[squid-users] user auth / windows update

2011-01-14 Thread Schwoob Sebastien
Hi,

 
I didn't find any info in your archive, so I hope that someone can help
me ;-).

I must configure internet access through user / password == no problem with
that.

But how can I configure Squid to allow Windows Update without being identified
on the internet?

In other words:

All our Windows PCs must always be at the latest level from Windows
Update without the user doing anything.

When the user wants to surf the internet, he must be authenticated.

Any solution for me ?

Thanks in advance

 

--

SCHWOOB Sébastien

ILS CONSULT FRANCE

200, Avenue de Colmar

67100 STRASBOURG

Tél   :  +33 (0)3-88-79-79-50

Fax  :  +33 (0)3-88-79-79-59

 

 

 



Re: [squid-users] user auth / windows update

2011-01-14 Thread Amos Jeffries

On 14/01/11 23:49, Schwoob Sebastien wrote:

> Hi,
>
> I didn't find any info in your archive, so I hope that someone can help
> me ;-).
>
> I must configure internet access through user / password == no problem with
> that.
>
> But how can I configure Squid to allow Windows Update without being identified
> on the internet?
>
> In other words:
>
> All our Windows PCs must always be at the latest level from Windows
> Update without the user doing anything.
>
> When the user wants to surf the internet, he must be authenticated.
>
> Any solution for me?



http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[squid-users] Connection error

2011-01-14 Thread Senthilkumar

Hi All,

I am using Squid Cache: Version 3.1.8, configured with the NTLM scheme using
Samba, ClamAV + ICAP and squidGuard.
All of the clients are Windows machines joined to the domain. The browser
authenticates using the NTLM scheme without a pop-up for the password and
everything is working fine.


We have two issues:
1. We are using many ACLs to allow and deny websites on the basis of the
ADS groups using wbinfo.pl. From time to time the users report that
the authentication pop-up appears.

In cache.log we can find the following

2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD  229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.

We just increased it to 30 for ntlm and 30 for wbinfo (external); it still
occurs. Does the NTLM scheme have any new behaviour?


2. When we browse a website and leave the browser idle for 30 - 60 minutes,
"cannot display page" occurs.

In squid.conf we have used the following values:
half_closed_clients off
client_persistent_connections off
server_persistent_connections off
Does Squid have this as default behaviour? Please suggest suitable options
in squid.conf to overcome it.


Thanks
Senthil








Re: [squid-users] size of squid binary

2011-01-14 Thread Eda FLORAT
Hello,

if we accept losing debug symbols and get a stripped binary, can we say
that the stripped binary of squid will perform better?
Thanks.

--
Kind Regards
Eda FLORAT

2011/1/13 Henrik Nordström hen...@henriknordstrom.net:
> Mon 2010-12-27 at 11:00 -0600, Orestes Leal R. wrote:
>> I've built squid 3.1.10 on openbsd4.6 successfully
>> but my squid binary is 40M in size, then I do a:
>>
>> is this size normal by default?
>
> Yes.
>
>> does squid get a debug build by default?
>
> Yes, just as is done for virtually any Open Source software you can
> find.
>
> The memory usage is just the stripped size and disk space is cheap
> compared to the alternative.  Without the debug info you can't analyze
> any crashes in a meaningful way.
>
> I kind of like the way this is handled in Fedora and perhaps other
> distributions as well, where packaged binaries are packaged with debug
> info kept separately from the binary and installed when needed. Gives
> the best of both.
>
> Regards
> Henrik




Re: [squid-users] size of squid binary

2011-01-14 Thread Ralf Hildebrandt
* Eda FLORAT edaflo...@gmail.com:
> Hello,
>
> if we accept losing debug symbols and get a stripped binary, can we say
> that the stripped binary of squid will perform better?

Who said anything about performance?

> > I kind of like the way this is handled in Fedora and perhaps other
> > distributions as well, where packaged binaries are packaged with debug
> > info kept separately from the binary and installed when needed. Gives
> > the best of both.

Ubuntu does this as well.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] size of squid binary

2011-01-14 Thread Eda FLORAT
Hello again,

2011/1/14 Ralf Hildebrandt ralf.hildebra...@charite.de:
> * Eda FLORAT edaflo...@gmail.com:
>> Hello,
>>
>> if we accept losing debug symbols and get a stripped binary, can we say
>> that the stripped binary of squid will perform better?
>
> Who said anything about performance?

No one said so. I am just asking to learn. Thanks.

>>> I kind of like the way this is handled in Fedora and perhaps other
>>> distributions as well, where packaged binaries are packaged with debug
>>> info kept separately from the binary and installed when needed. Gives
>>> the best of both.
>
> Ubuntu does this as well.
>
> --
> Ralf Hildebrandt
>   Geschäftsbereich IT | Abteilung Netzwerk
>   Charité - Universitätsmedizin Berlin
>   Campus Benjamin Franklin
>   Hindenburgdamm 30 | D-12203 Berlin
>   Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>   ralf.hildebra...@charite.de | http://www.charite.de




Re: [squid-users] size of squid binary

2011-01-14 Thread Orestes Leal R.




* Eda FLORAT edaflo...@gmail.com:
> Hello,
>
> if we accept losing debug symbols and get a stripped binary, can we say
> that the stripped binary of squid will perform better?

I think it performs pretty much the same; the only differences between the
2 binary files (apart from size) are the new section (sections?) for
debugging (symbol sections allocated by the compiler because requested by
the developer in the makefile), but I think that the memory space of the
.text and .data sections must be the same size.
I'm not an expert in the subject so I might be wrong.

best regards,
LeaL





[squid-users] dear Amos Jeffries thanks for lookin at my conf!

2011-01-14 Thread fix
Thank you for reviewing my conf; it is very reassuring to have a pro give it
a once-over. I have upgraded to Squid 3.0 and the cache is now working
perfectly. I'm getting an average of 25% cache hits in the first 48 hours of
production.  I will share my conf with others now.
-- 
fix thefi...@electroniktribulationarmy.com
Electronik Tribulation Army



[squid-users] Reverse Proxy for multiple SSL sites on same server

2011-01-14 Thread Dean Weimer
I am struggling with a setup where I am adding a parent web server behind my 
reverse proxy that has multiple ssl sites running under the same name but on 
different ports.  The site on the default port 443 works, but I can't get it to 
forward to the parent on the second site running on port 444.  The server is 
already running several ssl sites on 443 using a UCC SSL cert with subject 
alternative names.

Here are the relevant parts of the setup:

https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

acl ssl_secure proto HTTPS
acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
acl securesite url_regex -i ^https://secure.mydomain.com/
acl parentserver dst 10.20.10.62/32

http_access deny securesite444 !ssl_secure
http_access allow securesite444 ssl_secure
http_access deny securesite !ssl_secure
http_access allow securesite ssl_secure
http_access allow parentserver ssl_secure
http_access deny ssl_secure

cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent444 secure.mydomain.com
cache_peer_access parent444 allow securesite444 ssl_secure

cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent secure.mydomain.com
cache_peer_access parent allow securesite ssl_secure


The logs show both the SSL listening ports were started, and both parents 
configured, however when accessing https://secure.mydomain.com:444/ it reports 
that it was unable to select source.

2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:443, FD 71.
2011/01/14 13:49:51| Accepting HTTPS connections at 10.50.20.10:444, FD 72.
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/443/0
2011/01/14 13:49:51| Configuring Parent 10.20.10.62/444/0
2011/01/14 13:49:51| Ready to serve requests.
2011/01/14 13:49:57| Failed to select source for 'https://secure.mydomain.com:444/'
2011/01/14 13:49:57|   always_direct = 0
2011/01/14 13:49:57|    never_direct = 0
2011/01/14 13:49:57|        timedout = 0

Does anyone have any idea what I am missing in the parent configuration or 
access rule list that is not allowing the reverse proxy to find and use the 
parent server?

Thanks,
 Dean Weimer


Re: [squid-users] Connection error

2011-01-14 Thread Amos Jeffries

On 15/01/11 07:35, Senthilkumar wrote:

> Hi All,
>
> I am using Squid Cache: Version 3.1.8, configured with the NTLM scheme using
> Samba, ClamAV + ICAP and squidGuard.
> All of the clients are Windows machines joined to the domain. The browser
> authenticates using the NTLM scheme without a pop-up for the password and
> everything is working fine.
>
> We have two issues:
> 1. We are using many ACLs to allow and deny websites on the basis of the
> ADS groups using wbinfo.pl. From time to time the users report that
> the authentication pop-up appears.
> In cache.log we can find the following
>
> 2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:27:50| WARNING: 25 pending requests queued
> 2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:56:48| WARNING: 25 pending requests queued
> 2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 12:57:36| WARNING: 25 pending requests queued
> 2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
> 2011/01/14 14:00:03| WARNING: 25 pending requests queued
> 2011/01/14 14:00:06| WARNING: Closing open FD 229
> 2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
>
> We just increased it to 30 for ntlm and 30 for wbinfo (external); it still
> occurs. Does the NTLM scheme have any new behaviour?



Also, wbinfo has a maximum capacity limit of only ~256 lookups, shared 
across all helpers AFAIK. When this limit is exceeded the lookups get 
queued. When queue fills clients are rejected.



> 2. When we browse a website and leave the browser idle for 30 - 60 minutes,
> "cannot display page" occurs.


strange.


> In squid.conf we have used the following values:
> half_closed_clients off
> client_persistent_connections off
> server_persistent_connections off
> Does Squid have this as default behaviour? Please suggest suitable options
> in squid.conf to overcome it.


Eek!

Firstly, the NTLM scheme authenticates a TCP connection, *not* a user.

Secondly, the NTLM scheme requires *three* full HTTP requests to be 
performed to authenticate and fetch an object.


So... without persistent connections your Squid and its client browsers 
are consuming up to 3x the amount of traffic (and bandwidth) they 
normally would be.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
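
The cache.log warnings quoted in this thread can be turned into a saturation timeline that shows when the NTLM helper pool ran out and how deep the queue got. This is an added example, not part of the original thread or of Squid; the function names and the five-minute burst window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the cache.log warnings quoted in this thread.
SAMPLE_LOG = """\
2011/01/14 12:27:50| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:27:50| WARNING: 25 pending requests queued
2011/01/14 12:56:48| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:56:48| WARNING: 25 pending requests queued
2011/01/14 12:57:36| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 12:57:36| WARNING: 25 pending requests queued
2011/01/14 14:00:03| WARNING: All ntlmauthenticator processes are busy.
2011/01/14 14:00:03| WARNING: 25 pending requests queued
2011/01/14 14:00:06| WARNING: Closing open FD  229
2011/01/14 14:01:09| WARNING: All ntlmauthenticator processes are busy.
"""

LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*(.*)$")
BUSY = re.compile(r"WARNING: All (\S+) processes are busy")
QUEUED = re.compile(r"WARNING: (\d+) pending requests queued")


def saturation_events(log_text):
    """Return one dict per 'all helpers busy' warning, with the queue depth
    from the 'pending requests queued' line logged in the same second."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines without a cache.log timestamp
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        busy = BUSY.search(m.group(2))
        if busy:
            events.append({"time": when, "helper": busy.group(1), "queued": None})
            continue
        queued = QUEUED.search(m.group(2))
        if (queued and events and events[-1]["queued"] is None
                and events[-1]["time"] == when):
            events[-1]["queued"] = int(queued.group(1))
    return events


def bursts(events, window=timedelta(minutes=5)):
    """Group events separated by at most `window` into bursts."""
    groups = []
    for ev in events:
        if groups and ev["time"] - groups[-1][-1]["time"] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def summarise(log_text):
    """Count saturation warnings per helper, the deepest queue, and bursts."""
    events = saturation_events(log_text)
    return {
        "per_helper": dict(Counter(e["helper"] for e in events)),
        "max_queued": max((e["queued"] or 0 for e in events), default=0),
        "bursts": [(g[0]["time"].strftime("%H:%M:%S"), len(g))
                   for g in bursts(events)],
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```
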


Re: [squid-users] size of squid binary

2011-01-14 Thread Amos Jeffries

On 15/01/11 09:20, Orestes Leal R. wrote:




>> * Eda FLORAT edaflo...@gmail.com:
>>> Hello,
>>>
>>> if we accept losing debug symbols and get a stripped binary, can we say
>>> that the stripped binary of squid will perform better?
>
> I think it performs pretty much the same; the only differences between
> the 2 binary files (apart from size) are the new section (sections?) for
> debugging (symbol sections allocated by the compiler because requested by
> the developer in the makefile), but I think that the memory space of the
> .text and .data sections must be the same size.
> I'm not an expert in the subject so I might be wrong.


You are correct. Modern compilers make sure the symbols are separate and 
the OS doesn't even load those areas of the binary unless it needs to answer 
a stack trace OS call. All it means is a (much) larger binary size on disk.
Running under a debugger is slightly different, where the debugger will 
manually load the symbols separately for its own uses.


The reason distros such as Debian and Ubuntu strip symbols is to improve 
their disk package sizes and install times. They also often provide a 
second package with the non-stripped binary named *-dbg.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[squid-users] RE: Help Cant Compile squid 3.1.10

2011-01-14 Thread Shawn
./configure --prefix=/usr/local/squid3 --enable-kill-parent-hack \
  --with-large-files --with-openssl \
  --enable-auth=basic,ntlm,digest,negotiate \
  --enable-basic-auth-helpers=DB,getpwnam,MSNT,SMB,YP \
  --enable-ntlm-auth-helpers=fakeauth,mswin_sspi,no_check,smb_lm \
  --enable-digest-auth-helpers=eDirectory,ldap,password \
  --enable-negotiate-auth-helpers=mswin_sspi,squid_kerb_auth \
  --enable-follow-x-forwarded-for --enable-linux-tproxy \
  --enable-linux-netfilter --enable-pf-transparent \
  --enable-ipf-transparent --enable-ipfw-transparent \
  --enable-cache-digests --enable-ssl





In file included from libntlmssp.c:20:
ntlm.h:22:21: error: windows.h: No such file or directory
ntlm.h:23:18: error: sspi.h: No such file or directory
ntlm.h:24:22: error: security.h: No such file or directory
libntlmssp.c:24:16: error: lm.h: No such file or directory
libntlmssp.c:25:22: error: ntsecapi.h: No such file or directory
cc1: warnings being treated as errors
libntlmssp.c:29: error: no previous prototype for ‘Valid_Group’
libntlmssp.c: In function ‘Valid_Group’:
libntlmssp.c:31: error: ‘FALSE’ undeclared (first use in this function)
libntlmssp.c:31: error: (Each undeclared identifier is reported only once
libntlmssp.c:31: error: for each function it appears in.)
libntlmssp.c:32: error: ‘WCHAR’ undeclared (first use in this function)
libntlmssp.c:32: error: expected ‘;’ before ‘wszUserName’
libntlmssp.c:33: error: expected ‘;’ before ‘wszGroup’
libntlmssp.c:35: error: ‘LPLOCALGROUP_USERS_INFO_0’ undeclared (first use in 
this function)
libntlmssp.c:35: error: expected ‘;’ before ‘pBuf’
libntlmssp.c:36: error: expected ‘;’ before ‘pTmpBuf’
libntlmssp.c:37: error: ‘DWORD’ undeclared (first use in this function)
libntlmssp.c:37: error: expected ‘;’ before ‘dwLevel’
libntlmssp.c:38: error: expected ‘;’ before ‘dwFlags’
libntlmssp.c:39: error: expected ‘;’ before ‘dwPrefMaxLen’
libntlmssp.c:40: error: expected ‘;’ before ‘dwEntriesRead’
libntlmssp.c:41: error: expected ‘;’ before ‘dwTotalEntries’
libntlmssp.c:42: error: ‘NET_API_STATUS’ undeclared (first use in this function)
libntlmssp.c:42: error: expected ‘;’ before ‘nStatus’
libntlmssp.c:43: error: expected ‘;’ before ‘i’
libntlmssp.c:44: error: expected ‘;’ before ‘dwTotalCount’
libntlmssp.c:48: error: implicit declaration of function ‘MultiByteToWideChar’
libntlmssp.c:48: error: ‘CP_ACP’ undeclared (first use in this function)
libntlmssp.c:49: error: implicit declaration of function ‘strlen’
libntlmssp.c:49: error: incompatible implicit declaration of built-in function 
‘strlen’
libntlmssp.c:49: error: ‘wszUserName’ undeclared (first use in this function)
libntlmssp.c:52: error: ‘wszGroup’ undeclared (first use in this function)
libntlmssp.c:62: error: ‘nStatus’ undeclared (first use in this function)
libntlmssp.c:62: error: implicit declaration of function ‘NetUserGetLocalGroups’
libntlmssp.c:64: error: ‘dwLevel’ undeclared (first use in this function)
libntlmssp.c:65: error: ‘dwFlags’ undeclared (first use in this function)
libntlmssp.c:66: error: ‘LPBYTE’ undeclared (first use in this function)
libntlmssp.c:66: error: expected expression before ‘)’ token
libntlmssp.c:70: error: ‘NERR_Success’ undeclared (first use in this function)
libntlmssp.c:71: error: ‘pTmpBuf’ undeclared (first use in this function)
libntlmssp.c:71: error: ‘pBuf’ undeclared (first use in this function)
libntlmssp.c:72: error: ‘i’ undeclared (first use in this function)
libntlmssp.c:72: error: ‘dwEntriesRead’ undeclared (first use in this function)
libntlmssp.c:77: error: implicit declaration of function ‘wcscmp’
libntlmssp.c:78: error: ‘TRUE’ undeclared (first use in this function)
libntlmssp.c:82: error: ‘dwTotalCount’ undeclared (first use in this function)
libntlmssp.c:91: error: implicit declaration of function ‘NetApiBufferFree’
libntlmssp.c: At top level:
libntlmssp.c:96: error: expected ‘)’ before ‘LsaStr’
libntlmssp.c:118: error: no previous prototype for ‘GetDomainName’
libntlmssp.c: In function ‘GetDomainName’:
libntlmssp.c:121: error: ‘LSA_HANDLE’ undeclared (first use in this function)
libntlmssp.c:121: error: expected ‘;’ before ‘PolicyHandle’
libntlmssp.c:122: error: ‘LSA_OBJECT_ATTRIBUTES’ undeclared (first use in this 
function)
libntlmssp.c:122: error: expected ‘;’ before ‘ObjectAttributes’
libntlmssp.c:123: error: ‘NTSTATUS’ undeclared (first use in this function)
libntlmssp.c:123: error: expected ‘;’ before ‘status’
libntlmssp.c:124: error: ‘PPOLICY_PRIMARY_DOMAIN_INFO’ undeclared (first use in 
this function)
libntlmssp.c:124: error: expected ‘;’ before ‘ppdiDomainInfo’
libntlmssp.c:125: error: ‘PWKSTA_INFO_100’ undeclared (first use in this 
function)
libntlmssp.c:125: error: expected ‘;’ before ‘pwkiWorkstationInfo’
libntlmssp.c:126: error: ‘DWORD’ undeclared (first use in this function)
libntlmssp.c:126: error: expected ‘;’ before ‘netret’
libntlmssp.c:132: error: implicit declaration of function ‘memset’
libntlmssp.c:132: error: incompatible implicit declaration of built-in function 
‘memset’

Re: [squid-users] Reverse Proxy for multiple SSL sites on same server

2011-01-14 Thread Amos Jeffries

A few comments inline with your text...

On 15/01/11 09:29, Dean Weimer wrote:

> I am struggling with a setup where I am adding a parent web server behind my
> reverse proxy that has multiple ssl sites running under the same name but on
> different ports.  The site on the default port 443 works, but I can't get it to
> forward to the parent on the second site running on port 444.  The server is
> already running several ssl sites on 443 using a UCC SSL cert with subject
> alternative names.
>
> Here are the relevant parts of the setup:
>
> https_port 10.50.20.10:443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=www.mydomain.com vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> https_port 10.50.20.10:444 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=secure.mydomain.com:444 vhost options=NO_SSLv2 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
>
> acl ssl_secure proto HTTPS
> acl securesite444 url_regex -i ^https://secure.mydomain.com:444/
> acl securesite url_regex -i ^https://secure.mydomain.com/


To do this I would add a name= option to http_port for 444 and an ACL 
that tested for it on traffic.


Alternatively you may be able to use the port ACL. (*NOT* the myport one)

  acl securesite dstdomain secure.mydomain.com
  acl port444 port 444

or

  http_port 10.50.20.10:444 ... name=444
  acl port444 portname 444
  acl securesite dstdomain secure.mydomain.com



> acl parentserver dst 10.20.10.62/32
>
> http_access deny securesite444 !ssl_secure
> http_access allow securesite444 ssl_secure
> http_access deny securesite !ssl_secure
> http_access allow securesite ssl_secure
> http_access allow parentserver ssl_secure
> http_access deny ssl_secure


Bit faster config that will save you four slow regex matches:

  # if it is not HTTPS reject
  http_access deny !ssl_secure
  # if it is destined to the local domain or to the local server allow
  http_access allow securesite
  http_access allow parentserver
  http_access deny all

NP: this relies on all your traffic being HTTPS and that http_access 
does not care about the port. In your stated config only the peer 
selection cares about the port.




> cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent444 secure.mydomain.com
> cache_peer_access parent444 allow securesite444 ssl_secure
>
> cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
> cache_peer_domain parent secure.mydomain.com
> cache_peer_access parent allow securesite ssl_secure



Use either cache_peer_domain OR cache_peer_access not both.


With the above suggestions these would become:

  cache_peer_access parent444 allow port444 securesite
  cache_peer_access parent444 deny all

  cache_peer_access parent allow !port444
  cache_peer_access parent deny all


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
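
A small checker for the cache_peer section discussed above: it flags peers that carry both cache_peer_domain and cache_peer_access (the overlap Amos points out) and peers configured with sslflags=DONT_VERIFY_PEER, which makes Squid accept an origin certificate that fails verification. This is an added example, not part of the original thread or of Squid; the function names are assumptions and the sample is the posted config with its wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: the cache_peer section posted in this thread, with each
# directive rejoined onto one line (the mail client had wrapped them).
SAMPLE_CONF = """\
cache_peer 10.20.10.62 parent 444 0 ssl no-query originserver name=parent444 sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent444 secure.mydomain.com
cache_peer_access parent444 allow securesite444 ssl_secure

cache_peer 10.20.10.62 parent 443 0 ssl no-query originserver name=parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER
cache_peer_domain parent secure.mydomain.com
cache_peer_access parent allow securesite ssl_secure
"""

MSG_NO_VERIFY = "sslflags=DONT_VERIFY_PEER: origin certificate is not verified"
MSG_BOTH = "both cache_peer_domain and cache_peer_access are set; use one"
MSG_UNDEFINED = "selection rule refers to an undefined cache_peer name"


def parse_peers(conf_text):
    """Collect cache_peer definitions and the selection directives per peer."""
    peers = {}
    rules = defaultdict(lambda: {"cache_peer_domain": [], "cache_peer_access": []})
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        # cache_peer hostname type http-port icp-port [options]
        if directive == "cache_peer" and len(args) >= 4:
            opts = dict(o.split("=", 1) if "=" in o else (o, True)
                        for o in args[4:])
            # A peer is referred to by its hostname unless name= is given.
            name = opts.get("name", args[0])
            peers[name] = {"host": args[0], "port": args[2], "opts": opts}
        elif directive in ("cache_peer_domain", "cache_peer_access") and args:
            rules[args[0]][directive].append(args[1:])
    return peers, rules


def lint_peers(conf_text):
    """Return sorted (peer name, finding) pairs for the parsed configuration."""
    peers, rules = parse_peers(conf_text)
    findings = []
    for name, peer in peers.items():
        flags = re.split(r"[,:]", str(peer["opts"].get("sslflags", "")))
        if "ssl" in peer["opts"] and "DONT_VERIFY_PEER" in flags:
            findings.append((name, MSG_NO_VERIFY))
        r = rules.get(name, {})
        if r.get("cache_peer_domain") and r.get("cache_peer_access"):
            findings.append((name, MSG_BOTH))
    for name in rules:
        if name not in peers:
            findings.append((name, MSG_UNDEFINED))
    return sorted(findings)


if __name__ == "__main__":
    for peer, finding in lint_peers(SAMPLE_CONF):
        print(f"{peer}: {finding}")
```
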


Re: [squid-users] RE: Help Cant Compile squid 3.1.10

2011-01-14 Thread Amos Jeffries

On 15/01/11 14:47, Shawn wrote:

> ./configure --prefix=/usr/local/squid3 --enable-kill-parent-hack
> --with-large-files --with-openssl
> --enable-auth=basic,ntlm,digest,negotiate
> --enable-basic-auth-helpers=DB,getpwnam,MSNT,SMB,YP
> --enable-ntlm-auth-helpers=fakeauth,mswin_sspi,no_check,smb_lm
> --enable-digest-auth-helpers=eDirectory,ldap,password
> --enable-negotiate-auth-helpers=mswin_sspi,squid_kerb_auth
> --enable-follow-x-forwarded-for --enable-linux-tproxy


NP: --enable-linux-tproxy is a deprecated option; the feature it 
enables (TPROXY version 2) is no longer supported by the current Linux 
kernels.



> --enable-linux-netfilter --enable-pf-transparent
> --enable-ipf-transparent --enable-ipfw-transparent
> --enable-cache-digests --enable-ssl
>
> In file included from libntlmssp.c:20:
> ntlm.h:22:21: error: windows.h: No such file or directory
> ntlm.h:23:18: error: sspi.h: No such file or directory
> ntlm.h:24:22: error: security.h: No such file or directory
> libntlmssp.c:24:16: error: lm.h: No such file or directory
> libntlmssp.c:25:22: error: ntsecapi.h: No such file or directory
> cc1: warnings being treated as errors

snip

You don't provide any details about your environment. It looks like the 
configuration file produced from running ./configure contains garbage.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4