Re: [squid-users] Configuring squid with custom authentication helper in accelerator mode (reverse proxy)

2010-12-01 Thread Amos Jeffries

On 02/12/10 00:31, Soumadri Roy Chowdhury wrote:

> I need to configure Squid as a reverse proxy with a custom
> authentication helper for each incoming requests. Every request to
> Squid is assumed to be with basic authentication. Any connection which


Don't assume. Be sure.
By only configuring squid with "auth_param basic" other auth types will 
be identified as unusable.



> fails the authentication, should be terminated. I am a newbie in
> Squid. Following is the configuration script I have used. This sample
> is to access "mindofaprogrammer.blog.com",
>
> #Squid Configs
> acl all src all
> acl manager proto cache_object
>
> http_port 80 accel defaultsite=mindofaprogrammer.blog.com
> cache_peer mindofaprogrammer.blog.com parent 80 0 no-query originserver name=myAccel
>
> acl myblog dstdomain mindofaprogrammer.blog.com
> http_access allow myblog
> cache_peer_access myAccel allow myblog
> cache_peer_access myAccel deny all
>
>
> auth_param basic program C:/wamp/bin/php/php5.3.0/php.exe "c:/squid/libexec/authhelper.php"


I suggest you don't use PHP. I spent a long while trying to and had to 
abandon it due to constant changes in the timeouts of scripts. The global 
and local overrides provided failed differently in every PHP version to 
date.
The result is that helpers die and periodically they *all* die and take 
Squid out too.


When the devs drop this automatic script lifetime stupidity for 
command-line PHP the language will likely be usable again.


There are bundled DB and file helpers that should be usable for most 
custom auth systems.




> auth_param basic children 2
> auth_param basic realm eReader
> auth_param basic credentialsttl 5 hours
>
> acl AuthUsers proxy_auth REQUIRED
> http_access allow AuthUsers
>
> access_log c:/squid/var/logs/access.log squid
> coredump_dir c:/squid/var/cache
> #End Configs
>
> I have written the custom authentication helper in a PHP script. The
> listing of the same is as follows,
>
>
>
>
> The problem I am facing is, even after configuring this, only the
> reverse proxy settings are working not the authentication. Am I doing
> something wrong here?


Sounds like it. Try writing some debug information to STDERR and seeing 
what shows up in your cache.log.



NP: since you have your own helper you could/should make it concurrent 
and help Squid run a bit faster with it.


ie. I used to do that with:

<?php
// Read one request per line from Squid on STDIN (the PHP CLI constant;
// the undefined $stdin variable in the original makes fgets() fail).
while ($line = fgets(STDIN, 8192))
{
    $line = trim($line);
    if ("\$shutdown" == $line) break;

    $part = explode(" ", $line);
    $id = $part[0];                      // channel ID number (concurrent helper)
    $username = rawurldecode($part[1]);  // RFC 1738 encoded by Squid
    $password = rawurldecode($part[2]);  // RFC 1738 encoded by Squid
    // ... check $username and $password against your backend here ...
    echo $id . " OK\n";                  // or $id . " ERR\n" when the check fails
    fflush(STDOUT);                      // reply at once; Squid is waiting on it
}

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
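Added example, not Amos's code and not one of the Squid-bundled helpers: the same concurrent line protocol in Python, where Squid sends `<channel-ID> <user> <password>` (user and password URL-encoded) and expects `<channel-ID> OK` or `<channel-ID> ERR` back. The credential table is constructed for the example, and the helper is assumed to be the one named in `auth_param basic program`, with `http_access allow AuthUsers` placed before any other allow rule since http_access is first-match.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote


def _digest(salt: str, password: str) -> str:
    # Salted SHA-256 so the table never holds cleartext passwords.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed credential table for the example: username -> (salt, digest).
USERS = {
    "alice": ("s1", _digest("s1", "correct horse")),
    "bob": ("s2", _digest("s2", "hunter2")),
}


def check_credentials(username: str, password: str) -> bool:
    """True only when the user exists and the password matches its digest."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, expected = entry
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_digest(salt, password), expected)


def handle_line(line: str) -> str:
    """Turn one '<id> <user> <password>' request into its '<id> OK|ERR' reply.

    User and password arrive RFC 1738 (%XX) encoded, so a password with a
    space is decoded with unquote, not unquote_plus. A malformed line gets
    ERR on its channel instead of an exception that would kill the helper.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) < 3 or not parts[0].isdigit():
        channel = parts[0] if parts[0].isdigit() else "0"
        return channel + " ERR"
    channel, user, password = parts[0], unquote(parts[1]), unquote(parts[2])
    return channel + (" OK" if check_credentials(user, password) else " ERR")


def main() -> None:
    # One request per line, one reply per line, flushed at once so Squid
    # never waits on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```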


Re: [squid-users] Re: Optimizing Squid

2010-12-01 Thread Amos Jeffries

On 02/12/10 03:50, Florian Bannasch wrote:

> On 23.11.2010, Amos Jeffries wrote:
>
>
>>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>>
>>
>>
>> Hmm, good time to ask I suppose. Why use squidguard?
>> because you actually need the capacity to process hundreds of thousands
>> of blocklist entries and respond with a corporate denial page like some
>> ISP?
>> or because everyone else is doing it and the tutorials all say so?
>
>
> I use SquidGuard only to block ads, a denial Page is not needed. Do you
> know a better way?


Using Squid's ACL perhaps.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] Transparent proxying of https

2010-12-01 Thread Amos Jeffries

On 02/12/10 17:17, Alex King wrote:

> I'm wanting to know whether this is a capability of squid, or if anyone
> knows another FOSS product that can do it.
>
> The scenario:
>
> I have an upstream firewall and proxy that I do not control, and the
> only access to the internet is via the proxy, which uses proxy basic
> authentication (and is probably running squid).
>
> I am running my own copy of squid on the network, passing through proxy
> authentication credentials to the upstream proxy.
>
> Some devices (android phones mostly) on the local network don't have a
> facility to specify a proxy server. For these devices, I intercept the
> http traffic at my squid box and send it to the upstream proxy with
> squid supplying a generic proxy password to the upstream proxy.


Check if IPv6 traffic is placed under such harsh limits as IPv4 on your 
network. I have clients using Android which use IPv6 when their IPv4 is 
blocked.


If you are lucky they will have new enough Android versions which rumour 
has it support zero-conf WPAD/PAC instead of manual configuration.




> The upstream proxy is represented by two different cache_peer lines in
> the config; the one used is selected by ACLs.
>
> This all works very well for http. However, I would like to do the same
> for https traffic. This should be quite do-able, but as far as I can
> tell squid can't do this?
>
> HTTPs traffic could be intercepted by iptables and sent to a port on
> which squid listens. Squid can find the original intended destination IP
> via a syscall, then supply the generic password to the upstream proxy
> and use a CONNECT to connect through to that address. Squid would not
> need to be "in the middle" and deal with decryption/encryption, it would
> simply pass through the data as it does when set as an https proxy in
> the normal case.


Interesting. That might actually be doable. As long as there is 
absolutely zero touching of the internal encrypted traffic.


My experience with SSL indicates that the IPs and maybe even the TCP 
ports are included in the actual transfer though, so there may be 
problems when the upstream proxy IP connects to the server with an 
(encrypted) client certificate containing the clients real IP.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


[squid-users] Transparent proxying of https

2010-12-01 Thread Alex King
I'm wanting to know whether this is a capability of squid, or if anyone 
knows another FOSS product that can do it.


The scenario:

I have an upstream firewall and proxy that I do not control, and the 
only access to the internet is via the proxy, which uses proxy basic 
authentication (and is probably running squid).


I am running my own copy of squid on the network, passing through proxy 
authentication credentials to the upstream proxy.


Some devices (android phones mostly) on the local network don't have a 
facility to specify a proxy server.  For these devices, I intercept the 
http traffic at my squid box and send it to the upstream proxy with 
squid supplying a generic proxy password to the upstream proxy.


The upstream proxy is represented by two different cache_peer lines in 
the config; the one used is selected by ACLs.


This all works very well for http.  However, I would like to do the same 
for https traffic.  This should be quite do-able, but as far as I can 
tell squid can't do this?


HTTPs traffic could be intercepted by iptables and sent to a port on 
which squid listens.  Squid can find the original intended destination 
IP via a syscall, then supply the generic password to the upstream proxy 
and use a CONNECT to connect through to that address.  Squid would not 
need to be "in the middle" and deal with decryption/encryption, it would 
simply pass through the data as it does when set as an https proxy in 
the normal case.


Can squid be configured to do this?  What other options are there?

Cheers,
Alex


Re: [squid-users] Default Home Page

2010-12-01 Thread Amos Jeffries
On Wed, 1 Dec 2010 15:21:49 +0300, Edmonds Namasenda 
wrote:
> Hello Members.
> 
> Can squid in transparent mode force all local (proxy LAN) http
> requests to a certain default page? Possibly a locally made web
> application or any other page!
> How can this be done?

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

HTH
Amos


[squid-users] Re: Optimizing Squid

2010-12-01 Thread Florian Bannasch

On 23.11.2010, Amos Jeffries wrote:


>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
>
>
> Hmm, good time to ask I suppose. Why use squidguard?
> because you actually need the capacity to process hundreds of thousands
> of blocklist entries and respond with a corporate denial page like some ISP?
> or because everyone else is doing it and the tutorials all say so?


I use SquidGuard only to block ads, a denial Page is not needed. Do you 
know a better way?


TIA, Flo





[squid-users] Default Home Page

2010-12-01 Thread Edmonds Namasenda
Hello Members.

Can squid in transparent mode force all local (proxy LAN) http
requests to a certain default page? Possibly a locally made web
application or any other page!
How can this be done?

--
Thank you and kind regards,

I.P.N Edmonds
ICT Practitioner & Consultant

Cel:    +256 70 227 3374
       +256 71 227 3374

P.O.    Box 22249, Kampala UGANDA

Y! / MSN: zibiced | GMail: namasenda | Skype: edsend

COMPUTER NETWORKS: WIRELESS; CABLED; VPNs | UNIX SERVERS: MAIL; FILE;
PROXY; WEB; VoIP | WEBSITE DESIGN: STATIC; FLASH; DYNAMIC | CREATIVE
GRAPHICS & IDENTITY MANAGEMENT | I.T SUPPORT & CONSULTANCY |
ANTI-VIRUS


Re: [squid-users] refersh_pattern cache dynamic extensions

2010-12-01 Thread Amos Jeffries

On 01/12/10 08:56, Ghassan Gharabli wrote:

> Hello,
>
> I have several questions to ask about refresh_pattern
>
> sometimes I see configuration as
>
> refresh_pattern -i *.ico$


Single extension for exact file path. Not matching when query ("?") 
parameters are present. Case does not matter.



> refresh_pattern -i .(css|js|xml)   #multiple extensions


Any string containing at least three bytes. Containing "js" or "css" or 
"xml" anywhere after the first byte.  Case does not matter.




> refresh_pattern \.(css|js|xml)


Any string containing at least three bytes. Three of which are ".js" or 
four of which are ".css" or ".xml".  Lower case only.



> refresh_pattern \.(css|js|xml)$


Any string containing at least three bytes. Three of which are ".js" or 
four of which are ".css" or ".xml". Lower case only. Might match the end 
of a domain name or query ("?") parameters.



> refresh_pattern -i .(css|js|xml)$


Any string containing at least three bytes. Ending with "js" or "css" or 
"xml". Case does not matter. Might match the end of a domain name or 
query ("?") parameters.



> refresh_pattern .(\?.*)?$


Any string. Absolutely *everything*.
The above is equivalent to: .



> Please can anyone explain what is the difference between each example
> and I have also another question like how to cache multiple extensions
> using the same rule incase it was dynamic or static


The pattern style I'm recommending for modern traffic is this:

  refresh_pattern -i \.(a|b|c|d)(\?.*)?$

to match the files with extension .a .b .c or .d regardless of case or 
whether parameter garbage has been appended.


Web2.0 download sites use parameters a lot more for two reasons:
 * to hide the file extension away from people using the old pattern to 
break the sites.
 * to add extra details which may be useful for caching variants. ie 
two sizes of the same image or two high/low definition of the same video.




> example :
> #I know this rule catches dynamic website or file but i dont know how
> to deal with multiple extensions like gif , jpeg , png
> refresh_pattern .(\?.*)?$
>
> Why we put $ , ?  or \?.*


They are part of regex code.

Please search the web for tutorials on regex patterns (POSIX extended 
regex to be precise) and learn how they work and how to use them before 
going any further. Making a mistake with them has big trouble as a 
consequence.

 Note how many of my explanations start with the words "Any string".

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
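Added example, not from the thread: the patterns discussed above run in Python's `re` against constructed URLs, so each of Amos's descriptions can be checked against a concrete string. Squid compiles refresh_pattern with POSIX extended regex, and for the constructs used here (escaped dot, alternation, optional group, `$`) `re.search` behaves the same; `-i` is rendered as `re.IGNORECASE` and the recommended pattern is written with its `?` escaped.

```python
import re

# The thread's refresh_pattern regexes, keyed by a short name. The comment
# on each line shows how it was written in squid.conf.
PATTERNS = {
    "i_dot_any":     (r".(css|js|xml)",          re.IGNORECASE),  # -i .(css|js|xml)
    "bs_dot":        (r"\.(css|js|xml)",         0),              # \.(css|js|xml)
    "bs_dot_end":    (r"\.(css|js|xml)$",        0),              # \.(css|js|xml)$
    "i_dot_any_end": (r".(css|js|xml)$",         re.IGNORECASE),  # -i .(css|js|xml)$
    "everything":    (r".(\?.*)?$",              0),              # .(\?.*)?$
    "recommended":   (r"\.(css|js|xml)(\?.*)?$", re.IGNORECASE),  # -i \.(css|js|xml)(\?.*)?$
}


def matching_patterns(url: str) -> list:
    """Names of every pattern that matches url, in PATTERNS order.

    refresh_pattern is an unanchored match against the whole URL, so
    re.search (not re.match) is the faithful comparison.
    """
    return [name for name, (regex, flags) in PATTERNS.items()
            if re.search(regex, url, flags)]


# Constructed URLs that expose the differences described in the thread.
SAMPLES = [
    "http://example.com/site.js",      # plain static file
    "http://example.com/site.JS",      # upper-case extension
    "http://example.com/site.js?v=3",  # query parameters appended
    "http://example.com/objs/page",    # "js" inside a path, but no ".js"
    "http://example.com/",             # nothing resembling an extension
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", ", ".join(matching_patterns(sample)) or "(none)")
```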


[squid-users] Configuring squid with custom authentication helper in accelerator mode (reverse proxy)

2010-12-01 Thread Soumadri Roy Chowdhury
I need to configure Squid as a reverse proxy with a custom
authentication helper for each incoming requests. Every request to
Squid is assumed to be with basic authentication. Any connection which
fails the authentication, should be terminated. I am a newbie in
Squid. Following is the configuration script I have used. This sample
is to access "mindofaprogrammer.blog.com",

#Squid Configs
acl all src all
acl manager proto cache_object

http_port 80 accel defaultsite=mindofaprogrammer.blog.com
cache_peer mindofaprogrammer.blog.com parent 80 0 no-query originserver name=myAccel

acl myblog dstdomain mindofaprogrammer.blog.com
http_access allow myblog
cache_peer_access myAccel allow myblog
cache_peer_access myAccel deny all


auth_param basic program C:/wamp/bin/php/php5.3.0/php.exe "c:/squid/libexec/authhelper.php"
auth_param basic children 2
auth_param basic realm eReader
auth_param basic credentialsttl 5 hours

acl AuthUsers proxy_auth REQUIRED
http_access allow AuthUsers

access_log c:/squid/var/logs/access.log squid
coredump_dir c:/squid/var/cache
#End Configs

I have written the custom authentication helper in a PHP script. The
listing of the same is as follows,




The problem I am facing is, even after configuring this, only the
reverse proxy settings are working not the authentication. Am I doing
something wrong here?

--
Soumadri Roy
Software Engineer

http://mindofaprogrammer.wordpress.com/
http://thesubconsciousblogger.in/


Re: [squid-users] squid-3.1 client POST buffering

2010-12-01 Thread Graham Keeling
Hello,

I am convinced that this is a serious bug, so I have entered a proper bug
report.

It is bug 3113:

http://bugs.squid-cache.org/show_bug.cgi?id=3113