Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-31 Thread Nick Cairncross
Well, for me it is not so much of a problem since I upstream to an ISP
with content/malware protection etc., but it would be nice to be able to
report on all users of every method. Perhaps someone could enlighten this
mail?

My relevant squid.conf is as follows (I have the ACLs defined obviously...)

## GLOBAL DENY RULES
http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS

# POST/CONNECT Method ALLOW #
http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS

## USERS AUTHENTICATION ACL##
http_access allow AuthenticatedUsers





On 30/08/2010 11:39, "Tom Tux"  wrote:

>Hi Nick
>
>Thank you for this explanation. I think you're right. Could this
>eventually be a security problem, to allow unauthenticated
>https traffic with "http_access allow CONNECT SSL_ports"? Might be
>yes, might be no. Is this behaviour part of a fact with SSL/HTTPS or
>could this eventually be solved with a future release of squid? Do you
>allow the CONNECT method in your setup?
>
>Regards,
>Tom
>
>2010/8/28 Nick Cairncross :
>> Tom,
>>
>> Just to say what I think (since you have almost the same setup as me I
>>think): you will always get that 407 at the moment. Squid requires an
>>authenticated user before allowing the page but you can't authenticate
>>every method (at least that is what I have found) in my setup.
>>
>> Regardless of whether it is ntlm or Kerberos etc. Your rule about
>>connect I think needs an allow connect ssl_ports ABOVE your allow
>>INTERNET_ACCESS because you're just disallowing the CONNECT method (not
>>the same as the GET method) using non-ssl ports otherwise. There's
>>nothing talking about allowing it.
>>>
>>
>>
>> I think that's right
>> Nick
>>
>>
>>
>> On 27 Aug 2010, at 10:09, "Tom Tux"  wrote:
>>
>>> Hi Amos
>>>
>>> Thanks a lot for this information.
>>>
>>> Is it usual/normal that all https requests have this error?
>>> 1282899033.246  0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
>>> mail.google.com:443 - NONE/- text/html
>>>
>>> As I already mentioned: the sites which are denied in the access.log
>>> are normally accessible and appear correctly (this is what I don't
>>> understand, hmm).
>>> I think that I don't have rules which explicitly require another
>>> authentication instead of kerberos. Here is an extract of my
>>> squid.conf:
>>>
>>> The ACL "INTERNET_ACCESS" is an external_acl with squid_kerb_ldap:
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> # Block invalid Users
>>> http_access deny !INTERNET_ACCESS
>>> http_access allow INTERNET_ACCESS
>>> http_access deny all
>>>
>>> When I trace the http/https traffic with httpfox (firefox addon), then
>>> I also get no errors or denies back.
>>>
>>> Thanks a lot for all the help.
>>> Tom
>>>
>>>
>>> 2010/8/27 Amos Jeffries :
>>>> Tom Tux wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> For every HTTPS-Site I have the following tcp_denied/407-entry in the
>>>>> access.log:
>>>>> 282895826.492  1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
>>>>> mail.google.com:443 - NONE/- text/html
>>>>> 1282896033.320  1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
>>>>> secure-www.novell.com:443 - NONE/- text/html
>>>>>
>>>>> The sites which are denied in the access.log are nonetheless accessible,
>>>>> but I have these errors. For me it seems that squid needs a user
>>>>> authentication. But this should be given with kerberos authentication,
>>>>> which works fine.
>>>>>
>>>>> I have the following directives configured (as default):
>>>>> acl SSL_ports port 443
>>>>> acl CONNECT method CONNECT
>>>>> http_access deny CONNECT !SSL_ports
>>>>>
>>>>>
>>>>> Can someone explain this behaviour to me?
>>>>
>>>> CONNECT requests to SSL ports (aka HTTPS) will get past that security
>>>> barrier and move on to checking your other rules. One of those other rules
>>>> involves proxy authentication.
>>>>
>>>> All requests which require authentication but do not provide it get a 407 or
>>>> 401 response challenging the browser to provide some credentials. This is
>>>> true for all authentication types.
>>>>
>>>> Working browsers with access to the required credentials will send them on a
>>>> followup request and get past that challenge.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>>   Current Stable Squid 2.7.STABLE9 or 3.1.7
>>>>   Beta testers wanted for 3.2.0.1


[squid-users] C-ICAP+SquidGard : ACls problems

2010-08-31 Thread David Touzeau

Dear

I would like to know if anyone is using C-ICAP+squidGuard on squid 3.1.x.


I have created a rule matching an ACL on an IP address:

acl 192_168_1_240 src 192.168.1.240

It seems that the first IP scanned by c-icap is always the loopback IP
(127.0.0.1).

When the 192.168.1.240 IP passes through c-icap, c-icap displays:
going to check addresses  ip address: 127.0.0.1
192.168.1.240/255.255.255.255

Why does 127.0.0.1 have a prefix?
According to this no rule matches the ACL, and IP objects always match the
default rule.


I have added an ACL specific to the loopback, "acl loopback src
127.0.0.1", and c-icap says correctly:

going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches

Where am I wrong? How to delete the 127.0.0.1 prefix in the
connection link?
Is it a squid.conf problem, or specific changes to the squid method
(using the 3.1.4 version)?


Here are the C-ICAP debug logs:
--

Check request with an access entry
Access control: ALLOW
pool hits:2 allocations: 1
Allocating from objects pool object 0
Requested service: url_check
URL  to host www.freesexvideos2k.com
URL  page www.freesexvideos2k.com/style.css
Check request with an access entry
Check request with ci_acl_spec_t:loopback
going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:loopback
going to check addresses  ip address: 127.0.0.1 127.0.0.1/255.255.255.255
The ci_acl_spec_t:loopback matches
Check request with ci_acl_spec_t:192_168_1_240
going to check addresses  ip address: 127.0.0.1
192.168.1.240/255.255.255.255
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair
found
sg_db: checking url www.freesexvideos2k.com/style.css
Going to check the db W-1 for BLOCK
sg_db W-1 is not open?
Going to check the db F-1 for PASS
sg_db: checking domain www.freesexvideos2k.com
db_entry_exists does not exists: DB_NOTFOUND: No matching key/data pair
found
sg_db: checking url www.freesexvideos2k.com/style.css
Storing to objects pool object 0
Check request with an access entry
Check request with ci_acl_spec_t:all
going to check addresses  ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Check request with ci_acl_spec_t:all
going to check addresses  ip address: 127.0.0.1 0.0.0.0/0.0.0.0
The ci_acl_spec_t:all matches
Log request to access log file /var/log/c-icap/access.log


c-icap.conf
-

PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild  0
MaxMemObject 131072
Port 1345
User squid
Group squid
ServerAdmin y...@your.address
ServerName debian
TmpDir /var/lib/c_icap/temporary
DebugLevel 11
ModulesDir /usr/lib/c_icap
ServicesDir /usr/lib/c_icap
TemplateDir /usr/share/c_icap/templates/
LoadMagicFile /etc/c-icap.magic
TemplateDefaultLanguage en
#TemplateReloadTime 360
#TemplateCacheSize 20
#TemplateMemBufSize 8192

acl all src 0.0.0.0/0.0.0.0
acl loopback src 127.0.0.1

RemoteProxyUsers on
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat allFormat "%tl;%a;%un;%iu;%is;%huo"
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log allFormat all

GroupSourceByGroup hash:/etc/c-icap/c-icap-groups.txt
GroupSourceByUser hash:/etc/c-icap/c-icap-user-groups.txt


#ACLS FOR SQUIDGUARD RULE interne

#IP Addresses
acl 192_168_1_240 src 192.168.1.240

#Groups and users
#no groups set

#Sysloger
Module logger sys_logger.so

sys_logger.server_priority alert|crit|debug|emerg|err|info|notice|warning

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

Module common bdb_tables.so
Module common dnsbl_tables.so
Service url_check_module srv_url_check.so


#Preload squidGuard databases#
url_check.LoadSquidGuardDB W-1 /var/lib/squidguard/personal-categories/W-1/
url_check.LoadSquidGuardDB F-1
/var/lib/squidguard/personal-categories/filesblock-default/
url_check.LoadSquidGuardDB W-2 /var/lib/squidguard/personal-categories/W-2/
url_check.LoadSquidGuardDB F-2
/var/lib/squidguard/personal-categories/filesblock-interne/
url_check.LoadSquidGuardDB adult /var/lib/squidguard/adult/
url_check.LoadSquidGuardDB plus-adult-artica
/var/lib/squidguard/blacklist-artica/adult/
url_check.LoadSquidGuardDB mixed_adult /var/lib/squidguard/mixed_adult/
url_check.LoadSquidGuardDB sexual_education
/var/lib/squidguard/sexual_education/
url_check.LoadSquidGuardDB plus-sexual_education-artica
/var/lib/squidguard/blacklist-artica/sexual_education/
url_check.LoadSquidGuardDB agressif /var/lib/squidguard/agressif/

#Define profiles for rule 

[squid-users] Allow or deny HTCP CLR

2010-08-31 Thread Thijs Stuurman
Squid users,

I am replacing ICP with HTCP in a configuration with 2 and one with 4 squid
servers.
When testing I can see that besides the HTCP_TST neighbor cache hit test it
sometimes sends a HTCP_CLR to purge content on a neighbor.
What I do not know is when or why it does this and if I want this behavior.

All the documents and information I can find only cover HTCP_TST.
Also I have read warnings about forwarding HTCP_CLR commands because it
might create a loop.
It does seem to be what I would want when using 4 servers; does anyone have any
experience with this?

Kind regards,

Thijs Stuurman
System Administrator
Security Officer

Nxs Internet BV
Kabelweg 37, 1014 BA, Amsterdam
T. +31 (0) 20 58 11 088
F. +31 (0) 20 58 11 071
E. beheer.li...@nxs.nl





[squid-users] Strange problem with ACL and CONNECT method

2010-08-31 Thread Dmitrijs Demidovs
Hi list.

I have a strange problem with ACLs and http_access rules.
Our squid is using winbind for NTLM auth. We need to achieve user auth for
https.

Here is an example that makes problems for us:
=
1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
2) http_access allow CONNECT Webusers_whitelist_domains Webusers

3) http_access allow localnetwork CONNECT SSL_ports

4) http_access allow CONNECT WebVIP
5) http_access allow CONNECT Webusers
=

- WebVIP - users group from AD
- Webusers - users group from AD
- HTTPS_DOMAINS_BLACKLIST - black list for bad addresses
- Webusers_whitelist_domains - white list for Webusers


The first two lines work as expected - only users from WebVIP and Webusers can
access https sites from the black/white lists. We can see their user IDs in
squid's access.log.

If I put the last three lines (4-5) before 3 then I get 407 errors in access.log,
and no one is able to use https anymore. So there is a problem! That is why we
need to use line Nr 3 - it just allows all CONNECT from our IP subnet without
auth.

I'm completely lost and frustrated. Why do the first two lines work and the last
two not?
Is there any hint?


And maybe someone knows - are there any third-party tools for analyzing
squid.conf for logical errors? The more I use Squid, the more I want to find
some tool that will be able to catch logical errors according to squid's design.
Any hint please?


Thanks in advance.


Re: [squid-users] C-ICAP+SquidGard : ACls problems

2010-08-31 Thread Luis Daniel Lucio Quiroz
On Tuesday 31 August 2010 07:26:29, David Touzeau wrote:

Re: [squid-users] Strange problem with ACL and CONNECT method

2010-08-31 Thread Amos Jeffries

Dmitrijs Demidovs wrote:
>
> Hi list.
>
> I have a strange problem with ACLs and http_access rules.
> Our squid is using winbind for NTLM auth. We need to achieve user auth for
> https.
>
> Here is an example that makes problems for us:
> =
> 1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
> 2) http_access allow CONNECT Webusers_whitelist_domains Webusers
>
> 3) http_access allow localnetwork CONNECT SSL_ports
>
> 4) http_access allow CONNECT WebVIP
> 5) http_access allow CONNECT Webusers
> =
>
> - WebVIP - users group from AD
> - Webusers - users group from AD
> - HTTPS_DOMAINS_BLACKLIST - black list for bad addresses
> - Webusers_whitelist_domains - white list for Webusers
>
>
>
> The first two lines work as expected - only users from WebVIP and Webusers can
> access https sites from the black/white lists. We can see their user IDs in
> squid's access.log.


They don't code those policy statements though. To describe the first two
lines accurately, remove the word "only" from your statement, since for
users NOT in those two groups Squid will simply skip past those lines
and check the next one.




> If I put the last three lines (4-5) before 3 then I get 407 errors in access.log,
> and no one is able to use https anymore. So there is a problem! That is why we


Oh? I take it your localnetwork users don't have logins at all then?
That's all 407 means.



> need to use line Nr 3 - it just allows all CONNECT from our IP subnet without
> auth.
>
> I'm completely lost and frustrated. Why do the first two lines work and the last
> two not?


Are the WebVIP or Webusers blocked when trying to get to a site not 
black/white-listed?  That is the only possible "not working" lines (4) 
and (5) have.


Lines (1) and (2) will also request login details (407) from a 
localnetwork user if they attempt to contact a black/white-listed site.



> Is there any hint?


Squid processes lines top-down. First to match wins. Your lines only say 
allow. Never deny. So people who are not allowed to do one thing will be 
tested for permission to do the next etc, etc.



The way I'd write those rules is this:

# stop them nasty ones getting unlimited bypass from security.
 0) http_access deny CONNECT !SSL_ports

# "only users from WebVIP ... can access black/white listed sites"
# implies: nobody else is allowed to.
 1) http_access deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP
 2) http_access deny CONNECT Webusers_whitelist_domains !Webusers

# local network users don't have any authentication credentials.
 3) http_access allow localnetwork CONNECT

# people who can enter WebVIP and Webuser credentials have wide access.
 4) http_access allow CONNECT WebVIP
 5) http_access allow CONNECT Webusers

 5b) http_access deny CONNECT



> And maybe someone knows - are there any third-party tools for analyzing
> squid.conf for logical errors? The more I use Squid, the more I want to find
> some tool that will be able to catch logical errors according to squid's
> design. Any hint please?



There was one made a year or so ago. I forget how to find it though. 
Maybe a post in the mailing list archives about a validator (NP: the one 
I wrote way back is dead now).


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1
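An added example, not code from this thread or from Squid itself: a small Python simulator of http_access evaluation following the behaviour the replies above describe (lines tested top-down, first fully matching line wins, the ACLs on one line ANDed left to right, and an auth-backed ACL reached by a request carrying no credentials ending the check with a 407 challenge; when no line matches, the result is the opposite of the last line). It replays Dmitrijs' rule order against Amos' rewrite and also the 407-then-retry exchange from the TCP_DENIED/407 thread earlier in this digest. The subnet, the two domain lists and the user names are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# user=None means no Proxy-Authorization header was sent; groups are the
# user's AD groups (the thread's WebVIP / Webusers).
Request = namedtuple("Request", "method src host port user groups",
                     defaults=(None, frozenset()))

# Constructed ACL table standing in for the thread's acl lines; the subnet and
# the two domain lists are assumptions, not values from the posts.
ACLS = {
    "CONNECT": ("method", "CONNECT"),
    "SSL_ports": ("port", {443}),
    "localnetwork": ("src", "192.168.1.0/24"),
    "HTTPS_DOMAINS_BLACKLIST": ("dstdomain", {"blacklisted.example"}),
    "Webusers_whitelist_domains": ("dstdomain", {"whitelisted.example"}),
    "WebVIP": ("group", "WebVIP"),      # auth-backed group ACLs
    "Webusers": ("group", "Webusers"),
}

def acl_match(acl, req):
    """True/False, or None when an auth ACL is reached without credentials."""
    kind, value = acl
    if kind == "method":
        return req.method == value
    if kind == "port":
        return req.port in value
    if kind == "src":
        return ipaddress.ip_address(req.src) in ipaddress.ip_network(value)
    if kind == "dstdomain":
        return any(req.host == d or req.host.endswith("." + d) for d in value)
    if kind == "group":
        return None if req.user is None else value in req.groups
    raise ValueError(kind)

def parse_rules(conf_text):
    """(action, [acl, ...]) for each http_access line of squid.conf-style text."""
    rows = [line.split("#", 1)[0].split() for line in conf_text.splitlines()]
    return [(w[1], w[2:]) for w in rows if len(w) >= 3 and w[0] == "http_access"]

def http_access(rules, req, acls=ACLS):
    """'allow', 'deny', or '407' (challenge sent; logged as TCP_DENIED/407)."""
    last_action = "deny"
    for action, names in rules:          # top-down, first matching line wins
        last_action = action
        for name in names:               # ACLs on a line are ANDed left to right
            negate = name.startswith("!")
            result = acl_match(acls[name.lstrip("!")], req)
            if result is None:
                return "407"             # auth ACL hit with no credentials: stop
            if result == negate:
                break                    # this ACL failed: skip rest of the line
        else:
            return action
    return "deny" if last_action == "allow" else "allow"   # opposite of last line

def browser_exchange(rules, req, user, groups):
    """A browser holding credentials sends none first and resends on a 407;
    the outcome list is what access.log shows for one HTTPS page load."""
    outcomes = [http_access(rules, req)]
    if outcomes[0] == "407":
        retry = req._replace(user=user, groups=frozenset(groups))
        outcomes.append(http_access(rules, retry))
    return outcomes

# Dmitrijs' rules with lines 4-5 moved ahead of line 3 (the order giving 407s):
BROKEN = parse_rules("""http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
http_access allow CONNECT Webusers_whitelist_domains Webusers
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
http_access allow localnetwork CONNECT SSL_ports""")

# Amos' rewrite from this thread:
FIXED = parse_rules("""http_access deny CONNECT !SSL_ports
http_access deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP
http_access deny CONNECT Webusers_whitelist_domains !Webusers
http_access allow localnetwork CONNECT
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
http_access deny CONNECT""")
```

With the BROKEN order an unauthenticated local client hits WebVIP before the localnetwork line and gets a 407; with FIXED it is allowed, while an unauthenticated client heading for a black-listed site is still challenged, as Amos notes.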


Re: [squid-users] C-ICAP+SquidGard : ACls problems

2010-08-31 Thread David Touzeau



On 31/08/2010 16:27, Luis Daniel Lucio Quiroz wrote:

> On Tuesday 31 August 2010 07:26:29, David Touzeau wrote:
>
>> Dear
>
> C-icap will report the ip of the source that connects to it, in this case
> 127.0.0.1 because they are in the same box. That is normal.



Thanks Luis for this information. So, do you know why the ACL did not
match the IP?


[squid-users] WCCP for 443 port

2010-08-31 Thread Rangel, Luciano
Hello Dears,

How can I configure my squid to intercept the https port using
wccp?
I configured my squid to use wccp but it only intercepts the http
port. When I try to access the 443 port I get an error in access.log.

Regards,

Luciano Rangel





Re: [squid-users] Kerberos / SASL for squid_ldap_group

2010-08-31 Thread Nick Cairncross

> On Mon, 30 Aug 2010 16:32:51 +0200, Maxim Burgerhout 
> wrote:
>> Of course I just bumped into that little gem *after* I sent the
>> previous message to this list...
>> 
>> It has the downside of not being included in, or supported by
>> downstream distros though. The major upside of having Kerberos
>> support in Squid's ldap_group helper would be the fact that downstream
>> distros (the Red Hats, Canonicals and Novells of this world) would be
>> more likely to support it. But I just checked out the squidkerbldap
>> project, and it seems to work ok. The fact it handles the Kerberos
>> cache in memory is especially nice.
> 
> ... yet. Markus submitted it for bundling and it's just passed our upstream
> QA. It hit Squid-3.2 beta bundles under the name
> ext_kerberos_ldap_group_acl as of a few days ago. Along with a lot of 
> Kerberos support in other auth-related areas of Squid and associated tools.
> 
> Amos

Amos,

Re: 3.2

Does this mean an NTLM and Kerberos authentication helper wrapped in one? So
no need for two helpers?

Thanks 



RE: [squid-users] How to Bypass selected client computer from squid 2

2010-08-31 Thread Mohamed Ashraf

Dear Amos,
Thank you for your reply.

Is there any other way to bypass a selected computer from squid via ACL?
Regards,
Ashraf.



> Date: Mon, 30 Aug 2010 23:43:43 +
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] How to Bypass selected client computer from squid
> 2
>
> On Mon, 30 Aug 2010 15:44:57 +, Mohamed Ashraf
> wrote:
> > Dear Hassan,
> >
> > I am using client side configuration, means proxy server ip and port is
> > there all IE
> > Regards,
> > Ashraf
>
> Correct proxy configuration permits SSL_ports to be contacted.
>
> Example default:
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
>
> Amos
>
> >
> > 
> >> From: mnhassan
> >> Subject: Re: [squid-users] How to Bypass selected client computer from
> >> squid 2
> >>
> >> Are you using interception, or client side configuration?
> >>
> >> Regards
> >> HASSAN
> >>
> >>
> >> On 2010-08-29, Mohamed Ashraf wrote:
> >> >
> >> > Dear Odhiambo,
> >> >
> >> > Thank you for your reply.
> >> >
> >> > I have enabled the setting but no luck, it's not working. Please help me to
> >> > bypass… (Squid 2)
> >> >
> >> > Ashraf.
> >> >
> >> >> Hi All
> >> >>
> >> >> Who can help me regarding squid proxy server...!!!
> >> >>
> >> >> My Problem is: I want to bypass a particular client computer from my
> >> >> proxy server because one of my clients wants to access SSL, but my proxy
> >> >> is not allowing it. Please help to bypass from proxy.
> >> >>
> >> >> Thanks and regards,
> >> >> Ashraf
> >> >
>
> Amos


Re: [squid-users] Allow or deny HTCP CLR

2010-08-31 Thread Mark Nottingham
What version of Squid?

Regards,


On 31/08/2010, at 10:35 PM, Thijs Stuurman wrote:

> Squid users,
> 
> I am replacing ICP with HTCP in a configuration with 2 and one with 4 squid 
> servers.
> When testing I can see that besides the HTCP_TST neighbor cache hit test it 
> sometimes sends a HTCP_CLR to purge content on a neighbor.
> What I do not know is when or why it does this and if I want this behavior?
> 
> All the documents I can find and information only covers HTCP_TST.
> Also I have read about warnings on forwarding HTCP_CLR commands because it 
> might create a loop.
> It does seem to be what I would want when using 4 servers, does anyone have 
> any experience with this?
> 
> Kind regards,
> 
> Thijs Stuurman
> System Administrator
> Security Officer
> 
> Nxs Internet BV
> Kabelweg 37, 1014 BA, Amsterdam
> T. +31 (0) 20 58 11 088
> F. +31 (0) 20 58 11 071
> E. beheer.li...@nxs.nl
> 

--
Mark Nottingham   m...@yahoo-inc.com




[squid-users] Squid running on Windows Server 2008

2010-08-31 Thread rrperez
I have configured Squid 2.7 on a Windows OS, but when adding authentication,
the squid_ldap_auth helper doesn't work. Is there support for this helper on
Windows?