Re: [squid-users] SQUID 3.1 + sslBump https interception and decryption
From: Franz Angeli [mailto:franz.ang...@gmail.com]
I configured one debian box with squid 3.1 (compiling it with ssl support), enabling the sslBump feature with a self-signed certificate. Obviously browsers and applications warn about the certificate, but all seems to work. Is there a way to use a trusted certificate to remove that warning (sorry for this dumb question, but some applications don't permit a certificate exception list like firefox does, for example)?

If you have the signed certificate for the URL you're developing for, then yes, you can use the certificate. For example, if your app is going to app.squid-cache.org and you have the signed certificate for app.squid-cache.org or *.squid-cache.org, then everything will be happy. But, if you're trying to intercept the traffic for a third-party domain, no, you can't. The best you can do is to create your own CA and add the public certificate to the browser/application, if it even allows you to.

Thank you for the information. And what about ICAP configuration? Any suggestions?
Re: [squid-users] Help about iptable squid
Dear All:

iptables squid -v
Squid Cache: Version 3.1.1
configure options: '--prefix=/var/squid' '--sysconfdir=/etc' '--enable-arp-acl' '--enable-linux-netfilter' '--enable-pthreads' '--enable-err-language=Simplify_Chinese' '--enable-storeio=ufs' '--enable-default-err-language=Simplify_Chinese' '--enable-auth=basic' '--enable-baisc-auth-helpers=NCSA' '--enable-underscore' --with-squid=/usr/local/src/squid-3.1.1 --enable-ltdl-convenience

Why not Transparent proxy? Help Me! Thanks!

squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.2.100-192.168.2.200/32 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.3.100-192.168.3.200/32 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#acl SSL_ports port 443
#acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
#acl CONNECT method CONNECT

cache_effective_user squid
cache_effective_group squid

dns_nameservers 192.168.1.10
dns_nameservers 168.95.1.1
dns_nameservers 168.95.192.1
dns_nameservers 211.72.67.226
dns_nameservers 216.146.35.35
dns_nameservers 216.146.36.36

ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_mem 128 MB

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname gw.efc.cory
cache_mgr ka...@everfocus.com.cn

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
allow_underscore on

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/var/cache 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thursday, April 22, 2010 1:27 PM
Subject: Re: [squid-users] Help about iptable squid

kavin wrote:
Dear All: Linux has three cards: One is 192.168.1.250 (Internet) by 192.168.1.1. The other two are: 192.168.2.1, 192.168.3.1. Client: 192.168.2.100-192.168.2.200 / IP 192.168.3.100-192.168.3.200. I have a few questions.
1: I'm in the allocation of time, add squid --enable-underscore options. But on a visit to the site it still has underlines.

That made no sense at all. Can you please describe the problem another way?

2: why does TeamViewer software from external links always break, then cannot connect? But, I have broken the network; configuration files below.

Again. Is that a question? Something called teamviewer does not work after you broke it? Please explain some more.

snip
httpd_accel_host virtual

Squid 2.5 config. Please upgrade your software.
1) We have not supported 2.5 since more than 3 years now.
2) reverse proxy is quite difficult in that version.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] SQUID3: Access denied connecting to one site
So, any chance to bypass it?

22.04.2010 8:29, Amos Jeffries wrote:
Alexandr Dmitriev wrote:
Ok, the headers are broken, but is there a way to make squid ignore them? About ssl - they also have another domain www.airbaltic.com which is not accessible either.

Part of the point was that they are not even headers at all. Squid does not do anything with body data but pump it through. The HTML code bits are just some other bytes of body data to Squid.

Amos

--
Alexandr Dmitrijev
Head of IT Department
Fashion Retail Ltd.
Phone: +371 67560501
Fax: +371 67560502
GSM: +371 2771
E-mail: alexandr.dmitr...@mos.lv
Re: [squid-users] Help about iptable squid
kavin wrote:
> Dear All:
> iptables squid -v
> Squid Cache: Version 3.1.1
> configure options: snip
> '--enable-err-language=Simplify_Chinese'

configure option --enable-err-language no longer exists.

> '--enable-default-err-language=Simplify_Chinese'

Language name Simplify_Chinese no longer exists. Use zh-cn instead for Squid-3.1. (Although zh-cn may be changed to the correct zh-hans shortly.)

> '--enable-baisc-auth-helpers=NCSA'

Spelling. basic

> '--enable-underscore'

Nasty option. Underscore characters are not valid on Internet traffic and can confuse people about why they can reach a domain locally but not remotely. Avoid whenever possible please.

> Why not Transparent proxy Help Me!

Your http_port needs the intercept flag to make it perform NAT lookups.

> Thanks!
> squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 192.168.2.100-192.168.2.200/32 # RFC1918 possible internal network
> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.3.100-192.168.3.200/32 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> #acl SSL_ports port 443
> #acl Safe_ports port 80 # http
> #acl Safe_ports port 21 # ftp
> #acl Safe_ports port 443 # https
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280 # http-mgmt
> #acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> #acl Safe_ports port 777 # multiling http
> #acl CONNECT method CONNECT
> cache_effective_user squid
> cache_effective_group squid
> dns_nameservers 192.168.1.10
> dns_nameservers 168.95.1.1
> dns_nameservers 168.95.192.1
> dns_nameservers 211.72.67.226
> dns_nameservers 216.146.35.35
> dns_nameservers 216.146.36.36

Each entry of dns_nameservers replaces all previous instances. It's configured once and takes a list of multiple nameservers.

Better solution is to use /etc/resolv.conf file so there is no difference between Squid and admin test tools run on the box. The bugs which broke resolv.conf in 2.6 and earlier are now gone. Squid can now read resolv.conf and properly act on all the relevant options.

> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> cache_mem 128 MB
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

Store log is mostly useless unless debugging. You can save yourself a lot of Disk IO by removing it from the config.

> visible_hostname gw.efc.cory

Okay. but... always a but. I recommend making this a FQDN domain name which people can trace back to you for reporting errors.

> cache_mgr ka...@everfocus.com.cn
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to certain unsafe ports
> #http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports

Removal of basic security settings is a Bad Idea.

> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on localhost is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> allow_underscore on

See above mention with the configure option matching this.

> # And finally deny all other access to this proxy
> http_access deny all
> # Squid normally listens to port 3128
> http_port 3128

Adding intercept after the port number will enable traffic interception from NAT.

NP: I also recommend using a port other than 3128 or 80 for receiving the traffic. It's only needing access by the local machines firewall. Bad things can happen when it's open for direct external access.

If you have a new enough Linux kernel the tproxy option may be used instead to enable true proxy transparency. Different iptables config as well. see http://wiki.squid-cache.org/Feature/Tproxy4

> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/squid/var/cache 4096 16 256
> # Leave
Re: [squid-users] how to set up expires header in squid?
Hi all, that problem is resolved. It was because there was a header_access setting that discarded the Expires header. Thanks!

On Thu, Apr 22, 2010 at 12:55 PM, 老邪 swansu...@gmail.com wrote:
will try, thank you!!! will update here

On Thu, Apr 22, 2010 at 12:36 PM, Jeff Pang pa...@arcor.de wrote:
On Thu, Apr 22, 2010 at 12:28 PM, 老邪 swansu...@gmail.com wrote:
the pic loads correctly, but as you can see, the expires header is gone (compare with visiting apache directly).

Squid normally doesn't discard the output headers from the original server. The max-age header should be there, like 126's:

$ curl -D- -o /dev/null www.126.com
HTTP/1.0 200 OK
Date: Thu, 22 Apr 2010 04:17:04 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Thu, 22 Apr 2010 05:17:04 GMT
Vary: Accept-Encoding
Content-Length: 26281
Content-Type: text/html; charset=GB2312
Age: 946
X-Cache: HIT from mcache.163.com
Connection: close

So you may both check your httpd.conf to see if mod_expire handles the HTTP 1.0 request correctly, since squid forwards the request with the HTTP/1.0 protocol.

--
Jeff Pang
http://home.arcor.de/pangj/
Re: [squid-users] Problems setting up Kerberos authentication
Hi all,

Fabian Hugelshofer wrote:
Markus Moeller wrote:
Continuation needed means that the GSSAPI exchange has not finished and the server needs more data from the client. Can you see in wireshark if the token length is the one squid_kerb_auth says it is?
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)

Update: I could find the reason for the error message. Even though it was a hierarchical domain structure, the proxy server performed a transit domain path verification. One domain of the path was not in the transited domains list. Not sure whether this is a Microsoft or Heimdal issue. As a workaround I manually specified the list of transit domains in the [capaths] section of krb5.conf. This made it work. For details see my posts on the Heimdal mailing list: https://list.sics.se/sympa/arc/heimdal-discuss/2010-03/msg00096.html

Regards, Fabian
[squid-users] proxy autoconfiguration
Hello all, my scenario: The proxy address was set by group policy. Windows 2003, Windows 2008 R2, Windows 7, Windows XP.

Problem: Some notebooks should be able to surf the internet from out of the office, but when the client was set with the proxy address, the user cannot access it.

Question: Can I configure the proxy address by DHCP, automatically? Is there some other method?

Thank You
[squid-users] Getting Source-IP
Hello, I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the http header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma separated list, sometimes not. So I'm searching for an option to inject a custom parameter with the source IP into the http header. Or is there a secure rule to extract the correct source IP of the request, such as just taking the last IP in the list?

Kind regards, Andreas
Re: [squid-users] proxy autoconfiguration
On Thu, Apr 22, 2010 at 7:55 PM, Andrea Gallazzi andrea.galla...@live.com wrote:
Question: Can I configure proxy address by DHCP, automatically? Is there some other method?

What you want is transparent proxy, try to find the config samples on: http://wiki.squid-cache.org/ConfigExamples

--
Jeff Pang
http://home.arcor.de/pangj/
Re: [squid-users] Getting Source-IP
On Thu, Apr 22, 2010 at 8:19 PM, Andreas Müller amuel...@gmx.de wrote:
Hello, I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the http header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma separated list, sometimes not.

Squid has done its best with X_FORWARDED_FOR. For another solution, you may get the real client's IP with some client technologies like Javascript.

--
Jeff Pang
http://home.arcor.de/pangj/
[squid-users] Pam_auth = Form based login how to .
Hello, Is it possible to do pam_auth form based login? Is there any option for it within squid extensions like the external_acl types?

--
ChetanM
[squid-users] Is there a way to get transparent proxy to work with Squid 2.7 stable 8 on Windows 2003 Server?
We have a squid 2.7 stable 8 running on Windows 2003 server on a VM. Is it possible to get transparent proxy working on this version, or is it still impossible for windows?
Re: [squid-users] proxy autoconfiguration
The users must be authenticated. :(

--
From: Jeff Pang pa...@arcor.de
Sent: Thursday, April 22, 2010 2:26 PM
To: Squid Users squid-users@squid-cache.org
Subject: Re: [squid-users] proxy autoconfiguration

On Thu, Apr 22, 2010 at 7:55 PM, Andrea Gallazzi andrea.galla...@live.com wrote:
Question: Can I configure proxy address by DHCP, automatically? Is there some other method?

What you want is transparent proxy, try to find the config samples on: http://wiki.squid-cache.org/ConfigExamples

--
Jeff Pang
http://home.arcor.de/pangj/
Re: [squid-users] proxy autoconfiguration
On Thursday 22 April 2010 08:06:53, Andrea Gallazzi wrote:
The users must be authenticated. :(

--
From: Jeff Pang pa...@arcor.de
Sent: Thursday, April 22, 2010 2:26 PM
To: Squid Users squid-users@squid-cache.org
Subject: Re: [squid-users] proxy autoconfiguration

On Thu, Apr 22, 2010 at 7:55 PM, Andrea Gallazzi andrea.galla...@live.com wrote:
Question: Can I configure proxy address by DHCP, automatically? Is there some other method?

What you want is transparent proxy, try to find the config samples on: http://wiki.squid-cache.org/ConfigExamples

Easy: in place of setting a hardcoded proxy IP address, give them a PAC/WPAD file with something like this: PROXY squid_ip;DIRECT; if squid_ip is unavailable, the browser will try directly each time you open a new instance of the browser, and it will look for squid_ip every 20 minutes (according to the WPAD protocol). :)
Re: [squid-users] Getting Source-IP
On Thu, Apr 22, 2010 at 8:57 PM, Andreas Müller amuel...@gmx.de wrote:
So I thought that there is an option to inject custom headers into the request. But if this is not possible then I have to do the best out of X_FORWARDED_FOR.

From my experience, never much believe X_FORWARDED_FOR.

--
Jeff Pang
http://home.arcor.de/pangj/
[squid-users] wedged (newbie question)
Squid started taking a very long time to supply web pages. Switching Firefox to 'no proxy' worked, so I restarted squid. All better now (proxy back on). Do I need to set up a cron job to restart squid every few weeks? -- Glenn English g...@slsware.com
Re: [squid-users] wedged (newbie question)
On Thu, Apr 22, 2010 at 10:55 PM, Glenn English g...@slsware.com wrote: Squid started taking a very long time to supply web pages. Switching Firefox to 'no proxy' worked, so I restarted squid. All better now (proxy back on). Do I need to set up a cron job to restart squid every few weeks? I don't think so. You may watch cache.log to see what happened at that time. But rotating logs with crontab is fine. -- Jeff Pang http://home.arcor.de/pangj/
[squid-users] Squid Quicktime RTPS 401 unauthorized error
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott
Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error
In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent, as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott

** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. Company Registration details: The Conde Nast Publications Ltd Vogue House Hanover Square London W1S 1JU Registered in London No. 226900
RE: [squid-users] Squid Quicktime RTPS 401 unauthorized error
I didn't know I could create an ACL for a browser service. Do you by chance have an example I could reference? (sorry about the dup message; forgot to hit reply all...)

-Original Message-
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Thursday, April 22, 2010 10:10 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error

In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent, as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott
Re: [squid-users] Squid 3.1.0.14 uses considerably more memory than 2.7.x or 3.0
* Amos Jeffries squ...@treenet.co.nz: Wow. I think you have hit some big memory problem then. I do see a lot of wasted memory usage, but still only a few dozen MB. If you are able to help us track this down it would be a great help. For starters there is the cachemgr memory report of pooled memory: squidclient mgr:mem Find some output from % squidclient mgr:mem for 3.0 here http://www.arschkrebs.de/bugs/mgr-mem.3.0.txt.gz and from % squidclient mgr:mem for 3.1 here http://www.arschkrebs.de/bugs/mgr-mem.3.1.txt.gz What I did: 3.0 was running for a whole day, I then used squidclient mgr:mem Then I replaced 3.0 with 3.1 and restarted. I then let it run for about 15 minutes and issued squidclient mgr:mem several times
Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error
Turn on user-agent logging on squid:

useragent_log /pathtoyoursquidlogs/useragent.log squid

Tail -f /pathtoyoursquidlogs/useragent.log

This will show you your user-agents hitting squid in realtime.

Acl to create (I had a file I put user-agents for Apple in) - you can use whichever method you want:

acl AppleUserAgents browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt

Put the user-agent you want, i.e. Quicktime, into the txt file.

Create your allow rule:

http_access allow AppleUserAgents

cheers

On 22/04/2010 16:47, Johnson, S sjohn...@edina.k12.mn.us wrote:
I didn't know I could create an ACL for a browser service. Do you by chance have an example I could reference? (sorry about the dup message; forgot to hit reply all...)

-Original Message-
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Thursday, April 22, 2010 10:10 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error

In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent, as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:
When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos? Thanks Scott
Re: [squid-users] squid mysql authentication
On Tuesday 2 March 2010 11:13:27, Henrik Nordstrom wrote:
Tue 2010-03-02 at 16:36 +0100, Taco Walstra wrote:
auth_param basic program /usr/sbin/squid_db_auth --user bla --password bla --plaintext --persist
with additional lines as described on the website, but I only get access denied as reply.

What additional lines did you add? And where?

Regards Henrik

Just adding to this question: I saw db_auth only supports plaintext :) I will change it to add md5 passwords as soon as possible (this week jejej). Or has anyone already done this, so as not to waste time?

LD
Re: [squid-users] Can't get my Squid proxy to use my c:\windows\system32\drivers\etc\hosts file.
Sat 2010-04-10 at 15:22 -0700, Phillip Pi wrote:
However, I still could not get it to work in my activated 64-bit W7 HP's IE8 client PC. I even tried public internet Web sites like:
157.166.255.19 msnbc.com
So the client's IE8 should take me to CNN's Web site instead of www.msnbc.com, but it didn't (gave me MSNBC's Web site). I tried rebooting both PCs, restarting the Squid service, etc.

Please note that host names are exact matches. msnbc.com != www.msnbc.com

Regards Henrik
[squid-users] Single Forest Multiple Domains kebreos setup (squid_kerb_ldap)
Dear Markus/All,

Please guide me on the matter discussed below:

Single Forest Multiple Domain setup

      A
     / \
    /   \
   B     C

Problem: Single Forest Multiple domains where the Root A is empty with no users. Domains B and C have no trust configured between each other. The internet users belong to Domain B and Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.

Guides and Helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
squid_kerb_ldap readme file

"If you serve multiple Kerberos realms add a HTTP/f...@realm service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth."

I think this is the only change required in the squid configuration to authenticate and authorize from multiple domains? Please confirm that I am to create SPNs as below for this setup to work (SPNs for both the domains).

Creation of keytab/SPN/Computer object for Domain A:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhr.b.com -h squidlhr.b.com -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com --server dcofbdomain.b.com --verbose

Appending in the same keytab SPN/keys for Domain B:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhr.c.com -h squidlhr.c.com -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com --server dcofcdomain.c.com --verbose

Please guide me on the changes that would be required in the krb5.conf file?

My working krb5.conf file as per the guidance of Markus (Kerberos working, authorization portion yet to implement):

[libdefaults]
 default_realm = B.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 B.COM = {
  kdc = b.com
  admin_server = dc.b.com
 }

[domain_realm]
 .linux.home = B.COM
 .b.com = B.COM
 b.com = B.COM

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/kdc.log

-
regards,
Bilal
[squid-users] Joomla DB authentication support hits Squid! :)
Hi all

As a requirement of one client, he wants to use the joomla user database to let squid authenticate. I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions. I did add one useful option to the script, --joomla, in order to activate joomla hashing. Other options are identical.

Please test :)

Amos, I'd like it if you can include this in 3.1.2

LD

--- helpers/basic_auth/DB/squid_db_auth.in 2010-03-29 12:02:56.0 +0200 +++ helpers/basic_auth/DB/squid_db_auth.in.dlucio 2010-04-22 22:27:00.0 +0200 @@ -3,6 +3,7 @@ use DBI; use Getopt::Long; use Pod::Usage; +use Digest::MD5 qw(md5 md5_hex md5_base64); $|=1; =pod @@ -22,6 +23,8 @@ my $db_cond = enabled = 1; my $plaintext = 0; my $persist = 0; +my $isjoomla = 0; +my $debug = 0; =pod @@ -85,9 +88,12 @@ 'cond=s' = \$db_cond, 'plaintext' = \$plaintext, 'persist' = \$persist, + 'joomla' = \$isjoomla, + 'debug' = \$debug, ); -my ($_dbh, $_sth); +$db_cond = enabled = 1 if $isjoomla; + sub close_db() { @@ -113,10 +119,17 @@ { my ($password, $key) = @_; -return 1 if crypt($password, $key) eq $key; +if ($isjoomla){ +my salt; +my $key2; +($key2,$salt) = (/:/, $key); +return 1 if md5_hex($password.$salt).':'.$salt eq $key; +} +else{ +return 1 if crypt($password, $key) eq $key; -return 1 if $plaintext $password eq $key; - +return 1 if $plaintext $password eq $key; +} return 0; } @@ -155,8 +168,9 @@ =head1 COPYRIGHT Copyright (C) 2007 Henrik Nordstrom hen...@henriknordstrom.net +Copyright (C) 2010 Luis Daniel Lucio Quiroz dlu...@okay.com.mx (Joomla support) + This program is free software. You may redistribute copies of it under the terms of the GNU General Public License version 2, or (at youropinion) any later version. - =cut
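Review bot: in the option-handling hunk (@@ -85,9 +88,12 @@), `$db_cond = enabled = 1 if $isjoomla;` silently overrides whatever the operator passed with `--cond`, and the same hunk deletes `my ($_dbh, $_sth);` with no replacement visible in the patch, so the handle variables used by the open/close routines are left undeclared (a compile error under `use strict`) unless they are re-declared somewhere the patch does not show. Keep the declaration, and either apply the Joomla condition only when `--cond` was not given or state in the docs that `--joomla` forces it. The new `--debug` option is parsed here but never read in any hunk; wire it up or drop it.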
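Review bot: the Joomla branch in the check_password hunk (@@ -113,10 +119,17 @@) cannot succeed as written. `my salt;` is missing its sigil (a compile error, acknowledged in the follow-up mail), and `($key2,$salt) = (/:/, $key);` is not a split: `/:/` there is a pattern match against `$_`, so `$key2` receives that match result and `$salt` the whole of `$key` (or undef), which makes `md5_hex($password.$salt).':'.$salt eq $key` false for every valid `hash:salt` entry. Suggest `my ($hash, $salt) = split(/:/, $key, 2);` followed by `return 1 if defined $salt && md5_hex($password . $salt) eq $hash;`. Note also that the `--plaintext` fallback now lives only in the else branch, so it is ignored whenever `--joomla` is set; if that is intended, say so in the option documentation.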
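Review bot: the COPYRIGHT hunk (@@ -155,8 +168,9 @@) adds the attribution, but nothing in the patch documents the new `--joomla` and `--debug` options in the POD that the earlier `=pod` blocks belong to, which is what `Pod::Usage` prints for `--help`; add an entry for each beside `--cond`, `--plaintext` and `--persist`, including the `hash:salt` column format the Joomla mode expects.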
[squid-users] Re: Joomla DB authentication support hits Squid! :)
On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
Hi all

As a requirement of one client, he wants to use the joomla user database to let squid authenticate. I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions. I did add one useful option to the script, --joomla, in order to activate joomla hashing. Other options are identical.

Please test :)

Amos, I'd like it if you can include this in 3.1.2

LD

I have a typo: in my salt should be my $salt. sorry
Re: [squid-users] Getting Source-IP
Jeff Pang wrote: On Thu, Apr 22, 2010 at 8:19 PM, Andreas Müller amuel...@gmx.de wrote: Hello, I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the HTTP header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma separated list, sometimes not. Squid has done its best with X_FORWARDED_FOR. For another solution, you may get the real client's IP with some client technologies like Javascript. XFF was created for exactly this purpose. It is always a comma-separated list of IP addresses (both IPv4 and IPv6 now). What seems to be confusing you is the terminal comma being optional. X-Forwarded-For: A.B.C.D is a list describing two machines: the machine which connected to your server, then machine A.B.C.D on the other side of it. Each proxy along the way adds the address of the machine which connected to it onto the end of the list. As Jeff said, it's not to be trusted at face value. Clients can easily forge it. What needs to be done is check each IP in the list to see if you trust what it has added to the list, starting with the machine which is passing it to you directly. If you do trust the middle proxy (I would expect you to at least trust your own internal one) then repeat for the next address on the list. If you do not trust any given middle proxy then consider it to be the real client and perform security assuming it's maybe lied about the rest of the XFF header contents. Wikipedia have a list of large ISP proxies they have been informed about or uncovered if you want a seed group of ISP proxies you can trust to tell you the real client IPs. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
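The trust walk Amos describes, as an added example that is not part of the thread or of Squid: it appends the directly connected peer to the XFF list, then steps leftwards while each hop is a proxy you trust, and treats the first untrusted hop as the client. The trusted-proxy networks are constructed for the example; a real deployment would list its own internal proxies and any ISP proxies it has decided to believe.

```python
import ipaddress

# Constructed trusted-proxy list for this example (an assumption, not from
# the thread): only proxies inside these networks are believed when they
# append an address to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its entries, oldest first.

    A trailing comma is tolerated, since the terminal comma is optional.
    """
    return [p.strip() for p in (header or "").split(",") if p.strip()]


def is_valid_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def is_trusted_proxy(addr):
    """True if addr belongs to a proxy whose XFF additions we believe."""
    if not is_valid_ip(addr):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, xff_header):
    """Return the address to treat as the real client.

    hops[-1] is the machine that connected to us; every entry to its left
    was appended by the hop to its right. Walk from the right while each
    hop is trusted: the first untrusted hop is treated as the client,
    because it may have lied about everything further left.
    """
    hops = parse_xff(xff_header) + [peer_addr]
    i = len(hops) - 1
    while i > 0 and is_trusted_proxy(hops[i]):
        i -= 1
    candidate = hops[i]
    # A trusted proxy inserted hops[i]; if that value is not even an IP
    # address, fall back to the proxy that reported it rather than use junk.
    if not is_valid_ip(candidate):
        return hops[i + 1] if i + 1 < len(hops) else peer_addr
    return candidate
```

With an untrusted peer the whole header is ignored and the peer itself is the client; with a chain of trusted proxies the walk reaches the leftmost entry, and a proxy you do not recognise in the middle stops the walk there, exactly as the reply recommends.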
Re: [squid-users] Is there a way to get transparent proxy to work with Squid 2.7 stable 8 on Windows 2003 Server?
Milan wrote: We have a squid 2.7 stable 8 running on Windows 2003 server on a VM. Is it possible to get transparent proxy working on this version, or is it still impossible for Windows? Not easy for Windows. I read something about a proprietary NAT library or something being available at great expense for Windows. But we can't build it into Squid ourselves. The simple fix is to run Squid on a non-Windows system. VMware has a Squid device available. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Pam_auth = Form based login how to .
Chetan Muneshwar - BetterLabs wrote: Hello, is pam_auth form-based login possible? Any option for it within a squid extension like external_acls type? Possible yes. You will have to code it though. Carefully decide which of the HTTP header and connection details you trust enough to replace both username and password. (Note: the real IP address is erased by NAT, and any HTTP header is easily forged in transit). Then configure your external_acl_type helper to take those details in and produce an OK user= line or ERR result. A deny_info line to redirect the ERR result for the ACL out to your form page. How the helper works you will have to figure out. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
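One way to build the helper Amos outlines, as an added example that is not from the thread or from Squid: the form login sets a session cookie carrying an HMAC-signed token, and the external ACL helper accepts a request only when that signature verifies and the token has not expired, answering OK user= or ERR on its stdout. The squid.conf lines in the docstring, the cookie name, the secret and the login URL are all assumptions for the example; the real session store and login page are not shown.

```python
#!/usr/bin/env python3
"""Hypothetical external_acl_type helper for form-based login (added example).

Assumed squid.conf wiring (names are placeholders):
    external_acl_type formsess ttl=60 negative_ttl=5 %{Cookie} /usr/local/bin/formsess.py
    acl has_session external formsess
    deny_info http://login.example.invalid/?return=%u has_session
    http_access deny !has_session

Squid hands the helper one line per lookup containing the Cookie header and
expects "OK user=<name>" or "ERR" back. Nothing in the cookie is trusted
until the HMAC over it verifies, which is what makes a forged header useless.
"""
import hashlib
import hmac
import re
import sys
import time
from urllib.parse import unquote

SECRET = b"constructed-example-secret-replace-me"  # constructed, not a real key
COOKIE_NAME = "sqsess"
USER_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")  # keeps the OK line a single token


def make_token(user, expires, secret=SECRET):
    """Mint 'user|expires|hmac'; this is what the login form would set."""
    msg = f"{user}|{expires}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{sig}"


def verify_token(token, now=None, secret=SECRET):
    """Return the user name if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, expires, sig = parts
    if not USER_RE.match(user) or not expires.isdigit():
        return None
    expected = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if (time.time() if now is None else now) > int(expires):
        return None
    return user


def cookie_value(cookie_header, name=COOKIE_NAME):
    """Pick one cookie out of a 'a=1; b=2' style Cookie header."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def decide(line, now=None):
    """Map one helper request line to the OK/ERR reply Squid expects."""
    raw = line.strip()
    if not raw or raw == "-":          # absent header, Squid passes "-"
        return "ERR"
    # Assumption: the header value arrives URL-encoded (possibly quoted);
    # decode defensively and confirm against your version's squid.conf docs.
    header = unquote(raw).strip('"')
    token = cookie_value(header)
    if token is None:
        return "ERR"
    user = verify_token(token, now=now)
    return f"OK user={user}" if user else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()             # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

The user name goes into the `user=` field so Squid logs it and later ACLs can use it, while the source address deliberately plays no part in the decision, for the NAT reason given in the reply.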
Re: [squid-users] squid mysql authentication
Luis Daniel Lucio Quiroz wrote: On Tuesday 2 March 2010 11:13:27, Henrik Nordstrom wrote: Tue 2010-03-02 at 16:36 +0100, Taco Walstra wrote: auth_param basic program /usr/sbin/squid_db_auth --user bla --password bla --plaintext --persist with additional lines as described on the website, but I only get access denied as reply. What additional lines did you add? And where? Regards Henrik Just adding to this question: I saw db_auth only supports plaintext :) I will change it to add md5 passwords as soon as possible (this week jejej). Or has anyone already done this, in order to not waste time? Patches welcome. Please base on the 3.HEAD code and send to squid-dev mailing list. By MD5 passwords, do you mean Basic authentication with MD5 encrypted password transferred? or making it support one of the other authentication schemes? Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Luis Daniel Lucio Quiroz wrote: On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote: Hi all. As a requirement of one client, he wants to use the Joomla user database to let Squid authenticate. I did patch squid_db_auth that Henrik has written in order to support Joomla hash conditions. I did add one useful option to the script, --joomla, in order to activate Joomla hashing. Other options are identical. Please test :) Amos, I'd like it if you can include this in 3.1.2 Mumble. How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze? LD I have a typo: my salt should be my $salt, sorry Can you make the option --md5 instead please? Possibilities are not limited to Joomla and they may change someday. The option needs to be added to the documentation sections of the helper as well. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
RE: [squid-users] Slow transfer speed over ADSL internet connection
For your Cisco 837 DSL config, try some of the following: interface Dialer0 ip mtu 1492 If you are using a bridging interface for the 4 ports on the back into a VLAN, also try the following: interface BVI1 ip tcp adjust-mss 1452 Whilst I have ADSL2+ here, I get nowhere near 2+ speeds thanks to copper pair distance due to its path from exchange quality: sh dsl interface | i Speed Speed (kbps): 0 3634 0 819 Using speedtest.net via Chrome/W7 through Squid 3.1.1 on CentOS 5.4 x86_64 running on a VM (can provide source RPM if needed): Download: 1.96Mb/s Upload: 0.54Mb/s Via Chrome/W7 without Squid: Download: 3.12Mb/s Upload: 0.68Mb/s From another Linux system: export http_proxy=http://x.x.x.x:3128 wget wget http://cache-203.39.198.135.files.bigpond.com/software/network/browsers/Fire foxPortable_3.6.3_English.paf.exe --11:36:40-- http://cache-203.39.198.135.files.bigpond.com/software/network/browsers/Fire foxPortable_3.6.3_English.paf.exe = `FirefoxPortable_3.6.3_English.paf.exe' Connecting to 192.168.0.5:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 9,616,696 (9.2M) [application/octet-stream] 100%[=== ] 9,616,696375.53K/sETA 00:00 11:37:07 (362.46 KB/s) - `FirefoxPortable_3.6.3_English.paf.exe' saved [9616696/9616696] Squid Log: 1271986638.443 26802 X.X.X.X TCP_MISS/200 9617229 GET http://cache-203.39.198.135.files.bigpond.com/software/network/browsers/Fire foxPortable_3.6.3_English.paf.exe - DIRECT/203.39.198.135 application/octet-stream Not bad given my connection's quite poor performance for what it costs me per month, but that's another story. Also check Cisco's site for ADSL firmware updates for your router to improve DSLAM compatibility as well - it may help. Hope all of the above helps.
Alex -Original Message- From: francis aubut [mailto:fugitif...@gmail.com] Sent: Thursday, 22 April 2010 8:38 AM To: squid-users@squid-cache.org Subject: Fwd: [squid-users] Slow transfer speed over ADSL internet connection -- Forwarded message -- From: francis aubut fau...@infogfa.com Date: 2010/4/21 Subject: Re: [squid-users] Slow transfer speed over ADSL internet connection To: Amos Jeffries squ...@treenet.co.nz Cc: squid-users@squid-cache.org What I can add is when IE is not connected to the proxy, it goes at 2,5 mbps and when I connect to the proxy it goes down to 500 kbps. At home the speed is the same 10 mbps on both tests. I'll check for the DNS, could the cisco 837 router limit speed somehow? Thanks, Francis. 2010/4/20 Amos Jeffries squ...@treenet.co.nz: On Tue, 20 Apr 2010 11:49:05 -0400, francis aubut fugitif...@gmail.com wrote: Hi, I configured Squid, first with Ubuntu server and then on CentOS 5; the problem is the same, I get very slow speed on a network connected with an ADSL internet connection and when I bring the computer home it goes well, I have a Cable Modem connection, what could be wrong? Francis. Your experiments as described pretty conclusively confirm that the problem is: a) difference in network lag (it's conceivable that your ADSL is simply slower than Cable, I know mine is by a whole order of magnitude or two). b) site-specific configuration somewhere in your setup. Resulting in the box going a long way to get stuff, i.e. a DNS server from the cable connection being used when on ADSL etc. Amos
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote: Luis Daniel Lucio Quiroz wrote: On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote: Hi all. As a requirement of one client, he wants to use the Joomla user database to let Squid authenticate. I did patch squid_db_auth that Henrik has written in order to support Joomla hash conditions. I did add one useful option to the script, --joomla, in order to activate Joomla hashing. Other options are identical. Please test :) Amos, I'd like it if you can include this in 3.1.2 Mumble. How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze? LD I have a typo: my salt should be my $salt, sorry Can you make the option --md5 instead please? Possibilities are not limited to Joomla and they may change someday. The option needs to be added to the documentation sections of the helper as well. Amos I don't get you about cross the security, what I did is that the --joomla flag does a different SQL request and because the Joomla hash is like this: hash:salt I did split and compare. By default Joomla uses md5 (I'm not a Joomla master, I don't know when Joomla uses other hashings). If you want, later I may add also --md5 to store md5 passwords, and --digest-auth to support digest authentication :) but later jejeje
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Le jeudi 22 avril 2010 20:09:57, Amos Jeffries a écrit : Luis Daniel Lucio Quiroz wrote: Le jeudi 22 avril 2010 15:49:55, Luis Daniel Lucio Quiroz a écrit : HI all As a requirement of one client, he wants to use joomla user database to let squid authenticate. I did patch squid_db_auth that Henrik has written in order to support joomla hash conditions. I did add one usefull option to script --joomla in order to activate joomla hashing. Other options are identical. Please test :) Ammos, I'd like if you can include this in 3.1.2 Mumble. How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze? LD I have a typo in my salt should be my $salt sorry Can you make the option --md5 instead please? Possibilities are not limited to Joomla and they may change someday. The option needs to be added to the documentation sections of the helper as well. Amos I did fix some warnings it works, tested with joomla 1.5.14 :) --- helpers/basic_auth/DB/squid_db_auth.in 2010-03-29 12:02:56.0 +0200 +++ helpers/basic_auth/DB/squid_db_auth.in.dlucio 2010-04-23 05:04:40.0 +0200 @@ -1,8 +1,9 @@ #...@perl@ -use strict; +#use strict; use DBI; use Getopt::Long; use Pod::Usage; +use Digest::MD5 qw(md5 md5_hex md5_base64); $|=1; =pod @@ -22,6 +23,8 @@ my $db_cond = enabled = 1; my $plaintext = 0; my $persist = 0; +my $isjoomla = 0; +my $debug = 0; =pod @@ -62,6 +65,7 @@ =item B--cond Condition, defaults to enabled=1. Specify 1 or for no condition +If you use --joomla flag, this condition will be changed to block=0 =item B--plaintext @@ -71,6 +75,10 @@ Keep a persistent database connection open between queries. +=item B--joomla + +Tell helper that user database is joomla db. So salt hasing is understood. + =back =cut 
@@ -85,14 +93,18 @@ 'cond=s' = \$db_cond, 'plaintext' = \$plaintext, 'persist' = \$persist, + 'joomla' = \$isjoomla, + 'debug' = \$debug, ); -my ($_dbh, $_sth); +$db_cond = block = 0 if $isjoomla; + sub close_db() { return if !defined($_dbh); $_dbh-disconnect(); +$_sth-finish(); undef $_dbh; undef $_sth; } @@ -113,10 +125,17 @@ { my ($password, $key) = @_; -return 1 if crypt($password, $key) eq $key; +if ($isjoomla){ +my $salt; +my $key2; +($key2,$salt) = split (/:/, $key); +return 1 if md5_hex($password.$salt).':'.$salt eq $key; +} +else{ +return 1 if crypt($password, $key) eq $key; -return 1 if $plaintext $password eq $key; - +return 1 if $plaintext $password eq $key; +} return 0; } @@ -155,8 +174,9 @@ =head1 COPYRIGHT Copyright (C) 2007 Henrik Nordstrom hen...@henriknordstrom.net +Copyright (C) 2010 Luis Daniel Lucio Quiroz dlu...@okay.com.mx (Joomla support) + This program is free software. You may redistribute copies of it under the terms of the GNU General Public License version 2, or (at youropinion) any later version. - =cut
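Review bot: commenting out `use strict` in the `@@ -1,8 +1,9 @@` hunk silences the warnings instead of fixing them; they arise because a later hunk deletes `my ($_dbh, $_sth);`, leaving the two global handles undeclared. Restore that declaration and keep `use strict`; a script that decides who gets through the proxy is the last place to turn strict mode off.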
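Review bot: the new `=item B--joomla` text in the `@@ -71,6 +75,10 @@` hunk has a typo ("hasing") and under-documents the option: state the stored format it expects (`md5hex:salt`), that it forces the `--cond` value (so any `--cond` given on the command line is ignored), and that `--plaintext` has no effect while `--joomla` is set, since the plaintext branch is skipped.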
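Review bot: in the `@@ -85,14 +93,18 @@` hunk, `$db_cond = block = 0 if $isjoomla;` runs after option parsing and so silently overrides whatever the admin passed with `--cond`; as the reply in this thread says, `--cond block=0` in squid.conf achieves the same without a second code path. In `close_db()`, the added `$_sth-finish()` comes after `$_dbh-disconnect()`, which is the wrong order (finish the statement handle first, then disconnect), and `$_sth` is undefined when the helper exits before any query has run, so the method call on undef will die; guard it with `if defined $_sth` and place it before the disconnect.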
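Review bot: the `@@ -113,10 +125,17 @@` hunk now has the `split`, but `$key2` is still computed and never used, and a stored value without a `:` leaves `$salt` undefined. Suggest `my ($hash, $salt) = split(/:/, $key, 2); return 0 unless defined $salt; return 1 if md5_hex($password.$salt) eq $hash;`, which also avoids rebuilding the whole `hash:salt` string for the comparison and uses a split limit so a delimiter inside the salt is kept. If the delimiter becomes configurable as proposed later in the thread, quote it with `\Q...\E` in the split pattern so characters such as `$` or `|` are not treated as regex metacharacters.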
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Luis Daniel Lucio Quiroz wrote: On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote: Luis Daniel Lucio Quiroz wrote: On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote: Hi all. As a requirement of one client, he wants to use the Joomla user database to let Squid authenticate. I did patch squid_db_auth that Henrik has written in order to support Joomla hash conditions. I did add one useful option to the script, --joomla, in order to activate Joomla hashing. Other options are identical. Please test :) Amos, I'd like it if you can include this in 3.1.2 Mumble. How do other users feel about it? Useful enough to cross the security bugs and regressions only freeze? LD I have a typo: my salt should be my $salt, sorry Can you make the option --md5 instead please? Possibilities are not limited to Joomla and they may change someday. The option needs to be added to the documentation sections of the helper as well. Amos I don't get you about cross the security, 3.1 is under feature freeze. Anything not a security fix or regression needs to have some good reasons to be committed. I'm trying to stick to the freeze a little more with 3.1 than with 3.0, to get back into the habit of it. Particularly since we look like having a good foothold on the track for 12-month releases now. What I did is that the --joomla flag does a different SQL request and because the Joomla hash is like this: hash:salt I did split and compare. By default Joomla uses md5 (I'm not a Joomla master, I don't know when Joomla uses other hashings) I intend to use this auth helper myself for other systems, and there are others who ask about a DB helper occasionally. Taking a better look at your changes ... The first one: db_conf = block = 0 seems to be useless. All it does is hard-code a different default value for the --cond option. For Joomla the squid.conf should instead contain: --cond block=0 Which leaves the salted/non-salted hash change.
Adding this: --salt-delimiter D To configure character(s) between the hash and salt values. Will not lock people into the specific Joomla syntax of colon. There are examples and tutorials out there for app design that use other delimiters. Doing both of those changes Joomla would be configured with: ... --cond block=0 --salt-delimiter : If you want, later I may add also --md5 to store md5 passwords, and --digest-auth to support digest authentication :) but later jejeje Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
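The password check as Amos proposes it, with the condition supplied through `--cond` and the hash/salt separator through `--salt-delimiter`, as an added example in Python that is not the helper's own Perl code: it verifies `md5hex<delimiter>salt` values the way the Joomla branch of the patch intends, with the defects noted in the thread (unused hash field, no split limit, undefined salt) handled. The user table is constructed in place of the SQL query, the `lookup` function models only a `column=value` condition, and the helper input is taken as a plain `user password` line; the real helper must also URL-decode those two fields as Squid escapes them.

```python
import hashlib
import hmac


def make_stored(password, salt, delimiter=":"):
    """Build a Joomla-style stored value: md5hex(password + salt) + delimiter + salt.

    Only used here to construct sample rows; a real database already holds them.
    """
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}{delimiter}{salt}"


def check_password(password, stored, salt_delimiter=":", plaintext=False):
    """True if password matches the stored credential.

    stored is either 'md5hex<delimiter>salt' (Joomla and similar apps) or,
    when --plaintext is in effect, the literal password. crypt()-style
    hashes, which the original helper also accepts, are left out here.
    """
    if stored is None:
        return False
    if salt_delimiter and salt_delimiter in stored:
        # Split at most once, so a delimiter inside the salt survives.
        digest, salt = stored.split(salt_delimiter, 1)
        calc = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
        return hmac.compare_digest(calc, digest.lower())
    if plaintext:
        return hmac.compare_digest(password, stored)
    return False


# Constructed user table standing in for the SQL table the helper queries;
# each row is (stored password field, block flag), as Joomla's users table has.
USERS = {
    "alice": (make_stored("correct horse", "Zq3x9f"), 0),
    "bob":   (make_stored("hunter2", "a:b"), 0),       # salt containing the delimiter
    "carol": (make_stored("letmein", "s4lt"), 1),      # blocked account
    "dave":  ("plainpw", 0),                           # only usable with --plaintext
}


def lookup(user, cond):
    """Mimic 'SELECT password FROM users WHERE username=? AND <cond>'.

    Only a 'block=<n>' condition is modelled, enough for --cond block=0.
    """
    row = USERS.get(user)
    if row is None:
        return None
    stored, block = row
    column, _, value = cond.partition("=")
    if column.strip() == "block" and str(block) != value.strip():
        return None
    return stored


def handle_line(line, cond="block=0", salt_delimiter=":", plaintext=False):
    """One basic-auth helper exchange: input 'user password', reply OK or ERR."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    stored = lookup(user, cond)
    return "OK" if check_password(password, stored, salt_delimiter, plaintext) else "ERR"
```

The `bob` row shows why the split limit matters: with the patch's unlimited `split(/:/, ...)` the salt `a:b` would be read as `a` and a valid login would be refused, while a blocked account such as `carol` is rejected by the condition before any hash is compared.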