Re: [squid-users] Squid pops up password dialog when remote site is not reachable

2010-04-05 Thread Ayhan Molla
Hi,
I only modified the helper line as follows:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

and added the following two statements; the rest of the file is unchanged.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

RE: [squid-users] Re: SSO with Active Directory-Squid Clients

2010-04-05 Thread GIGO .

Dear Markus,

Please, I have a few confusions which I want to clarify.

1. If Kerberos authentication fails, what would be the fallback behaviour?
Would Basic authentication to LDAP be used instead? Does it need to be
defined? What is the best strategy, as Basic authentication will be in clear
text? In a Microsoft environment the fallback is to NTLM authentication if
Kerberos fails; isn't that a better strategy?

2. Isn't it better to use the combination of Kerberos/LDAP only for SSO with
Active Directory? Why is winbind/Samba referred to in many tutorials, while to
me it looks redundant? Does it give any additional benefit, or is it more
stable? Can you please enlighten me.

regards,
Bilal


> To: squid-users@squid-cache.org
> From: hua...@moeller.plus.com
> Date: Sat, 3 Apr 2010 13:34:15 +0100
> Subject: [squid-users] Re: SSO with Active Directory-Squid Clients
>
> Have a look at
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
> http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
>
> Regards
> Markus
>
> "GIGO ." wrote in message
> news:snt134-w171836624ce7937ad90d3eb9...@phx.gbl...
>
> Dear All/Amos,
>
> I want to allow certain (not all) Active Directory users to use squid by way
> of SSO with Active Directory. So that means when anyone from those specific
> users logs into Active Directory they should automatically have access
> to the internet via Squid Proxy. Other AD users which have not been granted
> permissions in Squid will be disallowed. Is it possible? How? Please guide in
> detail.
>
>
> This was my assumption of how it would be done:
>
> I needed to compile squid with these additional
> options --enable-basic-auth-helpers="LDAP"
> --enable-auth="basic,negotiate,ntlm"
> --enable-external-acl-helpers="wbinfo_group,ldap_group"
> --enable-negotiate-auth-helpers="squid_kerb_auth"
> Right??
>
>
> I need to configure krb5.conf to point to AD as default_realm on CentOS 5.4
> too, right?
>
>
> I think that I must make CentOS 5.4 a member of the domain? Am I right,
> or is it not necessary?
>
>
> How will these specific AD users (with internet access allowed) be
> told/mentioned to the squid?
>
>
>
> I have also studied your article
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print
>
> However this is allowing all (not specific) Active Directory or LDAP users
> internet access. This logic is just checking the validity of the user account
> with Active Directory by popping up a login/password and if it succeeds
> network access is granted. Am I right?
>
>
>
> Bottom line is that I am completely lost and have not much idea what and how
> to do it. We previously were using Microsoft ISA server and are about to move
> to Squid and this requirement is very necessary.
>
>
> regards,
>
> Bilal Aslam

[squid-users] page stalling w/ squid

2010-04-05 Thread Mike Leong
I have this weird problem where if I go through squid, a page would
stall until it hits the read timeout limit.  This only happens on
certain webservers.

eg:
read_timeout set to 120 seconds.

1. request page on browser
2. page load stalls
3. after 120 seconds, squid sends a fin, ack to http server
4. http server returns a HTTP 200 after receiving the fin,ack packet
5. browser gets the requested page.

Sometimes, squid would load the page fine.

Here's my squid build:
Squid Cache: Version 2.7.STABLE9
configure options:  '--enable-linux-netfilter'
'--enable-follow-x-forwarded-for' '--enable-linux-tproxy'
'--enable-epoll' '--enable-async-io' '--with-pthreads'
'--enable-storeio=ufs,aufs,coss,diskd,null'
'--enable-removal-policies=lru,heap' '--enable-snmp'
'--with-maxfd=65536' 'CFLAGS=-march=pentium3 -O2 -fomit-frame-pointer
-pipe' 'CPPFLAGS=-march=pentium3 -O2 -fomit-frame-pointer -pipe'


You can download tcpdump and squid config from
http://mina.lolipower.org/mike/squid-stall.zip

If I access the page directly on the browser, the page stalling doesn't happen.



any ideas on addressing this issue?

thx
mike


Re: [squid-users] Squid v3.0Stable16 memory leak

2010-04-05 Thread Ivan .
Amos

I can confirm that with the same kernel, v2.6STABLE21 works fine

cheers
Ivan

On Tue, Mar 30, 2010 at 6:21 PM, Amos Jeffries  wrote:
>
> Ivan . wrote:
>>
>> Hi
>>
>> Had this running on a RedHat EL5 64bit OS running Squid v3.0.STABLE16
>> for about 3 days, with 8GB of memory. Slowly but surely "top" shows
>> the available memory dropping down to 500MB, which concerned me a great
>> deal.
>>
>> I am not caching, using the cache_dir null directive, so not sure what
>> is going on other than a memory leak. Restarting the squid process didn't
>> help, so I bounced the box and lo and behold available memory is
>> around 7GB.
>
> Um ... Restarting Squid drops all the memory it has allocated, whether leaked 
> or not. Same as killing the process.
>
> This sounds very much like something I saw back in the 2.6.31 kernel last 
> year. Any app that used a lot of memory or connections slowly (relative) 
> leaked RAM into the kernel space somehow. Only a system restart or kernel 
> upgrade to 2.6.32 fixed it here.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.1


[squid-users] Fwd: Squid 2.7 with NTLM auth

2010-04-05 Thread Milan
We are running Squid ported for Windows and are experiencing an issue with
one particular service: GotoMeeting, GotoAssist, GotoWebinar (Citrix). We
are unable to get users connected unless we add the individual IP
addresses of the servers individually:

216.115.208.0 / 20
216.219.112.0 / 20
66.151.158.0 / 24
66.151.150.160 / 27
66.151.115.128 / 26
64.74.80.0 / 24
202.173.24.0 / 21
67.217.64.0 / 19
78.108.112.0 / 20
68.64.0.0 / 19
206.183.100.0 / 22

The full list is above and there is no way we are typing individual
IPs. We tried putting CIDR notation in the allowed_ip.txt but it
does not like that. Any advice on how to set this up with the least
administrative effort? We are kind of new to SQUID. Thanks for your
advice.
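
An added example (not code from the post or from Squid) for maintaining a file-backed network allow-list like the one above: it normalises entries such as `216.115.208.0 / 20` into the `addr/prefix` form a file-backed Squid ACL reads one per line, refuses malformed lines instead of silently dropping them, reports entries with host bits set, merges overlapping networks, and lets you spot-check an address before loading the list. The sample list is the one pasted in the post; the `allowed_ip.txt` path and the `gotomeeting` ACL name in the comment are assumptions.

```python
import ipaddress
import re
import sys

# Constructed sample input: the networks from the post above, exactly as pasted,
# including the spaces around the "/" that a plain "addr/prefix" parser rejects.
RAW_LIST = """\
216.115.208.0 / 20
216.219.112.0 / 20
66.151.158.0 / 24
66.151.150.160 / 27
66.151.115.128 / 26
64.74.80.0 / 24
202.173.24.0 / 21
67.217.64.0 / 19
78.108.112.0 / 20
68.64.0.0 / 19
206.183.100.0 / 22
"""

_SLASH_WS = re.compile(r"\s*/\s*")


def parse_cidr_list(text):
    """Parse one network per line into ip_network objects.

    Accepts "a.b.c.d / n", "a.b.c.d/n" and bare addresses (treated as /32 or
    /128); skips blank lines and '#' comments. A malformed entry raises
    ValueError with its line number rather than being dropped: a silently
    skipped line in an allow-list is an outage, a silently widened one is a
    hole. Entries with host bits set (10.0.0.5/24) are normalised to the
    enclosing network and reported in `warnings`.
    """
    nets, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        compact = _SLASH_WS.sub("/", entry)
        try:
            iface = ipaddress.ip_interface(compact)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
        net = iface.network
        if iface.ip != net.network_address:
            warnings.append(f"line {lineno}: {entry!r} has host bits set, using {net}")
        nets.append(net)
    return nets, warnings


def collapse(nets):
    """Merge overlapping/adjacent networks (per address family) so the ACL file
    carries the minimum number of entries."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_acl_file(nets):
    """Render one value per line, the form a file-backed Squid ACL reads, e.g.
    (path and ACL name assumed):  acl gotomeeting dst "/etc/squid/allowed_ip.txt"
    """
    return "".join(f"{n}\n" for n in nets)


def is_allowed(ip, nets):
    """True if `ip` falls inside any network in the list; spot-check an address
    before loading the list into Squid."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else RAW_LIST
    nets, warnings = parse_cidr_list(src)
    for w in warnings:
        print("warning:", w, file=sys.stderr)
    sys.stdout.write(to_acl_file(collapse(nets)))
```

Run it against the raw list and redirect the output to the file the ACL names; anything it refuses is a line you would otherwise have lost without noticing.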


Re: [squid-users] Squid proxy Setup in fail-over mode

2010-04-05 Thread Henrik Nordström
Thu 2010-03-18 at 13:35 + GIGO . wrote:
> How to setup squid proxy to run in fail-over mode? Any guide.

What do you mean by fail-over? It can mean many different things to different
people..

Regards
Henrik



Re: [squid-users] error libcap2 --

2010-04-05 Thread Henrik Nordström
Thu 2010-03-18 at 20:03 -0300 Ariel wrote:
> Hello... can someone please help me with this error? I have been swearing
> at it for more than a week, and I just realized I asked this.
> 
> On CentOS 5.4 i386, kernel 2.6.30, iptables 1.4.5
> 
> it asks for libcap2 and libcap2-dev, but they are not there in CentOS 5.3, and
> I am following this guide to install:
> http://www.eu.squid-cache.org/mail-archive/squid-users/200906/0602.html
> Does anyone have a way to fix this?

The CentOS package is libcap-devel.

Regards
Henrik



Re: [squid-users] Cache size is decreasing

2010-04-05 Thread Henrik Nordström
Sun 2010-04-04 at 10:44 +0300 Mr. Issa(*) wrote:
>   Storage Swap size:  301573020 KB
>   13107338 StoreEntries

Monitor these two over time.



> pr0xySRV:~# less /var/logs/squid/cache.log | grep store_swap_size
> 2010/04/01 01:14:12|   store_swap_size = 219740988k
> 2010/04/01 15:09:14|   store_swap_size = 231067008k
> 2010/04/02 15:17:55|   store_swap_size = 125951712k
> 2010/04/02 15:25:56|   store_swap_size = 251919768k
> 
> As you can notice, the last two values of store_swap_size are
> totally different.

Not sure, besides the issue mentioned earlier about your restart not
being a clean restart.

Regards
Henrik
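
Henrik's advice is to watch these numbers over time rather than eyeball one grep. As an added example (not code from the thread or from Squid), here is a small monitor that parses the `store_swap_size` lines from cache.log in the format quoted above, and flags any consecutive pair where the size fell by more than a threshold, which is the symptom Mr. Issa is describing. The four sample lines are the ones quoted in the thread; the 20% default threshold is an assumption you should tune to your cache.

```python
import re
import sys
from datetime import datetime

# Matches the cache.log line quoted in the thread:
#   2010/04/01 01:14:12|   store_swap_size = 219740988k
SWAP_LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*store_swap_size = (\d+)k\s*$"
)

# Constructed sample: the four lines quoted above, in file order.
SAMPLE_LOG = """\
2010/04/01 01:14:12|   store_swap_size = 219740988k
2010/04/01 15:09:14|   store_swap_size = 231067008k
2010/04/02 15:17:55|   store_swap_size = 125951712k
2010/04/02 15:25:56|   store_swap_size = 251919768k
"""


def parse_swap_sizes(text):
    """Return [(timestamp, size_kb), ...] in file order, ignoring other lines."""
    samples = []
    for line in text.splitlines():
        m = SWAP_LINE.match(line)
        if m:
            samples.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                            int(m.group(2))))
    return samples


def find_drops(samples, threshold=0.20):
    """Flag consecutive samples where the swap size fell by more than
    `threshold` (a fraction). Between clean restarts the number should only
    grow or stay flat; a large drop means the store lost entries, which is
    consistent with the unclean restart Henrik refers to."""
    drops = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if s0 and s1 < s0:
            frac = (s0 - s1) / s0
            if frac > threshold:
                drops.append({"from": t0, "to": t1, "before_kb": s0,
                              "after_kb": s1, "fraction": frac})
    return drops


def report(drops):
    """One human-readable line per flagged drop."""
    return [
        "%s -> %s: store_swap_size fell %.1f%% (%d k -> %d k)" % (
            d["from"], d["to"], d["fraction"] * 100, d["before_kb"], d["after_kb"])
        for d in drops
    ]


if __name__ == "__main__":
    # Usage: python swapmon.py /var/logs/squid/cache.log   (path as in the post)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(find_drops(parse_swap_sizes(text))):
        print(line)
```

On the quoted sample this flags the 2010/04/01 15:09 to 2010/04/02 15:17 pair (a drop of roughly 45%) and nothing else; run it from cron against the rotated log and you get a timestamp to line up with restarts and cache_dir rebuilds.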



Re: [squid-users] Issue with reverse proxy and SSL cert/Intermediate/root

2010-04-05 Thread Henrik Nordström
Mon 2010-04-05 at 09:59 -0400 Nick Duda wrote:

> The cert itself is installed, broken out with the server/key.pems,
> runs fine. I need to install the other 2 as well. When I append the
> cert.pem file on the proxy with the trustedroot cert and intermediate
> cert, it still doesn't look like its working right. Is there a certain
> order they must be in?

You don't normally put the root cert in there, just the servers
certificate followed by any intermediary certificates. You may put the
root certificate there as well (last) but doing so adds more overhead to
the SSL negotiation.

You can also add the CA certificates via the ca= option to https_port I
think, but not 100% sure this will work for announcing the certificate
path to clients.

Regards
Henrik



Re: [squid-users] Squid pops up password dialog when remote site is not reachable

2010-04-05 Thread Henrik Nordström
Mon 2010-04-05 at 05:48 -0700 Ayhan Molla wrote:
> I am using Squid 2.6 and also NTLM is configured. When the remote site
> is available system works as expected. If the remote site is down or
> if I type some unreachable address to the location bar such as
> 22.33.44.55 the browser pops up a password dialog asking for
> credentials.

What do your http_access rules look like?

Regards
Henrik



Re: [squid-users] Offline mode for "mobile" internet kiosk?

2010-04-05 Thread Henrik Nordström
Mon 2010-04-05 at 00:02 -0400 Chris Woodfield wrote:
> All,
> 
> Forgive me if I'm misremembering, but I have a vague recollection of
> some discussion on this list of some individuals or organization using
> squid's offline mode as a way to bring an (admittedly limited) subset
> of internet content to remote internet-inaccessible areas - a
> bookmobile for the information age of sorts. Anyone have any details
> on who/where this was being done?

Squid is not the right tool for that. wwwoffle is the tool usually used
for that purpose.

  http://www.gedanken.demon.co.uk/wwwoffle/

Regards
Henrik



[squid-users] Issue with reverse proxy and SSL cert/Intermediate/root

2010-04-05 Thread Nick Duda
This is a pretty noob question, but I think I'm doing what I read correctly.

I have 3 certs:

- The cert itself
- TrustedRoot cert
- Intermediate cert

The cert itself is installed, broken out with the server/key.pems, runs fine. I 
need to install the other 2 as well. When I append the cert.pem file on the 
proxy with the trustedroot cert and intermediate cert, it still doesn't look 
like it's working right. Is there a certain order they must be in?

Squid Cache: Version 2.7.STABLE7
configure options:  '--enable-auth=ntlm,basic' 
'--enable-external-acl-helpers=wbinfo_group' '--enable-snmp' 
'--enable-storeio=aufs' '--enable-ssl'

- Nick


[squid-users] Squid pops up password dialog when remote site is not reachable

2010-04-05 Thread Ayhan Molla
Hi,
I am using Squid 2.6 and also NTLM is configured. When the remote site is 
available system works as expected. If the remote site is down or if I type 
some unreachable address to the location bar such as 22.33.44.55 the browser 
pops up a password dialog asking for credentials.

I tried searching the mail archives for the keyword "password dialog" but the 
results returned were unrelated to this issue.

Has anyone got an idea about that? 


[squid-users] Re: Authentication caching

2010-04-05 Thread Markus Moeller


"Henrik Nordström"  wrote in message 
news:1270330950.9955.60.ca...@localhost.localdomain...

> Sat 2010-03-27 at 18:42 +0100 Khaled Blah wrote:
>
>> Hi all,
>>
>> I'm developing an authentication helper (Negotiate/NTLM) for squid and
>> I am trying to understand more how squid handles this process
>> internally. Most of all I'd like to know how and how long squid caches
>> authentication results. I have looked at the debug logs and they show
>> that squid seems to do "less caching" for Negotiate/NTLM than it does
>> for Basic/Digest authentication.
>
> Due to the nature of NTLM & Negotiate authentication it's the helper
> performing the Negotiate/NTLM handshake, and because of this there is no
> cache in Squid for these schemes as there is nothing to use as cache
> key.
>
> Basic & digest auth is handled internally by Squid, and enables Squid to
> cache the credentials validity.
>
> In theory we could implement NTLM in similar manner, but it would then
> not be possible to integrate with Windows domain controllers / active
> directory.
>
> Don't know enough of Kerberos to tell what possibilities there may be to
> cache in Negotiate auth.

In the case of Kerberos each request which has the Negotiate header has data 
encrypted with the key which is stored in the keytab. The server will just 
decrypt the data with the key from the keytab and if successful return the 
username contained in the decrypted data.  There is no possibility to cache 
anything.

>> I am wondering whether I can do
>> something about this so that a once verified user will only get his
>> credentials re-verified after a certain time and not all during. I am
>> grateful to any insight the list can give me. Thanks in advance!
>
> In 2.7 there is a generic auth cache based on source IP, useful when the
> clients are single-user workstations.
>
> Regards
> Henrik
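
The cache-key point Henrik and Markus make above, as an added example (not code from the thread, from Squid, or from any helper): a Basic Authorization header is a fixed encoding of user:password, so the literal header value can key a TTL cache and the helper is consulted once per TTL; a Negotiate token carries a per-request authenticator (here a constructed stand-in with a timestamp and fresh random bytes, not real Kerberos), so every request produces a different value and a credential-keyed cache never hits; the 2.7 source-IP shortcut gets the round-trips back by keying on the client address instead, which is why it is only safe for single-user workstations. The helper is a counting stub, and the user name, realm and client IP are made up; the name of the 2.7 directive is not quoted here, so check squid.conf.documented for your build.

```python
import base64
import os
import struct


class CountingHelper:
    """Stand-in for an external auth helper (ntlm_auth, squid_kerb_auth, a Basic
    LDAP helper): accepts everything and counts how many round-trips Squid
    would have made to it. Constructed for this example."""
    def __init__(self):
        self.calls = 0

    def verify(self, scheme, token):
        self.calls += 1
        return True


def basic_header(user, password):
    """Basic credentials are a fixed encoding of user:password, so one user
    sends byte-identical Authorization values on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def negotiate_header(principal, now):
    """Constructed stand-in for a Kerberos AP-REQ in a Negotiate header. The real
    authenticator is encrypted under the service key from the keytab and carries
    the client time plus fresh randomness, so no two requests share a token and
    the header value cannot serve as a cache key."""
    blob = principal.encode() + struct.pack(">d", now) + os.urandom(8)
    return "Negotiate " + base64.b64encode(blob).decode()


class CredentialCache:
    """TTL cache keyed on the literal Authorization value: the shape of what
    Squid can do for Basic and Digest, which it handles itself."""
    def __init__(self, helper, ttl):
        self.helper, self.ttl, self.entries = helper, ttl, {}

    def authorize(self, header, now):
        seen = self.entries.get(header)
        if seen is not None and now - seen < self.ttl:
            return True
        scheme, _, token = header.partition(" ")
        ok = self.helper.verify(scheme, token)
        if ok:
            self.entries[header] = now
        return ok


class IpShortcutCache:
    """TTL cache keyed on the client's source address instead of the credentials,
    the trade-off Henrik describes for 2.7: one successful handshake from an IP
    lets later requests from that IP through without a helper round-trip,
    whoever is actually sitting at it."""
    def __init__(self, helper, ttl):
        self.helper, self.ttl, self.entries = helper, ttl, {}

    def authorize(self, client_ip, header, now):
        seen = self.entries.get(client_ip)
        if seen is not None and now - seen < self.ttl:
            return True
        scheme, _, token = header.partition(" ")
        ok = self.helper.verify(scheme, token)
        if ok:
            self.entries[client_ip] = now
        return ok


def simulate(n_requests, ttl=60.0, gap=1.0):
    """Send n requests from one workstation, `gap` seconds apart, under three
    arrangements; return the helper call count for (basic, negotiate,
    negotiate behind the IP shortcut)."""
    basic, nego, nego_ip = CountingHelper(), CountingHelper(), CountingHelper()
    basic_cache = CredentialCache(basic, ttl)
    nego_cache = CredentialCache(nego, ttl)
    ip_cache = IpShortcutCache(nego_ip, ttl)
    for i in range(n_requests):
        now = i * gap
        basic_cache.authorize(basic_header("bilal", "s3cret"), now)          # made-up user
        nego_cache.authorize(negotiate_header("bilal@EXAMPLE.COM", now), now)
        ip_cache.authorize("192.0.2.10",                                     # made-up client
                           negotiate_header("bilal@EXAMPLE.COM", now), now)
    return basic.calls, nego.calls, nego_ip.calls


if __name__ == "__main__":
    print("helper calls for 10 requests inside one TTL (basic, negotiate, ip-shortcut):",
          simulate(10))
```

Ten requests inside one TTL cost the Basic cache one helper call, the Negotiate path ten, and the IP shortcut one; shorten the TTL below the request gap and all three go back to one call per request, which is the knob that bounds how long a cached decision outlives the person at the keyboard.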