Re: [squid-users] Question about SquidGuard and blocking pages
looks like a config is missing. in my setup I have prepared the internal access-denied page and put a fqdn on use an internal dns zone you have to resolve it. squid does pretty good on filtering, and it includes filter via IP. try to have the page with url resolved to a zone entry you have, and try it again. if not you can always whitelist the url.

hope that helps.

-Beavis

On Thu, Jul 22, 2010 at 7:19 AM, Silamael silam...@coronamundi.de wrote:
> Hello!
>
> We're using SquidGuard for blocking certain URLs. Now, the problem is that SquidGuard redirects to some internal://.../error-access-denied URL, but in this page this internal URL is shown as blocked URL instead of the original URL.
> Is that any configuration problem or did I stumble over some Squid bug here?
>
> Thanks!
>
> -- Matthias

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
[squid-users] AuthNTLMConfig (squid 3.0) unrecognised
Hi,

I was successful in running ntlm_auth. (kerberos - OK, samba - OK) with the following config on my squid.conf

    auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param ntlm use_ntlm_negotiate off
    auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid Proxy
    auth_param basic credentialsttl 5 hours
    acl ntlm proxy_auth REQUIRED
    http_access allow ntlm

I can run Squid by issuing squid -D but it will still display the following error, and continue to run squid.

    2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
    2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'
    2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'use_ntlm_negotiate'

any help would be awesomely appreciated.

-b
Re: [squid-users] AuthNTLMConfig (squid 3.0) unrecognised
thanks amos.. I actually took out those lines and it worked ok =)

On Wed, Jul 1, 2009 at 6:54 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Wed, 1 Jul 2009 18:43:21 -0600, Beavis pfu...@gmail.com wrote:
>> Hi,
>>
>> I was successful in running ntlm_auth. (kerberos - OK, samba - OK) with the following config on my squid.conf
>>
>>     auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>     auth_param ntlm children 5
>>     auth_param ntlm max_challenge_reuses 0
>>     auth_param ntlm max_challenge_lifetime 2 minutes
>>     auth_param ntlm use_ntlm_negotiate off
>>     auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>     auth_param basic children 5
>>     auth_param basic realm Squid Proxy
>>     auth_param basic credentialsttl 5 hours
>>     acl ntlm proxy_auth REQUIRED
>>     http_access allow ntlm
>>
>> I can run Squid by issuing squid -D but it will still display the following error, and continue to run squid.
>>
>>     2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
>>     2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'
>>     2009/07/01 18:37:14| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'use_ntlm_negotiate'
>>
>> any help would be awesomely appreciated.
>>
>> -b
>
> http://www.mail-archive.com/squid-users@squid-cache.org/msg43675.html
>
> PS. I'm not sure why Visolve list it still in their manuals. They have lots of nice simple explanations, but it's not very current.
>
> Amos
[squid-users] ntlm group acl's
is it possible for squid to have the option where it can be tailored to apply ACLs based on groups on AD?

any help would be awesomely appreciated.

regards,
-b
[squid-users] Squid 3.0 STABLE16
Hi,

I'm looking for the ldap_auth option for squid 3.0. all I see on the ./configure options are the following

    --enable-basic-auth-helpers= (OPTIONS: digest_auth, negotiate_auth, basic_auth, external_acl, ntlm_auth)
    --enable-auth= (OPTIONS: digest, ntlm, basic, negotiate)

If someone can point me to the right direction, I would very much appreciate it.

-b
[squid-users] Re: Squid 3.0 STABLE16
sorry for the noise .. I found it.. thanks again.

On Tue, Jun 30, 2009 at 1:24 PM, Beavis pfu...@gmail.com wrote:
> Hi,
>
> I'm looking for the ldap_auth option for squid 3.0. all i see on the ./configure options are the following
>
>     --enable-basic-auth-helpers= (OPTIONS: digest_auth, negotiate_auth, basic_auth, external_acl, ntlm_auth)
>     --enable-auth= (OPTIONS: digest, ntlm, basic, negotiate)
>
> If someone can point me to the right direction, I would very much appreciate it.
>
> -b
[squid-users] Squid for Windows users **Best Practice**
All,

I just want to get some views from folks that use squid on a windows environment. I'm looking at the following scenario.

a.) running squid that can be used by windows users (auth via ldap, ntlm. AD)
b.) site access is on a per group basis (squid auth or through squidguard)
c.) Squid Redundancy.

any help will be awesomely appreciated.

-b
Re: [squid-users] Squid for Windows users **Best Practice**
thanks for the reply amos..

I'm sorry it seems that I have not been clear on how I want to do this. I'm not planning to put squid on windows, my plan is to get some best practice from folks that have experience on using squid as a proxy for their windows network (with AD and all). I'm looking for some suggestions or common setups on their squid where.

a.) squid can determine the AD user's group and give them their own list of ACLs
b.) redundancy setups
c.) recommended most common way of authenticating AD users to squid. (NTLM, LDAP, ADS)

thanks again,
-b

On Tue, Jun 16, 2009 at 6:54 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Tue, 16 Jun 2009 17:29:33 -0600, Beavis pfu...@gmail.com wrote:
>> All,
>>
>> I just want to get some views from folks that use squid on a windows environment. I'm looking at the following scenario.
>>
>> a.) running squid that can be use by windows users (auth via ldap, ntlm. AD)
>> b.) site access is on a per group basis (squid auth or through squidguard)
>> c.) Squid Redundancy.
>
> Being a squid linux admin with many users on windows I can say that none of the above require Squid to run on a windows box.
> Samba + the provided squid helpers handle windows authentications just fine from most non-windows OS.
>
> Amos
[squid-users] NTLM on Squid
Hi list,

Has anyone here been able to deploy a successful NTLM Squid Setup? one that can separate Access to specific Resources, I'm sort of a newbie on squid's NTLM and would be more than grateful if anyone can help me out.

thanks,
-B
[squid-users] Allow Streaming media through squid
hello list:

I have a squid box version:

    Squid Cache: Version 2.6.STABLE16
    configure options: '--prefix=/var/squid' '--enable-snmp' '--enable-arp-acl' '--enable-htcp' '--enable-follow-x-forwarded-for' '--enable-ssl' '--disable-wccp' '--disable-wccpv2' '--with-openssl=/usr' '--enable-icmp' '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log' '--with-large-files' '--enable-kill-parent-hack' '--enable-multicast-miss' '--enable-pthreads'

I have squidGuard and AdZap in place as filters. the filters worked great, but I would like to allow video streaming through squid as well. I have tried putting the URL on a whitelist but without any luck. I haven't set up any blocking method on streaming but it seems to be doing it. below are my logs.

    1201525684.377222 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 313 GET http://www.cie.purdue.edu/cie.css - DIRECT/128.210.63.40 -
    1201525684.478100 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 329 GET http://www.cie.purdue.edu/images/logo_purdue3.gif - DIRECT/128.210.63.40 -
    1201525684.511 1366 172.20.0.253 TCP_MISS/200 19230 GET http://www.cie.purdue.edu/media/index.cfm - DIRECT/128.210.63.40 text/html
    1201525684.581102 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 330 GET http://www.cie.purdue.edu/images/button_search.gif - DIRECT/128.210.63.40 -
    1201525684.603216 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 324 GET http://www.cie.purdue.edu/images/logo_cie.gif - DIRECT/128.210.63.40 -
    1201525684.606215 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 322 GET http://www.cie.purdue.edu/images/spacer.gif - DIRECT/128.210.63.40 -
    1201525684.716135 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 328 GET http://www.cie.purdue.edu/images/arrow_links.gif - DIRECT/128.210.63.40 -
    1201525684.728124 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 327 GET http://www.cie.purdue.edu/images/header_dot.gif - DIRECT/128.210.63.40 -
    1201525684.728122 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 323 GET http://www.cie.purdue.edu/images/Petrin.jpg - DIRECT/128.210.63.40 -
    1201525684.834237 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 324 GET http://www.cie.purdue.edu/images/bg_links.gif - DIRECT/128.210.63.40 -
    1201525684.841124 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 326 GET http://www.cie.purdue.edu/images/wmp_small.gif - DIRECT/128.210.63.40 -
    1201525684.842113 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 323 GET http://www.cie.purdue.edu/images/Bodner.jpg - DIRECT/128.210.63.40 -
    1201525687.047242 172.20.0.253 TCP_MISS/200 7351 GET http://edge1.catalog.video.msn.com/videoByTag.aspx? - DIRECT/204.245.162.18 text/xml
    1201525690.545159 172.20.0.253 TCP_MISS/200 221 POST http://mail.google.com/mail/channel/bind? - DIRECT/66.249.83.83 text/html
    1201525693.612 4 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/close.gif - NONE/- image/gif
    1201525693.614 1 172.20.0.253 TCP_IMS_HIT/304 248 GET http://www.cie.purdue.edu/images/spacer.gif - NONE/- image/gif
    1201525693.618 4 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/helpful_links.gif - NONE/- image/gif
    1201525693.692446 172.20.0.253 TCP_MISS/200 6953 GET http://www.cie.purdue.edu/media/play.cfm? - DIRECT/128.210.63.40 text/html
    1201525693.821128 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/close_f2.gif - NONE/- image/gif
    1201525693.822 0 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/close_f4.gif - NONE/- image/gif
    1201525693.824 1 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/close_f3.gif - NONE/- image/gif
    1201525694.469192 172.20.0.253 TCP_MISS/200 529 GET http://video.dis.purdue.edu/CIE/Petrin.wmv - DIRECT/128.210.13.134 video/x-ms-wvx
    1201525694.666189 172.20.0.253 TCP_MISS/200 534 GET http://video.dis.purdue.edu/CIE/Petrin.wmv - DIRECT/128.210.13.134 video/x-ms-wvx

is there any other setting I may need to put into my squid.conf directly in order to allow streaming? or does it do it by default (which if it does by default for some weird reason it's not working on mine).

any help would be awesomely appreciated.

-b
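Added example (not part of the original post and not Squid code): a small Python triage script for access.log in Squid's native format that counts result codes, lists TCP_DENIED entries and lists replies with an audio/ or video/ MIME type. The first four sample lines are copied from the post above; the TCP_DENIED line, its host video.example.test and the malformed line are constructed for the example.

```python
import re
from collections import Counter

# Squid native access.log fields:
#   time elapsed client code/status bytes method URL ident hierarchy/peer mime
# The timestamp always has exactly three decimals, so an entry whose padding
# before "elapsed" was lost (as in some lines of the post) still splits cleanly.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s*(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+"
    r"(?P<mime>\S+)\s*$"
)

SAMPLE = [
    # Copied from the post:
    "1201525684.377222 172.20.0.253 TCP_CLIENT_REFRESH_MISS/304 313 GET http://www.cie.purdue.edu/cie.css - DIRECT/128.210.63.40 -",
    "1201525684.511 1366 172.20.0.253 TCP_MISS/200 19230 GET http://www.cie.purdue.edu/media/index.cfm - DIRECT/128.210.63.40 text/html",
    "1201525693.612 4 172.20.0.253 TCP_IMS_HIT/304 249 GET http://www.cie.purdue.edu/images/close.gif - NONE/- image/gif",
    "1201525694.469192 172.20.0.253 TCP_MISS/200 529 GET http://video.dis.purdue.edu/CIE/Petrin.wmv - DIRECT/128.210.13.134 video/x-ms-wvx",
    # Constructed for this example (not from the post):
    "1201525700.120 3 172.20.0.253 TCP_DENIED/403 1412 GET http://video.example.test/clip.wmv - NONE/- text/html",
    "this is not an access.log entry",
]

def parse_line(line):
    """Return the fields of one access.log entry as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("elapsed", "status", "size"):
        entry[key] = int(entry[key])
    return entry

def triage(lines):
    """Tally result codes; collect denied requests and audio/video replies."""
    codes, denied, media, skipped = Counter(), [], [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # count unparsable lines, never guess at them
            continue
        codes[entry["code"]] += 1
        if entry["code"] == "TCP_DENIED":
            denied.append(entry)
        if entry["mime"].startswith(("audio/", "video/")):
            media.append(entry)
    return {"codes": codes, "denied": denied, "media": media, "skipped": skipped}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(dict(result["codes"]), "skipped:", result["skipped"])
    for e in result["denied"]:
        print("DENIED", e["client"], e["status"], e["url"])
    for e in result["media"]:
        print("MEDIA ", e["status"], e["size"], e["mime"], e["url"])
```

An empty denied list means Squid logged no TCP_DENIED result for those requests; the media list shows the status and byte count of each audio/video reply that did pass through.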
Re: [squid-users] proxy behind corporate proxy
Melanie

if you're using some flavor of *nix you might want to try setting this to your proxy box.

    export http_proxy=http://proxy-server-ip:port

this will let you use your corporate proxy settings for browsing

good luck,
beavis

On Jan 11, 2008 5:08 AM, Melanie Pfefer [EMAIL PROTECTED] wrote:
> hello
>
> I have installed squid 3.0 behind a corporate proxy. what needs to be configured on this server so that it uses the corporate proxy?
>
> thanks
Re: [squid-users] Opinions on Setup...
Andy,

your setup looks plausible, I have little experience with carp (I use them for firewalls and the fw' sessions get sync pretty well on both machines) my only question would be how will carp be able to tell the sessions initiated/managed by squid? all of them will come in through port 3128 right? and carp will just sync that on the other box. once the query is processed it's being handled entirely by squid, But I might be wrong as well.

anyways, I would recommend to just do DNS round-robin on both squid boxes.

my .2cents
-beavis

On Jan 9, 2008 9:20 AM, Andy McCall [EMAIL PROTECTED] wrote:
> Hi Folks,
>
> A few weeks ago I posted a message on this list about setting up two squid-caching-only servers for two WebMarshal content-checking-only servers for around 120 schools. I was pointed in the general direction by Amos and I have finally come to a configuration that may work and was hoping for some input.
>
> The squid servers will be on the same network, and running RedHat Linux Enterprise 5. I was then going to configure two CARP interfaces on them, e.g. 192.168.0.1 and 192.168.0.2. A single DNS entry for squid-proxy.domain.gov.uk will point to 192.168.0.1 and 192.168.0.2 and the squid cache's will be set up as cache_peer's of each other.
>
> Can anyone think of any issues I will have with this set up, or can anyone think of anything else that will help my setup?
>
> Thanks,
>
> Andy McCall
> Senior Technical Officer
> --
> ICT Printing, The Unity Partnership...
> ...working with Oldham Metropolitan Borough Council
> Civic Centre
> West Street
> Oldham OL1 1UU
> --
> Telephone: 0161 770 8814
> Fax: 0161770 3998
> Email: [EMAIL PROTECTED]
Re: [squid-users] allow audio on sites in squid
thanks for the reply guys.. appreciate it!!.. I'll work on this one today.

peace,
beavis

On Dec 14, 2007 2:16 AM, Amos Jeffries [EMAIL PROTECTED] wrote:
> Beavis wrote:
>> hi guys,
>>
>> Is there a rule to be able to detect most of the audio and video mostly podcasts to pass through squid? I currently have squid stable 16 setup on my environment and we have internal sites that play back .wav files that were automatically loaded on the browser via window mediaplayer. but for some weird reason it gets blocked and people aren't able to hear them. I'm basically looking for a general rule that will be able to pass these mime types through the proxy.
>
> The rep_mime_type ACL for each mime type linked with http_reply_access should do it easily.
>
> If you already have the default http_reply_access allow all then I would suggest looking at your http_access rules closer since it's likely the INPUT side blocking before the OUTPUT side ever gets any data.
>
> Amos
[squid-users] allow audio on sites in squid
hi guys,

Is there a rule to be able to detect most of the audio and video mostly podcasts to pass through squid? I currently have squid stable 16 setup on my environment and we have internal sites that play back .wav files that were automatically loaded on the browser via window mediaplayer. but for some weird reason it gets blocked and people aren't able to hear them. I'm basically looking for a general rule that will be able to pass these mime types through the proxy.

regards,
beavis
Re: [squid-users] NIC and Squid
I'm not sure if it's possible to bind it to a physical interface but you can sure bind it to an IP address

http://www.squid-cache.org/Versions/v2/2.6/cfgman/tcp_outgoing_address.html

regards,
-pf

On 11/6/07, stephane lepain aka riganta [EMAIL PROTECTED] wrote:
> Hi Guys,
>
> I am wondering if there is any possibilities for me to tell squid to act only on one NIC. Indeed, I have two of them on my PC and would like Squid to use only one.
>
> --
> Stephen
> Cordialement, Best Regards
Re: [squid-users] Bandwidth savings?
nick,

you can always try to do a test without squid and compare your graphs generated by cacti. (with and without squid). this is quite common and always raises management's eyebrows but .. I guess it's part of the Layer 9 (political layer) jk!.

cheers,
-pf

On 11/2/07, Nick Duda [EMAIL PROTECTED] wrote:
> What is a good utility to determine how much bandwidth in bits/sec or mb is being saved using squid. I'm using the templates for squid in Cacti and it's showing some numbers that are showing a good saving and management is having a hard time believing it.
[squid-users] web-based email always reloads on SQUID
has anyone here encountered an issue with how squid handles web-based emails? (gmail, yahoo, hotmail)

I'm running squid 2.6-stable16 on an openbsd box. every time I try to log into gmail, yahoo or any other web-based email service all I see is the page that reloads all the time.. without ever really getting through the site.

below are my logs:

    1192557563.121 1825 172.16.100.50 TCP_MISS/200 4910 CONNECT www.google.com:443 - DIRECT/209.85.165.104 -
    1192557563.230103 172.16.100.50 TCP_MISS/302 867 GET http://mail.google.com/mail/? - DIRECT/209.85.133.18 text/html
    1192557563.592360 172.16.100.50 TCP_MISS/200 2385 GET http://mail.google.com/mail/? - DIRECT/209.85.133.83 text/html
    1192557563.826149 172.16.100.50 TCP_MISS/200 352 GET http://mail.google.com/mail/? - DIRECT/209.85.133.19 text/html
    1192557563.846168 172.16.100.50 TCP_MISS/200 352 GET http://mail.google.com/mail/? - DIRECT/209.85.133.83 text/html

any help would be awesomely appreciated.

thanks,
-pf
Re: [squid-users] web-based email always reloads on SQUID
thanks for the reply alexandre ... I found what the issue was .. there's something funked with the header_access options that a colleague of mine put into the config file. he basically wanted squid to act as an elite proxy, and not give away x-for and http-via keys. he did succeed but it broke gmail, yahoo and the rest of the webmails...

I was able to get it to work by removing the header_access and just configure the following options.

    via off
    forwarded_for off

regards,
-pf

On 10/16/07, Alexandre Correa [EMAIL PROTECTED] wrote:
> gmail uses HTTPS .. i think yahoo too !!
>
> On 10/16/07, Beavis [EMAIL PROTECTED] wrote:
>> has anyone here encountered an issue with how squid handles web-based emails? (gmail, yahoo, hotmail)
>>
>> Im running squid 2.6-stable16 on a openbsd box. everytime i try to logged into gmail, yahoo or any other web-based email service all i see is the page that reloads all the time.. without ever really getting through the site.
>>
>> below are my logs:
>>
>>     1192557563.121 1825 172.16.100.50 TCP_MISS/200 4910 CONNECT www.google.com:443 - DIRECT/209.85.165.104 -
>>     1192557563.230103 172.16.100.50 TCP_MISS/302 867 GET http://mail.google.com/mail/? - DIRECT/209.85.133.18 text/html
>>     1192557563.592360 172.16.100.50 TCP_MISS/200 2385 GET http://mail.google.com/mail/? - DIRECT/209.85.133.83 text/html
>>     1192557563.826149 172.16.100.50 TCP_MISS/200 352 GET http://mail.google.com/mail/? - DIRECT/209.85.133.19 text/html
>>     1192557563.846168 172.16.100.50 TCP_MISS/200 352 GET http://mail.google.com/mail/? - DIRECT/209.85.133.83 text/html
>>
>> any help would be awesomely appreciated.
>>
>> thanks,
>> -pf
>
> --
> Sds.
> Alexandre J. Correa
> Onda Internet / OPinguim.net
> http://www.ondainternet.com.br
> http://www.opinguim.net