RE: [squid-users] Re: Re: Squid Kerberos authentication error
It's not creating the keytab at all.

[root@lx work]# net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:
[root@lx work]# ktutil
ktutil: rkt /etc/krb5.keytab
rkt: Unsupported key table format version number while reading keytab /etc/krb5.keytab

No contents there at /etc/krb5.keytab

Thanks,
Br abusam

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 9:39 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Squid Kerberos authentication error

You can use samba to create the keytab, but you mustn't use any samba daemon as the daemon will reset the key in AD after a predefined time and thereby invalidate the key in your keytab.

Regards
Markus

Navas vmna...@gmail.com wrote in message news:4c9801cd520a$34f4ee30$9edeca90$@gmail.com...

One more thing: I am using Samba, I could not use msktutil. Is there any issue with Kerberos and Samba?
OS: Redhat EL6.2 squid-3.1
thanks,

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 2:59 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Squid Kerberos authentication error

Can you check that the squid user has read access to the Kerberos keytab? Did you set the environment variable KRB5_KTNAME pointing to the Kerberos keytab in the startup script?

Markus

Navas vmna...@gmail.com wrote in message news:000301cd51e5$7f9e64e0$7edb2ea0$@gmail.com...

Hi, I am trying to setup squid to authenticate as AD with kerberos as per the following document
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
but I am getting following error in cache log,

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

appreciated for your kind help ..
thanks,
abusam
[squid-users] Ask about delay pool?
Hi,

How to limit bandwidth of users from a subnet, for example 10.10.10.0/24, to a maximum of 20Mbit, and limit max use per client in that subnet to 1024 Kbit using delay pools?

I read somewhere delay_pools is deprecated, is this true?

If I activate zph does it disable delay pool?

Thx
[squid-users] How can i prioritize Icap services?
Using my icap server I implemented a basic url filtering mechanism with postgresql\mysql\sqlite.
I want to know how icap services are prioritized in squid.
Regular acls are first hits... allow ... deny..
If I want to put the url filtering service above all other icap services on squid, how would I do that?
I have 5 icap services:

##config
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
adaptation_access service_req deny someacl
adaptation_access service_req allow otheracl
icap_service service_filter reqmod_precache bypass=0 icap://127.0.0.2:1344/reqmod?smpfilter
adaptation_access service_filter allow all
#end config

I want all urls to be checked by the filtering system and if so the url is rewritten, and I don't want any other icap service to match it.
So what is squid's logic about icap?

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
[squid-users] ICP Performance issue from RFC 3143
Dear squid users,

RFC 3143 brings the following ICP issue:

  ICP[4] exhibits O(n^2) scaling properties, where n is the number of participating peer proxies. This can lead ICP traffic to dominate HTTP traffic within a network.

Does it still persist in the current squid implementation? Does anybody know some recent information about that?

Thanks in advance,
Erico Guedes
Msc Candidate in Computer Science
Informatics Center, Federal University of Pernambuco - Brazil
MoDCS Research Group - http://www.modcs.org
[squid-users] Re: Re: Re: Squid Kerberos authentication error
I usually use msktutil and I only know from samba what is documented here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab

Markus

Navas vmna...@gmail.com wrote in message news:034901cd52d6$82b3c1b0$881b4510$@gmail.com...

It's not creating the keytab at all.

[root@lx work]# net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:
[root@lx work]# ktutil
ktutil: rkt /etc/krb5.keytab
rkt: Unsupported key table format version number while reading keytab /etc/krb5.keytab

No contents there at /etc/krb5.keytab

Thanks,
Br abusam

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 9:39 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Squid Kerberos authentication error

You can use samba to create the keytab, but you mustn't use any samba daemon as the daemon will reset the key in AD after a predefined time and thereby invalidate the key in your keytab.

Regards
Markus

Navas vmna...@gmail.com wrote in message news:4c9801cd520a$34f4ee30$9edeca90$@gmail.com...

One more thing: I am using Samba, I could not use msktutil. Is there any issue with Kerberos and Samba?
OS: Redhat EL6.2 squid-3.1
thanks,

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 2:59 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Squid Kerberos authentication error

Can you check that the squid user has read access to the Kerberos keytab? Did you set the environment variable KRB5_KTNAME pointing to the Kerberos keytab in the startup script?

Markus

Navas vmna...@gmail.com wrote in message news:000301cd51e5$7f9e64e0$7edb2ea0$@gmail.com...

Hi, I am trying to setup squid to authenticate as AD with kerberos as per the following document
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
but I am getting following error in cache log,

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

appreciated for your kind help ..
thanks,
abusam
Re: [squid-users] Ask about delay pool?
On 26.06.2012 01:32, Ibrahim Lubis wrote:
> Hi, How to limit bandwidth of users from a subnet, for example 10.10.10.0/24, to a maximum of 20Mbit, and limit max use per client in that subnet to 1024 Kbit using delay pools?

See http://www.squid-cache.org/Doc/config/delay_parameters/

> I read somewhere delay_pools is deprecated, is this true?

No. Delay pools is just a bit old with some issues due to its design (very limited IPv6 support, and strange effects when the TCP buffers are bloated[1]). But it is NOT deprecated.

> If I activate zph does it disable delay pool?

No, both will limit the traffic to no more than their own rate. Delay pools limits read() operations from upstream network servers; ZPH/QoS flows limit delivery to the client according to whatever your external QoS management decides.

NP: Squid-3.1+ no longer buffers large amounts of data from the server to drip-feed clients.

Amos

[1] http://www.bufferbloat.net/
[squid-users] Transparent Proxy / Authentication / Landing Page
Dear all,

I need to implement a Proxy Solution that works as follows:

1. Proxy should be implementable without any changes on the net, it should just replace the router
2. Proxy should log any traffic in a logfile with username, ip and connected site, should work for http, ftp, https.
3. Users should authenticate at the proxy before they'll be granted any access to the internet.

How? Users are required to open the webbrowser, type in any page, be redirected to a landing page where they're required to type in their username and password, that's going to be checked from LDAP; if correct they'll be granted internet access (that might work with mac-address ⇔ ip address ⇔ username coupling); after that combination changes the user is required to relogin.

Has anyone any idea how to actually implement that in a system?

Thanks,
Markus
RE: [squid-users] Transparent Proxy / Authentication / Landing Page
> Dear all,
>
> I need to implement a Proxy Solution that works as follows:
>
> 1. Proxy should be implementable without any changes on the net, it should just replace the router
> 2. Proxy should log any traffic in a logfile with username, ip and connected site, should work for http, ftp, https.
> 3. Users should authenticate at the proxy before they'll be granted any access to the internet.
>
> How? Users are required to open the webbrowser, type in any page, be redirected to a landing page where they're required to type in their username and password, that's going to be checked from LDAP; if correct they'll be granted internet access (that might work with mac-address ⇔ ip address ⇔ username coupling); after that combination changes the user is required to relogin.
>
> Has anyone any idea how to actually implement that in a system?

I've done this with iptables and the 'recent' target in a public access wifi setup. The advantage of doing it at iptables level is that once you have authenticated to the login page, you can access the internet on any port so email etc works. 'recent' makes sure that the authentication times out after a period of inactivity, effectively logging the user off.

If you google for 'captive portal' you might turn up some useful info on doing it in squid.

James
RE: [squid-users] Re: Re: Squid Kerberos authentication error
I could solve the issue by creating keytabs within the MS server and exporting them to the Linux machine, and it is working fine with msktutil itself... Still did not find out the reason for not creating it in the Linux machine!

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 9:39 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Squid Kerberos authentication error

You can use samba to create the keytab, but you mustn't use any samba daemon as the daemon will reset the key in AD after a predefined time and thereby invalidate the key in your keytab.

Regards
Markus

Navas vmna...@gmail.com wrote in message news:4c9801cd520a$34f4ee30$9edeca90$@gmail.com...

One more thing: I am using Samba, I could not use msktutil. Is there any issue with Kerberos and Samba?
OS: Redhat EL6.2 squid-3.1
thanks,

-----Original Message-----
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 2:59 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Squid Kerberos authentication error

Can you check that the squid user has read access to the Kerberos keytab? Did you set the environment variable KRB5_KTNAME pointing to the Kerberos keytab in the startup script?

Markus

Navas vmna...@gmail.com wrote in message news:000301cd51e5$7f9e64e0$7edb2ea0$@gmail.com...

Hi, I am trying to setup squid to authenticate as AD with kerberos as per the following document
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
but I am getting following error in cache log,

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

appreciated for your kind help ..
thanks,
abusam
Re: [squid-users] Transparent Proxy / Authentication / Landing Page
On 26/06/2012 4:19 p.m., Markus Thüs wrote:
> Dear all,
>
> I need to implement a Proxy Solution that works as follows:
>
> 1. Proxy should be implementable without any changes on the net, it should just replace the router

Aka you are now required to perform an MITM attack on your clients. Otherwise known as traffic interception proxy.

> 2. Proxy should log any traffic in a logfile with username, ip and connected site, should work for http, ftp, https.

* HTTP supports MITM attacks / interception.
* FTP protocol inbound is not supported by Squid at all.
* HTTPS is designed to prevent MITM attacks / interception.

However, see the notes at the end of this email.

> 3. Users should authenticate at the proxy before they'll be granted any access to the internet.
>
> How? Users are required to open the webbrowser, type in any page, be redirected to a landing page where they're required to type in their username and password, that's going to be checked from LDAP; if correct they'll be granted internet access (that might work with mac-address ⇔ ip address ⇔ username coupling); after that combination changes the user is required to relogin.
>
> Has anyone any idea how to actually implement that in a system?

Search for information on Captive Portal. Here is some info on the splash page with Squid:
http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

If you want to do it with MAC addresses I suggest getting the squid-3.2 beta series code. It has quite a few enhancements around EUI-48 (aka MAC) address handling.

BUT, it is a better idea to avoid that (1) requirement and setup auto-config. Clients capable of auto-detecting the proxy and using it explicitly will have HTTP, FTP and HTTPS and other services that can tunnel over HTTP proxy available through it. As a bonus this will enable your clients to use real HTTP authentication.

http://wiki.squid-cache.org/ConfigExamples/Portal/ZeroConfUpgrade details how to easily bootstrap your network from a no-proxy or transparent-proxy environment into an auto-configured proxy environment.

Amos
Re: [squid-users] Is Squid Multi-Tenant?
My requirement is to address different configuration files to a single squid server, through which I can use multiple configurations with separate rules/filters/users.

~ DP

On Fri, Jun 22, 2012 at 12:30 AM, Robert Collins robe...@squid-cache.org wrote:
> On Fri, Jun 22, 2012 at 5:18 AM, Deepak Panigrahy deepak.ii...@gmail.com wrote:
>> I am a newbie to Squid and was wondering if Squid is multi-tenant? If yes, how can we achieve multi-tenancy in Squid?
>
> This depends almost entirely on what you mean. Can you describe what multi-tenant means to you?
>
> -Rob
Fw: Re: [squid-users] Video Streaming Access with Delay Pools
Dear All,

I am still unable to setup ACLS correctly...! Anyway, now I have decided to setup Delay Pools for Fixed-Bandwidth (No Time Restriction) for youtube/videos/streaming etc. Please share your experience. Here's details:

1. No Bandwidth Restriction on OpenIPs, for example
   acl OpenIPs src /etc/squid3/AlwaysOpenIPs.txt
2. 5 Mbps Bandwidth Restriction on FixBandwidthIPs, i.e.
   acl FixBandwidthIPs src /etc/squid3/FixBandwidthIPs.txt
3. Deny all others access to youtube/videos/streaming, i.e.
   http_reply_access deny deny_rep_mime_flashvideo

Thank you very much for your time and kind help.

--- On Thu, 6/21/12, Anonymous eletters_m...@yahoo.com wrote:

From: Anonymous eletters_m...@yahoo.com
Subject: Re: [squid-users] Time based Video Streaming Access
To: Amos Jeffries squ...@treenet.co.nz, Odhiambo Washington odhia...@gmail.com
Cc: squid-users@squid-cache.org
Date: Thursday, June 21, 2012, 10:43 AM

Thank you very much for detailed information with examples. I have setup ACL as given below:

# -Start Here
acl OpenIPs src /etc/squid3/AlwaysOpenIPs.txt
acl TimedTubed src /etc/squid3/TimeBasedIPs.txt
acl NoTubeTime time SMTWHFA 09:00-14:59
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv
http_reply_access allow OpenIPs
http_reply_access allow TimedTubed NoTubeTime
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access allow all
# -End Here

Now TimedTubed (Time based youtube/video streaming access) can access all other web sites BUT after the restricted time (09:00-14:59) @ 15:00, they can not access the you tube website. I want to allow the TimedTubed IPs to access you tube only from 15:00 till 08:59.

Thank you very much for your time and kind help.

Regards.

--- On Thu, 6/21/12, Amos Jeffries squ...@treenet.co.nz wrote:

> From: Amos Jeffries squ...@treenet.co.nz
> Subject: Re: [squid-users] Time based Video Streaming Access
> To: Anonymous eletters_m...@yahoo.com
> Cc: squid-users@squid-cache.org
> Date: Thursday, June 21, 2012, 4:27 AM
>
> On 20.06.2012 20:31, Anonymous wrote:
>> Dear Amos Jeffries and All,
>>
>> Thank you very much for great help. I am trying to understand the actual working of http_reply_access [allow|deny] and http_access [allow|deny]. Can you please tell me the format, especially the ORDER of ACL Statements, as http_reply_access [allow|deny] and http_access [allow|deny] are a bit tricky and I am confused how to set the order of acl statements.
>
> http_access lines are tested as soon as the HTTP request is received. Using only the TCP connection and HTTP request details (no HTTP reply details). To decide whether Squid is going to reject the request or try to handle it.
>
> http_reply_access is tested as soon as the HTTP reply is received. Using TCP connection details, HTTP request and reply details. To decide whether Squid is going to deliver the response or send an error instead.
>
> There is no configuration-relevant ordering between http_access and http_reply_access lines. Each one will be separated into a sequence of its own type of line. eg
>
>   http_access allow A
>   http_reply_access deny B
>   http_access allow C
>
> is the same as:
>
>   http_access allow A
>   http_access allow C
>   http_reply_access deny B
>
> acl directive lines are just definitions of how to run a particular test. The only ordering they have is to be listed in the config before they are used on any other directive lines.
>
> Lines for each access directive type (eg, http_access) are processed top-to-bottom; the first matching whole line does its action. Individual ACLs on each line are tested left-to-right, with the first mis-matching ACL stopping that line's test.
>
> For example:
>
>   http_access allow A B C
>   http_access deny D E
>
> means:
>   if A *and* B *and* C tests all match, ALLOW the request
>   OR, if D *and* E tests all match, DENY the request
>   OR do the opposite of DENY
>
> With some logic performance tricks like: if B does not match, the whole first line will not match so C will not be tested (one less test == faster handling time).
>
> More details can be found at http://wiki.squid-cache.org/SquidFaq/SquidAcl
>
> HTH
> Amos
>
>> Thank you very much for your time and help.
>>
>> --- On Wed, 6/20/12, Amos Jeffries squ...@treenet.co.nz wrote:
>>
>>> From: Amos Jeffries squ...@treenet.co.nz
>>> Subject: Re: [squid-users] Time based Video Streaming Access
>>> To: squid-users@squid-cache.org
>>> Date: Wednesday, June 20, 2012, 7:23 AM
>>>
>>> On 19.06.2012 23:57, Anonymous wrote:
>>>> Hello Respected All, I want to setup Time based Video Streaming Access for different IPs (same subnet), few IPs are allowed every time
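An added example (mine, not code from Squid or from anyone in the thread) that models the evaluation rules Amos describes: a small Python simulator of http_access / http_reply_access lines, run over the http_reply_access rules posted above. The two client addresses are constructed stand-ins for the AlwaysOpenIPs.txt and TimeBasedIPs.txt lists, and the time ACL ignores the day-of-week part of the real directive.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# An evaluation context is a plain dict of the details an ACL may look at,
# e.g. {"src": "10.0.0.20", "hour": 10, "minute": 30, "rep_mime": "video/x-flv"}.
Ctx = Dict[str, object]
AclTest = Callable[[Ctx], bool]

def src_in(ips: set) -> AclTest:
    """Models 'acl NAME src ...': match when the client address is listed."""
    return lambda c: c["src"] in ips

def time_between(start: Tuple[int, int], end: Tuple[int, int]) -> AclTest:
    """Models 'acl NAME time ... hh:mm-hh:mm' (day-of-week part ignored: assumption)."""
    return lambda c: start <= (c["hour"], c["minute"]) <= end

def rep_mime(mime: str) -> AclTest:
    """Models 'acl NAME rep_mime_type ...': match on the reply Content-Type."""
    return lambda c: c.get("rep_mime") == mime

@dataclass
class Line:
    action: str       # "allow" or "deny"
    acls: List[str]   # ACL names on the line, tested left to right

def evaluate(acls: Dict[str, AclTest], lines: List[Line], ctx: Ctx) -> Tuple[str, int]:
    """Top-to-bottom; the first line whose ACLs all match decides.
    Returns (action, index of the deciding line). all() short-circuits, so a
    mismatching ACL stops testing the rest of that line. With no match the
    default is the opposite of the last line's action, reported as index -1."""
    for i, line in enumerate(lines):
        if all(acls[name](ctx) for name in line.acls):
            return line.action, i
    return ("deny" if lines[-1].action == "allow" else "allow"), -1

# The http_reply_access rules from the thread; the IPs stand in for the list files.
THREAD_ACLS: Dict[str, AclTest] = {
    "OpenIPs": src_in({"10.0.0.1"}),        # constructed sample of AlwaysOpenIPs.txt
    "TimedTubed": src_in({"10.0.0.20"}),    # constructed sample of TimeBasedIPs.txt
    "NoTubeTime": time_between((9, 0), (14, 59)),
    "deny_rep_mime_flashvideo": rep_mime("video/x-flv"),
    "all": lambda c: True,
}
THREAD_REPLY_ACCESS = [
    Line("allow", ["OpenIPs"]),
    Line("allow", ["TimedTubed", "NoTubeTime"]),
    Line("deny", ["deny_rep_mime_flashvideo"]),
    Line("allow", ["all"]),
]

def thread_decision(src: str, hour: int, minute: int, mime: str) -> Tuple[str, int]:
    """Decide one reply under the thread's rules; returns (action, deciding line)."""
    ctx: Ctx = {"src": src, "hour": hour, "minute": minute, "rep_mime": mime}
    return evaluate(THREAD_ACLS, THREAD_REPLY_ACCESS, ctx)
```

Evaluating a TimedTubed client shows why video/x-flv gets through during 09:00-14:59 (the second line matches and the search stops there) and is denied at 15:00 (the third line is then the first match), which is exactly the behaviour reported in the thread.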