Re: [squid-users] Squid bandwidth
Wake me up when September ends, Jeff!

2010/05/04 21:49:58 +0800 Jeff Pang => To badaim2 :

JP> > Any real time example squid code is there for my bandwidth configuration?
JP> From what I know you can't do that with current features of Squid.
JP> You may need some customized code to Squid, this is the reason I once
JP> asked squid developers to provide us a development API like Apache's.

BTW, even with that time of reaction I mentioned for my solution on a previous post here, the couples of minutes, I was wishing squid to be able to log the long-time downloads by their parts completed to access.log which should probably make the reaction time to be of any reasonable since some of the downloads via squid may last for hours and days and access.log entry appears only after them completed. Needless to say how much helpful that may happen for user to override any traffic quotas/limits.

There was a patch for partial logging, is it of any actual? Just can't find it again. By the time passed since that I think squid could find its own way about this problem though. Should be nice to know about that.

73! Peter
pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
[squid-users] FW: TCP/MISS 500
I start receiving the TCP_MISS/500:

1273224302.686 83 xxx.xxx.xxx.xxx TCP_MISS/500 539 GET http://domain.com/url - FIRST_UP_PARENT/kallisto text/html

How can I prevent this error? The cache_peer is working quite well. If I request the site without using squid I don't receive any errors.

my squid.conf
--snip
http_port 80 accel defaultsite=domain.com vhost
cache_peer xxx.xxx.xxx.xxx parent 80 0 no-query originserver name=kallisto
access_log /var/log/squid/access.log
#cache_log /var/log/squid/cache.log
#cache_store_log /var/log/squid/store.log
#ACL
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdom_regex .*domain.com.*
allways_direct allow our_sites
http_access allow our_sites
cache_peer_access kallisto allow our_sites
cache_peer_access kallisto deny all
--snap

- daniel
RE: [squid-users] Increasing File Descriptors
Hassan is correct. We currently pulled all three of our production servers offline because the last we can afford is to run out of FDs which causes serious issues to the users. We run an actual Squid count of around 1500 users on all three but some of those are NATed addresses of around 100 or more users each so it gives us around 5000 total. During peak usage two weeks ago when we pulled them out of the stream we were hitting the limit of 32,768 and it promptly hosed the clients.

I will try the link and any and all suggestions and report back.

The good thing is that when Squid works, it works well and we were saving about 20-40mbit/second of bandwidth by caching content and video (using Videocache). Management really wants it back in production but not with this problem.

Thx
Steve

-Original Message-
From: Nyamul Hassan [mailto:mnhas...@usa.net]
Sent: Thursday, May 06, 2010 4:15 PM
To: Squid Users
Subject: Re: [squid-users] Increasing File Descriptors

He needs more FDs because this single box is handling 5000 users over a 400mbps connection. We run around 2,000 users on generic hardware, and have seen FDs as high as 20k.

We use CentOS 5 and the following guide is a good place to increase the FD limit:
http://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/

The command "cat /proc/sys/fs/file-max" shows how many maximum FDs your OS can handle.

After you've made sure that your OS is doing your desired FD limit, please re-run Squid. Squid shows how many FDs it is configured for in its "General Runtime Information" (mgr:info in cli) from the CacheMgr interface. If this still shows lower than the OS limit you just saw earlier, then you might need to recompile Squid with the '--with-maxfd=' flag set during "./configure"

As a side note, if you are using Squid as a forward proxy, you might have better results with Squid 2.7x.

Regards
HASSAN

On Fri, May 7, 2010 at 00:53, George Herbert wrote:
>
> Do this:
>
> ulimit -Hn
>
> If the values is 32768 that's your current kernel/sys max value and
> you're stuck.
>
> If it's more than 32768 (and my RHEL 5.3 box says 65536) then you
> should be able to increase up to that value. Unless there's an
> internal signed 16-bit int involved in FD tracking inside the Squid
> code then something curious is happening...
>
> However - I'm curious as to why you'd need that many. I've had top
> end systems with Squid clusters running with compiles of 16k file
> descriptors and only ever really used 4-5k. What are you doing that
> you need more than 32k?
>
>
> -george
>
> On Thu, May 6, 2010 at 10:32 AM, Bradley, Stephen W. Mr.
> wrote:
> > Unfortunately won't work for me above 32768.
> >
> > I have the ulimit in the startup script and that works okay but I need more
> > the 32768.
> >
> > :-(
> >
> >
> >
> > -Original Message-
> > From: Ivan . [mailto:ivan...@gmail.com]
> > Sent: Thursday, May 06, 2010 5:17 AM
> > To: Bradley, Stephen W. Mr.
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] Increasing File Descriptors
> >
> > worked for me
> >
> > http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/
> >
> > no recompile necessary
> >
> >
> > On Thu, May 6, 2010 at 7:13 PM, Bradley, Stephen W. Mr.
> > wrote:
> >> I can't seem to get increase the number above 32768 no matter what I do.
> >>
> >> Ulimit during compile, sysctl.conf and everything else but no luck.
> >>
> >>
> >> I have about 5,000 users on a 400mbit connection.
> >>
> >> Steve
> >>
> >> RHEL5 64bit with Squid 3.1.1
>
>
>
> --
> -george william herbert
> george.herb...@gmail.com
>
[squid-users] Re: squid_ldap_auth
So I guess the only way to get it to work like NTLM is to use NTLM? Well, I'm not sure what we're going to do when we can't use it any longer, but that will work for now. Thanks all, David -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-ldap-auth-tp2126169p2134106.html Sent from the Squid - Users mailing list archive at Nabble.com.
RE: [squid-users] Increasing File Descriptors - Fixed!!
Got it resolved!

cat /proc/sys/fs/file-max showed that I could go as high as 3,138,830 FDs.

I changed the compile options to --with-maxfd=128000 and recompiled and installed it. I changed the line in my /etc/init.d/squid script to ulimit -HSn 128000 and restarted.

I thought I had tried all this before but evidently not. If it almost held the load at 32,768 then at 128,000 I should have enough head room to keep us safe, for now.

Thanks to all who responded.

steve
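The three limits this thread works through (the kernel's file-max, the hard ulimit of the shell that starts Squid, and the maximum Squid itself reports in mgr:info) can be checked together. The script below is an added example, not code from the thread or from the Squid project; the mgr:info excerpt is constructed, and the function names and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): work out which layer caps Squid's
# file descriptors and how close current usage is to that cap.

WARN_PCT=80   # assumed alert threshold, percent of Squid's maximum

# Constructed sample in the layout of the "File descriptor usage" part of
# Squid's mgr:info report; the numbers mirror the situation in the thread.
SAMPLE_MGR_INFO='File descriptor usage for squid:
        Maximum number of file descriptors:   32768
        Largest file desc currently in use:   31877
        Number of file desc currently in use: 31502
        Files queued for open:                    0
        Available number of file descriptors:  1266
        Reserved number of file descriptors:    100'

# mgr_field LABEL: read mgr:info text on stdin, print the number on the
# first line whose label matches LABEL.
mgr_field() {
    awk -F: -v pat="$1" '$1 ~ pat { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# "ulimit -Hn" may print "unlimited"; map that to a large number so the
# comparisons below stay numeric.
to_number() {
    if [ "$1" = unlimited ]; then echo 2147483647; else echo "$1"; fi
}

# fd_bottleneck KERNEL_FILE_MAX HARD_ULIMIT SQUID_MAX
# Prints the layer to raise first:
#   kernel       fs.file-max (system-wide) is not above Squid's maximum
#   squid-build  Squid reports less than the shell allows (--with-maxfd)
#   ulimit       Squid already uses everything the start-up shell allows
fd_bottleneck() {
    kernel=$(to_number "$1"); hard=$(to_number "$2"); squid=$(to_number "$3")
    if [ "$kernel" -le "$squid" ]; then
        echo kernel
    elif [ "$squid" -lt "$hard" ]; then
        echo squid-build
    else
        echo ulimit
    fi
}

# fd_report MGR_INFO_TEXT KERNEL_FILE_MAX HARD_ULIMIT
fd_report() {
    max=$(printf '%s\n' "$1" | mgr_field 'Maximum number of file descriptors')
    used=$(printf '%s\n' "$1" | mgr_field 'Number of file desc currently in use')
    pct=$(( used * 100 / max ))
    if [ "$pct" -ge "$WARN_PCT" ]; then status=WARN; else status=OK; fi
    echo "cap=$(fd_bottleneck "$2" "$3" "$max") max=$max used=$used pct=$pct status=$status"
}

# Demo on the constructed sample: the kernel allows 3138830, the init
# script sets 128000, but this Squid build still stops at 32768.
fd_report "$SAMPLE_MGR_INFO" 3138830 128000

# Live use on a Squid host (not run here). The ulimit must be read in the
# same environment that starts Squid, e.g. inside the init script:
#   fd_report "$(squidclient mgr:info)" "$(cat /proc/sys/fs/file-max)" "$(ulimit -Hn)"
```

A `cap=squid-build` result matches the state before the fix reported above; after the rebuild and the init-script change the same call would report `ulimit` until the shell limit is raised again.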
Re: [squid-users] Re: squid_ldap_auth
What about kerberos auth and use the squid_kerb_ldap lookup?

cheers

On 07/05/2010 13:45, "burbankmarc" wrote:

So I guess the only way to get it to work like NTLM is to use NTLM? Well, I'm not sure what we're going to do when we can't use it any longer, but that will work for now.

Thanks all,
David
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-ldap-auth-tp2126169p2134106.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Compile errors on Ubuntu 10.4
I suspect I'm doing something wrong as I'm new to Ubuntu, 3.1.3 works fine on my Slackware box :)

Thanks!

If it's relevant...

OpenSSL 0.9.8k 25 Mar 2009
g++ (Ubuntu 4.4.3-4ubuntu5) 4.4.3

Configure options:

./configure --enable-ssl --enable-linux-netfilter --enable-htcp --enable-snmp --enable-storeio=ufs,diskd,aufs --enable-async-io --with-aio --with-large-files --enable-removal-policies=heap

Appears to bomb here:

g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../src -I../../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -D_REENTRANT -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -MT AsyncCall.lo -MD -MP -MF .deps/AsyncCall.Tpo -c AsyncCall.cc -fPIC -DPIC -o .libs/AsyncCall.o
In file included from ../../src/squid.h:272,
                 from AsyncCall.cc:5:
../../src/ssl_support.h:58: error: expected constructor, destructor, or type conversion before ‘*’ token
In file included from ../../src/squid.h:272,
                 from AsyncCall.cc:5:
../../src/ssl_support.h:61: error: expected constructor, destructor, or type conversion before ‘*’ token
../../src/ssl_support.h:74: error: ‘SSL’ was not declared in this scope
../../src/ssl_support.h:74: error: ‘ssl’ was not declared in this scope
../../src/ssl_support.h:77: error: typedef ‘SSLGETATTRIBUTE’ is initialized (use decltype instead)
../../src/ssl_support.h:77: error: ‘SSL’ was not declared in this scope
../../src/ssl_support.h:77: error: expected primary-expression before ‘,’ token
../../src/ssl_support.h:77: error: expected primary-expression before ‘const’
../../src/ssl_support.h:80: error: ‘SSLGETATTRIBUTE’ does not name a type
../../src/ssl_support.h:83: error: ‘SSLGETATTRIBUTE’ does not name a type
../../src/ssl_support.h:86: error: ‘SSL’ was not declared in this scope
../../src/ssl_support.h:86: error: ‘ssl’ was not declared in this scope
../../src/ssl_support.h:89: error: ‘SSL’ was not declared in this scope
../../src/ssl_support.h:89: error: ‘ssl’ was not declared in this scope
In file included from ../../src/squid.h:318,
                 from AsyncCall.cc:5:
../../src/structs.h:615: error: ISO C++ forbids declaration of ‘SSL_CTX’ with no type
../../src/structs.h:615: error: expected ‘;’ before ‘*’ token
../../src/structs.h:959: error: ISO C++ forbids declaration of ‘SSL_CTX’ with no type
../../src/structs.h:959: error: expected ‘;’ before ‘*’ token
../../src/structs.h:960: error: ISO C++ forbids declaration of ‘SSL_SESSION’ with no type
../../src/structs.h:960: error: expected ‘;’ before ‘*’ token
make[3]: *** [AsyncCall.lo] Error 1
make[3]: Leaving directory `/usr/src/squid-3.1.3/src/base'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/squid-3.1.3/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/squid-3.1.3/src'
make: *** [all-recursive] Error 1

--
Chris Horry
zer...@wibble.co.uk
http://www.wibble.co.uk
Re: [squid-users] Compile errors on Ubuntu 10.4
On Fri, May 7, 2010 at 5:10 PM, Chris Horry wrote:
> I suspect I'm doing something wrong as I'm new to Ubuntu, 3.1.3 works
> fine on my Slackware box :)

Your Ubuntu box is probably missing some openssl-related header files.
Please check that you have installed the openssl-dev package.

--
/kinkie
[squid-users] weird problem with gmail, firefox and squid 2.7
Hi List,

I am having a weird problem with gmail. When I tried to load the gmail page using firefox 3.5.x and squid 2.7.7 the login form of the page does not appear.

If I use IE it works, regardless the squid version.
If I use Firefox 2.X it works, regardless the squid version.
If I use firefox 3.5.x and Squid 2.6.6 it works.

This only happens with firefox 3.5.x and squid 2.7.7.

Any help ?

Thanks
Galle
[squid-users] HTTPS and Squid
Typically, all of our proxy clients connect to our Squid servers via HTTP (TCP/80). If they request a HTTPS site, Squid will CONNECT to the site and tunnel the data back to the client via HTTP.

I have a scenario now where the entire stream needs to be HTTPS:

(HTTPS)-(HTTPS)

How would I support this in Squid? Would I need to add a "https_port" and install a SSL certificate on the proxy server? Would the proxy server then decrypt data from the and re-encrypt it using SSL certificate on the way out to the Internet?

Thanks,

Josh
Re: [squid-users] Compile errors on Ubuntu 10.4
On 07/05/10 11:21, Kinkie wrote:
> On Fri, May 7, 2010 at 5:10 PM, Chris Horry wrote:
>> I suspect I'm doing something wrong as I'm new to Ubuntu, 3.1.3 works
>> fine on my Slackware box :)
>
> Your Ubuntu box is probably missing some openssl-related header files.
> Please check that you have installed the openssl-dev package.

Yes that's exactly what it was. In case anyone else is having issue, the package is called "libssl-dev".

Thanks,
Chris

--
Chris Horry
zer...@wibble.co.uk
http://www.wibble.co.uk
[squid-users] RE: HTTPS and Squid
Ok, perhaps I misunderstood how CONNECT works.

When Squid CONNECT's to a remote webserver via HTTPS, the tunnel is created between the user and the remote server.. so is all data sent over HTTPS (from the remote server to the client using the squid proxy)?

Thanks,

Josh

-Original Message-
From: Baird, Josh
Sent: Friday, May 07, 2010 1:17 PM
To: 'squid-users@squid-cache.org'
Subject: HTTPS and Squid

Typically, all of our proxy clients connect to our Squid servers via HTTP (TCP/80). If they request a HTTPS site, Squid will CONNECT to the site and tunnel the data back to the client via HTTP.

I have a scenario now where the entire stream needs to be HTTPS:

(HTTPS)-(HTTPS)

How would I support this in Squid? Would I need to add a "https_port" and install a SSL certificate on the proxy server? Would the proxy server then decrypt data from the and re-encrypt it using SSL certificate on the way out to the Internet?

Thanks,

Josh
Re: [squid-users] weird problem with gmail, firefox and squid 2.7
Hi there,

There are a lot of issues at the moment with FireFox 3.x.x. It has issues in so many areas, especially with some java applets. I would investigate that if I were you. It could well be a Firefox problem rather than a Squid issue.

Try and use Firefox from somewhere else and see what happens.

Regards
Adam

- Original Message -
From: "Diego"
To:
Sent: Friday, May 07, 2010 6:23 PM
Subject: [squid-users] weird problem with gmail, firefox and squid 2.7

Hi List,

I am having a weird problem with gmail. When I tried to load the gmail page using firefox 3.5.x and squid 2.7.7 the login form of the page does not appear.

If I use IE it works, regardless the squid version.
If I use Firefox 2.X it works, regardless the squid version.
If I use firefox 3.5.x and Squid 2.6.6 it works.

This only happens with firefox 3.5.x and squid 2.7.7.

Any help ?

Thanks
Galle
Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)
Le samedi 1 mai 2010 20:57:22, Amos Jeffries a écrit :
> Luis Daniel Lucio Quiroz wrote:
> > Le vendredi 23 avril 2010 00:20:13, Amos Jeffries a écrit :
> >> Luis Daniel Lucio Quiroz wrote:
> >>> Le jeudi 22 avril 2010 20:09:57, Amos Jeffries a écrit :
> Luis Daniel Lucio Quiroz wrote:
> > Le jeudi 22 avril 2010 15:49:55, Luis Daniel Lucio Quiroz a écrit :
> >> HI all
> >>
> >> As a requirement of one client, he wants to use joomla user database
> >> to let squid authenticate.
> >>
> >> I did patch squid_db_auth that Henrik has written in order to
> >> support joomla hash conditions.
> >>
> >> I did add one useful option to script
> >>
> >> --joomla
> >>
> >> in order to activate joomla hashing. Other options are identical.
> >> Please test :)
> >>
> >> Amos, I'd like if you can include this in 3.1.2
>
> Mumble.
>
> How do other users feel about it? Useful enough to cross the security
> bugs and regressions only freeze?
>
> >> LD
> >
> > I have a typo in
> > my salt
> >
> > should be
> > my $salt
> >
> > sorry
>
> Can you make the option --md5 instead please?
>
> Possibilities are not limited to Joomla and they may change someday.
>
> The option needs to be added to the documentation sections of the
> helper as well.
>
> Amos
> >>>
> >>> I dont get you about "cross the security",
> >>
> >> 3.1 is under feature freeze. Anything not a security fix or regression
> >> needs to have some good reasons to be committed.
> >>
> >> I'm trying to stick to the freeze a little more with 3.1 than with 3.0,
> >> to get back into the habit of it. Particularly since we look like having
> >> a good foothold on the track for 12-month releases now.
> >>
> >>> what i did is that --joomla flag do different sql request and because
> >>> joomla hash is like this:
> >>> hash:salt
> >>> i did split and compare. by default joomla uses md5 (i'm not a joomla
> >>> master, i dont know when joomla uses other hashings)
> >>
> >> I intend to use this auth helper myself for other systems, and there are
> >> others who ask about a DB helper occasionally.
> >>
> >>
> >> Taking a better look at your changes ...
> >>
> >> The first one: db_conf = "block = 0" seems to be useless. All it does
> >> is hard-code a different default value for the --cond option.
> >>
> >>For Joomla the squid.conf should instead contain:
> >> --cond " block=0 "
> >>
> >> Which leaves the salted/non-salted hash change.
> >>
> >> Adding this:
> >>--salt-delimiter D
> >>
> >> To configure character(s) between the hash and salt values. Will not to
> >> lock people into the specific Joomla syntax of colon. There are
> >> examples and tutorials out there for app design that use other
> >> delimiters.
> >>
> >> Doing both of those changes Joomla would be configured with:
> >>... --cond " block=0 " --salt-delimiter ":"
> >>>
> >>> if you want, later i may add also --md5 to store md5 password, and
> >>> --digest- auth to support digest authentication :) but later jejeje
> >>
> >> Amos
> >
> > HI
> > i've just update my patch to fit 3.1.2
> >
> >
> > I hope this could be included since it is based on todays snapshot.
> >
> > Regards,
> >
> > LD
>
> Thank you.
>
> You still have the --joomla flag. I thought you agreed to call it
> something like the --salt and take the delim character ?
>
> Amos

Amos + team,

i was adding salt support and i realize of this line

return 1 if crypt($password, $key) eq $key;

as far as i know this is impossible, because crypt using a salt wont be eq to that key, because there are many scenarios i did let this line in my patch and add another to use static salt

I also add a --sql option to let user specify complex queries. As i was needing it to work with an INNER JOIN.

I hope you can review it.

LD --- helpers/basic_auth/DB/squid_db_auth.in.orig 2010-05-03 18:36:22.0 +0200 +++ helpers/basic_auth/DB/squid_db_auth.in 2010-05-07 22:54:50.0 +0200 @@ -1,8 +1,9 @@ #...@perl@ -use strict; +#use strict; use DBI; use Getopt::Long; use Pod::Usage; +use Digest::MD5 qw(md5 md5_hex md5_base64); $|=1; =pod @@ -22,6 +23,10 @@ my $db_cond = "enabled = 1"; my $plaintext = 0; my $persist = 0; +my $isjoomla = 0; +my $debug = 0; +my $hashsalt = undef; +my $sql = undef; =pod @@ -62,15 +67,30 @@ =item B<--cond> Condition, defaults to enabled=1. Specify 1 or "" for no condition +If you use --joomla flag, this condition will be changed to block=0 =item B<--plaintext> Database contains plain-text passwords +=item B<--salt> + +Selects the correct salt to evaluate passwords + =item B<--persist> Keep a persistent database connection open between queries. +=item B<--joomla> + +Tells helper that user database is joomla db. So salt hasing is +understood. + +=item
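Review bot: the first hunk (@@ -1,8 +1,9 @@) turns "use strict;" into "#use strict;" instead of making the new code strict-clean. In an authentication helper that hides exactly the kind of mistake already mentioned in this thread ("my salt" versus "my $salt"): a misspelled variable becomes an empty global rather than a compile error, and the comparison then runs against an undefined value. Please restore "use strict;" and declare the new variables with "my". The Digest::MD5 import also pulls in md5, md5_hex and md5_base64; import only the function the comparison uses.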
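Review bot: in the second hunk (@@ -22,6 +23,10 @@) the new "my $isjoomla = 0;" keeps the application-specific switch that the review earlier in this thread asked to replace with a generic salt option plus "--cond block=0" in squid.conf. With "my $hashsalt" added two lines below, $isjoomla looks redundant; consider dropping it and deriving the behaviour from the salt option alone. The "= undef" initialisers on $hashsalt and $sql are unnecessary, since "my" already leaves them undefined.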
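Review bot: in the third hunk (@@ -62,15 +67,30 @@) the POD added for --salt ("Selects the correct salt to evaluate passwords") does not say what value the option takes or how the salt is combined with the password, so an administrator cannot configure it from the documentation; state whether it expects a static salt string or a delimiter and give one example. The line added under --cond ("If you use --joomla flag, this condition will be changed to block=0") documents an option that silently rewrites another option's default; an explicit --cond block=0 would be easier to audit. "hasing" in the --joomla item should be "hashing".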
[squid-users] spaces with helpers
/usr/lib64/squid/squid_db_auth --dsn=DBI:mysql:joomla:localhost --user=root --table=jos15_users --usercol=username --passwdcol=password --cond=block=0 --plaintext --sql='select jos15_users.password from jos15_users INNER JOIN jos15_acctexp_subscr ON jos15_users.id = jos15_acctexp_subscr.userid WHERE (jos15_acctexp_subscr.status LIKE "Active" OR jos15_acctexp_subscr.status LIKE "Excluded") AND jos15_users.username = ?'

this helper in command line works, but when writing it to squid it fails. I know it is because i add the --sql param but i dont get how shall i escape that sentence to make it work inside squid

any help please?

LD
[squid-users] Re: spaces with helpers
Le vendredi 7 mai 2010 16:45:11, Luis Daniel Lucio Quiroz a écrit :
> /usr/lib64/squid/squid_db_auth --dsn=DBI:mysql:joomla:localhost --user=root
> -- table=jos15_users --usercol=username --passwdcol=password
> --cond=block=0 -- plaintext --sql='select jos15_users.password from
> jos15_users INNER JOIN jos15_acctexp_subscr ON jos15_users.id =
> jos15_acctexp_subscr.userid WHERE (jos15_acctexp_subscr.status LIKE
> "Active" OR jos15_acctexp_subscr.status LIKE "Excluded") AND
> jos15_users.username = ?'
>
> this helper in command line works, but when writing it to squid it fails.
> I know it is bause i add the --sql param but i dont gethow shall i escape
> that sentense to make it work inside squid
>
> any help please?
>
> LD

odd this should be documented
spaces should need to be escaped \

--sql=select\ jos15_users.password\ from\ jos15_users\ INNER\ JOIN\ jos15_acctexp_subscr\ ON\ jos15_users.id\ =\ jos15_acctexp_subscr.userid\ WHERE\ \(jos15_acctexp_subscr.status\ LIKE\ \"Active\"\ OR\ jos15_acctexp_subscr.status\ LIKE\ \"Excluded\"\)\ AND\ jos15_users.username\ \=\ \?

this is how it works
[squid-users] Squid NTLM authentication against Windows 2008 R2 AD
My organization is about to upgrade our Windows 2000 AD to Windows 2008 R2. I use winbind in Samba 3.0.30 with Squid and NTLM to authenticate my users. Today I joined my test Squid server to the Windows 2008 R2 domain for testing. Joining the domain worked but authentication using the Samba tools (ntlm_auth/wbinfo) does not. I've read this may be a known problem. I've also read that upgrading to Samba 3.3x might fix it.

Can anyone confirm this is a known issue and what options there are to fix it? I understand this isn't a Squid problem, but I figured someone here must have run into this by now.

-Mike
Re: [squid-users] RE: HTTPS and Squid
2010/5/8 Baird, Josh :
> Ok, perhaps I misunderstood how CONNECT works.
>
> When Squid CONNECT's to a remote webserver via HTTPS, the tunnel is
> created between the user and the remote server..

Not thus. If so squid isn't a proxy. That's what the job STunnel(.org) will do.

--
Tech support agent in China
http://duxieweb.com/
Re: [squid-users] weird problem with gmail, firefox and squid 2.7
2010/5/8 Diego :
>
> Hi List,
> I am having a weird problem with gmail.
> When I tried to load the gmail page using firefox 3.5.x and squid 2.7.7 the
> login form of the page does not appear.
>
> If I use IE it works, regardless the squid version.
> If I use Firefox 2.X it works, regardless the squid version.
> If I use firefox 3.5.x and Squid 2.6.6 it works.
>
> This only happens with firefox 3.5.x and squid 2.7.7.
>

Try to use HttpFox (for firefox) to capture the request headers and response headers to see what happened between Squid and your browser.

--
Tech support agent in China
http://duxieweb.com/
Re: [squid-users] RE: HTTPS and Squid
Hi!

On Fri, May 7, 2010 at 2:14 PM, Baird, Josh wrote:
> Ok, perhaps I misunderstood how CONNECT works.
>
> When Squid CONNECT's to a remote webserver via HTTPS, the tunnel is
> created between the user and the remote server.. so is all data sent
> over HTTPS (from the remote server to the client using the squid proxy)?

When a client request a https page, it does a CONNECT method, and thus: squid opens the connection to the remote ip:port and start passing thru the data to the client's connection. That's all.

If a client request a "normal" web page (http), all communication is unencrypted, from client to proxy and from proxy to remote server, and the server download things, and then send them to the client.

>
> Thanks,
>
> Josh
>
> -Original Message-
> From: Baird, Josh
> Sent: Friday, May 07, 2010 1:17 PM
> To: 'squid-users@squid-cache.org'
> Subject: HTTPS and Squid
>
> Typically, all of our proxy clients connect to our Squid servers via
> HTTP (TCP/80). If they request a HTTPS site, Squid will CONNECT to the
> site and tunnel the data back to the client via HTTP.
>
> I have a scenario now where the entire stream needs to be HTTPS:
>
> (HTTPS)-(HTTPS) Internet>
>
> How would I support this in Squid? Would I need to add a "https_port"
> and install a SSL certificate on the proxy server? Would the proxy
> server then decrypt data from the and re-encrypt it using
> SSL certificate on the way out to the Internet?
>
> Thanks,
>
> Josh
>
>
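The difference described in the reply above is visible in access.log: a CONNECT entry records only the host:port of the tunnel, while a plain HTTP entry records the full URL. The script below is an added example, not code from the thread or from the Squid project; the log lines are constructed in the native access.log layout quoted earlier on this page, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): what the proxy can and cannot see.

# Constructed entries in Squid's native access.log layout:
# time elapsed-ms client result/status bytes method URL ident hierarchy type
SAMPLE_LOG='1273224302.686     83 192.0.2.10 TCP_MISS/200 539 GET http://example.com/report.html - DIRECT/198.51.100.7 text/html
1273224310.120  45210 192.0.2.10 TCP_MISS/200 18342 CONNECT mail.example.com:443 - DIRECT/198.51.100.20 -
1273224315.004     12 192.0.2.11 TCP_DENIED/403 1450 CONNECT chat.example.net:5222 - NONE/- text/html
1273224320.551    310 192.0.2.11 TCP_MISS/200 9120 CONNECT shop.example.org:443 - DIRECT/198.51.100.31 -'

# proxy_visibility: for each request print client, logged target and how
# much of the request the proxy knew about.
proxy_visibility() {
    awk '{
        if ($6 == "CONNECT") {
            # Only the tunnel endpoint is known; path, headers and body
            # travel inside TLS between the browser and the origin server.
            printf "%s %s tunnel-endpoint-only\n", $3, $7
        } else {
            printf "%s %s full-url\n", $3, $7
        }
    }'
}

# connect_tunnels: one line per CONNECT with port, outcome, relayed bytes
# and how long the tunnel stayed open.
connect_tunnels() {
    awk '$6 == "CONNECT" {
        split($4, rs, "/")        # rs[1] = result code, rs[2] = HTTP status
        n = split($7, hp, ":")    # hp[n] = destination port
        verdict = (rs[2] == "200") ? "tunneled" : "refused"
        printf "%s port=%s %s bytes=%s ms=%s\n", $7, hp[n], verdict, $5, $2
    }'
}

# opaque_bytes_by_client: bytes relayed through established tunnels per
# client, i.e. traffic the proxy carried without seeing its content.
opaque_bytes_by_client() {
    awk '$6 == "CONNECT" && $4 ~ /\/200$/ { sum[$3] += $5 }
         END { for (c in sum) print c, sum[c] }' | sort
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | proxy_visibility
printf '%s\n' "$SAMPLE_LOG" | connect_tunnels
printf '%s\n' "$SAMPLE_LOG" | opaque_bytes_by_client
```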