Re: [squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Amos Jeffries

On 01/02/11 19:27, Saurabh Agarwal wrote:

Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth="basic,digest,ntlm,negotiate" 
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" 
--enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests 
--enable-ntlm-auth-helpers="SMB,fakeauth" 
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?


Negotiate and NTLM both require HTTP/1.1 persistent connections and also 
some major hacks called connection pinning. Not all Squid versions support 
these equally.


What version of Squid are you using, and with what configuration?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


Re: [squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

2011-01-31 Thread Amos Jeffries

On 01/02/11 16:29, Pandu Poluan wrote:

Hello,

I want to configure SQUID as a transparent proxy, but on a separate
box from the Linux gateway (both boxes using Ubuntu Server 10.04)

I found this howto: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Now, my questions are:

1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
latest SQUID version?


The whole of section 6.1 is a major security vulnerability "don't do 
it!" situation. Read CVE-2009-0801 for an explanation of what malware 
can do to trivially spread themselves across your whole client base.


The currently available Squid versions do permit it, with loud failure 
warnings in cache.log. We are planning on fully disabling the security 
hole in the near future.



Section 6.2 and 6.3 are the recommended way if you have to do NAT 
interception.


The real transparent proxy (TPROXY) in the more recent Squid does not 
work reliably on Ubuntu 10.04.

1a. If yes, which strategy should I be using?

2. Slightly tangential: Does SQUID fully support HTTP/1.1?


squid-3.2 does.
squid-3.1 and squid-2.7 almost do.
other versions do not.


Amos


[squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Saurabh Agarwal
Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth="basic,digest,ntlm,negotiate" 
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL"
 --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests 
--enable-ntlm-auth-helpers="SMB,fakeauth" 
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n 
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?

Regards,
Saurabh


Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

2011-01-31 Thread Amos Jeffries

On 01/02/11 16:28, Qvalpro Solutions wrote:

Hi Amos,

Thanks for the response.

I tried using:
https_port 443 accel defaultsite=ccapi.client.qvalent.com cert=C:\certificate\mycert.pem
cache_peer ccapi.client.qvalent.com parent 443 0 no-query login=PASS ssl sslcert=C:\payway\ccapi.pem

The transactions still did not work and when I checked the Squid
cache.log, I found a message that says "commBind: Cannot bind socket
FD 15 to *:443: (10013) WSAEACCES, Permission denied" - please let me
know if this is a problem and if there is a way to work around this
issue.


Ah, you need to run Squid as root or with admin privileges to use ports 
under 1024.


Amos


Re: [squid-users] Squid NTLM Authentication and Windows Update Server (WSUS 3.0)

2011-01-31 Thread Amos Jeffries

On 01/02/11 16:01, John Treen wrote:

Hi Everyone,

I am having trouble getting WSUS 3.0 to communicate through Squid when
using NTLM authentication. Back in early 2009 I did some testing and
determined that 2.6.STABLE5 appears to be the last version that WSUS
would successfully communicate through the proxy using NTLM.

Yesterday I tried Squid 3.1.10 and WSUS still returns a 407 Proxy
Authentication Required. If I uninstall 3.1.10 and then install
2.6.STABLE5 using the same configuration on my test machine WSUS works


I'm a little suspicious of this. Mainly because we altered many small 
background options and behaviours to achieve almost complete HTTP/1.1 
compliance in 3.1.

If I comment out the auth_param ntlm lines (just leaving basic
authentication enabled) WSUS works with 3.1.10, so I believe it could be
something going wrong in the NTLM handshake.

What is the best way to start debugging what the problem could be?


The easy way is to take a full packet capture (tcpdump -s 0 ...) when 
using the working Squid and again with the non-working one. Compare the 
two transactions' headers in Wireshark and see if anything appears.


The hard way is to dredge the squid cache.log at debug_options 29,5 on 
the 3.1 install and see what is happening.


Amos
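Both the SharePoint thread (the 401 with "WWW-Authenticate: NTLM" that never reaches the client) and the WSUS 407 loop above come down to whether the three NTLM messages stay on one TCP connection, which is what connection pinning preserves and what a side-by-side packet capture would show. The script below is an added example, not code from this list or from the Squid project: it decodes the NTLMSSP message type from captured Proxy-Authenticate/Proxy-Authorization (or WWW-Authenticate/Authorization) header values and checks, per connection, that NEGOTIATE, CHALLENGE and AUTHENTICATE arrive in order on the same connection. The header list, the connection ids and the minimal NTLMSSP blobs are constructed for the demonstration; with a real capture you would copy the header values and the TCP stream index out of Wireshark.

```python
"""Audit NTLM handshakes per TCP connection from captured HTTP auth headers.

NTLM is connection-oriented: NEGOTIATE (type 1), CHALLENGE (type 2) and
AUTHENTICATE (type 3) must all travel on the same TCP connection. A type 3
showing up on a fresh connection, or a type 1 after a completed handshake,
is exactly the symptom behind the re-prompt / 407 loop. Added example with
constructed input, not part of the original thread or of Squid.
"""
import base64
import struct

NTLMSSP_MAGIC = b"NTLMSSP\x00"            # 8-byte signature at offset 0 of every NTLMSSP message
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NAMES = {NEGOTIATE: "NEGOTIATE", CHALLENGE: "CHALLENGE", AUTHENTICATE: "AUTHENTICATE"}


def ntlm_message_type(token_b64):
    """Return the NTLMSSP MessageType (1, 2 or 3) of a base64 token, or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_MAGIC):
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # MessageType: 32-bit little-endian at offset 8


def audit_ntlm_handshakes(events):
    """events: (conn_id, direction, header_value) tuples in capture order.

    direction is "C>S" for Proxy-Authorization/Authorization (client request)
    or "S>C" for Proxy-Authenticate/WWW-Authenticate (server response).
    Returns the connections that completed a handshake and a list of findings.
    """
    last = {}            # conn_id -> last NTLM message type seen on that connection
    completed = []
    findings = []
    for conn, direction, value in events:
        scheme, _, token = value.strip().partition(" ")
        if scheme != "NTLM":
            continue
        if not token:                       # bare "NTLM": the server merely offers the scheme
            last.setdefault(conn, 0)
            continue
        mtype = ntlm_message_type(token)
        if mtype is None:
            findings.append((conn, "token is not an NTLMSSP message"))
            continue
        prev = last.get(conn, 0)
        if mtype == NEGOTIATE and direction == "C>S":
            if prev == AUTHENTICATE:
                findings.append((conn, "handshake restarted after AUTHENTICATE (client is being re-challenged)"))
        elif mtype == CHALLENGE and direction == "S>C":
            if prev != NEGOTIATE:
                findings.append((conn, "CHALLENGE without a NEGOTIATE on this connection"))
        elif mtype == AUTHENTICATE and direction == "C>S":
            if prev != CHALLENGE:
                findings.append((conn, "AUTHENTICATE without a CHALLENGE on this connection "
                                       "(handshake split across connections: pinning broken)"))
            else:
                completed.append(conn)
        else:
            findings.append((conn, f"{NAMES[mtype]} sent in unexpected direction {direction}"))
        last[conn] = mtype
    return {"completed": completed, "findings": findings}


def make_token(mtype):
    """Constructed minimal NTLMSSP blob: signature, LE message type, zero padding (not a real handshake)."""
    return base64.b64encode(NTLMSSP_MAGIC + struct.pack("<I", mtype) + b"\x00" * 20).decode()


# Constructed capture: c1 is pinned correctly; c2/c3 show one handshake split over two connections.
SAMPLE_EVENTS = [
    ("c1", "S>C", "NTLM"),
    ("c1", "C>S", "NTLM " + make_token(NEGOTIATE)),
    ("c1", "S>C", "NTLM " + make_token(CHALLENGE)),
    ("c1", "C>S", "NTLM " + make_token(AUTHENTICATE)),
    ("c2", "C>S", "NTLM " + make_token(NEGOTIATE)),
    ("c2", "S>C", "NTLM " + make_token(CHALLENGE)),
    ("c3", "C>S", "NTLM " + make_token(AUTHENTICATE)),   # type 3 arrives on a new connection
]

if __name__ == "__main__":
    result = audit_ntlm_handshakes(SAMPLE_EVENTS)
    print("completed handshakes:", result["completed"])
    for conn, msg in result["findings"]:
        print(f"{conn}: {msg}")
```

Run against the two captures Amos suggests (working 2.6 and non-working 3.1) the difference should appear as findings on the 3.1 side: the CHALLENGE and the AUTHENTICATE land on different connection ids, or a NEGOTIATE follows a completed handshake on the same connection.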


Re: [squid-users] Connection error

2011-01-31 Thread Amos Jeffries

On 01/02/11 16:30, Senthilkumar wrote:

Hi Amos,

Thanks for your response.

By using the Kerberos scheme instead of NTLM, can the pop up that occurs 
rarely be fixed?


I don't know the answer to that until we find out what your problem was 
exactly.


Negotiate has less complexity than NTLM so in theory fewer problems. The 
code in Squid is nearly identical though so most bugs are more likely to 
be shared.


Amos


Re: [squid-users] Questions on SQUID peering/mesh

2011-01-31 Thread Amos Jeffries

On 01/02/11 17:06, Pandu Poluan wrote:

Hello again!

I have 2 questions regarding SQUID peering:

Q1: Should I use ICP or HTCP?


If you have a choice, HTCP.
The packets are slightly bigger than ICP's (they contain HTTP headers, not 
just URLs) but the false positives are much lower and thus routing 
choices are better.

Q2: I plan on deploying 2 SQUID boxes in my LAN, say "A" and "B". They
will peer with each other (sibling). I also have another SQUID at our
ISP, say "C". I want only "A" to have "C" as the parent, "B" will have
no parent.

Is this possible? What should I configure on A, B, and C? And if A's
connection to C gets interrupted, can A go direct?


Yes. Exactly what you just described. Yes.


Amos


[squid-users] Questions on SQUID peering/mesh

2011-01-31 Thread Pandu Poluan
Hello again!

I have 2 questions regarding SQUID peering:

Q1: Should I use ICP or HTCP?

Q2: I plan on deploying 2 SQUID boxes in my LAN, say "A" and "B". They
will peer with each other (sibling). I also have another SQUID at our
ISP, say "C". I want only "A" to have "C" as the parent, "B" will have
no parent.

Is this possible? What should I configure on A, B, and C? And if A's
connection to C gets interrupted, can A go direct?

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


Re: [squid-users] Connection error

2011-01-31 Thread Senthilkumar

Hi Amos,

Thanks for your response.

By using the Kerberos scheme instead of NTLM, can the pop up that occurs 
rarely be fixed?


Thanks
Senthil

Amos Jeffries wrote:

On 31/01/11 18:44, Senthilkumar wrote:

Thank you .

We are using squid 3.1.8 with 100 children for ntlm scheme. We have
about 500 users and around 75 req/sec.

In the cache log rarely we see 100 pending ntlm requests and that time
squid reconfigures automatically.
Is it default behaviour of squid to reconfigure when ntlm are queued.?



No, reconfigure only happens when the administrator or some operating 
system control runs "squid -k reconfigure".


You may be seeing a crash and restart?



In the cache log we can see following errors also.

2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='


Normal message for a proxy without Basic auth configured when the 
client sends Basic credentials to it.


Squid is supposed to pause requests during the configure time. So why 
this shows up is a problem that needs to be found.


Amos


Amos Jeffries wrote:

On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:

Hi Amos,

I have followed the suggestions provided by you and if I use deny
without "all" I am getting a pop up when I access denied sites; it is
suppressed when I use all.
We use the NTLM scheme to authenticate domain users; all users can
authenticate without any prompt, but while browsing, out of 350 users only
5-6 users get a prompt rarely (around 2-3 times a day).
There is no specific website or time the prompt appears. Please
suggest some troubleshooting ideas and the cause for it.
The cache.log does not show any errors.


I'm not sure exactly which deny line you are describing as producing a
popup. The config below looks right. Where you deny based on group
lookups the lines should end with "all"; as you saw, not having it there
produces the popup.


NTLM can suffer from a few issues on connections and some bugs in
Squid. Though both of these problems have been worked on and reduced in
newer releases.

If one of the "allow" group lookups is somehow failing this may
produce a popup.

I am not sure how one would check for these in a production environment.
The things to watch out for are the HTTP auth headers for the request
before, during and after the prompt appears. Whether this is happening on a
connection while it stays up, or if the connection drops out on the
challenge. Whether it happened on a new connection using some non-NTLM
auth (ie a Windows 7 machine trying an unexpected encryption, or some
background application with the wrong keys).

Amos


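The "Unsupported or unconfigured/inactive proxy-auth scheme, 'Basic ...'" line that Amos calls normal has a side effect worth noticing: the quoted token is the client's Proxy-Authorization value, and a Basic token is only base64 of "user:password", so anyone who can read cache.log can recover that password. The script below is an added example, not code from this thread or from Squid: it scans cache.log lines for that message, reports which accounts are sending Basic credentials (so the misconfigured client can be found) and writes out a copy of the log with the tokens redacted. The log lines and the credentials in them are constructed for the demonstration.

```python
"""Find and redact Basic credentials that Squid writes verbatim to cache.log.

Added example with constructed input; the accounts and passwords below are
fake. Only the username is ever extracted; the password half is discarded.
"""
import base64
import re

# Matches the quoted scheme+token in the CreateAuthUser message shown in the thread.
BASIC_RE = re.compile(r"'Basic ([A-Za-z0-9+/=]+)'")


def decode_basic_user(token):
    """Return the username of a Basic token, or None if it is not base64 of user:password."""
    try:
        plain = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = plain.partition(":")   # password is dropped here on purpose
    return user if sep else None


def scan_cache_log(lines):
    """Return (per-user counts, redacted copy of the lines). Passwords are never retained."""
    counts = {}
    redacted = []
    for line in lines:
        m = BASIC_RE.search(line)
        if m:
            user = decode_basic_user(m.group(1)) or "<undecodable>"
            counts[user] = counts.get(user, 0) + 1
            line = BASIC_RE.sub("'Basic [REDACTED]'", line)
        redacted.append(line)
    return counts, redacted


def basic_token(user, password):
    """base64 of "user:password", exactly what a Basic client sends (constructed credentials only)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed cache.log excerpt in the format quoted in the thread (fake accounts and passwords).
ALICE = "EXAMPLE\\alice"
BOB = "EXAMPLE\\bob"
MSG = "AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, "
SAMPLE_LOG = [
    "2011/01/31 10:59:02| " + MSG + "'Basic " + basic_token(ALICE, "not-a-real-password") + "'",
    "2011/01/31 10:59:05| Accepting HTTP connections at 0.0.0.0:3128, FD 12.",
    "2011/01/31 10:59:18| " + MSG + "'Basic " + basic_token(ALICE, "not-a-real-password") + "'",
    "2011/01/31 11:02:40| " + MSG + "'Basic " + basic_token(BOB, "also-fake") + "'",
]

if __name__ == "__main__":
    counts, redacted = scan_cache_log(SAMPLE_LOG)
    for user, n in sorted(counts.items()):
        print(f"{user}: {n} Basic attempt(s)")
    print("\n".join(redacted))
```

The usual follow-ups are to find the client that keeps sending Basic (a per-user count points at it), to keep cache.log readable only by the Squid user and administrators, and to treat any password that has appeared in a readable log as disclosed.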
[squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

2011-01-31 Thread Pandu Poluan
Hello,

I want to configure SQUID as a transparent proxy, but on a separate
box from the Linux gateway (both boxes using Ubuntu Server 10.04)

I found this howto: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Now, my questions are:

1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
latest SQUID version?

1a. If yes, which strategy should I be using?

2. Slightly tangential: Does SQUID fully support HTTP/1.1?

Thanks for your time answering my questions.

Rgds,


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

2011-01-31 Thread Qvalpro Solutions
Hi Amos,

Thanks for the response.

I tried using:
https_port 443 accel defaultsite=ccapi.client.qvalent.com cert=C:\certificate\mycert.pem
cache_peer ccapi.client.qvalent.com parent 443 0 no-query login=PASS ssl sslcert=C:\payway\ccapi.pem

The transactions still did not work and when I checked the Squid
cache.log, I found a message that says "commBind: Cannot bind socket
FD 15 to *:443: (10013) WSAEACCES, Permission denied" - please let me
know if this is a problem and if there is a way to work around this
issue.

Thanks,
KB.

On Tue, Feb 1, 2011 at 7:52 AM, Amos Jeffries  wrote:
> On 01/02/11 09:01, Qvalpro Solutions wrote:
>>
>> Hi Amos,
>>
>> Thanks for the detailed response. I tried configuring Squid, but
>> couldn't get it working yet.
>>
>> Can you please elaborate "You setup Squid as a reverse-proxy and make
>> old billing application believe Squid is the Payway system. Usually
>> via DNS". Sorry if this sounds dumb.
>>
>> Steps followed by myself:
>> 1. Downloaded Squid 2.7 STABLE8 (reverse proxy with SSL support) and
>> installed it in my windows server which has the billing application
>> 2. Started the Squid service and stored the Payway's digital
>> certificate inside the "payway" directory in C: of the windows server
>> 3. Added the following options to the squid.conf file:
>> https_port accel defaultsite=https://ccapi.client.../ccapi
>> cert=C:\payway\ccapi.pem
>
> defaultsite is the domain name only. ie defaultsite=ccapi.example.com
>
>> cache_peer ssl sslcert=C:\payway\ccapi.pem
>
>
>
> I presume this works like all the other web API billing systems I've seen.
> With the client connecting to you like so?
>  client -> billing -> squid -> payway
>
> In which case you would use:
>  https_port 443 accel defaultsite=ccapi.example.com
> sslcert=
>  cache_peer ccapi.example.com parent 443 0 no-query ssl sslcert=...
>
> to produce:
>  client -> billing --(SSL internal unverified)--> squid --(SSL certificate
> verified)--> payway
>
>
> The sslcert= for the https_port line can be something self-signed that the
> billing system trusts but nobody anywhere else knows about. By default squid
> will accept any client who can perform SSL.
>
>
> If the billing system can be configured to use a proxy for internet access
> that is even better, you can remove the http_port line tricks and just use
> "http_port 3128" and "never_direct allow all".
>
> OR, you could make the billing->squid section work without SSL at all. Just
> make sure the billing system works with http:// URLs and setup http_port 80
> accel defaultsite=.
>
>
>> 4. Tried to initiate a test transaction from the billing application,
>> but it didn't work.
>>
>> Assumptions made:
>> 1. I have stored the Payway related details (aforementioned https URL,
>> username, password & Merchant ID for the API) in the billing system
>> installed in the windows server. I hope that when the billing
>> application tries to process a credit card payment, the proxy will
>> automatically take over the transaction.
>> 2. I have not added the username/password of the API to the Squid
>> configuration. Please let me know if I need to add the details in
>> Squid proxy too and if yes, kindly provide me the syntax to be used.
>>
>
> Most types of auth you will only need "login=PASS" (exact text) on the
> cache_peer line and the credentials at the billing system end point.
>
>> Please let me know if I am going in the right direction.
>>
>> Thanks,
>> KB.
>>
>> On Fri, Jan 28, 2011 at 11:08 AM, Amos Jeffries
>>  wrote:
>>>
>>> On 28/01/11 07:48, Qvalpro Solutions wrote:
>>>>
>>>> Hi Folks,
>>>>
>>>> I just started exploring Squid proxy and I am clueless of how to use
>>>> Squid in my setup.
>>>>
>>>> Some background on why I am trying to use the Squid proxy:
>>>> I have a billing application installed in a windows server. This
>>>> particular billing application uses some proprietary file system,
>>>> which cannot be customized. I have purchased a Payway API account
>>>> (Payway API is nothing but a payment processing system for credit
>>>> cards) for using with the billing application. I just noticed that the
>>>> Payway API needs a digital certificate to be installed for processing
>>>> the payments. Unfortunately, my billing application doesn't allow any
>>>> certificate installation. When I spoke to the billing application
>>>> development company and Payway, they suggested me to use the Squid
>>>> proxy to workaround the problem. I was also told that the Squid proxy
>>>> can provide the client certificate.
>>>>
>>>> As I don't have adequate exposure to setting up proxy servers, I have
>>>> the following questions:
>>>> 1. Can I install the Squid proxy in the same server where my billing
>>>> application is located?
>>>
>>> Yes.
>>>
>>> Additional problem though: Windows Squid builds only have experimental
>>> SSL
>>> support and are limited to squid-2.7 for now.
>>>
>>> If you need to do this for Windows please contact Guido at Acme
>>> Consulting
>>> (http://sq

[squid-users] Squid NTLM Authentication and Windows Update Server (WSUS 3.0)

2011-01-31 Thread John Treen

Hi Everyone,

I am having trouble getting WSUS 3.0 to communicate through Squid when 
using NTLM authentication. Back in early 2009 I did some testing and 
determined that 2.6.STABLE5 appears to be the last version that WSUS 
would successfully communicate through the proxy using NTLM.


Yesterday I tried Squid 3.1.10 and WSUS still returns a 407 Proxy 
Authentication Required. If I uninstall 3.1.10 and then install 
2.6.STABLE5 using the same configuration on my test machine WSUS works.


If I comment out the auth_param ntlm lines (just leaving basic 
authentication enabled) WSUS works with 3.1.10, so I believe it could be 
something going wrong in the NTLM handshake.


What is the best way to start debugging what the problem could be?

Software versions from our working configuration:
Samba - 3.5.1
Winbind - 3.5.1
Squid - 2.6-STABLE5

Authentication settings in squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

auth_param basic realm Test Proxy Server
auth_param basic children 5
auth_param basic credentialsttl 2 hours

Regards,
John Treen


Re: [squid-users] Decreasing the amount of data logged

2011-01-31 Thread Amos Jeffries
On Tue, 1 Feb 2011 10:56:55 +1100, Jobst Schmalenbach wrote:
> Hi.
> 
> If I setup squid as a transparent proxy, a lot of traffic
> goes through it including the following example:
> 
> This is an entry from a flash application that is part of a music
station
> called "novafm".
> 
>   1296479934.621125 192.168.0.241 TCP_MISS/200 934 POST
>   http://220.233.2.215:443/idle/GBQmdz02wSLWOu7S/4127 -
>   DIRECT/220.233.2.215 application/x-fcs
> 
> Is there a way that I stop squid logging these entries?

Yes. http://www.squid-cache.org/Doc/config/access_log


> Is there a way to tell squid to just "let them through"?

The log entry shows you already have allowed it through.

If you mean not passing through Squid then that is a matter for your
interception rules. Once the connection reaches Squid it is too late not to
handle it.

Amos


Re: [squid-users] Squid and SSL

2011-01-31 Thread Amos Jeffries
On Thu, 27 Jan 2011 11:31:21 -0800, Anthony Saenz wrote:
> I'm sure this has been brought up tons of times before but I simply 
> can't find the answer... My current setup is as follows:
> 
> PC -> HAProxy -> Squid -> The World
> 
> The reason why I'm using HAProxy is for development environment 
> switching which is based off cookies. (I inherited things this way) I'm 
> aware that browsers use CONNECT when setup to use a proxy for 
> connections but this isn't the case since I have HAProxy handling the 
> frontend.
> 
> Is there any way to get SSL requests working through Squid without 
> configuring proxy settings on the browser and do a straight TCP pass? 
> HAProxy has this functionality but doesn't support dynamic backend hosts

> which is the biggest problem.
> 
> Any help would be appreciated!

Hmm, tricky.

Is HAProxy passing an absolute URI to Squid? As in "GET http://example.com/
HTTP/1.1".

If it is sending normal web server format requests, ie "GET /
HTTP/1.1\r\nHost: example.com", you could get away with the
"protocol=https" option on http_port. This makes Squid treat the URL as
https://example.com/ and things fix themselves up, but it breaks any non-HTTPS
traffic arriving on that port.

Amos


Re: [squid-users] Windows group authentication

2011-01-31 Thread Amos Jeffries
On Sun, 30 Jan 2011 15:25:56 -1000, Jean-Denis Girard wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi list,
> 
> I have an old installation using squid-2.6.STABLE23 with ntlm_auth for
> Windows XP users belonging to a group; it works like a charm, but I want
> to upgrade it for various reasons (security, need to support Win7, ...).
> 
> So I made a fresh Linux install (Mandriva-2010.2). It has
> squid-3.1-14.1mdv2010.1 (but the log says Squid Cache version 3.1.4).
> 

If you can get a hold of a 3.1.10 you may enjoy it more.
We had a small audit of the NTLM and Kerberos handling with performance
bug fixes leading up to that release.


> Now I'm a bit confused about what is needed to achieve Windows
> authentication (XP, then 7). From the documentation, I understood that
> squid_kerb_auth should be enough, so I have this in squid.conf:
>  auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> 
> The new server has joined the windows domain using mskutil (I'd like to
> avoid samba if possible). The DSN is OK, ntp is working so no clock
> problem. But authentication doesn't work, see log below. How should I
> configure the Windows group?
> 
> So my question is simple: do I need anything else besides
> squid_kerb_auth for Windows group authentication? Are samba, ntlm_auth
> still needed?

Let's get the terminology right to start with; then the answer may become
clear to you...

 * groups CANNOT be authenticated. Because they do not have a password or key.

 * Users CAN be authenticated, because they do have passwords or keys.

 * machines can have special user accounts with a key to identify them.

 * groups have users.

 * groups can only determine where a user is authorized to go or not to go.


So back to your question, "what is needed to achieve Windows
authentication".

auth_param validates a user's login. REQUIRED.
 squid_kerb_auth is how to authenticate Negotiate protocol users.
 ntlm_auth from Samba is how to authenticate NTLM protocol users.

NOTE: these helpers ONLY check the one protocol each and have different
sets of auth_param which can be used simultaneously. So it is entirely up
to you whether you use only one or both.
 I suggest using both to start with so that software which has not been
adapted to Kerberos yet may still be able to login via NTLM. Keep a watch
on this and the main administrative task later will be fixing up this NTLM
software to use Kerberos.


ON TOP of this user authentication you can usually retain whatever group
authorization you had for NTLM.  Kerberos is effectively NTLM v3 or v4.
Though it may require some extra parameters on the group checking helpers
to make them accept the Kerberos username format.



> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Got 'YR YIIGJgYGKwYBBQU
> [snip]
> bkIUQRH' from squid (length: 2107).
> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Decode
> 'YIIGJgYGKwYBBQUCoIIGGjCCBhagJDAiB
> [snip]
> 2011/01/07 10:10:43| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
> Unspecified GSS failure.  Minor code may provide more information. Key
> table entry not found

This is the problem. The security key passed to Squid by the client is not
known.

There are some hints here:
http://fixunix.com/kerberos/60700-kinit-key-table-entry-not-found-while-getting-initial-credentials.html


Amos
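The "gss_acquire_cred() failed ... Key table entry not found" error in the log above means the keytab that squid_kerb_auth reads (typically pointed at via the KRB5_KTNAME environment variable in the Squid start script) holds no key for the service principal the browser's ticket was issued for: HTTP/<proxy fqdn>@REALM, where the fqdn is the proxy name configured in the browser. The helper below is an added example, not code from this thread or from Squid: it parses `klist -k` output and reports the mismatches that most often produce this error (short hostname instead of FQDN, realm in the wrong case, only a host/ principal and no HTTP/ one). The klist output shown is constructed in the MIT `klist -k` layout; the hostname and realm are placeholders.

```python
"""Check that Squid's keytab holds the principal squid_kerb_auth needs.

Added example with constructed `klist -k` output; proxy.example.com and
EXAMPLE.COM are placeholders. Kerberos principal matching is case-sensitive,
so HTTP/proxy.example.com@example.com does NOT satisfy a request for
HTTP/proxy.example.com@EXAMPLE.COM.
"""
import re

# klist -k entry lines look like "   3 HTTP/proxy.example.com@EXAMPLE.COM" (kvno, principal)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(output):
    """Return a list of (kvno, principal) from `klist -k` text output; header lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_keytab(klist_output, proxy_fqdn, realm):
    """Diagnose whether the keytab can serve HTTP/<proxy_fqdn>@<realm>.

    Returns (ok, messages). When the exact principal is absent, each entry is
    compared against the wanted one to explain the likely misconfiguration.
    """
    wanted = f"HTTP/{proxy_fqdn}@{realm}"
    principals = [p for _, p in parse_klist(klist_output)]
    if wanted in principals:
        return True, [f"found {wanted}"]
    msgs = [f"missing {wanted}: this is what 'Key table entry not found' means"]
    short = proxy_fqdn.split(".")[0]
    for p in principals:
        service, _, host_realm = p.partition("/")
        host, _, _prealm = host_realm.partition("@")
        if p.lower() == wanted.lower():
            msgs.append(f"case mismatch: keytab has {p} (realm and service name must match exactly)")
        elif service == "HTTP" and host == short:
            msgs.append(f"short hostname only: keytab has {p}, but clients request the FQDN")
        elif service.lower() == "host" and host == proxy_fqdn:
            msgs.append(f"keytab has {p} but no HTTP/ service principal for this host")
    return False, msgs


# Constructed klist -k output: three plausible-looking entries, none of them the one needed.
SAMPLE_KLIST_BAD = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy@EXAMPLE.COM
   3 HTTP/proxy.example.com@example.com
"""

# Constructed klist -k output with the correct service principal present.
SAMPLE_KLIST_GOOD = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, out in (("bad", SAMPLE_KLIST_BAD), ("good", SAMPLE_KLIST_GOOD)):
        ok, msgs = check_keytab(out, "proxy.example.com", "EXAMPLE.COM")
        print(f"[{label}] ok={ok}")
        for m in msgs:
            print("   ", m)
```

In practice, run `klist -k /path/to/keytab` as the Squid user (so file permissions are tested at the same time) and pass the output to check_keytab with the proxy name the browsers actually use; a DNS alias that differs from the keytab's hostname is the same mismatch from Kerberos's point of view.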



[squid-users] Decreasing the amount of data logged

2011-01-31 Thread Jobst Schmalenbach

Hi.

If I setup squid as a transparent proxy, a lot of traffic
goes through it including the following example:

This is an entry from a flash application that is part of a music station 
called "novafm".

  1296479934.621125 192.168.0.241 TCP_MISS/200 934 POST 
http://220.233.2.215:443/idle/GBQmdz02wSLWOu7S/4127 - DIRECT/220.233.2.215 
application/x-fcs

Is there a way that I stop squid logging these entries?
Is there a way to tell squid to just "let them through"?

Thanks
Jobst


-- 
"Nonviolence is the greatest force at the disposal of mankind. It is mightier 
than the mightiest weapon of destruction devised by the ingenuity of man." - 
Mohandas K. Gandhi

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia


Re: [squid-users] Problem with transparent authentication and restricted pages

2011-01-31 Thread Amos Jeffries
On Mon, 31 Jan 2011 17:35:02 +, "Gonzalo Morera" wrote:
> Thanks Chad
> 
> I'll follow these instructions
> 
> 
> 
> Gonzalo
> 
> 
 "Chad Naugle"  31-01-2011 >>>
> You need to move all of your "deny" lines *before* your "allow" lines,
> otherwise you will get the popup.
> 
> FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
> C-based program for that, which is bundled with Squid 3.2-BETA, instead
> of using a perl script.  You can probably just build 3.2.X without
> installing it and copy the executable to /usr/sbin, and use that for the
> blind auth.
> 
 "Gonzalo Morera"  1/31/2011 11:16 AM >>>
> Hi all
> 
> After solving the squid_ldap_group issue, I'm still facing a little one
> with users that are transparently authenticated through a Perl script against
> eDirectory.
> 
> I've got this line:
> 
> external_acl_type IPUser ttl=7200 %SRC
> /etc/squid/squid_edir_iplookup.pl
> (IPUser method)
> 
> squid_edir_iplookup.pl is for users that have the Novell client
> installed. Through this script, their network address is found and they
> authenticate without being prompted. This works fine as long as they do
> not hit a forbidden page.
> And here is my problem. When they hit a forbidden page, instead of getting
> the 403 Forbidden, they are prompted for authentication. If they then enter a
> username/password (they share passwords :-( ) with rights, they can go
> to the page.
> So my goal is that when these users are hitting a forbidden page, the
> forbidden page comes and not the auth page.
> 
> I cannot find out how to do so or if the order of the rules is wrong
> 
> Here is my squid.conf. Let me know if anything else is needed:
> 
> ===snip
> 

> 
> # Seamless automatic access based on IP address
> # Access through the "IP User" external helper
> acl Full_Access external IPUser internet_nr
> acl Restricted_Access external IPUser internet_r
> 
> # Access to users prompted with username/password dialogue
> # Full access
> acl lab_Full external ldap_group internet_nr
> 
> # Restricted access
> acl lab_Restricted external ldap_group internet_r
> 


You have presented the settings for IPUser ACL but have omitted the ones
for ldap_group ACL. I suspect you have cut-n-pasted one of the common
examples for group lookup which rely on full client credentials
authentication.

Note that external ACL does not produce full-blown authentication
credentials (yet). So they are not used for %LOGIN group checking. You need
to use %EXT_USER instead and you do not have access to the external ACL
password.

Check this, but I expect you may find that the way you have defined the
IPUser ACL lines the helper gets passed " " so you can
do the full check in one step in the handler script with a single
allow/block result.

Amos



Re: [squid-users] TCP send/receive buffer tuning

2011-01-31 Thread Amos Jeffries
On Mon, 31 Jan 2011 10:57:57 +0100, "Jack Falworth" wrote:
> Hi squid-users,
> 
> I have a question regarding the TCP send/receive buffer size Squid uses.
> For my high-performance setup I increased both buffer sizes on my Ubuntu
> 10.04 system. Unfortunately I found out that Squid 2.7 (as well as 3.x)
> limits the receive buffer to 64K and the send buffer to 32K in the
> configure.in script.
> 
> In addition I found this bug report regarding this check:
> http://bugs.squid-cache.org/show_bug.cgi?id=1075
> 
> I couldn't really figure out the problem with Squid using higher buffer
> sizes if it is the intention of the administrator to increase those values.
> This check was included in CVS rev. 1.303 back in 2005, thus it's quite
> old.
> 
> Is this some legacy check or is it still important with today's systems?
> Can I safely remove this check or will this have some side-effects, e.g.
> say the some internal data structures won't be able to cope with higher
> values?

Note that this setting ONLY affects the TCP buffers, so 64K worth of packets can
sit outside of Squid in the networking stack.
This has side-effects on the ACK packets. While they are waiting in that
buffer they are possibly ACKed but not actually received by Squid. If
anything causes Squid to stop, crash or slow down on its read()'s and
accept()'s the client can be left with incorrect information about the
state of those bytes.


There is a separate problem internal to Squid-3.x which may be hitting you
harder than the TCP stack size. By default we set Squid to pull a minimum
1KB. Unfortunately if the client is fast enough to read all of that reply
and empty the buffer before the next server read there is no reason for
Squid to grow it beyond 1KB, so it is left with a relatively slow cycle doing
small 1KB hunks. We are still looking for a good way to avoid this and make
the server reads grow for larger objects.

Amos


Re: [squid-users] Connection Pinning in 3.1.x

2011-01-31 Thread Michael Hendrie
On 01/02/2011, at 12:50 AM, Chad Naugle wrote:

> Is the cache_peer parent, also 3.1.10 or another type of proxy?
> 
This is running in a test environment so I have tried a few different parents 
but the result is always the same.  I have tried squid-3.0.STABLE19, 
squid-3.1.10 and ISA2006 as the parents.

 Michael Hendrie  1/31/2011 12:50 AM >>>
> Hello List,
> 
> I need to use a version with connection pinning and was hoping to use
> 3.1.10 but I've run into a problem using a cache_peer that requires NTLM
> authentication.  In my tests I'm able to get 3 authenticated requests
> through the parent (access.log on parent shows they have been
> authenticated) before the client starts to receive a pop-up to enter
> credentials.  In the test, child and parent are on the same LAN segment
> so there is nothing in between doing any port translations, etc.
> 
> The relevant parts of my config:
> 
> cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default
> login=PASS
> never_direct allow all
> persistent_connection_after_error on
> 
> I have also tried adding "connection-auth=on" to both the cache_peer
> and http_port directives but this hasn't helped the situation.
> 
> Testing with squid-2.7STABLE9 doesn't show the above issue, connection
> pinning seems to work perfectly to the parent proxy.  I have also tried
> 3.1.9 and 3.1.8 in case it was something that was unexpectedly
> introduced in the latest version but they fail also.
> 
> I should point out that in my tests using 3.1.x talking to an origin
> server requiring NTLM works perfectly, only to a cache_peer fails.
> 
> Does anyone have any ideas as to why this is failing, or a 3.1.x
> talking to an NTLM parent and if so could you please share your exact
> 3.1.x version and relevant config.
> 
> Thanks
> Mick
> 
> 
> 
> 
> 
> Travel Impressions made the following annotations
> -
> "This message and any attachments are solely for the intended recipient
> and may contain confidential or privileged information.  If you are not
> the intended recipient, any disclosure, copying, use, or distribution of
> the information included in this message and any attachments is
> prohibited.  If you have received this communication in error, please
> notify us by reply e-mail and immediately and permanently delete this
> message and any attachments.
> Thank you."



Re: [squid-users] SSL reverse proxy for phpmyadmin problems

2011-01-31 Thread Amos Jeffries
On Mon, 31 Jan 2011 19:59:55 +0100, Tobias Reckhard wrote:
> Hi
> 
> I'm having a bit of trouble implementing a Squid3 reverse HTTPS proxy
> for, among others, phpmyadmin. The initial connection to the phpmyadmin
> login page using HTTPS works fine, but after I enter my credentials,
> phpmyadmin redirects my browser to http://, using a "302 Moved
> Temporarily" code and a "Location: http://" header. Although that
> succeeds, since the Apache web server hosting phpmyadmin is in fact
> accessible unencrypted via port 80, it's not what I want.
> 
> Does anyone here know how I can keep phpmyadmin from redirecting the
> browser away from HTTPS to HTTP?
> 
> Cheers,
> Tobias

That would be a configuration issue on your server:

http://www.phpmyadmin.net/localized_docs/en_GB/Documentation.html#faq1_39

Amos



Re: [squid-users] Connection Pinning in 3.1.x

2011-01-31 Thread Amos Jeffries
On Mon, 31 Jan 2011 16:20:45 +1030, Michael Hendrie wrote:
> Hello List,
> 
> I need to use a version with connection pinning and was hoping to use
> 3.1.10 but I've run into a problem using a cache_peer that requires NTLM
> authentication.  In my tests I'm able to get 3 authenticated requests
> through the parent (access.log on parent shows they have been
> authenticated) before the client starts to receive a pop-up to enter
> credentials.  In the test, child and parent are on the same LAN segment
> so there is nothing in between doing any port translations, etc.
> 
> The relevant parts of my config:
> 
> cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default
> login=PASS
> never_direct allow all
> persistent_connection_after_error on
> 
> I have also tried adding "connection-auth=on" to both the cache_peer and
> http_port directives but this hasn't helped the situation.
> 
> Testing with squid-2.7STABLE9 doesn't show the above issue, connection
> pinning seems to work perfectly to the parent proxy.  I have also tried
> 3.1.9 and 3.1.8 in case it was something that was unexpectedly
> introduced in the latest version but they fail also.
> 
> I should point out that in my tests using 3.1.x talking to an origin
> server requiring NTLM works perfectly, only to a cache_peer fails.
> 
> Does anyone have any ideas as to why this is failing, or a 3.1.x talking
> to an NTLM parent and if so could you please share your exact 3.1.x
> version and relevant config.
> 
> Thanks
> Mick

3.1.10 has one known situation. When the server replies with
unknown-length or chunked replies squid has no choice but to close the TCP
link at the end of the object transfer, breaking NTLM pinning. This is very
common with dynamic content websites.

Other than that situation it should be working.

You can get a debug trace of the keep-alive actions with "debug_options
33,2 88,5"; search for "clientReplyStatus:" and "clientBuildReplyHeader:".

Amos
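
The length-framing rule Amos describes, as an added example that is not Squid code: given a raw reply head, it classifies whether the server link can stay open after the body, which is what NTLM pinning to a parent depends on. It assumes only the standard HTTP message-length rules; the reply heads are constructed.

```python
"""Classify an HTTP reply head by whether the server connection can stay
open after the body, the condition NTLM/Negotiate connection pinning needs.

Added example for the thread above; it is not Squid code. Per the thread,
squid 3.1.10 must close the server link after a chunked or unknown-length
reply; a reply whose length is known (Content-Length, or a status that has
no body) lets the link be reused. The reply heads below are constructed.
"""


def parse_head(head: str):
    """Split a raw reply head into (status code, {lowercased name: [values]})."""
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def reply_framing(head: str, request_method: str = "GET") -> str:
    """Return 'no-body', 'known-length', 'chunked' or 'unknown-length'.

    HTTP message-length rules: HEAD, 1xx, 204 and 304 carry no body;
    Transfer-Encoding takes precedence over Content-Length; with neither,
    the body runs until the server closes the connection.
    """
    status, headers = parse_head(head)
    if request_method.upper() == "HEAD" or status in (204, 304) or 100 <= status < 200:
        return "no-body"
    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    if codings:
        return "chunked" if codings[-1] == "chunked" else "unknown-length"
    if "content-length" in headers:
        return "known-length"
    return "unknown-length"


def pinning_survives(head: str, request_method: str = "GET"):
    """Return (True, reason) if the server link can be reused after this reply."""
    _, headers = parse_head(head)
    if any("close" in v.lower() for v in headers.get("connection", [])):
        return False, "server sent Connection: close"
    framing = reply_framing(head, request_method)
    if framing in ("known-length", "no-body"):
        return True, framing
    return False, framing + " reply forces the link to close"


# Constructed reply heads standing in for what an NTLM parent might send.
NTLM_CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                  "Proxy-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
CHUNKED_PAGE = ("HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
                "Content-Type: text/html\r\n\r\n")
LEGACY_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, head in (("NTLM challenge", NTLM_CHALLENGE),
                       ("chunked page", CHUNKED_PAGE),
                       ("no-length page", LEGACY_PAGE)):
        print(name, pinning_survives(head))
```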



Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

2011-01-31 Thread Amos Jeffries

On 01/02/11 09:01, Qvalpro Solutions wrote:
> Hi Amos,
>
> Thanks for the detailed response. I tried configuring Squid, but
> couldn't get it working yet.
>
> Can you please elaborate "You setup Squid as a reverse-proxy and make
> old billing application believe Squid is the Payway system. Usually
> via DNS". Sorry if this sounds dumb.
>
> Steps followed by myself:
> 1. Downloaded Squid 2.7 STABLE8 (reverse proxy with SSL support) and
> installed it in my windows server which has the billing application
> 2. Started the Squid service and stored the Payway's digital
> certificate inside the "payway" directory in C: of the windows server
> 3. Added the following options to the squid.conf file:
> https_port accel defaultsite=https://ccapi.client.../ccapi
> cert=C:\payway\ccapi.pem

defaultsite is the domain name only. i.e. defaultsite=ccapi.example.com

> cache_peer ssl sslcert=C:\payway\ccapi.pem

I presume this works like all the other web API billing systems I've
seen. With the client connecting to you like so?

  client -> billing -> squid -> payway

In which case you would use:
  https_port 443 accel defaultsite=ccapi.example.com
sslcert=

  cache_peer ccapi.example.com parent 443 0 no-query ssl sslcert=...

to produce:
  client -> billing --(SSL internal unverified)--> squid --(SSL
certificate verified)--> payway

The sslcert= for the https_port line can be something self-signed that
the billing system trusts but nobody anywhere else knows about. By
default squid will accept any client who can perform SSL.

If the billing system can be configured to use a proxy for internet
access that is even better, you can remove the http_port line tricks and
just use "http_port 3128" and "never_direct allow all".

OR, you could make the billing->squid section work without SSL at all.
Just make sure the billing system works with http:// URLs and setup
http_port 80 accel defaultsite=.

> 4. Tried to initiate a test transaction from the billing application,
> but it didn't work.
>
> Assumptions made:
> 1. I have stored the Payway related details (aforementioned https URL,
> username, password & Merchant ID for the API) in the billing system
> installed in the windows server. I hope that when the billing
> application tries to process a credit card payment, the proxy will
> automatically take over the transaction.
> 2. I have not added the username/password of the API to the Squid
> configuration. Please let me know if I need to add the details in
> Squid proxy too and if yes, kindly provide me the syntax to be used.

For most types of auth you will only need "login=PASS" (exact text) on the
cache_peer line and the credentials at the billing system end point.

> Please let me know if I am going in the right direction.
>
> Thanks,
> KB.
>
> On Fri, Jan 28, 2011 at 11:08 AM, Amos Jeffries wrote:
>> On 28/01/11 07:48, Qvalpro Solutions wrote:
>>> Hi Folks,
>>>
>>> I just started exploring Squid proxy and I am clueless of how to use
>>> Squid in my setup.
>>>
>>> Some background on why I am trying to use the Squid proxy:
>>> I have a billing application installed in a windows server. This
>>> particular billing application uses some proprietary file system,
>>> which cannot be customized. I have purchased a Payway API account
>>> (Payway API is nothing but a payment processing system for credit
>>> cards) for using with the billing application. I just noticed that the
>>> Payway API needs a digital certificate to be installed for processing
>>> the payments. Unfortunately, my billing application doesn't allow any
>>> certificate installation. When I spoke to the billing application
>>> development company and Payway, they suggested me to use the Squid
>>> proxy to workaround the problem. I was also told that the Squid proxy
>>> can provide the client certificate.
>>>
>>> As I don't have adequate exposure to setting up proxy servers, I have
>>> the following questions:
>>> 1. Can I install the Squid proxy in the same server where my billing
>>> application is located?
>>
>> Yes.
>>
>> Additional problem though: Windows Squid builds only have experimental SSL
>> support and are limited to squid-2.7 for now.
>>
>> If you need to do this for Windows please contact Guido at Acme Consulting
>> (http://squid.acmeconsulting.it/) for support.
>>
>>> 2. How do I connect the billing application to the Squid Proxy? Do I
>>> need to use some port for this and how am I supposed to connect the
>>> Squid Proxy to the Payway API?
>>
>> You setup Squid as a reverse-proxy and make old billing application believe
>> Squid is the Payway system. Usually via DNS. Squid handles the rest once
>> requests are arriving nicely to it.
>>
>> Start with this:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>> it covers the very simple config just to get an accelerator working. Stuff
>> like SSL require additional config.
>>
>>> 3. How do I install the digital certificate provided by Payway in the
>>> Squid proxy and what format of digital certificate is to be used -
>>> .net or PHP or ASP or something else?
>>
>> Squid uses .PEM format certificates.
>>
>> After doing the setup from your question 2.  You configure Squid to use them

Re: [squid-users] Squid proxy server - Client certificate (reverse proxy)

2011-01-31 Thread Qvalpro Solutions
Hi Amos,

Thanks for the detailed response. I tried configuring Squid, but
couldn't get it working yet.

Can you please elaborate "You setup Squid as a reverse-proxy and make
old billing application believe Squid is the Payway system. Usually
via DNS". Sorry if this sounds dumb.

Steps followed by myself:
1. Downloaded Squid 2.7 STABLE8 (reverse proxy with SSL support) and
installed it in my windows server which has the billing application
2. Started the Squid service and stored the Payway's digital
certificate inside the "payway" directory in C: of the windows server
3. Added the following options to the squid.conf file:
https_port accel defaultsite=https://ccapi.client.../ccapi
cert=C:\payway\ccapi.pem
cache_peer ssl sslcert=C:\payway\ccapi.pem
4. Tried to initiate a test transaction from the billing application,
but it didn't work.

Assumptions made:
1. I have stored the Payway related details (aforementioned https URL,
username, password & Merchant ID for the API) in the billing system
installed in the windows server. I hope that when the billing
application tries to process a credit card payment, the proxy will
automatically take over the transaction.
2. I have not added the username/password of the API to the Squid
configuration. Please let me know if I need to add the details in
Squid proxy too and if yes, kindly provide me the syntax to be used.

Please let me know if I am going in the right direction.

Thanks,
KB.

On Fri, Jan 28, 2011 at 11:08 AM, Amos Jeffries  wrote:
> On 28/01/11 07:48, Qvalpro Solutions wrote:
>>
>> Hi Folks,
>>
>> I just started exploring Squid proxy and I am clueless of how to use
>> Squid in my setup.
>>
>> Some background on why I am trying to use the Squid proxy:
>> I have a billing application installed in a windows server. This
>> particular billing application uses some proprietary file system,
>> which cannot be customized. I have purchased a Payway API account
>> (Payway API is nothing but a payment processing system for credit
>> cards) for using with the billing application. I just noticed that the
>> Payway API needs a digital certificate to be installed for processing
>> the payments. Unfortunately, my billing application doesn't allow any
>> certificate installation. When I spoke to the billing application
>> development company and Payway, they suggested me to use the Squid
>> proxy to workaround the problem. I was also told that the Squid proxy
>> can provide the client certificate.
>>
>> As I don't have adequate exposure to setting up proxy servers, I have
>> the following questions:
>> 1. Can I install the Squid proxy in the same server where my billing
>> application is located?
>
> Yes.
>
> Additional problem though: Windows Squid builds only have experimental SSL
> support and are limited to squid-2.7 for now.
>
> If you need to do this for Windows please contact Guido at Acme Consulting
> (http://squid.acmeconsulting.it/) for support.
>
>
>> 2. How do I connect the billing application to the Squid Proxy? Do I
>> need to use some port for this and how am I supposed to connect the
>> Squid Proxy to the Payway API?
>
> You setup Squid as a reverse-proxy and make old billing application believe
> Squid is the Payway system. Usually via DNS. Squid handles the rest once
> requests are arriving nicely to it.
>
> Start with this:
> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
> it covers the very simple config just to get an accelerator working. Stuff
> like SSL require additional config.
>
>> 3. How do I install the digital certificate provided by Payway in the
>> Squid proxy and what format of digital certificate is to be used -
>> .net or PHP or ASP or something else?
>
> Squid uses .PEM format certificates.
>
> After doing the setup from your question 2.  You configure Squid to use them
> with additional options on the cache_peer line.
> Set the "ssl" flag to enable SSL on the link then any of the other ssl*=
> options as needed by the Payway system.
>
> http://www.squid-cache.org/Doc/config/cache_peer/
>
> (snipped Q4-6 since they are answered above as well).
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.10
>  Beta testers wanted for 3.2.0.4
>


Re: [squid-users] Re: Why TCP_MISS with simple request/response and aggressive refresh_pattern?

2011-01-31 Thread Yang Zhang
On Sun, Jan 30, 2011 at 3:37 PM, Amos Jeffries  wrote:
> On 31/01/11 07:09, Yang Zhang wrote:
>>
>> On Fri, Jan 28, 2011 at 3:59 PM, Amos Jeffries wrote:
>>>
>>> On 29/01/11 07:06, Yang Zhang wrote:

>>>> I was confused by your reply until I realized that in my email I
>>>> managed to omit the one important change I made to my config:
>>>>
>>>> # refresh_pattern . 0 20% 4320 # commented this line out
>>>> refresh_pattern . 525600 100% 525600 ignore-private
>>>>
>>>> So it *should* be caching dynamic pages now, no?
>>>
>>> If you have the QUERY acl still in the config then no.
>>>
>>> That bing API result *is* a cacheable response and does not need any
>>> overrides. You need only to follow the wiki instructions about removing
>>> the
>>> storage block (QUERY acl) and adding the right cgi and ? refresh pattern
>>> to
>>> cope with any old or broken dynamic sites your clients visit.
>>
>> Thanks, commenting out the line:
>>
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>
>> did the trick. (http://wiki.squid-cache.org/ConfigExamples/DynamicContent)
>>
>
> That line exists solely to prevent caching of objects which the Squid
> version is not able to validate correctly.
>
> It looks like your 3.0 is not able to handle the finer Date and Age related
> calculations needed to store that dynamic response.
> Several problems like this have been fixed in the 3.1 series. Sounds like
> it's time for you to upgrade.
>
> FWIW; I provide package ports of the latest production version for Ubuntu at
> https://launchpad.net/~yadi/+archive/ppa. Ubuntu 10.04 lacks functionality
> for some of the more interesting 3.1 features, so don't expect TPROXY or
> eCAP to be fully functional but everything you use now in 3.0 should work.

Thanks, I was wondering if this existed. This should really be added
to the Squid download page.

>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.10
>  Beta testers wanted for 3.2.0.4
>



-- 
Yang Zhang
http://yz.mit.edu/


[squid-users] SSL reverse proxy for phpmyadmin problems

2011-01-31 Thread Tobias Reckhard
Hi

I'm having a bit of trouble implementing a Squid3 reverse HTTPS proxy
for, among others, phpmyadmin. The initial connection to the phpmyadmin
login page using HTTPS works fine, but after I enter my credentials,
phpmyadmin redirects my browser to http://, using a "302 Moved
Temporarily" code and a "Location: http://" header. Although that
succeeds, since the Apache web server hosting phpmyadmin is in fact
accessible unencrypted via port 80, it's not what I want.

Does anyone here know how I can keep phpmyadmin from redirecting the
browser away from HTTPS to HTTP?

Cheers,
Tobias


Re: [squid-users] Problem with transparent authentication and restricted pages

2011-01-31 Thread Gonzalo Morera
Thanks Chad

I'll follow these instructions.



Gonzalo


>>> "Chad Naugle"  31-01-2011 >>>
You need to move all of your "deny" lines *before* your "allow" lines,
otherwise you will get the popup.

FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
C-based program for that, which is bundled with Squid 3.2-BETA, instead
of using a perl script.  You can probably just build 3.2.X without
installing it and copy the executable to /usr/sbin, and use that for the
blind auth.

>>> "Gonzalo Morera"  1/31/2011 11:16 AM >>>
Hi all

After solving the squid_ldap_group issue, I'm still facing a small one
with users that are transparently authenticated through a Perl script
against eDirectory.

I've got this line:

external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
(IPUser method)

squid_edir_iplookup.pl is for users that have the Novell client
installed. Through this script, their network address is found and they
are authenticated without being prompted. This works fine as long as
they do not hit a forbidden page.
And here is my problem. When they hit a forbidden page, instead of
getting the 403 Forbidden, they are prompted for authentication. If they
then enter a username/password (they share passwords :-( ) with rights,
they can go to the page.
So my goal is that when these users hit a forbidden page, the forbidden
page comes up and not the auth page.

I cannot find out how to do so, or whether the order of the rules is
wrong.

Here is my squid.conf. Let me know if anything else is needed:

===snip

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#My rules
#acl redlocal src 192.168.0.0/255.255.255.0
#acl redsynergy proxy_auth REQUIRED
#acl redsynergy proxy_auth REQUIRED redlocal
#
# Hosts that are not required to authenticate
acl Auth_Not_Required src "/etc/squid/auth_not_required.txt"

# Domains accessible to all PC's
#acl Open_Domains dstdomain "/etc/squid/open_domains.txt"
acl Open_Domains url_regex -i "/etc/squid/open_domains.txt"

# Hosts & domains that are denied to restricted users
#acl Banned_Hosts dst "/etc/squid/banned_hosts.txt"
#acl Banned_Domains dstdomain "/etc/squid/banned_domains.txt"
acl Banned_URLs url_regex -i "/etc/squid/banned_urls.txt"
#acl Banned_Extensions url_regex "/etc/squid/banned_extensions.txt"

# Seamless automatic access based on IP address
# Access through the "IP User" external helper
acl Full_Access external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Access to users prompted with username/password dialogue
# Full access
acl lab_Full external ldap_group internet_nr

# Restricted access
acl lab_Restricted external ldap_group internet_r

#  TAG: http_access
#Allowing or Denying access based on defined access lists
#
#Access to the HTTP port:
#http_access allow|deny [!]aclname ...
#
#NOTE on default values:
#
#If there are no "access" lines present, the default is to deny
#the request.
#
#If none of the "access" lines cause a match, the default is the
#opposite of the last line in the list.  If the last line was
#deny, the default is allow.  Conversely, if the last line
#is allow, the default will be deny.  For these reasons, it is a
#good idea to have an "deny all" or "allow all" entry at the end
#of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Domains free to all users without needing to authenticate.
http_access allow Open_Domains
# IP addresses of hosts that don't need to authenticate (usually
# automation hosts performing automated downloads and without a Novell
# client).
http_access allow Auth_Not_Required
# Let users with full Internet access discovered by the IPUser method
# go anywhere.
http_access allow Full_Access


# Let users with restricted Internet access discovered by the IPUser
# method go anywhere except for the ban list

http_access allow Restricted_Access !Banned_URLs


# If the IPUser method fails the

Re: [squid-users] Problem with transparent authentication and restricted pages

2011-01-31 Thread Chad Naugle
You need to move all of your "deny" lines *before* your "allow" lines,
otherwise you will get the popup.

FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
C-based program for that, which is bundled with Squid 3.2-BETA, instead
of using a perl script.  You can probably just build 3.2.X without
installing it and copy the executable to /usr/sbin, and use that for the
blind auth.

>>> "Gonzalo Morera"  1/31/2011 11:16 AM >>>
Hi all

After solving the squid_ldap_group issue, I'm still facing a small one
with users that are transparently authenticated through a Perl script
against eDirectory.

I've got this line:

external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
(IPUser method)

squid_edir_iplookup.pl is for users that have the Novell client
installed. Through this script, their network address is found and they
are authenticated without being prompted. This works fine as long as
they do not hit a forbidden page.
And here is my problem. When they hit a forbidden page, instead of
getting the 403 Forbidden, they are prompted for authentication. If they
then enter a username/password (they share passwords :-( ) with rights,
they can go to the page.
So my goal is that when these users hit a forbidden page, the forbidden
page comes up and not the auth page.

I cannot find out how to do so, or whether the order of the rules is
wrong.

Here is my squid.conf. Let me know if anything else is needed:

===snip

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#My rules
#acl redlocal src 192.168.0.0/255.255.255.0
#acl redsynergy proxy_auth REQUIRED
#acl redsynergy proxy_auth REQUIRED redlocal
#
# Hosts that are not required to authenticate
acl Auth_Not_Required src "/etc/squid/auth_not_required.txt"

# Domains accessible to all PC's
#acl Open_Domains dstdomain "/etc/squid/open_domains.txt"
acl Open_Domains url_regex -i "/etc/squid/open_domains.txt"

# Hosts & domains that are denied to restricted users
#acl Banned_Hosts dst "/etc/squid/banned_hosts.txt"
#acl Banned_Domains dstdomain "/etc/squid/banned_domains.txt"
acl Banned_URLs url_regex -i "/etc/squid/banned_urls.txt"
#acl Banned_Extensions url_regex "/etc/squid/banned_extensions.txt"

# Seamless automatic access based on IP address
# Access through the "IP User" external helper
acl Full_Access external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Access to users prompted with username/password dialogue
# Full access
acl lab_Full external ldap_group internet_nr

# Restricted access
acl lab_Restricted external ldap_group internet_r

#  TAG: http_access
#Allowing or Denying access based on defined access lists
#
#Access to the HTTP port:
#http_access allow|deny [!]aclname ...
#
#NOTE on default values:
#
#If there are no "access" lines present, the default is to deny
#the request.
#
#If none of the "access" lines cause a match, the default is the
#opposite of the last line in the list.  If the last line was
#deny, the default is allow.  Conversely, if the last line
#is allow, the default will be deny.  For these reasons, it is a
#good idea to have an "deny all" or "allow all" entry at the end
#of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Domains free to all users without needing to authenticate.
http_access allow Open_Domains
# IP addresses of hosts that don't need to authenticate (usually
# automation hosts performing automated downloads and without a Novell
# client).
http_access allow Auth_Not_Required
# Let users with full Internet access discovered by the IPUser method
# go anywhere.
http_access allow Full_Access


# Let users with restricted Internet access discovered by the IPUser
# method go anywhere except for the ban list

http_access allow Restricted_Access !Banned_URLs


# If the IPUser method fails then we need to revert to username/password
# authentication
# Let users with full access who 
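
A model of the first-match http_access evaluation behind Chad's advice, added here as an example and not Squid's own code: it reproduces the pop-up for the rule order posted above and shows one reordering that returns a deny (a 403) instead. The helper lookups, client addresses, URLs and the http_access lines below the point where the posted config is cut off are assumptions.

```python
"""Model of Squid's first-match http_access evaluation (added example, not
Squid code).

Squid walks http_access lines top to bottom; a line matches when every ACL
on it matches, and the first matching line decides. An ACL that needs
credentials (here the ldap_group external ACL, which takes %LOGIN) cannot be
evaluated for a request carrying none, so Squid challenges the client and
the browser shows the pop-up. Group lookups, addresses, URLs and the rules
after the cut-off in the posted config are constructed for this example.
"""
import re

# Stand-ins for the two helpers on the page: IPUser maps a client address to
# a group (Novell client installed); ldap_group maps a login name to a group.
IP_TO_GROUP = {"192.168.0.50": "internet_nr", "192.168.0.51": "internet_r"}
LOGIN_TO_GROUP = {"alice": "internet_nr", "bob": "internet_r"}
AUTH_NOT_REQUIRED = {"192.168.0.9"}
OPEN_DOMAINS = re.compile(r"intranet\.example\.org", re.I)
BANNED_URLS = re.compile(r"banned\.example\.com", re.I)


class NeedsAuth(Exception):
    """An ACL wanted credentials that the request does not carry."""


def acl(name, req):
    """Evaluate one ACL from the posted config for a request dict."""
    if name == "all":
        return True
    if name == "Open_Domains":
        return bool(OPEN_DOMAINS.search(req["url"]))
    if name == "Banned_URLs":
        return bool(BANNED_URLS.search(req["url"]))
    if name == "Auth_Not_Required":
        return req["src"] in AUTH_NOT_REQUIRED
    if name == "Full_Access":
        return IP_TO_GROUP.get(req["src"]) == "internet_nr"
    if name == "Restricted_Access":
        return IP_TO_GROUP.get(req["src"]) == "internet_r"
    if name in ("lab_Full", "lab_Restricted"):
        if req.get("login") is None:
            raise NeedsAuth(name)          # %LOGIN with no credentials
        want = "internet_nr" if name == "lab_Full" else "internet_r"
        return LOGIN_TO_GROUP.get(req["login"]) == want
    raise KeyError(name)


def http_access(rules, req):
    """Return 'allow', 'deny' or 'auth-challenge' for rules = [(action, terms)]."""
    last = "deny"
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            try:
                hit = acl(term.lstrip("!"), req)
            except NeedsAuth:
                return "auth-challenge"
            if hit == negate:              # this term fails; stop evaluating the line
                matched = False
                break
        if matched:
            return action
        last = action
    return "deny" if last == "allow" else "allow"   # default: opposite of last line


# The order posted in the thread (lines below the cut-off are assumed).
ORIGINAL = [
    ("allow", ["Open_Domains"]),
    ("allow", ["Auth_Not_Required"]),
    ("allow", ["Full_Access"]),
    ("allow", ["Restricted_Access", "!Banned_URLs"]),
    ("allow", ["lab_Full"]),
    ("deny", ["Banned_URLs"]),
    ("allow", ["lab_Restricted"]),
    ("deny", ["all"]),
]

# Chad's advice applied: each deny sits before the allow it must override,
# qualified by the group so full-access users are not caught by it. The deny
# that needs credentials stays below the IP-based allows, so only users the
# IPUser helper could not identify are ever challenged.
REORDERED = [
    ("deny", ["Restricted_Access", "Banned_URLs"]),
    ("allow", ["Open_Domains"]),
    ("allow", ["Auth_Not_Required"]),
    ("allow", ["Full_Access"]),
    ("allow", ["Restricted_Access"]),
    ("deny", ["lab_Restricted", "Banned_URLs"]),
    ("allow", ["lab_Full"]),
    ("allow", ["lab_Restricted"]),
    ("deny", ["all"]),
]


def restricted_ip_user_on_banned_url(rules):
    """The case from the thread: a Novell-client user in internet_r hits a banned URL."""
    return http_access(rules, {"src": "192.168.0.51", "url": "http://banned.example.com/"})
```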

[squid-users] Problem with transparent authentication and restricted pages

2011-01-31 Thread Gonzalo Morera
Hi all

After solving the squid_ldap_group issue, I'm still facing a small one with
users that are transparently authenticated through a Perl script against eDirectory.

I've got this line:

external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
(IPUser method)

squid_edir_iplookup.pl is for users that have the Novell client installed. Through
this script, their network address is found and they are authenticated without being
prompted. This works fine as long as they do not hit a forbidden page.
And here is my problem. When they hit a forbidden page, instead of getting the 403
Forbidden, they are prompted for authentication. If they then enter a username/password
(they share passwords :-( ) with rights, they can go to the page.
So my goal is that when these users hit a forbidden page, the forbidden
page comes up and not the auth page.

I cannot find out how to do so, or whether the order of the rules is wrong.

Here is my squid.conf. Let me know if anything else is needed:

===snip

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#My rules
#acl redlocal src 192.168.0.0/255.255.255.0
#acl redsynergy proxy_auth REQUIRED
#acl redsynergy proxy_auth REQUIRED redlocal
#
# Hosts that are not required to authenticate
acl Auth_Not_Required src "/etc/squid/auth_not_required.txt"

# Domains accessible to all PC's
#acl Open_Domains dstdomain "/etc/squid/open_domains.txt"
acl Open_Domains url_regex -i "/etc/squid/open_domains.txt"

# Hosts & domains that are denied to restricted users
#acl Banned_Hosts dst "/etc/squid/banned_hosts.txt"
#acl Banned_Domains dstdomain "/etc/squid/banned_domains.txt"
acl Banned_URLs url_regex -i "/etc/squid/banned_urls.txt"
#acl Banned_Extensions url_regex "/etc/squid/banned_extensions.txt"

# Seamless automatic access based on IP address
# Access through the "IP User" external helper
acl Full_Access external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Access to users prompted with username/password dialogue
# Full access
acl lab_Full external ldap_group internet_nr

# Restricted access
acl lab_Restricted external ldap_group internet_r

#  TAG: http_access
#   Allowing or Denying access based on defined access lists
#
#   Access to the HTTP port:
#   http_access allow|deny [!]aclname ...
#
#   NOTE on default values:
#
#   If there are no "access" lines present, the default is to deny
#   the request.
#
#   If none of the "access" lines cause a match, the default is the
#   opposite of the last line in the list.  If the last line was
#   deny, the default is allow.  Conversely, if the last line
#   is allow, the default will be deny.  For these reasons, it is a
#   good idea to have an "deny all" or "allow all" entry at the end
#   of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Domains free to all users without needing to authenticate.
http_access allow Open_Domains
# IP addresses of hosts that don't need to authenticate (usually automation
# hosts performing automated downloads and without a Novell client).
http_access allow Auth_Not_Required
# Let users with full Internet access discovered by the IPUser method go
# anywhere.
http_access allow Full_Access


# Let users with restricted Internet access discovered by the IPUser method go
# anywhere except for the ban list

http_access allow Restricted_Access !Banned_URLs


# If the IPUser method fails then we need to revert to username/password
# authentication
# Let users with full access who entered username/password go anywhere
http_access allow lab_Full
# Ban list again
#http_access deny Banned_Hosts
#http_access deny Banned_Domains
http_access deny Banned_URLs
#http_access deny Banned_Extensions
# Let users with restricted access who entered username/

Re: [squid-users] squid_ldap_group

2011-01-31 Thread Gonzalo Morera
In case somebody is interested, indeed changing the query made it work. Now
username/password in the browser works fine and users are correctly
authenticated.

Thanks

Gonzalo 
 
>>> Gonzalo Morera 31/1/2011 11:24 AM >>> 
  I've found an old post talking about eDirectory, so I modified the query like
this:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b
o=laboratorio -s sub -f
"(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))" -h
192.168.0.205 -p 389

and now just entering username groupname shows OK.

So it looks like in the ldap filter, for the group name I had to specify
manually the context where it is, even if it is under the search base.

Now I have to test it on the browser login page.

Thanks

Gonzalo
 
>>> "Gonzalo Morera"  31/1/2011 10:32 AM >>> 
I see now that if I enter the query in bash:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b
o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h
192.168.0.205 -p 389

when the cursor blinks I enter:

username group

Then I've got: squid_ldap_group Warning, ldap search error "invalid dn syntax"

So it looked like the query sent is incorrect. But if I enter:

username cn=groupname,o=context

Then I've got Connected OK and groupfilter OK.

So it looks like this is my issue, the query sent is incorrect. From bash I can
easily modify it and add cn=group,o=context to perform the search, but how can I
apply that to the acl? Here I'm lost.

Thanks a lot

Gonzalo
 
>>> "Gonzalo Morera"  31/1/2011 09:45 AM >>> 
Hi all

After getting familiar with squid_ldap_auth, I'm still having some issues
with squid_ldap_group.
I'm getting familiar with squid acl (I've been working the last years with Novell
BorderManager, which is quite different) and I cannot make it work.
I've got two groups, internet_r and internet_nr.

I'm using a pl file to allow users with the Novell client installed to
transparently access the internet. That works fine as the pl script gets the network
IP address of the client. But with no Novell client installed, the default
ldap_auth method has to be used, so users get a login page to enter name and
password. After doing it, the same page appears, and after 3 times an access denied
is seen. No matter if I use a user in group internet_r (with access) or
internet_nr (no access) the results are the same. The login page keeps
returning until the access denied, so I'm doing something wrong with
squid_ldap_group and acl.
Looking at LAN traces, I saw nothing, and the access.log file showed no errors, only
the URL the user wanted to go to. /var/log/messages showed as well no indication of any
error. So how can I see in more detail what is happening?

This is my squid.conf

#Recommended minimum configuration:

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio 
-w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 
192.168.0.205 -p 389 
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b 
"ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f 
(&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))"
 -h 192.168.0.205 -p 389
#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#este vale external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b 
"o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f 
(&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 
389

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D 
cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f 
"(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

Message looks good when loading:

Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 
for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 
32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from 
/etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 
'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[113
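
The filter change that fixed it above (handing groupMembership the group's full DN instead of the bare name) can be checked without an LDAP server. The following Python is an added example, not the source of Squid's squid_ldap_group helper: it reproduces the %u/%g substitution the helper performs on the -f template, applies RFC 4515 filter escaping to both values, and shows why a bare group name fails. In eDirectory, groupMembership is a DN-syntax attribute, so "internet_r" on its own is not a valid assertion value, which is consistent with the "invalid dn syntax" error reported earlier in the thread. The two templates and the o=laboratorio base come from the thread; group_to_dn and is_dn_syntax are hypothetical helpers written for this illustration.

```python
"""Added example: how squid_ldap_group's -f template expands for eDirectory.

Illustration code, not the helper's own source. It substitutes %u and %g into
the filter template with RFC 4515 escaping and shows why a bare group name
fails against a DN-syntax attribute such as eDirectory's groupMembership.
"""

import re

# Templates from the thread: the one that failed and the one that works.
TEMPLATE_BARE = "(&(objectClass=User)(cn=%u)(groupMembership=%g))"
TEMPLATE_DN = "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))"

# Context assumed for the groups (the thread's search base).
GROUP_BASE = "o=laboratorio"

# RFC 4515: these characters inside an assertion value must be hex-escaped,
# otherwise a crafted username such as "*)(cn=admin" rewrites the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(template: str, user: str, group: str) -> str:
    """Expand %u and %g in one pass, escaping both values."""
    values = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    return re.sub(r"%[ug]", lambda m: values[m.group(0)], template)


def group_to_dn(group: str, base: str = GROUP_BASE) -> str:
    """Hypothetical helper: turn a bare acl group name into the DN eDirectory expects.

    Lets squid.conf keep saying 'internet_r' while the filter receives
    'cn=internet_r,o=laboratorio'. A value that already contains '=' is
    treated as a DN and passed through unchanged.
    """
    return group if "=" in group else f"cn={group},{base}"


def is_dn_syntax(value: str) -> bool:
    """Rough stand-in for the server's DN-syntax check: every comma-separated
    component must have an 'attr=value' shape with both sides non-empty."""
    for part in value.split(","):
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


if __name__ == "__main__":
    for user, group in [("gonzalo", "internet_r"), ("*)(cn=admin", "internet_r")]:
        print(build_group_filter(TEMPLATE_BARE, user, group))
        print(build_group_filter(TEMPLATE_DN, user, group))
        print("bare value is a DN:", is_dn_syntax(group),
              "| expanded value is a DN:", is_dn_syntax(group_to_dn(group)))
```

Run it as-is to see both templates expanded for a normal user and for a username that would have changed the filter's structure had it not been escaped.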

Re: [squid-users] Connection Pinning in 3.1.x

2011-01-31 Thread Chad Naugle
Is the cache_peer parent, also 3.1.10 or another type of proxy?

>>> Michael Hendrie  1/31/2011 12:50 AM >>>
Hello List,

I need to use a version with connection pinning and was hoping to use
3.1.10 but I've run into a problem using a cache_peer that requires NTLM
authentication.  In my tests I'm able to get 3 authenticated requests
through the parent (access.log on parent shows they have been
authenticated) before the client starts to receive a pop-up to enter
credentials.  In the test, child and parent are on the same LAN segment
so there is nothing in between doing any port translations, etc.

The relevant parts of my config:

cache_peer 172.16.50.45 parent 8080 0 no-query proxy-only default login=PASS
never_direct allow all
persistent_connection_after_error on

I have also tried adding "connection-auth=on" to both the cache_peer
and http_port directives but this hasn't helped the situation.

Testing with squid-2.7STABLE9 doesn't show the above issue, connection
pinning seems to work perfectly to the parent proxy.  I have also tried
3.1.9 and 3.1.8 in case it was something that was unexpectedly
introduced in the latest version but they fail also.

I should point out that in my tests using 3.1.x talking to an origin
server requiring NTLM works perfectly, only to a cache_peer fails.

Does anyone have any ideas as to why this is failing, or does anyone have a
3.1.x talking to an NTLM parent? If so, could you please share your exact
3.1.x version and relevant config.

Thanks
Mick




Re: [squid-users] Connection error

2011-01-31 Thread Amos Jeffries

On 31/01/11 18:44, Senthilkumar wrote:

Thank you .

We are using squid 3.1.8 with 100 children for the ntlm scheme. We have
about 500 users and around 75 req/sec.

In the cache log we rarely see 100 pending ntlm requests, and at that time
squid reconfigures automatically.
Is it the default behaviour of squid to reconfigure when ntlm requests are queued?



No, reconfigure only happens when the administrator or some operating 
system control runs "squid -k reconfigure".


You may be seeing a crash and restart?



In the cache log we can see following errors also.

2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='
2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or
unconfigured/inactive proxy-auth scheme, 'Basic
bnByY1xzaHViaGFuZ2lkOmdhbGF4eUA1Nw=='


Normal message for a proxy without Basic auth configured when the client 
sends Basic credentials to it.


Squid is supposed to pause requests during the configure time. So why 
this shows up is a problem that needs to be found.


Amos


Amos Jeffries wrote:

On Tue, 25 Jan 2011 19:25:33 +0530, Senthilkumar wrote:

Hi Amos,

I have followed the suggestions provided by you, and if I use deny
without "all" I am getting a pop-up when I access denied sites; it is
suppressed when I use all.
We use the ntlm scheme to authenticate domain users; all users can
authenticate without any prompt, but while browsing, out of 350 users only
5-6 users get a prompt, rarely (around 2-3 times a day).
There is no specific website or time at which the prompt appears. Please
suggest some troubleshooting ideas and a cause for it.
The cache.log does not show any errors.


I'm not sure exactly which deny line you are describing as producing a
popup. The config below looks right. Where you deny based on group
lookups
the lines should end with "all", as you saw not having it there produces
the popup.


NTLM can suffer from a few issues on connections and some bugs in Squid.
Though both of these problems have been worked on and reduced in newer
releases.

If one of the "allow" group lookups is somehow failing this may produce a
popup.

I am not sure how one would check for these in a production environment. The
things to watch out for are the HTTP auth headers for the request before,
during and after the prompt appears. Whether this is happening on a
connection while it stays up, or if the connection drops out on the
challenge. Whether it happened on a new connection using some non-NTLM auth
(ie a Windows 7 machine trying an unexpected encryption, or some background
application with the wrong keys).

Amos

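
The "Unsupported or unconfigured/inactive proxy-auth scheme, 'Basic ...'" lines Amos explains above carry the client's complete Basic token, and a Basic token is nothing more than base64 of "user:password". Anyone who can read cache.log therefore holds those credentials. The following Python is an added example, not part of Squid: it runs over a constructed cache.log sample (the account and password in it are fake and built inline), redacts every Basic token, and reports which usernames had their passwords written to disk so the operator knows what to rotate.

```python
"""Added example: find and redact Basic credentials leaked into cache.log.

Illustration code, not part of Squid. When a client sends Basic credentials
to a proxy that only speaks NTLM, Squid 3.1 logs the whole 'Basic <token>'
value, and that token is just base64 of 'user:password'. The sample log below
is constructed; the account and password in it are fake.
"""

import base64
import binascii
import re
from typing import List, Optional, Tuple

# The scheme keyword plus the base64 token that follows it.
BASIC_TOKEN_RE = re.compile(r"(?P<scheme>\bBasic\s+)(?P<token>[A-Za-z0-9+/]+=*)")

# Constructed sample input. The first token decodes to a fake 'EXAMPLE\jdoe:S3cret-Pass';
# the last one decodes to text without a ':' and so is not a credential.
_FAKE_CRED = base64.b64encode(b"EXAMPLE\\jdoe:S3cret-Pass").decode("ascii")
_NOT_A_CRED = base64.b64encode(b"no-colon-here").decode("ascii")
SAMPLE_CACHE_LOG = "\n".join([
    "2011/01/31 10:59:02| AuthConfig::CreateAuthUser: Unsupported or "
    f"unconfigured/inactive proxy-auth scheme, 'Basic {_FAKE_CRED}'",
    "2011/01/31 10:59:05| helperOpenServers: Starting 5 'squid_ldap_auth' processes",
    "2011/01/31 10:59:18| AuthConfig::CreateAuthUser: Unsupported or "
    f"unconfigured/inactive proxy-auth scheme, 'Basic {_NOT_A_CRED}'",
])


def basic_username(token: str) -> Optional[str]:
    """Return the user part if token is base64 of 'user:password', else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if ":" not in text:
        return None
    return text.split(":", 1)[0]


def redact_line(line: str) -> Tuple[str, Optional[str]]:
    """Replace every Basic token in a line; report the username if one decoded."""
    found: Optional[str] = None

    def _sub(match: "re.Match[str]") -> str:
        nonlocal found
        user = basic_username(match.group("token"))
        if user is not None and found is None:
            found = user
        # Redact even tokens that did not decode: they are still opaque secrets.
        return match.group("scheme") + "[REDACTED]"

    return BASIC_TOKEN_RE.sub(_sub, line), found


def scan_cache_log(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Redact a whole log; return (clean_lines, [(line_no, username), ...])."""
    clean: List[str] = []
    leaks: List[Tuple[int, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, user = redact_line(line)
        clean.append(redacted)
        if user is not None:
            leaks.append((number, user))
    return clean, leaks


if __name__ == "__main__":
    lines, leaks = scan_cache_log(SAMPLE_CACHE_LOG)
    print("\n".join(lines))
    for number, user in leaks:
        print(f"line {number}: password for {user!r} was logged; rotate it")
```

Point it at a real cache.log with `scan_cache_log(open(path).read())`; the redacted lines are what should be kept or shipped to a SIEM, and the leaks list is the rotation to-do list.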


Re: [squid-users] squid_ldap_group

2011-01-31 Thread Gonzalo Morera
  I've found an old post talking about eDirectory, so I modified the query like 
this:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b 
o=laboratorio -s sub -f 
"(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))" -h 
192.168.0.205 -p 389

and now just entering "username groupname" shows OK.

So it looks like in the ldap filter, for the groupname I had to specify 
the context where it is manually, even if it is under the search base.

Now I have to test it on the browser login page.

Thanks

Gonzalo
 

Re: [squid-users] TCP send/receive buffer tuning

2011-01-31 Thread Jack Falworth
We have an ISP deployment in which we reach performance limits in Squid, so
we try to tune anything possible to get more performance.

I would like to know if there is a reason why this check has been implemented 
(e.g. possible side-effects, etc.) or that it can be removed safely.

Upgrading to squid 3.x is unfortunately no option since COSS support is missing 
and Rockstore isn't ready for testing yet.


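
Before patching the build-time clamp out of configure.in, it is worth seeing what the running kernel does with a buffer request, because that is what the configure probe is measuring. The following Python is an added example, not Squid's configure script: it asks for a series of SO_RCVBUF/SO_SNDBUF sizes on a fresh TCP socket and reads back what was granted. On Linux the kernel doubles the requested value for bookkeeping overhead and silently caps it at net.core.rmem_max / net.core.wmem_max, so a larger request past the ceiling buys nothing until the sysctl is raised. The probe sizes are arbitrary; the /proc paths are Linux-specific and the function returns None elsewhere.

```python
"""Added example: what the kernel actually grants for SO_RCVBUF / SO_SNDBUF.

Illustration code, not Squid's configure script. Linux doubles the value you
ask for and caps the result at net.core.rmem_max / wmem_max; asking for more
than the cap returns the same granted size, which is the point to check
before assuming a bigger buffer in squid.conf or configure.in does anything.
"""

import socket
from typing import Dict, Optional, Sequence

# Arbitrary probe points: the two configure clamps, then well beyond them.
PROBE_SIZES = (32 * 1024, 64 * 1024, 256 * 1024, 4 * 1024 * 1024)


def effective_buffer(option: int, requested: int) -> int:
    """Request `requested` bytes on a fresh TCP socket; return what was granted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, option, requested)
        return sock.getsockopt(socket.SOL_SOCKET, option)


def kernel_ceiling(name: str) -> Optional[int]:
    """Read a net.core sysctl such as 'rmem_max' (Linux only); None elsewhere."""
    try:
        with open(f"/proc/sys/net/core/{name}") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def probe(sizes: Sequence[int] = PROBE_SIZES) -> Dict[str, Dict[int, int]]:
    """Granted size for each requested size, for both directions."""
    return {
        "SO_RCVBUF": {n: effective_buffer(socket.SO_RCVBUF, n) for n in sizes},
        "SO_SNDBUF": {n: effective_buffer(socket.SO_SNDBUF, n) for n in sizes},
    }


def capped_at(results: Dict[int, int]) -> Optional[int]:
    """Smallest requested size after which asking for more granted nothing more.

    None means every larger request was honoured with a larger buffer, i.e. the
    ceiling was not reached within the probed sizes.
    """
    ordered = sorted(results)
    for small, big in zip(ordered, ordered[1:]):
        if results[big] <= results[small]:
            return small
    return None


if __name__ == "__main__":
    for name, sysctl in (("SO_RCVBUF", "rmem_max"), ("SO_SNDBUF", "wmem_max")):
        granted = probe()[name]
        for requested, got in granted.items():
            print(f"{name}: requested {requested:>8} -> granted {got:>8}")
        print(f"{name}: ceiling hit at request size {capped_at(granted)}; "
              f"net.core.{sysctl} = {kernel_ceiling(sysctl)}")
```

If the ceiling is hit at or below the size you want Squid to use, raising the sysctl is the first step; only then does removing the configure clamp change anything on the wire.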


Re: [squid-users] TCP send/receive buffer tuning

2011-01-31 Thread Eliezer
I don't know how high-performance your system is, but I think you can try 
the new version 3.1.10 on your system, and after you get real performance 
issues you can try to recompile it with a less strict option, or just 
compile one with the limit and one without the limit and change the binary if 
you don't get results.


As far as I know 64k is really more than many systems need for a buffer.



[squid-users] TCP send/receive buffer tuning

2011-01-31 Thread Jack Falworth
Hi squid-users,

I have a question regarding the TCP send/receive buffer size Squid uses.
For my high-performance setup I increased both buffer sizes on my Ubuntu 10.04 
system. Unfortunately I found out that Squid 2.7 (as well as 3.x) limits the 
receive buffer to 64K and the send buffer to 32K in the configure.in script.

In addition I found this bug report regarding this check:
http://bugs.squid-cache.org/show_bug.cgi?id=1075

I couldn't really figure out the problem with Squid using higher buffer sizes 
if it is the intention of the administrator to increase those values.
This check was included in CVS rev. 1.303 back in 2005, thus it's quite old.

Is this some legacy check or is it still important with today's systems?
Can I safely remove this check or will this have some side-effects, e.g. say 
the some internal data structures won't be able to cope with higher values?

Regards,
JackF


Re: [squid-users] squid_ldap_group

2011-01-31 Thread Gonzalo Morera
 I saw now that if I enter the query in bash:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b 
o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 
192.168.0.205 -p 389

when the cursor blinks I enter:

username group

Then I've got a squid_ldap_group warning, ldap search error "invalid dn syntax"

So it looked like the query sent is incorrect. But if I enter:

username cn=groupname,o=context

Then I've got Connected OK and groupfilter OK

So it looks like this is my issue, the query sent is incorrect. From bash I can 
easily modify it and add cn=group,o=context to perform the search, but how can I 
apply that to the acl? Here I'm lost.

Thanks a lot

Gonzalo
 

[squid-users] squid_ldap_group

2011-01-31 Thread Gonzalo Morera
Hi all

After getting familiar with squid_ldap_auth, I'm still having some issues 
with squid_ldap_group.
I'm getting familiar with squid acl (I've been working the last years with Novell 
BorderManager, which is quite different) and I can not make it work.
I've got two groups, internet_r and internet_nr.

I'm using a pl file to allow users with the Novell client installed to 
transparently access the internet. That works fine as the pl script gets the network 
ip address of the client. But, with no Novell client installed, the default 
ldap_auth method has to be used, so users get a login page to enter name and 
password. After doing it, the same page appears, and after 3 times an access denied 
is seen. No matter if I use a user in group internet_r (with access) or 
internet_nr (no access), the results are the same. The login page keeps 
returning till the access denied. So I'm doing something wrong with 
squid_ldap_group and acl.
Looking at lan traces, I saw nothing, and the access.log file showed no errors, only 
the url the user wanted to go to. /var/log/messages showed as well no indication of any 
error. So how can I see in more detail what is happening?

This is my squid.conf

#Recommended minimum configuration:

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio 
-w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 
192.168.0.205 -p 389 
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b 
"ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f 
"(&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))"
 -h 192.168.0.205 -p 389
#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#this one works: external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b 
"o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f 
"(&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 
389

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D 
cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f 
"(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

Message looks good when loading:

Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 
for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 
32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from 
/etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 
'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 
'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Unlinkd pipe opened on FD 34
Jan 27 12:27:01 oes2sp1 squid[11314]: Swap maxSize 1048576 KB, estimated 80659 
objects
Jan 27 12:27:01 oes2sp1 squid[11314]: Target number of buckets: 4032
Jan 27 12:27:01 oes2sp1 squid[11314]: Using 8192 Store buckets
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Mem  size: 102400 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Swap size: 1048576 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Local cache digest enabled; 
rebuild/rewrite every 3600/3600 sec
Jan 27 12:27:01 oes2sp1 squid[11314]: Rebuilding storage in /var/cache/squid 
(DIRTY)
Jan 27 12:27:01 oes2sp1 squid[11314]: Using Least Load store dir selection
Jan 27 12:27:01 oes2sp1 squid[11314]: Set Current Directory to /var/cache/squid
Jan 27 12:27:01 oes2sp1 squid[11314]: Loaded Icons.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting HTTP connections at 0.0.0.0, 
port 3128, FD 36.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting ICP messages at 0.0.0.0, port 
3130, FD 37.
Jan 27 12:27:01 oes2sp1 squid[11314]: HTCP Disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting SNMP messages on port 3401, FD 
38.
Jan 27 12:27:01 oes2sp1 squid[11314]: WCCP Disabled.
Jan 27 12:27:02 oes2sp1 squid[11314]: Ready to serve requests.
Jan 27 12:27:02 oes2sp1 squid[11314]: Done reading /var/cache/squid swaplog 
(1864 entries)
Jan 27 12:27:02 oes2sp1 squid[11314]: Finished rebuilding storage from disk.
Jan 27 12:27:02 oes2sp1 squid[11314]:  1864 Entries scanned
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Invalid entries.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 With inv

Re: [squid-users] getting mgr:info over SSL port

2011-01-31 Thread Amos Jeffries

On 31/01/11 17:38, Deepak Rao wrote:

 Hi,

 I am trying to run the squidclient command 'squidclient -p 443
mgr:info', but this is failing.

 Is there a way to run the command over the SSL port? My squid setup
(reverse proxy) has only port 443 open & no non-SSL port is open.

 Please suggest any alternative.


The squidclient tool does not support SSL encryption. You will have to 
pass requests through an encryption layer like stunnel.


Amos
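
Amos's answer is that squidclient speaks plain HTTP and something else has to supply the TLS layer. stunnel is the usual choice; the following Python is an added example, not squidclient's code, that does the same job with the standard library: it opens a certificate-verified TLS connection to the reverse proxy's 443 and sends the cache manager request squidclient would have sent, using the cache_object://host/action@password convention squidclient uses for mgr: actions. Host name, port and CA file are placeholders. Two caveats the thread does not mention: the cachemgr_passwd travels inside the URL, so certificate verification must stay on, and Squid's http_access rules for the manager ACL still have to allow the connecting address (the default only allows localhost), or the proxy answers 403 regardless of the transport.

```python
"""Added example: fetch mgr:info from a Squid that only listens on TLS port 443.

Illustration code, not part of squidclient. squidclient speaks plain HTTP, so
this wraps the same cache manager request in a verified TLS session with the
standard library instead of going through stunnel. Host names, port and CA
file are placeholders.
"""

import socket
import ssl
from typing import Optional, Tuple


def build_mgr_request(host: str, action: str = "info",
                      password: Optional[str] = None) -> bytes:
    """Build the HTTP/1.0 cache manager request squidclient would send."""
    url = f"cache_object://{host}/{action}"
    if password:
        url += f"@{password}"  # cachemgr_passwd, where squidclient's mgr:action@pw puts it
    request = (
        f"GET {url} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def split_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, body_text) from a raw HTTP response; 0 if unparseable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return code, body.decode("utf-8", "replace")


def fetch_mgr_over_tls(host: str, port: int = 443, action: str = "info",
                       password: Optional[str] = None, cafile: Optional[str] = None,
                       timeout: float = 10.0) -> Tuple[int, str]:
    """Open a verified TLS connection and return (status, body) for mgr:<action>."""
    # The default context verifies the chain and the hostname. Do not disable
    # that for a management interface: the manager password is in the URL.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_mgr_request(host, action, password))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return split_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "proxy.example.com"  # placeholder
    status, body = fetch_mgr_over_tls(target)
    print(status)
    print(body[:2000])
```

A 403 with an access-denied page means the TLS part worked and the manager ACL is what is blocking you; a certificate error means the proxy's chain is not trusted by the CA bundle you passed, which is the failure to fix rather than to bypass.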