Re: [squid-users] Squid 3.1.6 tracking image ?

2010-08-16 Thread John Michaels

On Tue, 17 Aug 2010 18:20:32 +1200
Amos Jeffries  wrote:

> It has been mentioned. Please be assured we do intend or use it as a 
> tracker.

Could you please point me to the discussion?
I think there is a typo in the second line ... it reads like you _do_ intend to 
use it as a tracker. 

> The image provided has a long a caching time to push it out as far 
> towards the client as possible. If working your Squid should be able to 
> cache it on the first error and display its cached version to all 
> following clients.

It sounds like a (new) install tracker, in that case. 

> It's pulled in via the CSS config file installed in your /etc/squid 
> directory and fully editable to remove or replace the branding if you 
> desire.

I've already edited it ... In my opinion it is wrong as a default, 
as it adds another "oh, edit *that* on every upgrade/install" to the network 
administrator's tasks.

Thank you for your answer and sorry if I seem to make a big deal out of nothing 
...


Re: [squid-users] Squid 3.1.6 tracking image ?

2010-08-16 Thread Amos Jeffries

John Michaels wrote:

> Hello everyone.
>
> First of all, let me begin by thanking the developer team for their hard work ...
> I've been using squid to improve network performance for a small network (~200 systems) for some years.
>
> Recently, I've upgraded to 3.1.6 (from the Gentoo portage) and I was ...
> unpleasantly surprised to discover that the
> CSS used to generate errors pages (errorpage.css) contains a reference to
> 'http://www.squid-cache.org/Artwork/SN.png'.
>
> While I agree that the new error page looks better, I find it an odd choice to
> include an absolute url to an external
> site. Not only is this generating additional load on the squid-cache.org site,
> but it also makes every browser that
> encounters an error download this .PNG, possibly transmitting user agent and
> other identifying information.
>
> If this topic has already been discussed, please direct me to the relevant
> thread.
> If not, then I would like to hear your opinions/comments.


It has been mentioned. Please be assured we do intend or use it as a 
tracker.


The image provided has a long a caching time to push it out as far 
towards the client as possible. If working your Squid should be able to 
cache it on the first error and display its cached version to all 
following clients.


It's pulled in via the CSS config file installed in your /etc/squid 
directory and fully editable to remove or replace the branding if you 
desire.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


[squid-users] Squid 3.1.6 tracking image ?

2010-08-16 Thread John Michaels
Hello everyone.


First of all, let me begin by thanking the developer team for their hard work 
... 
I've been using squid to improve network performance for a small network (~200 
systems) for some years.

Recently, I've upgraded to 3.1.6 (from the Gentoo portage) and I was ... 
unpleasantly surprised to discover that the
CSS used to generate errors pages (errorpage.css) contains a reference to 
'http://www.squid-cache.org/Artwork/SN.png'.

While I agree that the new error page looks better, I find it an odd choice to 
include an absolute url to an external
site. Not only is this generating additional load on the squid-cache.org site, 
but it also makes every browser that
encounters an error download this .PNG, possibly transmitting user agent and 
other identifying information.

If this topic has already been discussed, please direct me to the relevant 
thread.
If not, then I would like to hear your opinions/comments.


PS: I know the tone of this post might seem somewhat aggressive/paranoid. 
I'm not a native English speaker, so please do not read into it more than a 
simple request for clarification.
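
A check for the reference described in this post, written as an added example (it is not part of the original message or of Squid): it lists every external host a stylesheet would make browsers contact, so it can be re-run after each upgrade. The default path combines the /etc/squid directory and the errorpage.css name mentioned in the thread; SAMPLE_CSS and the allowed_hosts parameter are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag external resources referenced from an error-page stylesheet."""
import re
import sys
from urllib.parse import urlsplit

# url(...) with optional quotes, and the bare-string form of @import.
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)
IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Constructed sample, not the stylesheet shipped with Squid.
SAMPLE_CSS = """\
/* constructed sample, not the shipped errorpage.css */
#titles {
    background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left;
}
body { background: url(/local/bg.png); }
@import "//cdn.example.test/theme.css";
"""


def external_refs(css_text, allowed_hosts=()):
    """Return (line number, host, target) for each reference to another host.

    Relative paths and data: URIs carry no host and are ignored. Absolute and
    protocol-relative (//host/...) targets are reported unless the host is in
    allowed_hosts. References inside CSS comments are reported as well.
    """
    allowed = {h.lower() for h in allowed_hosts}
    found = []
    for lineno, line in enumerate(css_text.splitlines(), 1):
        for target in URL_FUNC.findall(line) + IMPORT.findall(line):
            try:
                host = urlsplit(target).hostname or ""
            except ValueError:
                host = "unparseable"  # malformed authority: report it anyway
            if host and host not in allowed:
                found.append((lineno, host, target))
    return found


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/squid/errorpage.css"
    with open(path, encoding="utf-8", errors="replace") as fh:
        refs = external_refs(fh.read())
    for lineno, host, target in refs:
        print("%s:%d: external reference to %s (%s)" % (path, lineno, host, target))
    return 1 if refs else 0  # non-zero exit lets a post-upgrade hook fail loudly


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```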



Re: [squid-users] ldap fallback not working

2010-08-16 Thread Amos Jeffries
On Mon, 16 Aug 2010 22:53:33 +, "Joseph L. Casale"
 wrote:
> I have a working setup with squid_kerb_auth and squid_kerb_ldap for
> authorization
> with group membership, I want to add squid_ldap_auth for a basic
> auth_param but
> when a client falls back to basic and uses squid_ldap_auth,
> squid_kerb_ldap errors
> out. I have set the default domain in squid_kerb_ldap. Will
> squid_kerb_ldap not
> work without a kerb client? I thought its authorization to AD was based
> on the
> server's machine account.
> 
> Missing something obvious here...
> 
> Thanks!
> jlc

I think it's a matter of "username" (Basic) vs "dom...@username"
(Kerberos).

You can test this by replacing the group lookup with a fake
external_acl_helper which logs the credentials passed to the group helper.
Doing a few requests through both auth mechanisms will show you what
difference the group helper sees.

Amos
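
The test suggested in this reply, as an added example that is not part of the original message or of Squid: a stand-in helper that records the login name it is handed and always answers OK. The helper name, ACL name and paths are hypothetical, and it assumes the default helper encoding (URL-escaped values, no concurrency channel id); the form labels it assigns are this example's own, not a statement of what either auth scheme sends.

```python
#!/usr/bin/env python3
"""Diagnostic stand-in for the group helper (added example, not Squid code).

Assumed squid.conf wiring; helper name, ACL name and paths are hypothetical:
    external_acl_type login_probe ttl=0 negative_ttl=0 %LOGIN /usr/local/bin/login_probe.py
    acl ProbeGroup external login_probe
ttl=0 keeps Squid from caching answers, so every request reaches the helper.
%LOGIN carries the user name only, never the password.
The helper answers OK for everyone, so use it on a test instance only.
"""
import sys
import time
from urllib.parse import unquote

LOG_PATH = "/var/log/squid/login_probe.log"  # hypothetical; writable by the Squid user


def classify(raw_line):
    """Decode one request line and describe the shape of the login name."""
    fields = raw_line.split()
    token = fields[0] if fields else "-"
    login = unquote(token)
    if login in ("", "-"):
        form, user, realm = "none", "", ""
    elif "\\" in login:
        realm, user = login.split("\\", 1)
        form = "REALM\\user"
    elif "@" in login:
        user, realm = login.rsplit("@", 1)
        form = "user@REALM"
    else:
        form, user, realm = "bare", login, ""
    return {"raw": token, "form": form, "user": user, "realm": realm}


def log_entry(info, now=None):
    """Format one log line; repr() keeps control characters out of the log."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.localtime(now))
    return "%s form=%s user=%r realm=%r raw=%r" % (
        stamp, info["form"], info["user"], info["realm"], info["raw"])


def main():
    with open(LOG_PATH, "a", buffering=1) as log:
        for line in sys.stdin:
            log.write(log_entry(classify(line)) + "\n")
            sys.stdout.write("OK\n")
            sys.stdout.flush()  # Squid waits for each answer; never buffer it


if __name__ == "__main__":
    main()
```

Comparing the form= field for requests made through each auth mechanism shows directly whether the group helper is being handed differently shaped names.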


RE: [squid-users] Transparent proxy on LDAP_GROUP

2010-08-16 Thread tony.fei
 
Dear Amos,

Thanks for your always clear & bountiful answers. This really helps the freshers 
of Squid like me.

Best Regards
Tony Fei





-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: August 16, 2010 19:54
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Transparent proxy on LDAP_GROUP

tony@oocl.com wrote:
>  
> Dear experts,
> 
> I configured Squid with LDAP_Group authentication, each user in ProxyUsers 
> group of AD can surf after inputting user name/password when he open browser.
> I'd like to know is there a way needn't user input id/password if he already 
> in ProxyUsers group, to say make Squid total transparent to users.  Thanks 
> for sharing !

The popup is part of the web browser's security system. Squid has nothing to do 
with that.

Modern browsers can be configured with a login cache for website and proxy 
logins. Once the master password is given the others are handed out as needed 
to the right places.

Use of secure auth protocols (Digest, NTLM, Kerberos) can also help the browser 
send pre-encrypted tokens without needing a popup. Squid can participate there 
by being configured to use them.  Basic auth protocol has the password in 
visible text form, so handing it out without user consent is a bad idea and 
browser won't do it.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1

IMPORTANT NOTICE
Email from OOCL is confidential and may be legally privileged.  If it is not
intended for you, please delete it immediately unread.  The internet
cannot guarantee that this communication is free of viruses, interception
or interference and anyone who communicates with us by email is taken
to accept the risks in doing so.  Without limitation, OOCL and its affiliates
accept no liability whatsoever and howsoever arising in connection with
the use of this email.  Under no circumstances shall this email constitute
a binding agreement to carry or for provision of carriage services by OOCL,
which is subject to the availability of carrier's equipment and vessels and
the terms and conditions of OOCL's standard bill of lading which is also
available at http://www.oocl.com.

Re: [squid-users] Squid blocks web page in port 7779

2010-08-16 Thread Amos Jeffries
On Mon, 16 Aug 2010 11:22:41 -0500, >p3dRø<  wrote:
> Hello,
> 
> I've installed squid in transparent mode with proxy port: 3128
> 

What do you mean by "transparent"? that affects how you do things. A lot.

> I have problems, my client can not connect to page:
> ww4.essalud.gob.pe:7779/acredita
> 
> When I connect to that page without the squid, it's all ok. So the
> problem is the Proxy.

It seems that you don't mean transparent interception. Unless your
firewall config was intercepting ports other than 80.

> In /etc/squid/squid.conf is configured:
> acl Safe_ports port 7779
> http_access deny CONNECT !Safe_ports

broken config right there.

correct config is two separate lines:
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

Specifically;
 * block ALL access to unsafe ports (mail servers etc).
and
 * block binary CONNECT tunnels to non- SSL-encrypted ports.

> 
> The log send TCP_MISS/503 error:
>  TCP_MISS/503 0 CONNECT essalud.gob.pe:7779
> 
> What do you recommend to me to do ?

CONNECT method is not permitted direct to origin servers. That request was
intended for a proxy. So what you meant by "transparent" is very important.

Amos


Re: [squid-users] transparent ftp proxy with squid

2010-08-16 Thread Amos Jeffries
> 2010/8/16 Amos Jeffries :
>> Mamadou Touré wrote:
>>>
>>> Hi all is it possible to make a transparent ftp proxy with squid ?
>>> regards.
>>
>> No. FTP protocol is not HTTP protocol.
>>
>> Try Frox. The FTP proxy.
>>

On Mon, 16 Aug 2010 15:45:11 +, Mamadou Touré 
wrote:
> when i specify the proxy setting in my browser i use squid port (3128)
> for ftp proxy.

... and your web browser contacts the proxy using HTTP. No FTP involved
outside the text in the browser address bar.

You said "transparent" in your request. I assumed you meant, as most seem
to, the firewall intercepting FTP native protocol port 20, 21, and also the
randomized data channels then passing them to the proxy. Did you mean
something else by that word?

Amos



[squid-users] ldap fallback not working

2010-08-16 Thread Joseph L. Casale
I have a working setup with squid_kerb_auth and squid_kerb_ldap for 
authorization
with group membership, I want to add squid_ldap_auth for a basic auth_param but
when a client falls back to basic and uses squid_ldap_auth, squid_kerb_ldap 
errors
out. I have set the default domain in squid_kerb_ldap. Will squid_kerb_ldap not
work without a kerb client? I thought its authorization to AD was based on the
server's machine account.

Missing something obvious here...

Thanks!
jlc


[squid-users] Error loading pdf behind squid

2010-08-16 Thread Joseph L. Casale
Users are needing access to the pdf's in http://ccemc.ca/process/guidelines 
such as http://ccemc.ca/_uploads/CCEMC-166-Proposal-Guide6.pdf but in ie8 and
ff 3.6.8 the pdfs fail to render, w/o the proxy they seem to always load.

I have tried in squid-3.0.STABLE20 and squid-3.1.4 and the issue is the same.

Any known workarounds for this behavior, the config is nearly stock with the
exception of a kerb auth params...

Thanks!
jlc


[squid-users] Squid_kerb_ldap intermittently failing auth

2010-08-16 Thread Mark deJong
Hello,
I'm having an issue with squid_kerb_auth. It seems not all proxy
requests are getting serviced. When falling back on NTLM the requests
come through fine.

My guess is subsequent GET requests made over Proxy_KeepAlive sessions
are not getting serviced. I confirmed this on a trace using Wireshark
where the client requests a page but Squid doesn't come back with an
answer. Is this a known issue?

I'm currently running squid3-3.1.6 and have seen this behavior both
with the included squid_kerb_auth and a separately compiled binary.

squid.conf follows:


http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log combined



auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d -s HTTP/dc32-wgw01.nix.dom.lo...@ushs.dom.local
auth_param negotiate children 30
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

external_acl_type AD_US_TEMPS ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g te...@us.dom.local
external_acl_type AD_US_ITDEPT ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g itd...@us.dom.local





refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320



acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl firefox_browser browser Firefox

acl UnrestrictedUsers external AD_US_ITDEPT
acl TempUsers external AD_US_TEMPS
acl AuthorizedUsers proxy_auth REQUIRED


acl hq-dmz src 10.50.192.0/24
acl hq-servers src 10.50.64.0/23 10.50.4.0/24
acl hq-services src 10.50.8.0/24 10.50.2.0/24
acl hq-dev src 10.50.66.0/24

acl ie_urls dstdomain "/etc/squid/ie_urls.allow"

acl service_urls dstdomain "/etc/squid/service_urls.allow"
acl dev_urls dstdomain "/etc/squid/dev_urls.allow"
acl hq-servers_urls dstdomain "/etc/squid/servers_urls.allow"
acl temp_urls dstdomain "/etc/squid/temp_urls.allow"

acl SSL_ports port 443
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_access allow hq-servers hq-servers_urls
http_access deny hq-servers

http_access allow hq-services service_urls
http_access deny hq-services

http_access allow hq-dev dev_urls
http_access deny hq-dev


http_access allow TempUsers temp_urls
http_access deny TempUsers all

http_access allow UnrestrictedUsers
http_access deny UnrestrictedUsers all

http_access deny !AuthorizedUsers
http_access allow all
http_access deny all


http_reply_access allow all
icp_access allow all
cache_mgr supp...@dom.local
coredump_dir /var/spool/squid



Thanks,
M. de Jong


Re: [squid-users] Squid blocks web page in port 7779

2010-08-16 Thread p3dRø
Hello Jorge, thanks for your answer.

Yes, there is a firewall and 7779 port is open. So from the proxy I can connect:

telnet ww4.essalud.gob.pe 7779
Trying 200.89.11.23...
Connected to ww4.essalud.gob.pe.
Escape character is '^]'.

--
Pedro



2010/8/16 Pedro Valera :
> Hello Jorge, thanks for your answer.
>
> Yes, there is a firewall and 7779 port is open. So from the proxy I can 
> connect:
>
> telnet ww4.essalud.gob.pe 7779
> Trying 200.89.11.23...
> Connected to ww4.essalud.gob.pe.
> Escape character is '^]'.
>
> --
> Pedro
>
>
>
> On 16 August 2010 12:41, Jorge Armando Medina
>  wrote:
>>>p3dRø< wrote:
>>> Hello,
>>>
>>> I've installed squid in transparent mode with proxy port: 3128
>>>
>>> I have problems, my client can not connect to page:
>>> ww4.essalud.gob.pe:7779/acredita
>>>
>>> When I connect to that page without the squid, it's all ok. So the
>>> problem is the Proxy. In /etc/squid/squid.conf is configured:
>>> acl Safe_ports port 7779
>>> http_access deny CONNECT !Safe_ports
>>>
>>> The log send TCP_MISS/503 error:
>>>  TCP_MISS/503 0 CONNECT essalud.gob.pe:7779
>>>
>>> What do you recommend to me to do ?
>>>
>> You get a 503 error ( Service Unavailable). Can your squid box connect to
>> that port? any firewall?
>>
>> Probably your upstream firewall is blocking that connection.
>>
>> You can test the connection using openssl client.
>>
>> Best regards.
>>> --
>>> Pedro
>>>
>>
>>
>> --
>> Jorge Armando Medina
>> Computación Gráfica de México
>> Web: http://www.e-compugraf.com
>> Tel: 55 51 40 72, Ext: 124
>> Email: jmed...@e-compugraf.com
>> GPG Key: 1024D/28E40632 2007-07-26
>> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632
>>
>>
>>
>


Re: [squid-users] Restricting bandwidth usage through squid

2010-08-16 Thread Andrew Beverley
> I have been looking around for a howto on this. Numerous google searches 
> have only led me to half explanations, etc. Can anyone please point me 
> to a nice howto on setting this up.

Depending on what exactly you want to achieve, you could, of course,
also use some of the tc traffic shaping facilities (assuming you are
running *nix).

Andy




Re: [squid-users] Squid blocks web page in port 7779

2010-08-16 Thread Jorge Armando Medina
>p3dRø< wrote:
> Hello,
>
> I've installed squid in transparent mode with proxy port: 3128
>
> I have problems, my client can not connect to page:
> ww4.essalud.gob.pe:7779/acredita
>
> When I connect to that page without the squid, it's all ok. So the
> problem is the Proxy. In /etc/squid/squid.conf is configured:
> acl Safe_ports port 7779
> http_access deny CONNECT !Safe_ports
>
> The log send TCP_MISS/503 error:
>  TCP_MISS/503 0 CONNECT essalud.gob.pe:7779
>
> What do you recommend to me to do ?
>   
You get a 503 error ( Service Unavailable). Can your squid box connect to
that port? any firewall?

Probably your upstream firewall is blocking that connection.

You can test the connection using openssl client.

Best regards.
> --
> Pedro
>   


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632






[squid-users] Squid blocks web page in port 7779

2010-08-16 Thread p3dRø
Hello,

I've installed squid in transparent mode with proxy port: 3128

I have problems, my client can not connect to page:
ww4.essalud.gob.pe:7779/acredita

When I connect to that page without the squid, it's all ok. So the
problem is the Proxy. In /etc/squid/squid.conf is configured:
acl Safe_ports port 7779
http_access deny CONNECT !Safe_ports

The log send TCP_MISS/503 error:
 TCP_MISS/503 0 CONNECT essalud.gob.pe:7779

What do you recommend to me to do ?

--
Pedro


Re: [squid-users] Restricting bandwidth usage through squid

2010-08-16 Thread John Doe
From: Paul Hennion 

> I have been looking around for a howto on this. Numerous google searches
> have only led me to half explanations, etc. Can anyone please point me to a nice
> howto on setting this up.

Were those half explanations talking about delay pools?
Did you check the squid documentation yet?
http://wiki.squid-cache.org/Features/DelayPools?highlight=%28faqlisted.yes%29

JD


  


RE: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy

2010-08-16 Thread Kale D. Michels
3.0.Stable16

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Saturday, August 14, 2010 12:01 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy

It would be nice to know which versions of Squid you are having these problems 
with please.


Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1


[squid-users] Restricting bandwidth usage through squid

2010-08-16 Thread Paul Hennion

Hi All,

I have been looking around for a howto on this. Numerous google searches 
have only led me to half explanations, etc. Can anyone please point me 
to a nice howto on setting this up.


TIA
Paul


Re: [squid-users] transparent ftp proxy with squid

2010-08-16 Thread Amos Jeffries

Mamadou Touré wrote:

> Hi all is it possible to make a transparent ftp proxy with squid ?
> regards.

No. FTP protocol is not HTTP protocol.

Try Frox. The FTP proxy.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


Re: [squid-users] Transparent proxy on LDAP_GROUP

2010-08-16 Thread Amos Jeffries

tony@oocl.com wrote:
 
> Dear experts,
>
> I configured Squid with LDAP_Group authentication, each user in ProxyUsers group
> of AD can surf after inputting user name/password when he open browser.
> I'd like to know is there a way needn't user input id/password if he already
> in ProxyUsers group, to say make Squid total transparent to users.  Thanks for
> sharing !


The popup is part of the web browser's security system. Squid has nothing 
to do with that.


Modern browsers can be configured with a login cache for website and 
proxy logins. Once the master password is given the others are handed 
out as needed to the right places.


Use of secure auth protocols (Digest, NTLM, Kerberos) can also help the 
browser send pre-encrypted tokens without needing a popup. Squid can 
participate there by being configured to use them.  Basic auth protocol 
has the password in visible text form, so handing it out without user 
consent is a bad idea and browser won't do it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1


Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Ralf Hildebrandt
* Henrik Nordström :
> Mon 2010-08-16 at 12:57 +0200, Ralf Hildebrandt wrote:
> 
> > Not anymore, but when I first observed the leak I was using diskd
> 
> Which version? There was one fd leak with identical symptoms fixed some
> year ago and I think this was visible with diskd as well.

3.1.6 I think
> After that I am not aware of anyone seeing this leak when using diskd.
> But maybe there are. Chances are pretty high the fd leak is generic and
> not tied to aufs.

I can easily switch back and forth between aufs & diskd - I'm not
seeing any significant performance difference.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] Re: ident authentication and follow_x_forwarded_for

2010-08-16 Thread Amos Jeffries

Ricpelo wrote:

> Hi! I'm trying to set up the following configuration:
>
>   Client => Squid A => DansGuardian => Squid B => Internet
>
> Squid A does Ident authentication, and then forwards the request to the
> DansGuardian with the following line in its /etc/squid/squid.conf:
>
>   cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default login=*:foobar
>
> where 192.168.0.1:8080 is the DansGuardian's IP address and port.
>
> Squid A correctly logs the Client's username in its
> /var/log/squid/access.log file, which is great. However, DansGuardian
> doesn't log the username in /var/log/dansguardian/access.log.
>
> When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf, then
> DansGuardian logs "proxy" username into their logs, instead of the correct
> user name. If I use another authplugin (proxy-basic, proxy-digest,
> proxy-ntlm or ip), DansGuardian simply doesn't log any user name in their
> log files.
>
> Is there a way to get DansGuardian logs the right username in their logs, as
> Squid does? Is Squid giving the wrong username to DansGuardian? May I fix
> the Squid's configuration?
>
> Thank you very much in advance,
>
> Ricardo.



To receive usernames from Squid-A the correct DansGuardian module is 
probably that "proxy-basic" one. Most Squid still passes login= 
credentials as Basic protocol auth headers. (Only the latest releases 
allow Negotiate as well).


I think you will find the problem is that IDENT is not a full 
authentication scheme. So the nickname does not get passed on as one in 
the HTTP headers. Just logged and permitted in ACL tests.


Squid will sort of trust an external_acl_type helper to send back 
usernames for passing out. So you can build a work-around helper which 
takes the IDENT nickname as input parameter and returns "OK user=" and 
the received IDENT nickname.



PS: your mailer seems to be slightly broken. It mailed the list many times.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
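
The work-around helper described in this reply, as an added example that is not part of the original message and is neither Squid nor DansGuardian code. The helper name, ACL name and path are hypothetical; it assumes the default helper encoding (URL-escaped value, no concurrency channel id), and the character filter is this example's own choice, added because the IDENT nickname is reported by the client host.

```python
#!/usr/bin/env python3
"""IDENT-to-username helper (added example).

Assumed squid.conf wiring on Squid A; names and path are hypothetical:
    external_acl_type ident_user %IDENT /usr/local/bin/ident_user.py
    acl IdentUser external ident_user
    http_access allow IdentUser
For each request Squid writes the IDENT nickname on one line. Answering
"OK user=<name>" hands that name back to Squid as the request's username;
"ERR" makes the ACL not match.
"""
import re
import sys
from urllib.parse import unquote

# Conservative filter (an assumption of this example): the nickname comes from
# the client's ident service, so anything that could break the one-line reply
# or the header built from it is refused rather than passed on.
NICK_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def reply_for(raw_line):
    """Return the helper's answer for one request line from Squid."""
    fields = raw_line.split()
    nick = unquote(fields[0]) if fields else ""
    if nick in ("", "-") or not NICK_OK.fullmatch(nick):
        return "ERR"
    return "OK user=" + nick


def main():
    for line in sys.stdin:
        answer = reply_for(line)
        if answer == "ERR":
            # Diagnostic note on stderr; repr() keeps odd bytes visible.
            sys.stderr.write("ident_user: refused %r\n" % line.strip())
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()  # one unbuffered answer per request line


if __name__ == "__main__":
    main()
```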


Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Henrik Nordström
Mon 2010-08-16 at 12:57 +0200, Ralf Hildebrandt wrote:

> Not anymore, but when I first observed the leak I was using diskd

Which version? There was one fd leak with identical symptoms fixed some
year ago and I think this was visible with diskd as well.

After that I am not aware of anyone seeing this leak when using diskd.
But maybe there are. Chances are pretty high the fd leak is generic and
not tied to aufs.

Regards
Henrik



[squid-users] transparent ftp proxy with squid

2010-08-16 Thread Mamadou Touré
Hi all is it possible to make a transparent ftp proxy with squid ?
regards.


Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Ralf Hildebrandt
* Henrik Nordström :
> Mon 2010-08-16 at 09:15 +0200, Ralf Hildebrandt wrote:
> > * Henrik Nordström :
> > > Sat 2010-08-14 at 14:30 +0200, Ralf Hildebrandt wrote:
> > > 
> > > > It's leaking FDs. See my bugreports.
> > > 
> > > Yes. aufs in Squid-3 is known to leak FDs somewhat. Exact cause has not
> > > yet been identified but it's worked on.
> > 
> > I think diskd is also affected.
> 
> Are you using diskd?

Not anymore, but when I first observed the leak I was using diskd

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Henrik Nordström
Mon 2010-08-16 at 09:15 +0200, Ralf Hildebrandt wrote:
> * Henrik Nordström :
> > Sat 2010-08-14 at 14:30 +0200, Ralf Hildebrandt wrote:
> > 
> > > It's leaking FDs. See my bugreports.
> > 
> > Yes. aufs in Squid-3 is known to leak FDs somewhat. Exact cause has not
> > yet been identified but it's worked on.
> 
> I think diskd is also affected.

Are you using diskd?

Regards
Henrik



Re: [squid-users] squid transparent feature

2010-08-16 Thread Mamadou Touré
I've no problem any more.
I had problem on configuring on bridge because I had not put ebtable rules.
And I turn around for one week without finding any support.
regards.

2010/8/16 Matus UHLAR - fantomas :
> On 12.08.10 09:33, Mamadou Touré wrote:
>> Hi, all is there other transparent feature than tproxy for squid ?
>
> why? Do you have problems with tproxy?
>
>> I'd like to implement a transparent proxy that doesn't modify the src
>> ip address so the destination server could see the user ip address.
>> regards.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".
>


[squid-users] Re: ident authentication and follow_x_forwarded_for

2010-08-16 Thread Ricpelo

Hi! I'm trying to set up the following configuration:

  Client => Squid A => DansGuardian => Squid B => Internet

Squid A does Ident authentication, and then forwards the request to the
DansGuardian with the following line in its /etc/squid/squid.conf:

  cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default
login=*:foobar

where 192.168.0.1:8080 is the DansGuardian's IP address and port.

Squid A correctly logs the Client's username in its
/var/log/squid/access.log file, which is great. However, DansGuardian
doesn't log the username in /var/log/dansguardian/access.log.

When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf, then
DansGuardian logs "proxy" username into their logs, instead of the correct
user name. If I use another authplugin (proxy-basic, proxy-digest,
proxy-ntlm or ip), DansGuardian simply doesn't log any user name in their
log files.

Is there a way to get DansGuardian logs the right username in their logs, as
Squid does? Is Squid giving the wrong username to DansGuardian? May I fix
the Squid's configuration?

Thank you very much in advance,

Ricardo. 


Re: [squid-users] ident authentication and follow_x_forwarded_for

2010-08-16 Thread Ricardo Pérez López
Hi! I'm trying to set up the following configuration: 

  Client => Squid A => DansGuardian => Squid B => Internet 

Squid A does Ident authentication, and then forwards the request to the
DansGuardian with the following line in its /etc/squid/squid.conf: 

  cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default
login=*:foobar 

where 192.168.0.1:8080 is the DansGuardian's IP address and port. 

Squid A correctly logs the Client's username in
its /var/log/squid/access.log file, which is great. However,
DansGuardian doesn't log the username
in /var/log/dansguardian/access.log. 

When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf,
then DansGuardian logs "proxy" username into their logs, instead of the
correct user name. If I use another authplugin (proxy-basic,
proxy-digest, proxy-ntlm or ip), DansGuardian simply doesn't log any
user name in their log files. 

Is there a way to get DansGuardian logs the right username in their
logs, as Squid does? Is Squid giving the wrong username to DansGuardian?
May I fix the Squid's configuration? 

Thank you very much in advance, 

Ricardo.



[squid-users] Re: ident authentication and follow_x_forwarded_for

2010-08-16 Thread Ricpelo

Hi! I'm trying to set up the following configuration:

  Client => Squid A => DansGuardian => Squid B => Internet

Squid A does Ident authentication, and then forwards the request to the
DansGuardian with the following line in its /etc/squid/squid.conf:

  cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default
login=*:foobar

where 192.168.0.1:8080 is the DansGuardian's IP address and port.

Squid A correctly logs the Client's username in its
/var/log/squid/access.log file, which is great. However, DansGuardian
doesn't log the username in /var/log/dansguardian/access.log.

When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf, then
DansGuardian logs "proxy" username into their logs, instead of the correct
user name. If I use another authplugin (proxy-basic, proxy-digest,
proxy-ntlm or ip), DansGuardian simply doesn't log any user name in their
log files.

Is there a way to get DansGuardian logs the right username in their logs, as
Squid does? Is Squid giving the wrong username to DansGuardian? May I fix
the Squid's configuration?

Thank you very much in advance,

Ricardo.


[squid-users] Transparent proxy on LDAP_GROUP

2010-08-16 Thread tony.fei
 
Dear experts,

I configured Squid with LDAP_Group authentication, each user in ProxyUsers group 
of AD can surf after inputting user name/password when he open browser.
I'd like to know is there a way needn't user input id/password if he already 
in ProxyUsers group, to say make Squid total transparent to users.  Thanks for 
sharing !


Best Regards
Tony Fei






[squid-users] Webalizer Squid Problem

2010-08-16 Thread Wolscht , Thomas
 
 
Hello,
 
I use Webalizer 2.21 to get statistics from the access.log of Squid.
 
Everything's running fine, but in the Top 10 URL List, there are no full URLS.
 
The Top-Level Domains are missing:
 
i.e.
 
"/pagead/show_ads.js"
 
 
what to do??
 
 
Karl Hensch
 



Re: [squid-users] squid transparent feature

2010-08-16 Thread Matus UHLAR - fantomas
On 12.08.10 09:33, Mamadou Touré wrote:
> Hi, all is there other transparent feature than tproxy for squid ?

why? Do you have problems with tproxy?

> I'd like to implement a transparent proxy that doesn't modify the src
> ip address so the destination server could see the user ip address.
> regards.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Ralf Hildebrandt
* Henrik Nordström :
> Sat 2010-08-14 at 11:17 +0200, Ralf Hildebrandt wrote:
> 
> > Could it be that squid is not freeing or expiring cacheClients
> > properly? On the weekend there are only few people working at the
> > hospital, thus the number I saw a few minutes ago, immediately before
> > the restart were totally unrealistic: cacheClients was at 4.500 for all
> > 4 proxies, meaning that everybody @charite was using the proxy...
> 
> cacheClients is a little dampened to preserve information. Clients may
> stay in there for up to 25 hours after last access.

OK, that would explain the numbers :)
In my setting that would mean that I'd get a saturation, since
everybody (or rather: every machine) uses the proxy at least once per
day.
-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] filedescriptor usage observation in 3.2.0.1

2010-08-16 Thread Ralf Hildebrandt
* Henrik Nordström :
> Sat 2010-08-14 at 14:30 +0200, Ralf Hildebrandt wrote:
> 
> > It's leaking FDs. See my bugreports.
> 
> Yes. aufs in Squid-3 is known to leak FDs somewhat. Exact cause has not
> yet been identified but it's worked on.

I think diskd is also affected.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de