Re: [squid-users] Can't access www.permatanet.com using squid
can't access from LAN or PUBLIC ?

On Mon, Jun 7, 2010 at 11:07 AM, Firdaus Tjahyadi daus...@gmail.com wrote:
> Dear All
>
> I had set up a proxy using RHEL 5.4 and squid 2.7.STABLE9 but I can't access www.permatanet.com using this proxy, the browser keeps loading and never ends
>
> But if I use my existing proxy that uses RHEL 4.8 and squid 2.6.STABLE13 I can access www.permatanet.com
>
> anybody here can access www.permatanet.com using RHEL 5 Squid ?
> I think the problem is RHEL 5, not squid problem
>
> Thanks
> Regards

--
-=-=-=-=
hix, out of work again... out of work again
Re: [squid-users] Can't access www.permatanet.com using squid
2010/6/7 Die~~ ٩๏̯͡๏۶ ̿ ̿ ̿ ̿ ̿̿’\̵͇̿̿\=(•̪●) ɹɐzǝupɐɥʞ ɐzɹıɯ mirz...@gmail.com:
> can't access from LAN or PUBLIC ?

If we Set Proxy server user is access from LAN via Proxy Server

Thanks
Regards
Re: [squid-users] Can't access www.permatanet.com using squid
transparent ?
paste iptables and squid.conf mark with on your squid.conf for security reason

On Mon, Jun 7, 2010 at 2:12 PM, Firdaus Tjahyadi daus...@gmail.com wrote:
> 2010/6/7 Die~~ ٩๏̯͡๏۶ ̿ ̿ ̿ ̿ ̿̿’\̵͇̿̿\=(•̪●) ɹɐzǝupɐɥʞ ɐzɹıɯ mirz...@gmail.com:
>> can't access from LAN or PUBLIC ?
>
> If we Set Proxy server user is access from LAN via Proxy Server
>
> Thanks
> Regards

--
-=-=-=-=
hix, out of work again... out of work again
Re: [squid-users] Can't access www.permatanet.com using squid
2010/6/7 Die~~ ٩๏̯͡๏۶ ̿ ̿ ̿ ̿ ̿̿’\̵͇̿̿\=(•̪●) ɹɐzǝupɐɥʞ ɐzɹıɯ mirz...@gmail.com:
> transparent ?

No

Thanks
Regards
Re: [squid-users] Re: Adaptation::AllRules() after squid -k reconfigure
Hi, Henrik

Bug 2697 mentioned in this thread is considered fixed already in 3.1.4.

It's OK! Thank you!

Sincerely,
--
Mikio Kishi

2010/6/7 Henrik Nordström hen...@henriknordstrom.net:
> Mon 2010-06-07 at 02:34 +0900, Mikio Kishi wrote:
>> When will the fix be released ? Please tell me.
>
> When someone finds time to finish the fix. Finds time == finds the issue interesting to spend their spare time on, or have a paying customer wanting to have the issue fixed.
>
> Bug 2697 mentioned in this thread is considered fixed already in 3.1.4.
>
> Regards
> Henrik
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
On Fri, Jun 4, 2010 at 6:56 PM, Alex Marsal alex.mar...@carglass.es wrote:
> Hi everyone,
>
> We are just migrating some machines to Windows 7 and we are having a big issue. We have some users running itunes, blackberry manager (sync), mobile me... and they are unable to connect to those services from windows 7 + squid proxy enable. If squid is disabled on the web browser it works like a charm.
>
> We have other users with the same configuration running xp + squid without having the issues.
>
> Actually we are running squid 3.0.STABLE24 from an OpenSuSE server.
>
> Could anyone help us with this issue?

We'd need some more details. At a first glance it may seem an authentication-related issue: is the proxy requiring NTLM authentication?

--
/kinkie
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
Yes, we are using NTLM authentication to AD validation.

If you need any further information please let me know.

Thank you so much.

Kinkie gkin...@gmail.com wrote:
> On Fri, Jun 4, 2010 at 6:56 PM, Alex Marsal alex.mar...@carglass.es wrote:
>> Hi everyone,
>>
>> We are just migrating some machines to Windows 7 and we are having a big issue. We have some users running itunes, blackberry manager (sync), mobile me... and they are unable to connect to those services from windows 7 + squid proxy enable. If squid is disabled on the web browser it works like a charm.
>>
>> We have other users with the same configuration running xp + squid without having the issues.
>>
>> Actually we are running squid 3.0.STABLE24 from an OpenSuSE server.
>>
>> Could anyone help us with this issue?
>
> We'd need some more details. At a first glance it may seem an authentication-related issue: is the proxy requiring NTLM authentication?
>
> --
> /kinkie

DISCLAIMER: The e-mail message and all attachments transmitted with it are intended solely for the use of the addressee and may contain legally privileged and confidential information. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer. Any use or retransmission without proper authorisation is prohibited. You are cautioned that any communication over the Internet is not secure and may be intercepted by third parties. Please consider your environmental responsibility before printing this e-mail.
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
On Mon, Jun 7, 2010 at 10:21 AM, Alex Marsal alex.mar...@carglass.es wrote:
> Yes, we are using NTLM authentication to AD validation.
>
> If you need any further information please let me know.
>
> Thank you so much.

What helper are you using on Squid's side? It's possible that Win7 by default tightens the set of NTLM protocol variants it accepts to talk, and that the helper on squid's side doesn't match them properly. You may need to change helper on squid's side, or to issue a GPO telling Win7 hosts to talk more NTLM protocol variants.

--
/kinkie
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
I think actually we're using this one:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

Which other helper should we use?

Maybe it'll be easier for us to set up the gpo. Do you know exactly which gpo setting do we need to change?

thanx for your help mate

Kinkie gkin...@gmail.com wrote:
> On Mon, Jun 7, 2010 at 10:21 AM, Alex Marsal alex.mar...@carglass.es wrote:
>> Yes, we are using NTLM authentication to AD validation.
>>
>> If you need any further information please let me know.
>>
>> Thank you so much.
>
> What helper are you using on Squid's side? It's possible that Win7 by default tightens the set of NTLM protocol variants it accepts to talk, and that the helper on squid's side doesn't match them properly. You may need to change helper on squid's side, or to issue a GPO telling Win7 hosts to talk more NTLM protocol variants.
>
> --
> /kinkie
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
Alex Marsal wrote:
> I think actually we're using this one:
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> Which other helper should we use?

For NTLM the Samba helper (looks like that one) is the best to use.

The problem may be that Win7 and these apps in particular no longer support NTLM by default. Microsoft had an announcement a while back to the effect that they were phasing out NTLM over the Vista lifespan and it would be officially dead in Win7. That seems to have been roughly accurate going by people's experiences.

Here is a KB article on the LMv2 disabling:
http://support.microsoft.com/kb/976918

If your plan is to have the network Win7 based then Kerberos is recommended as the protocol to migrate to. It's more secure by way of better encryption and less network heavy than NTLM.

If you wish to retain XP on most and simply migrate a few Win7 boxes, you get stuck doing these setting changes.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4
Re: [squid-users] Squid + Windows 7 + itunes / BB / MobileMe
Actually we are not migrating all our boxes, just introducing Windows7 and found this problem.

What would be the best to fix this?

I found this (not sure if that's the same issue):

Run local GP on W7. Look for
local machine policy - computer config - windows setting - local policies - security option - Network security: LAN Manager authentication level
Set LM NTLM - Use NTLMv2 session if negotiated

Can I fix it with gpo settings? Which ones?

thank you guys

Amos Jeffries squ...@treenet.co.nz wrote:
> Alex Marsal wrote:
>> I think actually we're using this one:
>>
>> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>
>> Which other helper should we use?
>
> For NTLM the Samba helper (looks like that one) is the best to use.
>
> The problem may be that Win7 and these apps in particular no longer support NTLM by default. Microsoft had an announcement a while back to the effect that they were phasing out NTLM over the Vista lifespan and it would be officially dead in Win7. That seems to have been roughly accurate going by people's experiences.
>
> Here is a KB article on the LMv2 disabling:
> http://support.microsoft.com/kb/976918
>
> If your plan is to have the network Win7 based then Kerberos is recommended as the protocol to migrate to. It's more secure by way of better encryption and less network heavy than NTLM.
>
> If you wish to retain XP on most and simply migrate a few Win7 boxes, you get stuck doing these setting changes.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.4
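Added example (not part of the thread, and not Squid or Samba code): the "LAN Manager authentication level" policy discussed above decides which NTLM response variant a client sends, and that can be read from the type 3 (AUTHENTICATE) token in a Proxy-Authorization header. The function names are hypothetical, the sample tokens are constructed, and the MS-NLMP layout with a 64-byte fixed header (flags at offset 60) is assumed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # flag name from MS-NLMP

def _field(msg, pos):
    """Return the bytes referenced by a (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(header_value):
    """Name the response variant carried in 'NTLM <base64 type 3 message>'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected type 3 (AUTHENTICATE), got type %d" % msg_type)
    if len(msg) < 64:
        raise ValueError("type 3 message shorter than the assumed 64-byte header")
    lm = _field(msg, 12)  # LmChallengeResponse
    nt = _field(msg, 20)  # NtChallengeResponse
    (flags,) = struct.unpack_from("<I", msg, 60)
    if len(nt) > 24:
        return "NTLMv2"
    if len(nt) == 24:
        # With extended session security the LM field is an 8-byte client
        # nonce padded with 16 zero bytes instead of a real LM response.
        if (flags & NEGOTIATE_EXTENDED_SESSIONSECURITY
                and len(lm) == 24 and lm[8:] == bytes(16)):
            return "NTLMv1 with extended session security (NTLM2 session)"
        return "NTLMv1"
    if not nt and len(lm) == 24:
        return "LM only"
    return "unrecognised"

def constructed_type3(lm, nt, flags):
    """Build a constructed type 3 header value with empty name fields (sample data)."""
    descriptors, payload, offset = b"", b"", 64
    # Order: LM, NT, domain, user, workstation, session key.
    for blob in (lm, nt, b"", b"", b"", b""):
        descriptors += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    msg = SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

# Constructed samples: the response bytes are filler, only lengths and flags matter.
SAMPLES = {
    "v1": constructed_type3(b"\x11" * 24, b"\x22" * 24, 0x00000201),
    "v1_ess": constructed_type3(b"\x33" * 8 + bytes(16), b"\x22" * 24, 0x00080201),
    "v2": constructed_type3(b"\x11" * 24, b"\x44" * 16 + b"\x55" * 28, 0x00080201),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", classify_authenticate(header))
```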
[squid-users] Can Squid Version 2.7.STABLE7 do transparent FTP proxy like HTTP?
Hi

Can someone tell if squid can do transparent FTP proxy just like it does for HTTP? How?

Regards,
Saurabh
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
On Fri, 21 May 2010 10:03:57 +0200, Emmanuel Lesouef e.leso...@crbn.fr wrote:
> On Thu, 20 May 2010 21:51:08 +0100, Markus Moeller hua...@moeller.plus.com wrote:
>> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>>
>> Regards
>> Markus
>
> Understood. Thanks Markus. I didn't know it was possible to have a RR DNS Name in the service name.

I'm raising this topic up because it seems that there is a problem creating the keytab:

r...@server1:~# msktutil -c -b CN=COMPUTERS -s HTTP/proxy.xx.yy -h proxy.xx.yy -k /etc/squid/HTTP.keytab --computer-name proxy --upn HTTP/proxy.xx.yy --server dc1.xx.yy --verbose --enctypes 28
[...]
 -- ldap_get_base_dn: Determining default LDAP base: dc=xx,dc=yy
Error: No reverse DNS entry found for %2prox
Error: complete_hostname failed
Error: finalize_exec failed
 -- krb5_cleanup: Destroying Kerberos Context
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure

Any advice?

--
Emmanuel Lesouef
Re: [squid-users] Can Squid Version 2.7.STABLE7 do transparent FTP proxy like HTTP?
Unfortunately not. Squid only sports an ftp client.

On 6/7/10, Saurabh Agarwal saurabh.agar...@citrix.com wrote:
> Hi
>
> Can someone tell if squid can do transparent FTP proxy just like it does for HTTP? How?
>
> Regards,
> Saurabh

--
/kinkie
Re: [squid-users] FTP authenticated using explorer 8
On Wed, 02 Jun 2010 00:31:17 + Amos Jeffries squ...@treenet.co.nz wrote:
> 3.1+ will run the HTTP authentication stuff for Basic auth when FTP needs a login and one is not provided as above.

I had a go with 3.1.4 (it takes some time and some tests during the week-end, for it's a production machine :). Now it works flawlessly with almost any browser under XP (but IE). It still has problems under W Seven where it works only with FFx and Opera (not Internet Explorer nor Safari).

Is it just me?

Regards to all,
luciano.
--
 /\         /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL    / E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS        / WWW: http://www.mannucci.ORG/
[squid-users] Re: Re: Advices for a squid cluster with kerberos auth
Hi Emmanuel,

Can you resolve proxy.xx.yy and then resolve the ip-address you get to a name ?

Markus

Emmanuel Lesouef e.leso...@crbn.fr wrote in message news:20100607153001.53b90...@nienor.local...
> On Fri, 21 May 2010 10:03:57 +0200, Emmanuel Lesouef e.leso...@crbn.fr wrote:
>> On Thu, 20 May 2010 21:51:08 +0100, Markus Moeller hua...@moeller.plus.com wrote:
>>> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>>>
>>> Regards
>>> Markus
>>
>> Understood. Thanks Markus. I didn't know it was possible to have a RR DNS Name in the service name.
>
> I'm raising this topic up because it seems that there is a problem creating the keytab:
>
> r...@server1:~# msktutil -c -b CN=COMPUTERS -s HTTP/proxy.xx.yy -h proxy.xx.yy -k /etc/squid/HTTP.keytab --computer-name proxy --upn HTTP/proxy.xx.yy --server dc1.xx.yy --verbose --enctypes 28
> [...]
>  -- ldap_get_base_dn: Determining default LDAP base: dc=xx,dc=yy
> Error: No reverse DNS entry found for %2prox
> Error: complete_hostname failed
> Error: finalize_exec failed
>  -- krb5_cleanup: Destroying Kerberos Context
>  -- ldap_cleanup: Disconnecting from LDAP server
>  -- init_password: Wiping the computer password structure
>
> Any advice?
>
> --
> Emmanuel Lesouef
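Added example (not from the thread or from msktutil): the check Markus asks for, scripted so that it covers every address behind a round-robin name. The function names and the lookup tables are constructed for illustration; 192.0.2.x are documentation addresses, and the resolvers are injectable so the same logic runs against the system resolver or against the sample data.

```python
import socket

def system_forward(name):
    """Forward lookup through the system resolver; empty list if the name is unknown."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver; None if there is no entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_forward_reverse(hostname, forward=system_forward, reverse=system_reverse):
    """Resolve hostname, then resolve each address back, and report per address.

    Returns a list of (ip, ptr_name, status). For a round-robin name the PTR
    usually names the individual node, so "PTR differs" is reported separately
    from "no PTR record", which is the case the msktutil error above describes.
    """
    wanted = hostname.rstrip(".").lower()
    addresses = forward(hostname)
    if not addresses:
        return [(None, None, "name does not resolve")]
    report = []
    for ip in addresses:
        ptr = reverse(ip)
        if ptr is None:
            status = "no PTR record"
        elif ptr.rstrip(".").lower() == wanted:
            status = "ok"
        else:
            status = "PTR differs"
        report.append((ip, ptr, status))
    return report

# Constructed sample zone: a round-robin name with two nodes, one lacking a PTR.
SAMPLE_A = {"proxy.xx.yy": ["192.0.2.10", "192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "proxy1.xx.yy."}

def check_sample(hostname):
    """Run the check against the constructed tables instead of real DNS."""
    return check_forward_reverse(
        hostname,
        forward=lambda name: SAMPLE_A.get(name, []),
        reverse=lambda ip: SAMPLE_PTR.get(ip),
    )

if __name__ == "__main__":
    for row in check_sample("proxy.xx.yy"):
        print(row)
```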
Re: [squid-users] Squid configuration for NTLM
Hi Amos,

I am trying to host the domain controller and domain user on the same machine. Is it possible? When I do a net rpc join -Uusername, I get a create user account failed because the account already exists. How to overcome this error?

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:55:29 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:56:42 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
>
> One more question. My primary purpose is to test a NTLM client that I have developed against Linux Squid proxy. If I cannot configure squid proxy, is there any openly available squid proxy that uses NTLM and for which I can register myself and get a user name and password which I can use for authentication and test my NTLM client.
>
> Regards,
> Prashant

Oh, that is a different prospect.

If you are just testing that the protocol coding etc is valid you can use the fakeauth NTLM helper:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly#NTLM_Authentication

It does NTLM challenges with random tokens and validates the client reply blobs are self-consistent, but does not use any domain to check the coded password/username actually match valid ones. If the authentication blobs or connection handling are broken they will show up with this handler.

If you need deeper checks that the username/token were being transferred from the client to DC, then you will need a full real domain linkage setup.

Amos

----- Original Message -----
From: Prashant K.S ksprash...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:11:09 AM
Subject: Re: [squid-users] Squid configuration for NTLM

Hi Amos,

The domain I am talking about is my office network domain and my computer cannot be a part of that domain. Is it possible to host myself a domain or be a part of some domain that is available in open (not sure how risky it is)?

Regards,
Prashant

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thu, 3 June, 2010 9:05:48 AM
Subject: Re: [squid-users] Squid configuration for NTLM

On Wed, 2 Jun 2010 20:30:51 -0700 (PDT), Prashant K.S ksprash...@yahoo.com wrote:
> Hi Amos,
>
> Thanks for your reply. I want to correct my words. I do have access to some NT domain. But just that I have the user and password to authenticate against that domain. But my computer is not part of that domain. Will I be able to achieve NTLM authentication with Squid using this setup? And if yes can you please let me know the configuration.

Okay good. You won't be able to do it without making the proxy a machine account on the domain.

Apparently the winbindd manual page has details on how the Linux machine needs to be configured into the domain.

Details on the Squid and Samba setup can be found here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
Re: [squid-users] public squid proxy
Hi James,

Thanks a lot for the suggestions. I will definitely give it a try. I have around 1.25 GB RAM with Pentium 4 processor. Would that be sufficient? Can I use VMware? Which virtualization do you suggest? I have a Windows XP machine and have a VMware with Ubuntu for the virtual machine. Would that be fine?

Regards,
Prashant

----- Original Message -----
From: James Zuelow james_zue...@ci.juneau.ak.us
To: squid-users@squid-cache.org squid-users@squid-cache.org
Sent: Fri, 4 June, 2010 9:48:43 PM
Subject: RE: [squid-users] public squid proxy

Prashant K.S mailto:ksprash...@yahoo.com scribbled on Thursday, June 03, 2010 5:43 PM:
> Hi Henrik,
>
> I have a NTLM client which I have to test against a squid proxy.
>
> Regards,
> Prashant

Prashant:

For you to test against a public proxy with NTLM, the operator would have to give you domain credentials to use so you could test a successful authentication. You would also need permission to see the server logs. You couldn't just point your client at a random NTLM proxy and test.

It's best to have all of the pieces of your test under your control. It wouldn't be difficult or very expensive.

Get an evaluation version of a recent Windows Server offering. Evaluation versions are easy to find, and typically come wrapped with handy documentation. For example [1] and [2] will both provide an eval version.

Install it on a virtual machine and create a domain. For a simple domain controller you won't need a very powerful virtual machine.

Install squid on a second virtual machine and point it at your domain. Again, this squid instance (together with any Samba components you need) will not need a lot of resources if you're just testing authentication.

Test away.

You could put the virtual Windows server and the virtual squid proxy on a single PC running something like VirtualBox. I would try to get at least 2GB of RAM for the PC, but you could probably scrape by with less if you don't have that much available. Remember that Microsoft will suggest a certain amount of memory for their server products but in your case you are just performing domain authentication for tests so you could get away with much less than their recommendations.

Bonus: You'll learn a lot more about how all the pieces fit together as you test than if you just borrow someone else's infrastructure. If you decide NTLM is old and want to try Kerberos, you already have all the bits in place and can modify your client accordingly.

Cheers,
James

[1] http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-646/dp/0735625107/
[2] http://www.amazon.com/MCTS-Self-Paced-Training-Exam-70-640/dp/0735625131/
[squid-users] Squid 3.1.4 log rotate by squid user not permitted
Hi,

I have just installed Squid 3.1.4 on my CentOS 5.4 machine. I started squid using root and have the following 2 lines in squid.conf.

cache_effective_user squid
cache_effective_group squid

When I switch user from root to squid and issue a squid -k rotate, the following error occurred.

squid: ERROR: Could not send signal 10 to process 5997: (1) Operation not permitted

Log rotation using squid user works in Squid 3.0 and 2.7. Does anyone know the solution for Squid 3.1?

thanks,
David