[squid-users] kerberos auth does not work for ftp traffic?

2013-04-16 Thread Sean Boran
Hi,

Kerberos is authenticating http/s traffic for me from certain client
addresses just fine.
However, ftp is being rejected. Does the browser+squid not auth ftp in
the same way as http?

If ftp does work with kerberos, is there a way (ACL) that ftp traffic
can be excluded from kerberos auth?

Thanks in advance,

Sean


Re: [squid-users] squid 3.2 - squidclient - Connection refused

2013-04-16 Thread Amos Jeffries

On 17/04/2013 6:05 p.m., Михаил wrote:

> Hi! I have a problem with squidclient.
> Please look at the information below.
>
> # uname -a
> Linux ui-proxy 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Feb 20 12:17:37 EST 2013
> x86_64 x86_64 x86_64 GNU/Linux
>
> # more /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.4 (Santiago)
>
> # more /etc/hosts
> 192.168.177.134 ui-proxy.office.corp ui-proxy
> 127.0.0.1   localhost.localdomain   localhost   ui-proxy
> ::1 localhost.localdomain   localhost   ui-proxy
>
> # squid -v
> Squid Cache: Version 3.2.9
> configure options:  '--prefix=/usr' '--includedir=/usr/include'
> '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-default-user=root'
> '--disable-ipv6' --enable-ltdl-convenience
>
> # squidclient -h localhost mgr:storedir
> assert "false" at line 689
> Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T
> ADDRESS: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1
> squidclient: Address.cc:689: void Ip::Address::GetAddrInfo(addrinfo*&, int)
> const: Assertion `false' failed.
> Aborted
>
> Can you help me?


localhost resolves to the IPv6 address ::1 when using your system 
resolver as the squidclient tool does. You built your Squid with 
--disable-ipv6.


Please take a look at the results of these commands:
host localhost
squidclient -v -h localhost mgr:storedir


Amos


[squid-users] squid 3.2 - squidclient - Connection refused

2013-04-16 Thread Михаил
Hi! I have a problem with squidclient.
Please look at the information below.

# uname -a
Linux ui-proxy 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Feb 20 12:17:37 EST 2013 
x86_64 x86_64 x86_64 GNU/Linux

# more /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

# more /etc/hosts
192.168.177.134 ui-proxy.office.corp ui-proxy
127.0.0.1   localhost.localdomain   localhost   ui-proxy
::1 localhost.localdomain   localhost   ui-proxy

# squid -v
Squid Cache: Version 3.2.9
configure options:  '--prefix=/usr' '--includedir=/usr/include' 
'--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' 
'--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-default-user=root' 
'--disable-ipv6' --enable-ltdl-convenience

# grep localhost squid.conf
http_access allow localhost manager
# grep webserver squid.conf
acl webserver src 192.168.177.134/32
http_access allow webserver manager

# squidclient -h 192.168.177.134 mgr:storedir
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Wed, 17 Apr 2013 06:00:07 GMT
Content-Type: text/plain
Expires: Wed, 17 Apr 2013 06:00:07 GMT
Last-Modified: Wed, 17 Apr 2013 06:00:07 GMT
X-Cache: MISS from ui-proxy.office.corp
Via: 1.1 ui-proxy.office.corp (squid)
Connection: close
Store Directory Statistics:
Store Entries  : 197801
Maximum Swap Size  : 8192000 KB
Current Store Swap Size: 5338420.00 KB
Current Capacity   : 65.17% used, 34.83% free
Store Directory #0 (ufs): /var/spool/squid
FS Block Size 4096 Bytes
First level subdirectories: 32
Second level subdirectories: 64
Maximum Size: 8192000 KB
Current Size: 5338420.00 KB
Percent Used: 65.17%
Filemap bits in use: 197735 of 262144 (75%)
Filesystem Space in use: 24778608/73440504 KB (34%)
Filesystem Inodes in use: 460976/4669440 (10%)
Flags: SELECTED
Removal policy: lru
LRU reference age: 1.81 days

# squidclient -h 127.0.0.1 mgr:storedir
client: ERROR: Cannot connect to 127.0.0.1:3128: Connection refused

# squidclient -h localhost mgr:storedir
assert "false" at line 689
Ip::Address invalid? with IsIPv4()=F, IsIPv6()=T
ADDRESS: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1
squidclient: Address.cc:689: void Ip::Address::GetAddrInfo(addrinfo*&, int) 
const: Assertion `false' failed.
Aborted

Can you help me?


Re: [squid-users] DNS search not working - Squid Cache: Version 3.3.3

2013-04-16 Thread Amos Jeffries

On 17/04/2013 4:07 p.m., Kris Glynn wrote:

> Hi,
>
> Given the following, why doesn't DNS search work given that my nameserver
> 1.1.1.1 contains valid DNS entries for test.blue.internal and
> test2.green.internal?
>
> GET http://test/
> GET http://test2/
>
> .. both return DNS entry not found in squid.


In the current Squid you need to explicitly turn on this type of 
searching in squid.conf.

http://www.squid-cache.org/Doc/config/dns_defnames/

Amos


[squid-users] DNS search not working - Squid Cache: Version 3.3.3

2013-04-16 Thread Kris Glynn
Hi,

Given the following, why doesn't DNS search work given that my nameserver
1.1.1.1 contains valid DNS entries for test.blue.internal and
test2.green.internal?

GET http://test/
GET http://test2/

.. both return DNS entry not found in squid.


/etc/resolv.conf

options rotate
search blue.internal green.internal
nameserver 1.1.1.1


squidclient -p 8080 mgr:idns

Internal DNS Statistics:

Nameservers:
IP ADDRESS # QUERIES # REPLIES
1.1.1.1 205   205

*snip*
Search list:
blue.internal
green.internal
*snip*


I do not have append_domain set in squid.conf - I've tried adding it but it 
only accepts one domain not two..

Clearly running " squidclient -p 8080 mgr:idns" shows that squid has consumed 
my /etc/resolv.conf and I can nslookup test and test2 from the bash shell..



[root@squid]# nslookup
> test
Server: 1.1.1.1
Address: 1.1.1.1#53

Name:   test.blue.internal
Address: 192.168.48.41
>


[root@squid]# nslookup
> test2
Server: 1.1.1.1
Address: 1.1.1.1#53

Name:   test2.green.internal
Address: 192.168.48.42
>



Re: [squid-users] ACL based on auth type

2013-04-16 Thread Amos Jeffries

On 16/04/2013 8:09 p.m., Alan wrote:

> Is there any way to construct an ACL that checks the authentication
> mechanism used (eg: radius/kerberos)?


No. But ...


> I want to allow radius authentication only for FTP users, since there
> is no FTP client (that I know of) that works with Squid using
> kerberos authentication, but I want to enable it only for FTP and not
> HTTP.
>
> Or even better, anybody knows of a graphical FTP client that can
> authenticate to Squid using kerberos?


... I have a plan on how to add it if you are interested in sponsoring 
the feature development.


Alternatively, if you are able to offer RADIUS with Basic auth scheme,
why not offer it to all clients? They are supposed to select the most
secure scheme they can support and most do (modulo a few bugs in old IE
and recent Firefox).


Amos
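
Added example, not part of Amos's reply or of any poster's configuration: a squid.conf fragment that offers both Negotiate/Kerberos and Basic (backed by RADIUS) to every client, as suggested above. The helper paths, the service principal and the RADIUS settings file are assumptions to be replaced with local values.

```conf
# Added example; helper paths, principal and file names are assumptions.

# Schemes are offered to clients in the order they are configured,
# so Negotiate/Kerberos is listed first.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Basic scheme checked against RADIUS, for clients without Kerberos
# support (such as the FTP clients mentioned in the question).
# Basic credentials are only base64-encoded on the wire, so the
# client-to-proxy path has to be a network segment you trust.
auth_param basic program /usr/lib/squid/basic_radius_auth -f /etc/squid/radius.conf
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# One ACL covers both schemes: proxy_auth matches any authenticated
# user, whichever scheme the client selected.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Because there is no ACL for the scheme in use, this setup cannot restrict Basic to FTP requests only; every client that falls back to Basic will be accepted.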


Re: [squid-users] squid code

2013-04-16 Thread Amos Jeffries



- Original Message -
From: Amos Jeffries

On 16/04/2013 6:59 a.m., Saad Ahmed wrote:

where is socket listen bind accept response from client to server written in 
squid ? please tell me filename and function? In tproxy mode

What are you trying to do?

Amos


On 16/04/2013 6:29 p.m., Saad Ahmed wrote:

I want to implement my own content filtering module on top of squid in 
transparent mode


Okay.

What you want is to write an eCAP module which can be loaded by Squid, 
or an ICAP service which Squid can relay traffic to. You do not need to 
know or touch the Squid code in any way to use these interfaces. Also, 
they are common interfaces also available in other proxies than Squid so 
your product is not tied to Squid installations.

  http://www.e-cap.org/Documentation
  http://c-icap.sourceforge.net/software.html

Amos


Re: [squid-users] high traffic with google

2013-04-16 Thread Alexandre Chappaz
Thanks,

what do you mean by adding some headers?

Regards
Alex

2013/4/12 Eliezer Croitoru :
> I suggest you contact squid, and adding some headers might help in
> this case.
>
> Regards,
> Eliezer
>
> - Original Message -
> From: "Alexandre Chappaz" 
> To: squid-users@squid-cache.org
> Sent: Thursday, April 11, 2013 6:38:04 PM
> Subject: [squid-users] high traffic with google
>
> Hi,
>
> we are handling a rather large network ( ~140K users ) and we use one
> unique public IP address for internet traffic. This leads google to get
> suspicious with us ( captcha with each search )
>
> Do you know if google can whitelist us in some way? where to contact
> them? any way to smartly bypass this behavior?
>
>
> Thanks
> Alex


[squid-users] ACL based on auth type

2013-04-16 Thread Alan
Is there any way to construct an ACL that checks the authentication
mechanism used (eg: radius/kerberos)?

I want to allow radius authentication only for FTP users, since there
is no FTP client (that I know of) that works with Squid using
kerberos authentication, but I want to enable it only for FTP and not
HTTP.

Or even better, anybody knows of a graphical FTP client that can
authenticate to Squid using kerberos?