[squid-users] Relative to the Skip IP6 addresses thread
Hi all,

Relative to this thread: http://www.squid-cache.org/mail-archive/squid-users/201108/0161.html
and relative to this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593815

Since Debian chose to set bindv6only to 1 (/etc/sysctl.d/bindv6only.conf), we experience timeout fallback problems (packages.debian.org, etc ...).

Doing an

echo 0 > /proc/sys/net/ipv6/bindv6only

and a

squid3 -k reconfigure

does the trick.

Regards.
[squid-users] reverse proxy shows error 403 denied
hello,

i have configured squid to reverse-proxy an internet connection going into my internal exchange server. the squid configuration section is like this one:

##
# ip 10.0.1.1 - squid server
# ip 10.0.1.2 - ms-exchange server
https_port 10.0.1.1:443 cert=/etc/squid3/geotrust_cert.pem defaultsite=mail.my-domain.com
cache_peer 10.0.1.2 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/selfsigned.pem name=exchangeServer
acl EXCH dstdomain .rpc_domain_name
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
##

but, when i try to connect from the internet i receive a denying page, and the cache log says:

TCP_DENIED/403 3861 GET https://mail.my-domain.com/owa - NONE/- text/html

thanks in advance for someone who could help me find what is wrong with that config.

regards,
sidnei
[squid-users] Authentication Prompts
I've been trying to model two different kinds of users in ACLs, where the kids are authenticated by one account, and the adults another. The kids are allowed to go only to a whitelist of websites, but I'd like the adults to be able to override this behavior for a while if they enter their credentials. I was also trying to wire this into a db-auth environment so I can alter the accounts from my desktop.

Following the guide at http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F, I can keep the kids restricted to a site but the parents get stuck in an authentication loop or just denied access. Here's my config - can anyone help me figure this out?

auth_param basic program /usr/lib64/squid/squid_db_auth --user squid --password squidward --plaintext --persist
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 20 minute
auth_param basic casesensitive off

acl kids_sites dstdomain /etc/squid/kids_sites.txt
acl parents proxy_auth sigmondMom
acl db-auth proxy_auth REQUIRED

http_access allow db-auth kids_sites
http_access deny !parents all
http_access allow db-auth

# And finally deny all other access to this proxy
http_access deny all
[squid-users] deep analysis of some request
Is there a way to analyze somehow deeper what's going on with this?

tss# grep -c 'http://ecs.amazonaws.com/onca/xml?' access.log
3065
tss# grep 'http://ecs.amazonaws.com/onca/xml?' access.log | tail -1
66.55.138.70 - - [08/Sep/2011:18:59:26 +] GET http://ecs.amazonaws.com/onca/xml? HTTP/1.1 200 135861 - Mozilla/4.1 TCP_MISS:DIRECT
tss#

I'd like to capture it somehow so I can look at what kind of request that is.

--
http://alexus.org/
Re: [squid-users] Authentication Prompts
On 09/09/11 06:28, Matt Cochran wrote:
> I've been trying to model two different kinds of users in ACLs, where the kids are authenticated by one account, and the adults another. The kids are allowed to go only to a whitelist of websites, but I'd like the adults to be able to override this behavior for a while if they enter their credentials. I was also trying to wire this into a db-auth environment so I can alter the accounts from my desktop.
>
> Following the guide at http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F, I can keep the kids restricted to a site but the parents get stuck in an authentication loop or just denied access. Here's my config - can anyone help me figure this out?

Notice that would allow the kids to get a popup and re-try with parents login to restricted sites without the parent being present.

What you are asking for is this:

# login required to go anywhere at all
http_access deny !db-auth

# kids to their sites
http_access allow !parents kids_sites

# parents anywhere
http_access allow parents

# challenge if not logged in with parents credentials
http_access deny !parents

# everything else is blocked.
http_access deny all

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11
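Added example (not part of the original thread, and not Squid's own code): a simplified Python model of how the http_access rules discussed above are evaluated, comparing the original "deny !parents all" with the suggested "deny !parents". The user name "kid", the two domains and the exact-match kids_sites set are constructed assumptions.

```python
# Added example: simplified model of Squid http_access evaluation (not Squid code).
AUTH_ACLS = {"db-auth", "parents"}       # the proxy_auth ACLs from the thread
KIDS_SITES = {"kids.example.org"}        # constructed stand-in for kids_sites.txt
PARENTS = {"sigmondMom"}

def acl_matches(name, user, domain):
    """Evaluate one ACL; user is None when the request carried no credentials."""
    if name == "all":
        return True
    if name == "kids_sites":             # assumption: exact match, no subdomains
        return domain in KIDS_SITES
    if name == "db-auth":                # proxy_auth REQUIRED: any valid login
        return user is not None
    if name == "parents":
        return user in PARENTS
    raise ValueError(f"unknown ACL {name!r}")

def http_access(rules, user, domain):
    """First matching rule decides. Returns 'ALLOW', '403' or '407'."""
    for action, *acls in rules:
        matched = True
        for acl in acls:
            name, negated = acl.lstrip("!"), acl.startswith("!")
            if name in AUTH_ACLS and user is None:
                return "407"             # auth ACL tested without credentials
            if acl_matches(name, user, domain) == negated:
                matched = False
                break
        if matched and action == "allow":
            return "ALLOW"
        if matched:
            # deny ending in an auth ACL re-challenges; any other deny is final
            return "407" if acls[-1].lstrip("!") in AUTH_ACLS else "403"
    return "403"                         # unreachable here: both lists end in deny all

ORIGINAL = [("allow", "db-auth", "kids_sites"), ("deny", "!parents", "all"),
            ("allow", "db-auth"), ("deny", "all")]
SUGGESTED = [("deny", "!db-auth"), ("allow", "!parents", "kids_sites"),
             ("allow", "parents"), ("deny", "!parents"), ("deny", "all")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for user in (None, "kid", "sigmondMom"):
            for domain in ("kids.example.org", "news.example.com"):
                print(label, user, domain, http_access(rules, user, domain))
```

In this model a kid requesting a non-whitelisted site gets a 403 under the original rules and a 407 login prompt under the suggested ones; that prompt accepts whoever types the parents' credentials, which is the point raised in the reply.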
[squid-users] any documents on eCAP?
Hi,

After waiting for a reply from the eCAP mailing list for a period of time, it is a pity that there was not a single reply. I decided to post this question here, that is: Are there any documents on the eCAP program? There is not much info on eCAP.org, and almost nothing on Google either.

Hope it will be helpful. THANKS for any reply.

--
Fr
Lin Youhuang
Re: [squid-users] deep analysis of some request
On 09/09/11 07:02, alexus wrote:
> Is there a way to analyze somehow deeper what's going on with this?
>
> tss# grep -c 'http://ecs.amazonaws.com/onca/xml?' access.log
> 3065
> tss# grep 'http://ecs.amazonaws.com/onca/xml?' access.log | tail -1
> 66.55.138.70 - - [08/Sep/2011:18:59:26 +] GET http://ecs.amazonaws.com/onca/xml? HTTP/1.1 200 135861 - Mozilla/4.1 TCP_MISS:DIRECT
> tss#
>
> I'd like to capture it somehow so I can look at what kind of request that is.

Data retrieval from an amazon online API.

You have stripped the query parameters from the logged information so there is no way to tell how many different requests are being bunched together in that 3065 count.

The above line count has about the same meaning as:

grep -c 'http://ecs.amazonaws.com/' access.log

(and probably a similar count.)

Amos
Re: [squid-users] reverse proxy shows error 403 denied
On 09/09/11 02:29, Sidnei Moreira wrote:
> hello,
>
> i have configured squid to reverse-proxy an internet connection going into my internal exchange server. the squid configuration section is like this one:
>
> ##
> # ip 10.0.1.1 - squid server
> # ip 10.0.1.2 - ms-exchange server
> https_port 10.0.1.1:443 cert=/etc/squid3/geotrust_cert.pem defaultsite=mail.my-domain.com

All requests entering through this port are re-written with the domain name mail.my-domain.com.

Update your EXCH ACL to permit mail.my-domain.com and ensure that the exchange server believes its public domain name is mail.my-domain.com.

> cache_peer 10.0.1.2 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/selfsigned.pem name=exchangeServer
> acl EXCH dstdomain .rpc_domain_name
> cache_peer_access exchangeServer allow EXCH
> cache_peer_access exchangeServer deny all
> never_direct allow EXCH
> http_access allow EXCH
> http_access deny all
> miss_access allow EXCH
> miss_access deny all
> ##
>
> but, when i try to connect from the internet i receive a denying page, and the cache log says:
>
> TCP_DENIED/403 3861 GET https://mail.my-domain.com/owa - NONE/- text/html

That looks like an OWA request. They require some different peer configuration than RPC.
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

IIRC it had something to do with OWA doing client certificate verification.

Amos
Re: [squid-users] RE: Help with squid3 auth schemes and updates v 3.1.15
On 08/09/11 07:59, a a wrote:
> My name is Shawn caron. I run a squid3 proxy server v 3.1.15. on ubuntu 11.04. I am having some trouble getting it to run as I want it to.
>
> First question is, do you know what is the most secure scheme in squid 3. Currently running digest with user name and password.

http://wiki.squid-cache.org/Features/Authentication#Can_I_use_different_authentication_mechanisms_together.3F

> Second question is. using aptitude and apt-get and antivirus updates through squid 3. Updates are for linux computers running a cron job connecting via command line only.

Anything they support.

Amos
Re: [squid-users] any documents on eCAP?
On Fri, 2011-09-09 at 08:57 +0800, 铀煌林 wrote:
> Hi,
>
> After waiting for a reply from the eCAP mailing list for a period of time, it is a pity that there was not a single reply. I decided to post this question here, that is: Are there any documents on the eCAP program? There is not much info on eCAP.org, and almost nothing on Google either.
>
> Hope it will be helpful. THANKS for any reply.

Seems that the eCAP.org domain is outdated. Try http://www.e-cap.org/Documentation; plz.

--
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice: http://www.fsf.org/campaigns/jstrap/gmail?10073.
[squid-users] Single slow site
Hi All,

I am experiencing a slow down on one particular site: https://www.my.commbank.com.au/netbank/Logon/Logon.aspx

I can access this web site fine however it takes approx. 30 seconds to load, and if I bypass squid it takes 1 second.

Currently running version 3.1.15, can someone point me in the right direction to further troubleshoot this one?

Cheers,
JLK
Re: [squid-users] deep analysis of some request
Hello, alexus,

You wrote on 08.09.11:
> Is there a way to analyze somehow deeper what's going on with this?
>
> tss# grep 'http://ecs.amazonaws.com/onca/xml?' access.log | tail -1
> 66.55.138.70 - - [08/Sep/2011:18:59:26 +] GET http://ecs.amazonaws.com/onca/xml? HTTP/1.1 200 135861 - Mozilla/4.1 TCP_MISS:DIRECT

That line shows that the machine 66.55.138.70 tries to get a document from http://ecs.amazonaws.com/onca/xml

And it gets the document (with about 130 kByte).

66.55.138.70 belongs to Alexusbiz Corp - seems to be one of your IP addresses.

Seems that this request is no squid problem.

Best regards!
Helmut