Re: [squid-users] site cannot be accessed
Share your PAC file please.

Regards,
Sarfraz

From: Simon Dcunha si...@baladia.gov.kw
To: squid-users squid-us...@squid-cache.org
Sent: Monday, January 12, 2015 11:41 AM
Subject: [squid-users] site cannot be accessed

Dear All,

I have squid-3.1.10-22.el6_5.x86_64 running on CentOS 6.5 64 bit for quite some time and working fine.
Just a couple of days back some users reported an issue.
I have an intranet site which just stopped working. If I uncheck the proxy option in the browser the site works fine.
The above users also use internet and it is working fine.
I am using the PAC file to bypass local sites and the local intranet websites are already added in the PAC file.
Also I am quite sure the above intranet websites were working before.

The squid log shows:

1421053747.139 70984 172.16.6.21 TCP_MISS/000 0 GET http://10.101.101.10/ - DIRECT/10.101.101.10 -
1421053779.524 32021 172.16.6.21 TCP_MISS/000 0 GET http://10.101.101.10/ - DIRECT/10.101.101.10 -

Appreciate your advice and concern.

Regards
Simon

--
Network Administrator
Kuwait Municipality!!!
Re: [squid-users] FTP not connected through Squid
Still not able to connect.

Regards,
Sarfraz

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 9:21 AM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 2:13 a.m., ***some text missing*** wrote:

Hello Team,

I am having error while connecting FTP from Filezilla behind the squid. My Scenario is my client is squid client trying to connect internet FTP on port 21 through FileZilla and from Webbrowser as well, but unable to access from both ways. I have monitored a specific IP in access.log but get no request from particular client.

Error received on FileZilla is connection timed out Could not connect to Server

How have you configured FileZilla to use Squid?

Squid current releases only support receiving HTTP traffic. So you need specific configuration in both FileZilla and Squid for this to work.

FileZilla:
In the menu under Edit-Settings in the configuration UI box under Connection-FTP-Generic proxy selecting the entry HTTP/1.1 using CONNECT method then entering your Squid details.

The site manager may also require passive FTP to be used by the server.

Adding to squid.conf this extra line:

acl SSL_ports port 20 21 # FTP

Amos
Re: [squid-users] IP Address routing through IP Tables
Will you please assist to connect Filezilla FTP client behind the squid proxy. I am unable to connect.

Regards,
Sarfraz Aslam

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc: ***some text missing*** shoz...@yahoo.com
Sent: Monday, March 17, 2014 9:28 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

On 17/03/2014 17:53, ***some text missing*** wrote:

I am online there with nick name Shozi what is yours?

Elico.
As I mentioned at the chat WPAD for forward proxy is the best but can be also defined in the browser manually.
I was wondering if zentyal do provide WPAD option in their servers.

Eliezer
Re: [squid-users] FTP not connected through Squid
I am getting this error in access.log.

0 10.25.40.121 TCP_DENIED/407 1728 CONNECT 115.186.92.227:21 - NONE/- text/html [Host: 115.186.92.227:21\r\nUser-Agent: FileZilla\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid\r\nDate: Tue, 18 Mar 2014 07:06:00 GMT\r\nContent-Type: text/html\r\nContent-Length: 1320\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Negotiate\r\nX-Cache: MISS from squidkhi1.mailserver.mcb.com.pk\r\nX-Cache-Lookup: NONE from squidkhi1.mailserver.mcb.com.pk:8080\r\nVia: 1.0 squidkhi1.mailserver.mcb.com.pk:8080 (squid)\r\nConnection: close\r\n\r]
1395126365.205 0 10.25.40.121 TCP_DENIED/407 1728 CONNECT 115.186.92.227:21 - NONE/- text/html [Host: 115.186.92.227:21\r\nUser-Agent: FileZilla\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid\r\nDate: Tue, 18 Mar 2014 07:06:05 GMT\r\nContent-Type: text/html\r\nContent-Length: 1320\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Negotiate\r\nX-Cache: MISS from squidkhi1.mailserver.mcb.com.pk\r\nX-Cache-Lookup: NONE from squidkhi1.mailserver.mcb.com.pk:8080\r\nVia: 1.0 squidkhi1.mailserver.mcb.com.pk:8080 (squid)\r\nConnection: close\r\n\r]

Sarfraz

- Original Message -
From: ***some text missing*** shoz...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 11:55 AM
Subject: Re: [squid-users] FTP not connected through Squid

Still not able to connect.

Regards,
Sarfraz

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 9:21 AM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 2:13 a.m., ***some text missing*** wrote:

Hello Team,

I am having error while connecting FTP from Filezilla behind the squid. My Scenario is my client is squid client trying to connect internet FTP on port 21 through FileZilla and from Webbrowser as well, but unable to access from both ways. I have monitored a specific IP in access.log but get no request from particular client.

Error received on FileZilla is connection timed out Could not connect to Server

How have you configured FileZilla to use Squid?

Squid current releases only support receiving HTTP traffic. So you need specific configuration in both FileZilla and Squid for this to work.

FileZilla:
In the menu under Edit-Settings in the configuration UI box under Connection-FTP-Generic proxy selecting the entry HTTP/1.1 using CONNECT method then entering your Squid details.

The site manager may also require passive FTP to be used by the server.

Adding to squid.conf this extra line:

acl SSL_ports port 20 21 # FTP

Amos
Re: [squid-users] FTP not connected through Squid
I am now able to connect to FTP site through filezilla by allowing FTP port with CONNECT method but unable to view directory listings.

Filezilla Error;
150. Opening binary mode data connection.
error. connection timed out

access.log;
1395127370.117 20775 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:58682 - NONE/- - [Host: 115.186.92.227:58682\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []
1395127370.117 22121 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []

Sarfraz

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: ***some text missing*** shoz...@yahoo.com; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 12:06 PM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 7:55 p.m., ***some text missing*** wrote:

Still not able to connect.

Regards,
Sarfraz

Strange both software have been working fine for me for months with that exact configuration.

Amos
Re: [squid-users] FTP not connected through Squid
After adding lines in squid.conf as suggested. still unable to retrieve directory listing.

access.log
1395132611.648 22122 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nUser-Agent: FileZilla\r\n] [ ]
1395132611.648 20766 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:59953 - NONE/- - [Host: 115.186.92.227:59953\r\nUser-Agent: FileZilla\r\n] []

Sarfraz Aslam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 1:37 PM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 9:01 p.m., ***some text missing*** wrote:

We are using both kerberos and basic authentication mode.

I am now able to connect to FTP site through filezilla by allowing FTP port with CONNECT method but unable to view directory listings. below are both errors.

Filezilla Error;
150. Opening binary mode data connection.
error. connection timed out

access.log;
1395127370.117 20775 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:58682 - NONE/- - [Host: 115.186.92.227:58682\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []
1395127370.117 22121 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []

Looks like port 20 (ftp-data) was not enough for you.

If you can't convince FileZilla to use port 20, you may have to add this to squid.conf:

acl SSL_ports port 1024-65535 # FTP data

Amos
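An added example, not part of any message in this thread: a small Python checker for access.log entries in the format posted above (Squid native format with the bracketed header blocks). It pairs a successful CONNECT to port 21 with the failed high-port data tunnel, lists CONNECT requests to ports outside an allowlist (worth reviewing once SSL_ports is widened to 1024-65535), and flags or redacts entries that write Proxy-Authorization: Basic values into the log. The sample lines, addresses, token and function names are constructed for illustration.

```python
import re

# Squid native access.log entry, optionally followed by the two bracketed
# header blocks seen in the thread's log excerpts.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
    r"(?:\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*?)\])?\s*$"
)
BASIC_RE = re.compile(r"(Proxy-Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+", re.I)

# Constructed sample input (documentation addresses, placeholder token).
SAMPLE_LOG = [
    r"1395127370.117 20775 10.0.0.5 TCP_MISS/000 0 CONNECT 203.0.113.20:58682 - NONE/- - [Host: 203.0.113.20:58682\r\nUser-Agent: FileZilla\r\n] []",
    r"1395127370.117 22121 10.0.0.5 TCP_MISS/200 395 CONNECT 203.0.113.20:21 - DIRECT/203.0.113.20 - [Host: 203.0.113.20:21\r\nProxy-Authorization: Basic UExBQ0VIT0xERVI=\r\nUser-Agent: FileZilla\r\n] []",
    r"1395127400.001 150 10.0.0.6 TCP_MISS/200 4120 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 - [Host: 198.51.100.7:443\r\n] []",
    r"1395126365.205 0 10.0.0.7 TCP_DENIED/407 1728 CONNECT 203.0.113.20:21 - NONE/- text/html [Host: 203.0.113.20:21\r\nUser-Agent: FileZilla\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n\r]",
    "truncated or malformed line",
]


def parse_access_log(lines):
    """Return one dict per well-formed entry; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["host"], e["port"] = None, None
        if e["method"] == "CONNECT":
            host, _, port = e["url"].rpartition(":")
            if host and port.isdigit():
                e["host"], e["port"] = host, int(port)
        entries.append(e)
    return entries


def failed_ftp_data_tunnels(entries):
    """High-port CONNECTs that never reached the server (status 000, NONE)
    for a client/host pair whose port 21 control tunnel succeeded."""
    control = {(e["client"], e["host"]) for e in entries
               if e["port"] == 21 and e["status"] == 200}
    return [(e["client"], e["host"], e["port"]) for e in entries
            if e["port"] is not None and e["port"] >= 1024
            and e["status"] == 0 and e["hier"] == "NONE"
            and (e["client"], e["host"]) in control]


def connects_outside_allowlist(entries, allowed_ports=(443,)):
    """Every CONNECT attempt to a port that is not on the allowlist."""
    return [(e["client"], e["host"], e["port"], e["status"]) for e in entries
            if e["port"] is not None and e["port"] not in allowed_ports]


def entries_logging_basic_credentials(entries):
    """Entries whose logged request headers carry a Basic credential."""
    return [(e["ts"], e["client"]) for e in entries
            if e["req"] and BASIC_RE.search(e["req"])]


def redact_basic_credentials(line):
    """Replace the Basic token in a raw log line before sharing it."""
    return BASIC_RE.sub(r"\1<redacted>", line)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    print("failed data tunnels:", failed_ftp_data_tunnels(parsed))
    print("non-443 CONNECTs:   ", connects_outside_allowlist(parsed))
    print("credentials in log: ", entries_logging_basic_credentials(parsed))
    print(redact_basic_credentials(SAMPLE_LOG[1]))
```
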
Re: [squid-users] FTP not connected through Squid
Just need to confirm is IP TABLES also causing such type of problem?

Sarfraz

- Original Message -
From: ***some text missing*** shoz...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 1:55 PM
Subject: Re: [squid-users] FTP not connected through Squid

After adding lines in squid.conf as suggested. still unable to retrieve directory listing.

access.log
1395132611.648 22122 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nUser-Agent: FileZilla\r\n] [ ]
1395132611.648 20766 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:59953 - NONE/- - [Host: 115.186.92.227:59953\r\nUser-Agent: FileZilla\r\n] []

Sarfraz Aslam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 1:37 PM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 9:01 p.m., ***some text missing*** wrote:

We are using both kerberos and basic authentication mode.

I am now able to connect to FTP site through filezilla by allowing FTP port with CONNECT method but unable to view directory listings. below are both errors.

Filezilla Error;
150. Opening binary mode data connection.
error. connection timed out

access.log;
1395127370.117 20775 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:58682 - NONE/- - [Host: 115.186.92.227:58682\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []
1395127370.117 22121 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []

Looks like port 20 (ftp-data) was not enough for you.

If you can't convince FileZilla to use port 20, you may have to add this to squid.conf:

acl SSL_ports port 1024-65535 # FTP data

Amos
Re: [squid-users] FTP not connected through Squid
Yes I did.

Sarfraz

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 2:14 PM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 9:55 p.m., ***some text missing*** wrote:

After adding lines in squid.conf as suggested. still unable to retrieve directory listing.

Well, I'm not seeing anything else that might be a clue. Except maybe the absence of auth header on the data CONNECT. Though the port 21 CONNECT this time omits one too.

You did restart/reconfigure Squid right?

Amos

access.log
1395132611.648 22122 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nUser-Agent: FileZilla\r\n] [ ]
1395132611.648 20766 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:59953 - NONE/- - [Host: 115.186.92.227:59953\r\nUser-Agent: FileZilla\r\n] []

Sarfraz Aslam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 1:37 PM
Subject: Re: [squid-users] FTP not connected through Squid

On 18/03/2014 9:01 p.m., ***some text missing*** wrote:

We are using both kerberos and basic authentication mode.

I am now able to connect to FTP site through filezilla by allowing FTP port with CONNECT method but unable to view directory listings. below are both errors.

Filezilla Error;
150. Opening binary mode data connection.
error. connection timed out

access.log;
1395127370.117 20775 10.25.40.121 TCP_MISS/000 0 CONNECT 115.186.92.227:58682 - NONE/- - [Host: 115.186.92.227:58682\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []
1395127370.117 22121 10.25.40.121 TCP_MISS/200 395 CONNECT 115.186.92.227:21 - DIRECT/115.186.92.227 - [Host: 115.186.92.227:21\r\nProxy-Authorization: Basic c2FyZnJhei5hc2xhbUBtY2IuY29tLnBrOlJSb290QEREb21haW4=\r\nUser-Agent: FileZilla\r\n] []

Looks like port 20 (ftp-data) was not enough for you.

If you can't convince FileZilla to use port 20, you may have to add this to squid.conf:

acl SSL_ports port 1024-65535 # FTP data

Amos
Re: [squid-users] FTP not connected through Squid
Yes it is good indeed. Details are below.

* I have squid on Linux as a forward proxy with 2 NICs, 1 connected with local LAN and 2nd with Internet
* I configured squid as a forward proxy, not transparent proxy (users manually enter proxy address in their browser to access internet)
* I have a requirement to allow access to remote FTP through File Zilla client by using squid proxy.
* Now when my client user connects through file zilla by using squid proxy, he is getting error while listing directory, however when user is trying to connect to same FTP by using ISA firewall client, he is able to access.
* I am getting below logs from access.log when Filezilla shows error Failed to retrieve directory listing

[root@squidkhi1 ~]# tail -f /var/logs/access.log | grep 10.1.40.11
1395158045.715 39655 10.1.40.11 TCP_MISS/000 0 CONNECT 115.186.92.227:65273 - NONE/- - [Host: 115.186.92.227:65273\r\nUser-Agent: FileZilla\r\n] []

If anything is confusing you, please let me know.

Sarfraz Aslam

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org
Cc:
Sent: Tuesday, March 18, 2014 7:35 PM
Subject: Re: [squid-users] FTP not connected through Squid

Let's start from 0 once again.
You have filezilla as a client and some remote ftp server.
You configure in squid to allow access from the client IP address.
You point the client towards squid from a browser and try to browse some web site and only then try to use filezilla client.

What is the result and steps for each and one of the steps?
Take your time with it, it will help to understand the issue.

Eliezer

On 18/03/2014 11:17, ***some text missing*** wrote:

Just need to confirm is IP TABLES also causing such type of problem?

Sarfraz
[squid-users] FTP not connected through Squid
Hello Team,

I am having error while connecting FTP from Filezilla behind the squid. My Scenario is my client is squid client trying to connect internet FTP on port 21 through FileZilla and from Webbrowser as well, but unable to access from both ways. I have monitored a specific IP in access.log but get no request from particular client.

Error received on FileZilla is connection timed out Could not connect to Server

Any help.

Regards,
Sarfraz
[squid-users] IP Address routing through IP Tables
Can I route any client IP address directly to internet from IP Tables? that bypass squid proxy.

Regards,
Sarfraz
Re: [squid-users] IP Address routing through IP Tables
Thank you for your reply. Please guide me with IP Tables rule. Thank you in advance.

Regards,
Sarfraz

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org
Cc:
Sent: Monday, March 17, 2014 7:09 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

Yes indeed.

Eliezer

On 17/03/2014 15:42, ***some text missing*** wrote:

Can I route any client IP address directly to internet from IP Tables? that bypass squid proxy.

Regards,
Sarfraz
Re: [squid-users] IP Address routing through IP Tables
Rule # 1 require..
My client IP address is 10.25.40.121 and want to access IP directly 115.186.92.227 on port 21 bypass squid.

Rule # 2 require..
My client IP address is 10.25.40.121 need to bypass squid for direct internet access.

Below is my IP Tables***

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.12.250 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.23.103 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.40.25 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.40.11 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.40.121 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.42.63 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.82.0/24 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.88.0/24 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.50 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.51 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.52 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.53 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.55 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ICMP --icmp-type any -j DROP
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.12.250 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.40.25 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.40.31 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.40.11 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.42.63 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.42.55 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.40.121 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.88.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 162 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Regards,
Sarfraz

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc: shoz...@yahoo.com
Sent: Monday, March 17, 2014 7:22 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

You can add a rule to the iptables with -j ACCEPT at the beginning of the mangle table and it will forward this IP address with no interception.
If you have iptables rules and IP I can write to you some rule.

Eliezer

On 17/03/2014 16:17, ***some text missing*** wrote:

Thank you for your reply. Please guide me with IP Tables rule. Thank you in advance.

Regards,
Sarfraz
Re: [squid-users] IP Address routing through IP Tables
I am unable to connect. Would appreciate if you guide me here. Thank you in advance.

Sarfraz

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc: ***some text missing*** shoz...@yahoo.com
Sent: Monday, March 17, 2014 7:40 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

I'm at the IRC channel of the project at chat.freenode.net #squid.
It seems to me like it will be better there...
There are web clients for freenode.

Eliezer

On 17/03/2014 16:36, ***some text missing*** wrote:

Rule # 1 require..
My client IP address is 10.25.40.121 and want to access IP directly 115.186.92.227 on port 21 bypass squid.

Rule # 2 require..
My client IP address is 10.25.40.121 need to bypass squid for direct internet access.

Below is my IP Tables***

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.12.250 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.23.103 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.40.25 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.40.11 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.40.121 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.42.63 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.1.82.0/24 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.25.88.0/24 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.50 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.51 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.52 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.53 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.101.55 -p ICMP --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ICMP --icmp-type any -j DROP
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.12.250 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.40.25 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.40.31 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.40.11 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.42.63 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.1.42.55 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.40.121 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.25.88.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 162 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Regards,
Sarfraz

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc: shoz...@yahoo.com
Sent: Monday, March 17, 2014 7:22 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

You can add a rule to the iptables with -j ACCEPT at the beginning of the mangle table and it will forward this IP address with no interception.
If you have iptables rules and IP I can write to you some rule.

Eliezer

On 17/03/2014 16:17, ***some text missing*** wrote
Re: [squid-users] IP Address routing through IP Tables
I am online there with nick name Shozi what is yours?

- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc: ***some text missing*** shoz...@yahoo.com
Sent: Monday, March 17, 2014 8:46 PM
Subject: Re: [squid-users] IP Address routing through IP Tables

On 17/03/2014 17:03, ***some text missing*** wrote:

I am unable to connect. Would appreciate if you guide me here. Thank you in advance.

Sarfraz

http://webchat.freenode.net/
in the channel use #squid to and enter the recaptcha login and that's it.

Eliezer
Re: [squid-users] squid queue overload. request rejected
Not able to follow your reply. Please suggest solution.

Regards,
Sarfraz

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Cc:
Sent: Wednesday, March 5, 2014 10:37 AM
Subject: Re: [squid-users] squid queue overload. request rejected

On 4/03/2014 8:53 p.m., ***some text missing*** wrote:

Hello,

From last week I am getting messages in my cache.log squid queue overload. request rejected and most of my users unable to browse the webpages.

I have configured squid with external helper ACL and using squid stable version squid2.7 stable 9.

Any idea about this error.

You have named the ACL squid and the helper is not able to cope with the amount of req/sec your Squid proxy is needing to pass to it.

Amos
[squid-users] squid queue overload. request rejected
Hello,

From last week I am getting messages in my cache.log squid queue overload. request rejected and most of my users unable to browse the webpages.

I have configured squid with external helper ACL and using squid stable version squid2.7 stable 9.

Any idea about this error.

Regards,
Sarfraz
[squid-users] Squid for Windows
Hi all,

I want to use squid proxy services on MS Windows Server 2008. Please let me know the latest version of squid and useful link how to install squid on windows.

Require your suggestion regarding performance of squid on Windows vs Linux.

Regards,
Sarfraz Aslam
Re: [squid-users] Website contents loading problem through squid proxy
Hi,

Any update.

Regards,
Sarfraz

- Original Message -
From: ***some text missing*** shoz...@yahoo.com
To: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Friday, January 31, 2014 7:08 PM
Subject: Re: [squid-users] Website contents loading problem through squid proxy

Below is my squid.conf configuration.

#-Network Defined
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# for servers like wsus others ipbased access is required.
acl ipbslhe src /etc/squid/iusers/lhe/ipbasedservers.list
acl ipbskhi src /etc/squid/iusers/khi/ipbasedservers.list
# Executive ip clients
acl ipbcelhe src /etc/squid/iusers/lhe/ipbcfullaccess.list
acl ipbcekhi src /etc/squid/iusers/khi/ipbcfullaccess.list
acl isa src /etc/squid/iusers/lhe/isa.list
# Restricted IP based clients
acl ipbclhe src /etc/squid/iusers/lhe/ipbasedclients.list
acl ipbckhi src /etc/squid/iusers/khi/ipbasedclients.list
# Temporary IP Based clients
acl templhe src /etc/squid/iusers/lhe/tempusers.list
acl tempkhi src /etc/squid/iusers/khi/tempusers.list
#Special users that require torrnet access
acl allportslhe src /etc/squid/iusers/lhe/allportscl.list
acl allportskhi src /etc/squid/iusers/khi/allportscl.list
# For MCB visa update department which require quality of service.
acl visaupdaterskhi src /etc/squid/iusers/khi/visaupdaters.list
acl impsitessubnets src /etc/squid/iusers/khi/impsitessubnets.list
# Branches that have access to only few specific sites related to biz.
# In the next phase the branches related to Khi should be moved to Karachi Proxy.
acl ipbizlhe src /etc/squid/iusers/lhe/ipbizlhe.list
#acl ipbizkhi src /etc/squid/iusers/lhe/ipbizkhi.list
acl ipbizkhi src /etc/squid/iusers/khi/ipbizkhi.list
acl ipbizisb src /etc/squid/iusers/lhe/ipbizisb.list
acl filos src /etc/squid/iusers/lhe/filos.list
acl niftusers src /etc/squid/iusers/lhe/niftusers.list
#acl nadra_bkoffice_lhe src /etc/squid/iusers/lhe/nadra.list
#acl nadra_bkoffice_khi src /etc/squid/iusers/khi/nadra.list
#- banned sites for specific users-
acl special_clients src /etc/squid/dacls/special_client_ips.list
acl bad_domains dstdomain /etc/squid/dacls/bad_domains.list
# RFC1918 internal network
acl localnet src 10.0.0.0/8
acl proxykhi src 10.25.88.175
acl serversubnet src 10.1.82.0/24
acl SSL_ports port 443 # HTTPS
#acl SSL_ports port 9443 # HTTPS
acl SSL_ports port 4443 # HTTPS
acl SSL_ports port 137 # VPN
acl SSL_ports port 138 # VPN
acl SSL_ports port 1900 # VPN
acl SSL_ports port 5 # VPN
acl SSL_ports port 139 # VPN
acl SSL_ports port 8443 #AD Manager/Audit
#acl SSL_ports port 9045 #TPM
acl Safe_ports port 80 # http
acl Safe_ports port 4443 # HTTPS Lotus Protector
acl Safe_ports port 138 # VPN
acl Safe_ports port 137 # VPN
acl Safe_ports port 1900 # VPN
acl Safe_ports port 5 # VPN
acl Safe_ports port 139 # VPN
#acl Safe_ports port # http
#acl Safe_ports port 89 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 8443 # Ad manager
acl Safe_ports port 443 # https
#acl Safe_ports port 9443 # https
#acl Safe_ports port 9045 #TPM HTTPs
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl FTP proto FTP
acl GET method GET
acl POST method POST
#---Necessary ACLs defined-
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access allow !Safe_ports allportslhe
http_access allow !Safe_ports allportskhi
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
# For utorrentz to work the below directive is to comment but thats not safe.
http_access allow !SSL_ports allportslhe
http_access allow !SSL_ports allportskhi
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow FTP
# --Local servers configurations-
acl localservers dstdomain .mcb.com.pk
always_direct allow localservers
cache deny localservers
#-cache peer if any-
#cache_peer 10.1.82.205 parent 8080 0 default no-digest no-query
#never_direct allow all
# Fault tolering the internet connection for business sites that are to be accessed from branches.
#cache_peer squidlhe1.mailserver.mcb.com.pk parent 8080 0 proxy-only
#prefer_direct on
#nonhierarchical_direct off
#cache_peer_access squidlhe1.mailserver.mcb.com.pk deny proxykhi
#cache_peer_access squidlhe1.mailserver.mcb.com.pk allow all
#cache_peer_access squidkhi1.mailserver.mcb.com.pk allow bizsites
# Nadra Setup
#cache_peer 10.1.82.16 parent 8080 0 default no-query no-digest
#acl nadra_sites dst 10.10.10.11
Re: [squid-users] Website contents loading problem through squid proxy
changed to simply http_access. further RD required.
# Deny Streaming to Restricted Clients
http_access deny msgroup3 Movies
http_access deny msgroup3 MP3s
#http_access deny msgroup3 FTP
http_access deny msgroup3 MP3url
http_access deny msgroup3 mediamms
http_access deny msgroup3 mediaprmms
http_access deny msgroup3 PornSites
http_access deny msgroup3 mediaasf
http_access deny msgroup3 mediaprasf
#Streaming youtube block for msgourp3(sarfraz 1-1-11
#http_access deny msgroup3 mediaflv
http_reply_access deny mediaflv msgroup3
#http_access deny msgroup3 mediaprflv
http_access deny msgroup3 RealAudio_url
http_access deny POST msgroup3 RealAudio_mime
http_access deny msgroup3 mediams-hdr
http_access deny msgroup3 mediax-fcs
#http_access deny msgroup3 youtube_domains
#http_access deny msgroup1 facebook_sites
#http_access deny msgroup3 facebook_sites
http_access deny msgroup3 entdownloads
http_access deny msgroup3 sdownloads
#http_access deny msgroup3 torrentSeeds
#http_access deny msgroup3 dlSites
#http_access deny msgroup1 nadra
#http_access deny msgroup3 nadra
http_access allow msgroup1
#http_access allow msgroup2
http_access allow msgroup3
#ACLs Section for bts Clients--
#http_access deny btsgroup3 msnd
#http_access deny btsgroup3 msn
#http_access deny btsgroup3 msn1
#http_access deny btsgroup3 numeric_IPs
#http_access deny btsgroup3 Skype_UA
#http_access deny btsgroup3 ym
#http_access deny btsgroup3 ymregex
#http_access deny btsgroup3 Movies
#http_access deny btsgroup3 MP3s
#http_access deny btsgroup3 FTP
#http_access deny btsgroup3 MP3url
#http_access deny btsgroup3 flashvideo
#http_access deny btsgroup3 youtube_domains
#http_access deny btsgroup3 facebook_sites
#http_access deny btsgroup3 downloads
#http_access deny btsgroup3 torrentSeeds
#http_access deny btsgroup3 dlSites
#http_access allow btsgroup1 bizsites wdays whours
#http_access allow btsgroup1 nadra wdays whours
http_access deny all

Regards,
Sarfraz

----- Original Message -----
From: Amos Jeffries squ...@treenet.co.nz
To: ***some text missing*** shoz...@yahoo.com; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Wednesday, January 29, 2014 2:44 PM
Subject: Re: [squid-users] Website contents loading problem through squid proxy

On 29/01/2014 10:02 p.m., ***some text missing*** wrote:
Can you please guide me the way to troubleshoot this issue.

You could share your squid.conf and we might be able to find something.

Amos
[squid-users] Re: Error while loading web page in squid
Early response would be highly appreciated.

Regards,
Sarfraz Aslam

----- Original Message -----
From: ***some text missing*** shoz...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, January 28, 2014 1:35 PM
Subject: Fw: Error while loading web page in squid

Hi Experts,

I am having this error while click on button Resource interpreted as Document but transferred with MIME type application/json on squid, while same is working fine other than squid. Please help me to resolve this error.

Dialogue box open show in this format while I click on button. Thanks in advance.

{uploader:div id=\file_uploader\ class=\pageContents\\n\tiframe name=\upload_iframe\ id=\upload_iframe\ frameBorder=\0\ class=\group\\/iframe\n\tdiv class=\button_bar ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix\\n\t\ta href=\#\ class=\edit_modal filebrowser cancel\ id=\cancel_changes\Cancel Changes\/a\n\t\timg src=\http:\/\/198.20.224.135\/themes\/cp_global_images\/\/indicator_upload.gif\ alt=\Loading...\ class=\before_upload visualEscapism loading\ \/\n\t\tinput type=\submit\ class=\before_upload disabled-btn\ name=\upload_file\ value=\Upload File\ id=\upload_file\ \/\n\t\tinput type=\submit\ class=\file_exists submit\ name=\rename_file\ value=\Rename File\ id=\rename_file\ \/\n\t\ta href=\#\ class=\after_upload filemanager cancel\ id=\browse_files\Browse Files\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_file\Edit File\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_image\Edit Image\/a\n\t\tinput type=\submit\ class=\after_upload filebrowser submit\ name=\edit_file_modal\ value=\Edit File\ id=\edit_file_modal\ \/\n\t\tinput type=\submit\ class=\edit_modal filebrowser submit\ name=\save_file\ value=\Save File\ id=\save_file\ \/\n\t\tinput type=\submit\ class=\after_upload edit_modal filebrowser submit\ name=\choose_file\ value=\Use Uploaded File\ id=\choose_file\ \/\n\t\/div\n\/div\nscript\n\/\/ This is a super clean and not at all silly fix for bug #19196.\nfunction _EE_uploader_attached()\n{\n\t$.ee_fileuploader.setSource('#upload_iframe', 'index.php?S=88ccf2c741eed94ce6a1eb4735289194D=cpC=content_files_modal');\n}\n\/script\n\n\n}

Regards,
Sarfraz Aslam
Re: [squid-users] Re: Error while loading web page in squid
Any update.

Regards,
Sarfraz Aslam

----- Original Message -----
From: ***some text missing*** shoz...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, January 28, 2014 1:37 PM
Subject: [squid-users] Re: Error while loading web page in squid

Early response would be highly appreciated.

Regards,
Sarfraz Aslam

----- Original Message -----
From: ***some text missing*** shoz...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com; squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Tuesday, January 28, 2014 1:35 PM
Subject: Fw: Error while loading web page in squid

Hi Experts,

I am having this error while click on button Resource interpreted as Document but transferred with MIME type application/json on squid, while same is working fine other than squid. Please help me to resolve this error.

Dialogue box open show in this format while I click on button. Thanks in advance.

{uploader:div id=\file_uploader\ class=\pageContents\\n\tiframe name=\upload_iframe\ id=\upload_iframe\ frameBorder=\0\ class=\group\\/iframe\n\tdiv class=\button_bar ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix\\n\t\ta href=\#\ class=\edit_modal filebrowser cancel\ id=\cancel_changes\Cancel Changes\/a\n\t\timg src=\http:\/\/198.20.224.135\/themes\/cp_global_images\/\/indicator_upload.gif\ alt=\Loading...\ class=\before_upload visualEscapism loading\ \/\n\t\tinput type=\submit\ class=\before_upload disabled-btn\ name=\upload_file\ value=\Upload File\ id=\upload_file\ \/\n\t\tinput type=\submit\ class=\file_exists submit\ name=\rename_file\ value=\Rename File\ id=\rename_file\ \/\n\t\ta href=\#\ class=\after_upload filemanager cancel\ id=\browse_files\Browse Files\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_file\Edit File\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_image\Edit Image\/a\n\t\tinput type=\submit\ class=\after_upload filebrowser submit\ name=\edit_file_modal\ value=\Edit File\ id=\edit_file_modal\ \/\n\t\tinput type=\submit\ class=\edit_modal filebrowser submit\ name=\save_file\ value=\Save File\ id=\save_file\ \/\n\t\tinput type=\submit\ class=\after_upload edit_modal filebrowser submit\ name=\choose_file\ value=\Use Uploaded File\ id=\choose_file\ \/\n\t\/div\n\/div\nscript\n\/\/ This is a super clean and not at all silly fix for bug #19196.\nfunction _EE_uploader_attached()\n{\n\t$.ee_fileuploader.setSource('#upload_iframe', 'index.php?S=88ccf2c741eed94ce6a1eb4735289194D=cpC=content_files_modal');\n}\n\/script\n\n\n}

Regards,
Sarfraz Aslam
[squid-users] Fw: Error while loading web page in squid
Hi Experts,

I am having this error while click on button Resource interpreted as Document but transferred with MIME type application/json on squid, while same is working fine other than squid. Please help me to resolve this error.

Dialogue box open show in this format while I click on button. Thanks in advance.

{uploader:div id=\file_uploader\ class=\pageContents\\n\tiframe name=\upload_iframe\ id=\upload_iframe\ frameBorder=\0\ class=\group\\/iframe\n\tdiv class=\button_bar ui-dialog-titlebar ui-widget-header ui-corner-all ui-helper-clearfix\\n\t\ta href=\#\ class=\edit_modal filebrowser cancel\ id=\cancel_changes\Cancel Changes\/a\n\t\timg src=\http:\/\/198.20.224.135\/themes\/cp_global_images\/\/indicator_upload.gif\ alt=\Loading...\ class=\before_upload visualEscapism loading\ \/\n\t\tinput type=\submit\ class=\before_upload disabled-btn\ name=\upload_file\ value=\Upload File\ id=\upload_file\ \/\n\t\tinput type=\submit\ class=\file_exists submit\ name=\rename_file\ value=\Rename File\ id=\rename_file\ \/\n\t\ta href=\#\ class=\after_upload filemanager cancel\ id=\browse_files\Browse Files\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_file\Edit File\/a\n\t\ta href=\#\ class=\after_upload filemanager submit\ id=\edit_image\Edit Image\/a\n\t\tinput type=\submit\ class=\after_upload filebrowser submit\ name=\edit_file_modal\ value=\Edit File\ id=\edit_file_modal\ \/\n\t\tinput type=\submit\ class=\edit_modal filebrowser submit\ name=\save_file\ value=\Save File\ id=\save_file\ \/\n\t\tinput type=\submit\ class=\after_upload edit_modal filebrowser submit\ name=\choose_file\ value=\Use Uploaded File\ id=\choose_file\ \/\n\t\/div\n\/div\nscript\n\/\/ This is a super clean and not at all silly fix for bug #19196.\nfunction _EE_uploader_attached()\n{\n\t$.ee_fileuploader.setSource('#upload_iframe', 'index.php?S=88ccf2c741eed94ce6a1eb4735289194D=cpC=content_files_modal');\n}\n\/script\n\n\n}

Regards,
Sarfraz Aslam
[squid-users] Website contents loading problem through squid proxy
Hello,

I am experiencing a problem while browsing through squid: the content of one of our websites is not loading properly, while other than squid everything is fine. Please help me to troubleshoot this issue.

Regards,
Sarfraz Aslam
Re: [squid-users] Keytab client not found in kerberos database
Experts,

Early response would be appreciated.

Regards,
Sarfraz

----- Original Message -----
From: ***some text missing*** shoz...@yahoo.com
To: squid-users@squid-cache.org squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 12:20 PM
Subject: [squid-users] Keytab client not found in kerberos database

Hi,

Today I am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fail to browse internet; on other hand IP Based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
Hello Markus,

Thank you for your reply. As suggested, below are the results of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk

One thing to add, maybe it helps!! I am facing this problem after raising Forest and Domain functional level to 2008; before this, user authentication was working fine.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

Which helpers do you run? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab (you can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal).

Markus

***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com...

Hi,

Today I am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fail to browse internet; on other hand IP Based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
Here are the helper lines:

external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk

Below entry exists in AD:

userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk

klist -ekt

[root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5)

Regards,
Sarfraz Aslam

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 6:31 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply.

Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk? What encryption types do you get when running klist -ekt squid.keytab? 2008 may require AES (if you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will see how to create a keytab for 2008).

Regards
Markus

***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com...

Hello Markus,

Thank you for your reply. As suggested, below are the results of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk

One thing to add, maybe it helps!! I am facing this problem after raising Forest and Domain functional level to 2008; before this, user authentication was working fine.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

Which helpers do you run? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab (you can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal).

Markus

***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com...

Hi,

Today I am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fail to browse internet; on other hand IP Based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
I really appreciate your support Markus. Thanks

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 7:03 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

I suggest you re-create the keytab as mentioned on the wiki for a 2008 AD server (i.e. use --enctypes 28 with msktutil).

Markus

***some text missing*** wrote in message news:1388756850.35698.yahoomail...@web162401.mail.bf1.yahoo.com...

Here are the helper lines:

external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk

Below entry exists in AD:

userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk

klist -ekt

[root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5)

Regards,
Sarfraz Aslam

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 6:31 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply.

Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk? What encryption types do you get when running klist -ekt squid.keytab? 2008 may require AES (if you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will see how to create a keytab for 2008).

Regards
Markus

***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com...

Hello Markus,

Thank you for your reply. As suggested, below are the results of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk

One thing to add, maybe it helps!! I am facing this problem after raising Forest and Domain functional level to 2008; before this, user authentication was working fine.

Regards,
Sarfraz

----- Original Message -----
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database

Hi Sarfraz,

Which helpers do you run? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab (you can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal).

Markus

***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com...

Hi,

Today I am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fail to browse internet; on other hand IP Based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
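The check Markus asks for in the thread above (which encryption types klist -ekt reports for the keytab, compared with what --enctypes 28 requests), as an added example that is not part of the original messages. The sample listing is constructed with a placeholder principal; the bit values are those of the AD attribute msDS-SupportedEncryptionTypes, and the set of klist label spellings handled is an assumption.

```python
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes; the
# "--enctypes 28" value suggested in the thread is 0x04 | 0x08 | 0x10.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# Descriptive labels printed by older MIT klist builds (as in the thread).
# Assumption: newer builds print canonical names, sometimes prefixed with
# "DEPRECATED:"; normalise() accepts those too.
LABELS = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "arcfour with hmac/md5": "rc4-hmac",
    "arcfour-hmac": "rc4-hmac",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
}

# KVNO, two-token timestamp, principal, "(enctype label)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed sample: the same three enctypes as the listing in the thread,
# with a placeholder principal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

def normalise(label):
    """Map a klist enctype label to its canonical name, or None if unknown."""
    key = label.strip().lower()
    if key.startswith("deprecated:"):
        key = key[len("deprecated:"):]
    return key if key in ENCTYPE_BITS else LABELS.get(key)

def parse_klist(text):
    """Return (kvno, principal, enctype) for each entry line of klist -ekt."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _stamp, principal, label = m.groups()
        entries.append((int(kvno), principal, normalise(label) or label))
    return entries

def decode_mask(mask):
    """Names of the enctypes whose bit is set in mask."""
    return [name for name, bit in ENCTYPE_BITS.items() if mask & bit]

def audit(text, wanted_mask=28):
    """Compare the enctypes found in the keytab with the requested bit mask."""
    have_mask = 0
    for _kvno, _principal, enctype in parse_klist(text):
        have_mask |= ENCTYPE_BITS.get(enctype, 0)
    return {
        "keytab_mask": have_mask,
        "missing": decode_mask(wanted_mask & ~have_mask),
        "not_requested": decode_mask(have_mask & ~wanted_mask),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST))
```

For the posted listing the keytab mask is 7 (both DES types plus RC4), so neither AES type that mask 28 asks for has a key in the file.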
[squid-users] Keytab client not found in kerberos database
Hi,

Today I am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fail to browse internet; on other hand IP Based access is working fine.

Please help to resolve this error. Thanks.

Regards,
Sarfraz
[squid-users] Fw: Risks by raising Active Directory Functional Level to 2008 R2
Hi,

I have installed RHEL 5.5 with Stable Version of Squid and integrated it with Active Directory for user based authentication. Now we have to plan to raise our Active Directory functional level to 2008. What might be the risks on user based authentication while upgrading Active Directory?

Early response will be appreciated.

Regards,
Sarfraz
[squid-users] Risks by raising Active Directory Functional Level to 2008 R2
Hi,

I have installed RHEL 5.5 with Stable Version of Squid and integrated it with Active Directory for user based authentication. Now we have to plan to raise our Active Directory functional level to 2008. What might be the risks on user based authentication while upgrading Active Directory?

Early response will be appreciated.

Regards,
Sarfraz