev/sdd1 1.8T 72G 1.7T 5% /cache2
/dev/sde1 1.8T 72G 1.7T 5% /cache3
/dev/sdf1 1.8T 72G 1.7T 5% /cache4

We noticed that when the cache is nearly about 280GB (70GB on each cache_dir), squid closes all sessions every 1 hour for 30 seconds, then it works back normally...

So what can cause this problem?

I am sorry I didn't mention too much details, because I am afraid to flood you with data. I am ready to provide any details you need.

Cordially,
Bilal

[squid-users] WARNING: redirector .....
Hello.

Once again my 3.0.STABLE20 server on Lenny has stalled. This is the error:

2010/01/31 13:33:20| WARNING: redirector #2 (FD 808) exited
2010/01/31 13:33:20| Too few redirector processes are running
2010/01/31 13:33:20| Starting new helpers
2010/01/31 13:33:20| helperOpenServers: Starting 6/10 'python' processes
2010/01/31 13:33:21| WARNING: redirector #3 (FD 809) exited
2010/01/31 13:33:37| WARNING: redirector #4 (FD 810) exited
2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method in request '_g_g?^=__ k__...@_m_l_q_m___da_c7yx___3h_~_;P__P_'_ \!hn\_O_X'
2010/01/31 13:35:18| clientProcessRequest: Invalid Request
2010/01/31 13:38:55| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:41:30| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 13:41:30| clientParseRequestMethod: Unsupported method in request 'NTK_;_C6r4_a___`_i_]_WB__bZ__#4_1__x__f`S|6s__?__$_%#a__ ___S_b__l___$__Cm'
2010/01/31 13:41:30| clientProcessRequest: Invalid Request
2010/01/31 13:45:09| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:45:29| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:45:45| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:45:56| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
2010/01/31 13:46:01| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:46:17| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:46:33| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:46:51| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:47:07| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:47:23| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:47:39| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:48:14| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:49:50| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:52:06| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:56:13| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 13:56:13| clientParseRequestMethod: Unsupported method in request '__P_BY_y_B9r0_K)_k|__6_CIhL_u_`___/q___6___ $___t___Z_Ee['
2010/01/31 13:56:13| clientProcessRequest: Invalid Request
2010/01/31 13:57:10| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:58:22| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:59:24| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 14:04:32| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 14:05:36| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 14:07:28| WARNING: redirector #5 (FD 811) exited
2010/01/31 14:07:30| WARNING: redirector #6 (FD 812) exited
2010/01/31 14:07:32| WARNING: redirector #1 (FD 877) exited
2010/01/31 14:08:20| WARNING: redirector #2 (FD 884) exited
2010/01/31 14:08:20| Too few redirector processes are running
2010/01/31 14:08:20| Starting new helpers
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: TRG=Mz0tMSY0PTEmNT0yJjY9NCY3PTAmOT0zJjEwPTAmMTE9LTEmMTI9MSY0MC4yPTEmMTM9MSYxND0tMSYxNT05MTMxJjM5LjI9MSYxNj0zJjE3PTEmMTg9RE8mMTk9MCYyMD0tMSYyMT0xJ jIyPT}
2010/01/31 15:09:52| ctx: exit level 0
2010/01/31 15:09:52| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:10:08| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:10:24| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:10:40| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:10:56| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:15:10| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:16:13| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:19:19| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 15:19:35| client_side.cc(2843) WARNING!

[squid-users] Unsupported method
Hello.

How can I avoid these lines:

2010/01/31 19:44:21| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 19:44:21| clientParseRequestMethod: Unsupported method in request 'h3_`___z___Ca___A_W'f_8g_8|iF__u~$(_E___)R_h[_[_p_r4o__?U_w~mn___un9S__'
2010/01/31 19:44:21| clientProcessRequest: Invalid Request
2010/01/31 19:53:01| WARNING: redirector #1 (FD 8) exited
2010/01/31 19:54:03| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 19:54:03| clientParseRequestMethod: Unsupported method in request 'z__yAfN[___t___h_W___^_aV__4_.___A__qY__}s_[f___w^1_7W_E*_%eS`a'
2010/01/31 19:54:03| clientProcessRequest: Invalid Request
2010/01/31 19:58:41| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 19:58:41| clientParseRequestMethod: Unsupported method in request ';__w_o'
2010/01/31 19:58:41| clientProcessRequest: Invalid Request

Re: [squid-users] WARNING: redirector .....
Landy Landy wrote:
> Hello.
>
> Once again my 3.0.STABLE20 server on Lenny has stalled. This is the error:
>
> 2010/01/31 13:33:20| WARNING: redirector #2 (FD 808) exited
> 2010/01/31 13:33:20| Too few redirector processes are running
> 2010/01/31 13:33:20| Starting new helpers
> 2010/01/31 13:33:20| helperOpenServers: Starting 6/10 'python' processes
> 2010/01/31 13:33:21| WARNING: redirector #3 (FD 809) exited
> 2010/01/31 13:33:37| WARNING: redirector #4 (FD 810) exited

There is something wrong with your redirector helpers. You need to find out what that is and stop it from happening.

> 2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
> 2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method in request '_g_g?^=__ k__...@_m_l_q_m___da_c7yx___3h_~_;P__P_'_ \!hn\_O_X'
> 2010/01/31 13:35:18| clientProcessRequest: Invalid Request

The machine at 172.16.100.56 is broken and pushing garbage into Squid instead of HTTP. This is not fatal for you or Squid, but may cause the person who uses that machine to have a very bad web experience.

> 2010/01/31 13:38:55| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors

Debian default is 1024 FD available per process. This seems not to be enough for your Squid. Alter the /etc/default/squid config file to set a new limit. If that still fails, you may need to rebuild the package with ulimit setting FD to something high before ./configure is run.

...

> 2010/01/31 13:45:56| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory

NAT failed to locate the real origin address for a client. Perhaps the port used for NAT interception 'transparent-proxy' requests is receiving direct forward-proxy requests.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
Current Beta Squid 3.1.0.15

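Added example, not part of the original thread and not Squid project code: a small Python triage of a cache.log excerpt that separates the four conditions distinguished in the reply above (helper exits, non-HTTP input per client address, descriptor exhaustion, NAT lookup failures). The sample lines are copied from the log quoted in this thread; the function and category names are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the cache.log quoted in this thread; one record is wrapped on purpose.
SAMPLE_LOG = """\
2010/01/31 13:33:20| WARNING: redirector #2 (FD 808) exited
2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 13:38:55| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
2010/01/31 13:41:30| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
2010/01/31 13:45:56| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
2010/01/31 13:46:51| client_side.cc(2843) WARNING!
Your cache is running out of filedescriptors
2010/01/31 14:07:28| WARNING: redirector #5 (FD 811) exited
"""

LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
RULES = [  # category names are this example's own, not Squid terminology
    ("helper_exit", re.compile(r"WARNING: redirector #(\d+) \(FD \d+\) exited")),
    ("bad_method", re.compile(r"Unsupported method attempted by (\d{1,3}(?:\.\d{1,3}){3}):")),
    ("fd_exhaustion", re.compile(r"running out of filedescriptors")),
    ("nat_lookup_failed", re.compile(r"clientNatLookup: .*SO_ORIGINAL_DST\) failed")),
]

def records(text):
    """Yield (timestamp, message); a line without a timestamp continues the previous record."""
    current = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current and raw.strip():
            current[1] += " " + raw.strip()
    if current:
        yield tuple(current)

def triage(text):
    """Count each condition, attribute bad requests to clients, keep first/last timestamps."""
    counts, clients, helpers, span = Counter(), Counter(), set(), {}
    for ts, msg in records(text):
        for name, rx in RULES:
            m = rx.search(msg)
            if m:
                counts[name] += 1
                span[name] = (span.get(name, (ts,))[0], ts)
                if name == "bad_method":
                    clients[m.group(1)] += 1      # which client sends non-HTTP input
                elif name == "helper_exit":
                    helpers.add(int(m.group(1)))  # which helper slots died
                break
    return {"counts": counts, "clients": clients, "helpers": helpers, "span": span}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Pointing `triage()` at the full cache.log shows whether descriptor warnings begin before or after the first helper exit, and whether a single client address accounts for all the invalid requests.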
Re: [squid-users] WARNING: redirector .....
How many redirectors are you using initially? Also how many file descriptions does your OS support currently? I think something like

cat /proc/sys/fs/file-max

should tell you.

Landy Landy wrote:
> Hello.
>
> Once again my 3.0.STABLE20 server on Lenny has stalled. This is the error:
>
> 2010/01/31 13:33:20| WARNING: redirector #2 (FD 808) exited
> 2010/01/31 13:33:20| Too few redirector processes are running
> 2010/01/31 13:33:20| Starting new helpers
> 2010/01/31 13:33:20| helperOpenServers: Starting 6/10 'python' processes
> 2010/01/31 13:33:21| WARNING: redirector #3 (FD 809) exited
> 2010/01/31 13:33:37| WARNING: redirector #4 (FD 810) exited
> 2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
> 2010/01/31 13:35:18| clientParseRequestMethod: Unsupported method in request '_g_g?^=__ k__...@_m_l_q_m___da_c7yx___3h_~_;P__P_'_ \!hn\_O_X'
> 2010/01/31 13:35:18| clientProcessRequest: Invalid Request
> 2010/01/31 13:38:55| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:41:30| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
> 2010/01/31 13:41:30| clientParseRequestMethod: Unsupported method in request 'NTK_;_C6r4_a___`_i_]_WB__bZ__#4_1__x__f`S|6s__?__$_%#a__ ___S_b__l___$__Cm'
> 2010/01/31 13:41:30| clientProcessRequest: Invalid Request
> 2010/01/31 13:45:09| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:45:29| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:45:45| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:45:56| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
> 2010/01/31 13:46:01| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:46:17| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:46:33| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:46:51| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:47:07| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:47:23| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:47:39| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:48:14| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:49:50| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:52:06| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:56:13| clientParseRequestMethod: Unsupported method attempted by 172.16.100.56: This is not a bug. see squid.conf extension_methods
> 2010/01/31 13:56:13| clientParseRequestMethod: Unsupported method in request '__P_BY_y_B9r0_K)_k|__6_CIhL_u_`___/q___6___ $___t___Z_Ee['
> 2010/01/31 13:56:13| clientProcessRequest: Invalid Request
> 2010/01/31 13:57:10| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:58:22| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 13:59:24| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 14:04:32| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 14:05:36| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 14:07:28| WARNING: redirector #5 (FD 811) exited
> 2010/01/31 14:07:30| WARNING: redirector #6 (FD 812) exited
> 2010/01/31 14:07:32| WARNING: redirector #1 (FD 877) exited
> 2010/01/31 14:08:20| WARNING: redirector #2 (FD 884) exited
> 2010/01/31 14:08:20| Too few redirector processes are running
> 2010/01/31 14:08:20| Starting new helpers
> Cache-Control: no-cache, no-store
> Expires: Thu, 01 Jan 1970 00:00:01 GMT
> Set-Cookie: TRG=Mz0tMSY0PTEmNT0yJjY9NCY3PTAmOT0zJjEwPTAmMTE9LTEmMTI9MSY0MC4yPTEmMTM9MSYxND0tMSYxNT05MTMxJjM5LjI9MSYxNj0zJjE3PTEmMTg9RE8mMTk9MCYyMD0tMSYyMT0xJ jIyPT}
> 2010/01/31 15:09:52| ctx: exit level 0
> 2010/01/31 15:09:52| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 15:10:08| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 15:10:24| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 15:10:40| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 15:10:56| client_side.cc(2843) WARNING! Your cache is running out of filedescriptors
> 2010/01/31 15:15:10| client_side.cc(2843) WARNING!

[squid-users] squid_ldap_group trouble
I am trying to supplement squid_kerb_auth with squid_ldap_group. From the cli, my external_acl_type string works fine, username and group pairs return expected results.

Disregarding the ldap group check, the following authenticates correctly:

acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth localnet
http_access deny all

But when I modify it as follows it breaks:

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group ...
acl auth proxy_auth REQUIRED
acl acl_ldap external ldapgroup adGroup
http_access deny !auth
http_access allow auth acl_ldap localnet
http_access deny all

Anyone see what I have done wrong?

Thanks,
jlc

Re: [squid-users] Squid, Exchange 2007 RPC, certificates and the rabbit hole
On Fri, Jan 29, 2010 at 11:52:03PM +1300, Amos Jeffries wrote:
> Was this with HTTPS-front-end or with full pass-thru?

I think with a HTTPS front end - how could I tell for sure? I know that sounds dumb but I set the old one up a while ago, I cannot recall what I did. When I set up the owa 2007 one I just tweaked the destination.

--
Brett Lymn

Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately.

VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer.