Re: [squid-users] Squid 3.5: internal-static icons on ftp:// requests
On Thu, 21-May-2015 at 21:54:21 +1200, Amos Jeffries wrote:

On 21/05/2015 5:35 p.m., Andre Albsmeier wrote:

On Tue, 19-May-2015 at 19:52:14 +1200, Amos Jeffries wrote:

On 19/05/2015 6:29 p.m., Andre Albsmeier wrote:

When browsing e.g. ftp://ftp.mozilla.org/pub/thunderbird/releases/31.5.0/win32/en-GB/

snip

and now the icons on ftp://ftp.mozilla.org/ appear but I wonder if it is really needed to patch squid for that... ;-).

This is http://bugs.squid-cache.org/show_bug.cgi?id=4132. Thank you for the patch a slightly tweaked version (no extra debugs message) is now applied to Squid-4 and should be in the next releases.

Great, thanks. Any chance for this to hit the 3.5 branch as well? -Andre

Yes if it works for you it should be in the next release.

It works! ;-) -Andre

___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid 3.5: internal-static icons on ftp:// requests
When browsing e.g. ftp://ftp.mozilla.org/pub/thunderbird/releases/31.5.0/win32/en-GB/ I miss the internally generated icons and receive an error message in the logs:

2015/05/17 20:03:44 kid1| internalStart: unknown request:
GET /squid-internal-static/icons/silk/arrow_up.png HTTP/1.1
Host: ftp.mozilla.org
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-gb;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

The corresponding request for getting the icon is ftp://ftp.mozilla.org/squid-internal-static/icons/silk/application.png and this fails. If I (manually) convert the request into a http request http://ftp.mozilla.org/squid-internal-static/icons/silk/application.png the icon gets loaded (this works as global_internal_static is set to on).

Shouldn't all internal-static requests be http instead of ftp? I have now patched my squid so it enforces http for internal stuff with this patch:

--- src/client_side.cc.ORI 2015-03-28 11:58:05.0 +0100 +++ src/client_side.cc 2015-05-18 19:38:20.98216 +0200
@@ -2683,16 +2683,18 @@ ':' request-port); http-flags.internal = true; } else if (Config.onoff.global_internal_static internalStaticCheck(request-urlpath.termedBuf())) { debugs(33, 2, internal URL found: request-url.getScheme() :// request-GetHost() ':' request-port (global_internal_static on)); request-SetHost(internalHostname()); request-port = getMyPort(); http-flags.internal = true; +request-url.setScheme( AnyP::PROTO_HTTP ); +debugs(33, 2, NEW internal URL: request-url.getScheme() :// request-GetHost() ':' request-port (global_internal_static on)); } else debugs(33, 2, internal URL found: request-url.getScheme() :// request-GetHost() ':' request-port (not this proxy)); } if (http-flags.internal) request-login[0] = '\0'; and now the icons on ftp://ftp.mozilla.org/ appear but I wonder if it is really needed to patch squid for that... ;-). Thanks, -Andre ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
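Review bot: the added `debugs(33, 2, NEW internal URL: ...)` line repeats the level-2 message already logged at the top of the same `global_internal_static` branch, with only the scheme differing, so it can be dropped; the existing message already records the original scheme before `setScheme` rewrites it. The spacing in `request-url.setScheme( AnyP::PROTO_HTTP );` also differs from the neighbouring calls such as `request-SetHost(internalHostname());` and should match them. The scheme is forced to HTTP only in this branch, while the preceding branch also sets `http-flags.internal = true` without touching the scheme; a short comment saying why only the global-static case needs the rewrite would help the next reader.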
Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 22:58:40 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:

We have been using squid in our development environment. Squid has been forwarding all the internet bound traffic to a proxy server that did not need any authentication until now. But that has changed now and now we have to use another proxy server that uses NTLM based authentication.

Now our servers in this development environment only have local users (users logging in are not authenticated Windows AD). Does the Squid NTLM authentication setup still work in this setup? Can the NTLM setup be configured to use specified user (and password hopefully encrypted) that can be specified in some configuration file. This is needed as many of our applications (Tomcat, ESB etc) are headless (I mean not just a web browser) and they now need to go thru this new proxy server.

If you want something like this:

      no auth NTLM auth
clients --- squid - NTLM based proxy --- world

I think this is not possible with squid. I worked around this same problem with cntlm using:

      no auth   no auth NTLM auth
clients --- squid --- cntlm - NTLM based proxy --- world

cntlm runs on the same machine as squid does. However, I were happy if the cntlm functionality could be brought into squid one day...

Your wish is granted ;)

Oh, that's good news, thanks!

3.2 will have Kerberos login to cache_peer servers. The code is already committed to the 3.HEAD alpha releases.

Now I am confused: You talk about Kerberos, I thought of NTLM (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily to its upstream. With Kerberos, I always think about tickets, krb-servers and so on. To be honest, I have never been into Windoze's NTLM stuff a lot (I am just happy it works) neither used Kerberos until now.

Sorry. Mea culpa. Been looking at the back-end for too long.

Nevermind. Maybe one day I will hack my own NTLMv2 implementation into squid. Shouldn't be too hard...

Kerberos is the one Squid is getting. The old NTLM is deprecated by MS, the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

So you think it will take 5 years until 3.2 will be ready? :-)

Shifted again has it? :) I was thinking XP is scheduled EOL for 2011

No idea, to be honest. I have heard something of an extended support until 2014... -Andre

nowadays. Maybe wrong. 18 months is our ideal release timeframe. Starting last July when 3.1 was frozen.

Amos
--
Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13

--
I think there is a world market for maybe five computers. - Thomas Watson, chairman of IBM, 1943
Re: [squid-users] squid NTLM setup question
On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:

We have been using squid in our development environment. Squid has been forwarding all the internet bound traffic to a proxy server that did not need any authentication until now. But that has changed now and now we have to use another proxy server that uses NTLM based authentication.

Now our servers in this development environment only have local users (users logging in are not authenticated Windows AD). Does the Squid NTLM authentication setup still work in this setup? Can the NTLM setup be configured to use specified user (and password hopefully encrypted) that can be specified in some configuration file. This is needed as many of our applications (Tomcat, ESB etc) are headless (I mean not just a web browser) and they now need to go thru this new proxy server.

If you want something like this:

      no auth NTLM auth
clients --- squid - NTLM based proxy --- world

I think this is not possible with squid. I worked around this same problem with cntlm using:

      no auth   no auth NTLM auth
clients --- squid --- cntlm - NTLM based proxy --- world

cntlm runs on the same machine as squid does. However, I were happy if the cntlm functionality could be brought into squid one day...

Your wish is granted ;)

Oh, that's good news, thanks!

3.2 will have Kerberos login to cache_peer servers. The code is already committed to the 3.HEAD alpha releases.

Now I am confused: You talk about Kerberos, I thought of NTLM (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily to its upstream. With Kerberos, I always think about tickets, krb-servers and so on. To be honest, I have never been into Windoze's NTLM stuff a lot (I am just happy it works) neither used Kerberos until now. Will there be some kind of How-To for using this new feature?

Thanks a lot for your great work on squid,

-Andre

--
Note: No Micro$oft programs were used in the creation or distribution of this message. If you are using a Micro$oft program to view or forward this message, be forewarned that I am not responsible for any harm you may encounter as a result.
Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:

Andre Albsmeier wrote:

On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:

We have been using squid in our development environment. Squid has been forwarding all the internet bound traffic to a proxy server that did not need any authentication until now. But that has changed now and now we have to use another proxy server that uses NTLM based authentication.

Now our servers in this development environment only have local users (users logging in are not authenticated Windows AD). Does the Squid NTLM authentication setup still work in this setup? Can the NTLM setup be configured to use specified user (and password hopefully encrypted) that can be specified in some configuration file. This is needed as many of our applications (Tomcat, ESB etc) are headless (I mean not just a web browser) and they now need to go thru this new proxy server.

If you want something like this:

      no auth NTLM auth
clients --- squid - NTLM based proxy --- world

I think this is not possible with squid. I worked around this same problem with cntlm using:

      no auth   no auth NTLM auth
clients --- squid --- cntlm - NTLM based proxy --- world

cntlm runs on the same machine as squid does. However, I were happy if the cntlm functionality could be brought into squid one day...

Your wish is granted ;)

Oh, that's good news, thanks!

3.2 will have Kerberos login to cache_peer servers. The code is already committed to the 3.HEAD alpha releases.

Now I am confused: You talk about Kerberos, I thought of NTLM (NTLMv2 to be exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily to its upstream. With Kerberos, I always think about tickets, krb-servers and so on. To be honest, I have never been into Windoze's NTLM stuff a lot (I am just happy it works) neither used Kerberos until now.

Sorry. Mea culpa. Been looking at the back-end for too long.

Nevermind. Maybe one day I will hack my own NTLMv2 implementation into squid. Shouldn't be too hard...

Kerberos is the one Squid is getting. The old NTLM is deprecated by MS, the NTLMv2 will go out with XP before Squid 3.2 is ready for use.

So you think it will take 5 years until 3.2 will be ready? :-)

Thanks,

-Andre

--
In a world without walls and fences, who needs windows and gates?
Re: [squid-users] squid NTLM setup question
On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:

We have been using squid in our development environment. Squid has been forwarding all the internet bound traffic to a proxy server that did not need any authentication until now. But that has changed now and now we have to use another proxy server that uses NTLM based authentication.

Now our servers in this development environment only have local users (users logging in are not authenticated Windows AD). Does the Squid NTLM authentication setup still work in this setup? Can the NTLM setup be configured to use specified user (and password hopefully encrypted) that can be specified in some configuration file. This is needed as many of our applications (Tomcat, ESB etc) are headless (I mean not just a web browser) and they now need to go thru this new proxy server.

If you want something like this:

      no auth NTLM auth
clients --- squid - NTLM based proxy --- world

I think this is not possible with squid. I worked around this same problem with cntlm using:

      no auth   no auth NTLM auth
clients --- squid --- cntlm - NTLM based proxy --- world

cntlm runs on the same machine as squid does. However, I were happy if the cntlm functionality could be brought into squid one day...

-Andre

--
Failure is not an option -- it comes bundled with Windows.
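The squid-to-cntlm chain described in the message above, as an added configuration sketch (not taken from the thread or from either project's documentation). The account name, domain, upstream host, ports and the cntlm.conf path are assumed placeholders.

```conf
# ---------- /etc/cntlm.conf (path is an assumption) ----------
# Service account used towards the NTLM proxy (placeholder values).
Username    svc-proxy
Domain      EXAMPLE

# Store the NTLMv2 hash printed by `cntlm -H` instead of a plaintext
# Password line. The hash is NOT an encrypted password: anyone who can
# read it can authenticate as this account, so keep this file mode 0600
# and owned by the user cntlm runs as.
PassNTLMv2  REPLACE_WITH_HASH_FROM_cntlm_-H
Auth        NTLMv2

# The upstream proxy that demands NTLM (placeholder host:port).
Proxy       upstream-proxy.example.net:8080

# Bind to loopback only: cntlm itself asks its clients for no
# credentials, so any host that can reach this port browses as svc-proxy.
Listen      127.0.0.1:3129
Gateway     no

# ---------- squid.conf (same machine) ----------
# Clients talk to squid without authentication.
http_port 3128

# Hand every request to the local cntlm instance.
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest default

# Never go direct, so nothing bypasses the authenticated parent.
never_direct allow all
```

Because cntlm answers unauthenticated requests on its listen port, squid's own `http_access` rules become the only control over who may use the service account's identity upstream.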