[squid-users] allowed sites acl gives problem
Dear All,

I have been using Squid for quite some time and it's an excellent, stable product. By the way, I do have some difficulty.

I want to allow only specific sites to specific machines. Let me explain: I have 3 machines with IPs of 172.16.2.22, 172.16.2.23 and 172.16.2.24. These three machines have to be able to access only a few sites like www.yahoo.com, www.google.com and www.cnn.com, and probably a couple will be added later.

So I did add an ACL like below:

    acl sunray_allowed src 172.16.2.22 172.16.2.23 172.16.2.24
    acl good_sites url_regex "/etc/squid/allowed-sites.squid"
    http_access allow sunray_allowed good_sites

Here is my allowed-sites.squid file:

    .yahoo.com
    .google.com
    .cnn.com

Now when I go to www.google.com it works fine, but when I go to yahoo or cnn the page is not displayed properly. The squid access.log says:

    287745303.890 0 172.16.2.23 TCP_DENIED/403 1311 GET http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.js - NONE/- text/html
    1287745303.903 0 172.16.2.23 TCP_DENIED/403 1309 GET http://content.dl-rms.com/rms/mother/5721/nodetag.js - NONE/- text/html
    1287745303.911 0 172.16.2.23 TCP_DENIED/403 1333 GET http://i.cdn.turner.com/cnn/.element/js/3.0/hpsectiontracking.js - NONE/- text/html
    1287745303.916 0 172.16.2.23 TCP_DENIED/403 1285 GET http://i.cdn.turner.com/cnn/images/1.gif - NONE/- text/html
    1287745303.917 0 172.16.2.23 TCP_DENIED/403 1275 GET http://js.revsci.net/gateway/gw.js? - NONE/- text/html
    1287745303.917997 172.16.2.23 TCP_MISS/000 0 GET http://www.cnn.com/ght= - DIRECT/157.166.224.26 -
    1287745304.086724 172.16.2.23 TCP_MISS/302 730 GET http://www.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.226.25 text/html
    1287745304.999913 172.16.2.23 TCP_REFRESH_HIT/304 426 GET http://edition.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.224.45 image/gif
    1287745305.346327 172.16.2.23 TCP_REFRESH_MISS/302 727 GET http://www.cnn.com/tools/search/cnncom.xml - DIRECT/157.166.226.25 text/html

Other sites are denied as normal, which is perfect.

I also tried using dstdomain in place of url_regex but got the same problem.

I would really appreciate it if someone could help me.

regards
simon

--
Network ADMIN - KUWAIT MUNICIPALITY

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
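
Added example, not part of the original thread: the TCP_DENIED lines in the log above are all for hosts outside the three listed domains (i.cdn.turner.com, content.dl-rms.com, js.revsci.net), requested while www.cnn.com was loading. This Node.js sketch lists, per client, the denied hosts that no allow-list entry covers, using dstdomain matching; the log lines are constructed in Squid's native format from hosts seen above, and the function names are hypothetical.

```javascript
// Added example (not from the original post). Sample lines are constructed
// in Squid's native access.log layout, using hosts seen in the log above.
const SAMPLE_LOG = `
1287745303.890      0 172.16.2.23 TCP_DENIED/403 1311 GET http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.js - NONE/- text/html
1287745303.903      0 172.16.2.23 TCP_DENIED/403 1309 GET http://content.dl-rms.com/rms/mother/5721/nodetag.js - NONE/- text/html
1287745303.911      0 172.16.2.23 TCP_DENIED/403 1333 GET http://i.cdn.turner.com/cnn/.element/js/3.0/hpsectiontracking.js - NONE/- text/html
1287745303.917      0 172.16.2.23 TCP_DENIED/403 1275 GET http://js.revsci.net/gateway/gw.js? - NONE/- text/html
1287745304.086    724 172.16.2.23 TCP_MISS/302 730 GET http://www.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.226.25 text/html
1287745304.999    913 172.16.2.23 TCP_REFRESH_HIT/304 426 GET http://edition.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.224.45 image/gif
`;

// Entries as they would appear in a dstdomain list file.
const ALLOWED = ['.yahoo.com', '.google.com', '.cnn.com'];

// dstdomain semantics: ".cnn.com" matches cnn.com and every subdomain of it;
// an entry without the leading dot matches that exact host only.
function dstdomainMatch(host, entry) {
  host = host.toLowerCase();
  entry = entry.toLowerCase();
  if (!entry.startsWith('.')) return host === entry;
  return host === entry.slice(1) || host.endsWith(entry);
}

// Native format fields: time elapsed client code/status bytes method URL ...
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const [result, status] = f[3].split('/');
  let host;
  if (f[5] === 'CONNECT') {
    host = f[6].split(':')[0]; // CONNECT logs host:port, not a URL
  } else {
    try { host = new URL(f[6]).hostname; } catch (e) { return null; }
  }
  return { client: f[2], result, status: Number(status), host };
}

// Count, per client, denied hosts that no allow-list entry covers.
function deniedDependencies(logText, allowed) {
  const out = {};
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec || rec.result !== 'TCP_DENIED') continue;
    if (allowed.some((e) => dstdomainMatch(rec.host, e))) continue;
    out[rec.client] = out[rec.client] || {};
    out[rec.client][rec.host] = (out[rec.client][rec.host] || 0) + 1;
  }
  return out;
}

console.log(deniedDependencies(SAMPLE_LOG, ALLOWED));
```

Each host added to the allow list widens what the restricted machines can reach, so the output is a review list rather than something to append wholesale.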
Re: [squid-users] help on squid setup
Thanks guys,

I really appreciate your quick reply. I will try out your advice and check it out. And Mr Kaya, you don't have to apologize at all. I should indeed be so grateful to you that you spent your precious, valuable time to read my mail and to reply to it.

Thanks once again guys.

regards
simon

> [...]
>>
>> I want to implement linux squid proxy server so that i have better
>> controls that is ( time based restrictions , ip based restrictions and
>> block certain web sites ) through squid ACLS
>>
>> I think i have to implement squid as a transparent proxy server with 2
>> lan cards on the squid server
>>
> [...]
>
> Hi Simon, you should be able to do all this from within the router if it
> is a fairly good one
>
> The Cisco 88x and 89x series definitely do this very well and as for the
> 88x are ADSL capable! The 89x can be plugged into an ADSL modem or even
> Metro Ethernet solution or alternately backup line.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
> {for ACLs}
>
> Anyhow what I'm trying to say is that it should take off the load of
> adding extra machines and also reduce overall cost too.
>
> However if you must use a Squid solution then here are some places to
> start:
>
> http://www.visolve.com/squid/
>
> http://www.squid-cache.org/Doc/config/
>
> and some config examples here:
>
> http://wiki.squid-cache.org/ConfigExamples/
>
> apologies for not being able to help further, however I only use squid
> as reverse proxy in my network environment :-)
>
> Hope this gets you started though!
>
> Regards,
>
> Kaya
[squid-users] help on squid setup
Dear All,

I have used Squid before but I'm a little confused as to how to implement Squid on the following setup.

Current setup as follows:

DSL router with a public IP for the WAN (connection to the ISP)
LAN IP address on DSL router is 192.168.1.254
local network 192.168.100.0/24

Right now the clients have the gateway as 192.168.1.254 and they are able to access the internet fine.

I want to implement a Linux Squid proxy server so that I have better controls, that is (time based restrictions, IP based restrictions and block certain web sites) through Squid ACLs.

I think I have to implement Squid as a transparent proxy server with 2 LAN cards on the Squid server.

I'd appreciate it if someone could advise me on how to go about the setup, or give some links which explain the setup I'd like to implement.

thanks and regards
simon
Re: [squid-users] direct access for local intranet urls
> On 27.05.09 18:55, RoLaNd RoLaNd wrote:
>> Subject: [squid-users] direct access for local intranet urls
>
>> i'm not sure how to do this, though i want to make sure that my local
>> intranet sites aren't cached with squid.
>

If you need to bypass the squid server and access your local internet sites, there are 2 ways:

1) In your browser, use the option "bypass local sites" and specify the sites to be bypassed, which is very immature.
2) The professional way is using a proxy.pac file, which I have been using since we have over 1000 users and about a dozen intranet servers.

regards
simon

>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them
[squid-users] block a particular country with squid acl
Dear all,

I have a squid proxy server working fine and all my users are going through squid.

I would like to block all sites in China and Korea, since we don't want any users going to any of these countries' websites because of the language issues and to reduce unnecessary load or attacks. We did recently have one.

Now I was just googling around but it did not help me much.

I'd appreciate it if someone can help me with how I could do it with a squid ACL.

Thanks in advance.

regards
simon
[squid-users] Thanks Re: [squid-users] squid and proxy.pac file query
> Benedict simon wrote:
>> Dear All,
>>
>>
>> I am sorry if I am posting it to the wrong group
>> I have Centos OS 5.2 server with squid-2.6.STABLE6-5.el5_1.3 running
>> perfect for quite some time
>>
>> we have a couple of local intranet web sites which are working with or
>> without the bypass proxy server for local address in their browsers.
>>
>> now our intranet sites are going to increase by about 10 more servers and
>> we would like to implement a proxy.pac file
>>
>> after googling and trying out a couple of options I am still not able to
>> get it working successfully
>>
>> here below are my details
>>
>> proxy.pac file in /var/www/html .. the apache root
>> -
>> #
>> function FindProxyForURL(url, host)
>> {
>> // variable strings to return
>> var proxy_yes = "PROXY proxy.baladia.gov.kw:3128";
>> var proxy_no = "DIRECT";
>> if (shExpMatch(url, "http://www.baladia.gov.kw*")) { return proxy_no; }
>> if (shExpMatch(url, "http://host.kmun.gov.kw*")) { return proxy_no; }
>> if (shExpMatch(url, "http://km_online*")) { return proxy_no; }
>> // Proxy anything else
>> return proxy_yes;
>> }
>> ---
>>
>> apache is working fine because if I run the command in the browser address
>> http://proxy.baladia.gov.kw/proxy.pac I do get a prompt to save or open
>> the proxy.pac file
>>
>>
>> I have added the following in /etc/mimetypes
>>
>> application/x-ns-proxy-autoconfig pac
>>
>> also in my /etc/http/conf/httpd.conf file I have
>>
>> AddType application/x-ns-proxy-autoconfig .pac
>>
>> now in my client browser IE 6 I have in lan setting ==>Use automatic
>> configuration script selected and
>> have..http://proxy.baladia.gov.kw/proxy.pac
>>
>> now when I start the browser on the client I am not able to browse
>>
>> I check the apache access log
>>
>> every time I start the browser I get one line of log
>>
>> 172.16.2.21 - - [06/Apr/2009:18:24:16 +0300] "GET /proxy.pac HTTP/1.1"
>> 200
>> 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
>>
>> also in my squid access logs I don't see anything
>>
>
> This indicates there is a problem with the PAC file itself.
>
>> can't figure out what I could be missing or where I could be going wrong
>> I would highly appreciate it if someone could help me out
>>
>
> Try a simplified file, such as...
>
> function FindProxyForURL(url,host)
> {
> return "PROXY proxy.baladia.gov.kw:3128";
> }
>
> ...which should cause the browser to use proxy for everything.
>
>> regards
>>
>> simon
>>
>
> Chris

Thanks Chris, and I appreciate your quick reply.

I will try the simple version of the PAC file and check it out.

regards
simon
[squid-users] squid and proxy.pac file query
Dear All,

I am sorry if I am posting it to the wrong group.

I have a Centos OS 5.2 server with squid-2.6.STABLE6-5.el5_1.3 running perfectly for quite some time.

We have a couple of local intranet web sites which are working with or without the "bypass proxy server for local address" option in their browsers.

Now our intranet sites are going to increase by about 10 more servers and we would like to implement a proxy.pac file.

After googling and trying out a couple of options I am still not able to get it working successfully.

Here below are my details.

proxy.pac file in /var/www/html .. the apache root
-
    #
    function FindProxyForURL(url, host)
    {
    // variable strings to return
    var proxy_yes = "PROXY proxy.baladia.gov.kw:3128";
    var proxy_no = "DIRECT";
    if (shExpMatch(url, "http://www.baladia.gov.kw*")) { return proxy_no; }
    if (shExpMatch(url, "http://host.kmun.gov.kw*")) { return proxy_no; }
    if (shExpMatch(url, "http://km_online*")) { return proxy_no; }
    // Proxy anything else
    return proxy_yes;
    }
---

Apache is working fine, because if I run the command in the browser address http://proxy.baladia.gov.kw/proxy.pac I do get a prompt to save or open the proxy.pac file.

I have added the following in /etc/mimetypes:

    application/x-ns-proxy-autoconfig pac

Also in my /etc/http/conf/httpd.conf file I have:

    AddType application/x-ns-proxy-autoconfig .pac

Now in my client browser IE 6 I have in LAN settings ==> "Use automatic configuration script" selected, and have http://proxy.baladia.gov.kw/proxy.pac

Now when I start the browser on the client I am not able to browse.

I check the apache access log. Every time I start the browser I get one line of log:

    172.16.2.21 - - [06/Apr/2009:18:24:16 +0300] "GET /proxy.pac HTTP/1.1" 200 414 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

Also in my squid access logs I don't see anything.

I can't figure out what I could be missing or where I could be going wrong.

I would highly appreciate it if someone could help me out.

regards
simon
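
Added example, not the poster's file and not part of the thread: the proxy.pac in the message above decides DIRECT by URL prefix (`http://www.baladia.gov.kw*`), which also matches any longer hostname that merely starts with that text and so sends it around the proxy, while missing `https://` URLs for the same server. The sketch compares that with matching on the `host` argument; `shExpMatch` here is a stand-in for the browser's PAC helper so the code runs under Node, and `findProxyByUrlPrefix`, `compare` and the example.net / example.org hosts are constructed for illustration.

```javascript
// Added example. Only FindProxyForURL and the two vars above it would go
// into a real proxy.pac; the rest is a harness for running it under Node.
var PROXY = 'PROXY proxy.baladia.gov.kw:3128';
var INTRANET_HOSTS = ['www.baladia.gov.kw', 'host.kmun.gov.kw', 'km_online'];

// Stand-in for the PAC helper: shell-style glob, * = any run, ? = one char.
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                  .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// URL-prefix logic as in the posted file.
function findProxyByUrlPrefix(url, host) {
  if (shExpMatch(url, 'http://www.baladia.gov.kw*')) return 'DIRECT';
  if (shExpMatch(url, 'http://host.kmun.gov.kw*')) return 'DIRECT';
  if (shExpMatch(url, 'http://km_online*')) return 'DIRECT';
  return PROXY;
}

// Host-based logic: DIRECT only for an exact intranet hostname.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  for (var i = 0; i < INTRANET_HOSTS.length; i++) {
    if (h === INTRANET_HOSTS[i]) return 'DIRECT';
  }
  return PROXY;
}

// Constructed test inputs: [url, host] as the browser would pass them.
var CASES = [
  ['http://www.baladia.gov.kw/index.html', 'www.baladia.gov.kw'],
  ['http://km_online/', 'km_online'],
  ['http://www.baladia.gov.kw.example.net/', 'www.baladia.gov.kw.example.net'],
  ['https://www.baladia.gov.kw/', 'www.baladia.gov.kw'],
  ['http://www.example.org/', 'www.example.org']
];

function compare(cases) {
  return cases.map(function (c) {
    return {
      url: c[0],
      byPrefix: findProxyByUrlPrefix(c[0], c[1]),
      byHost: FindProxyForURL(c[0], c[1])
    };
  });
}

console.log(compare(CASES));
```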
[squid-users] AD authentication with squid
Thanks guys for your earlier replies, but I just created a new post so that I can explain myself more clearly.

We have a Centos OS server running squid for quite some time with no problems. We also have a win2003 AD server.

Centos 5
squid-2.6.STABLE6-5.el5_1.3

We do have an official plan to implement the domain for all users, for example:

A USER HAS TO LOG ON TO DOMAIN TO GET INTERNET.

If a user does not log on to the ADS, internet access will be denied but he can access the local network.

After googling around I started to work on the below:

http://www.itinfusion.ca/linux/squid-proxy-server-with-windows-ad-authentication/

I managed well to have my linux box authenticate with the AD server by running the following command:

    /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=baladia,dc=local" -D "cn=Administrator,cn=Users,dc=baladia,dc=local" -w "xx" -f sAMAccountName=%s -h aa.aa.aa.aa

where xxx is the password of administrator
aa.aa.aa.aa is the IP address of the AD server

After I put in the username and password I get OK, so authentication is OK.

Now I implemented the above in squid and the dialog box pops up as usual when I access a website. If I put in the correct username and password of a user existing in my ADS, internet is allowed. If it's not correct, internet access is not allowed.

This is fine, but whether the user logs in to the DOMAIN OR NOT he is allowed internet through the squid proxy as long as he correctly enters the user name and password of the ADS user.

But my main purpose is to allow internet only if he logs into ADS, and if he does not log in to ADS he should be denied internet access.

I'd appreciate your kind help or some links which will help me. Or will the above link help me to achieve this, since I have already worked on the above for quite some time?

regards
simon

regards and thanks once again
simon
Re: [squid-users] Re: AD authentication with squid
> In more detail the required steps for squid_kerb_auth (from
> https://sourceforge.net/project/showfiles.php?group_id=196348 or from
> latest
> squid distribution) are:
>
> 1) Install kerberos client package
> 2) Install msktutil package from
> http://dag.wieers.com/rpm/packages/msktutil/
> 3) Configure krb5.conf
> 4) Configure squid by adding
>    auth_param negotiate program /usr/sbin/squid_kerb_auth
>    auth_param negotiate children 10
>    auth_param negotiate keep_alive on
> 5) Create keytab for HTTP/fqdn with msktutil.
>    a) kinit administra...@domain
>    b) msktutil -c -b "CN=COMPUTERS" -s HTTP/ -h -k
>       /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/
>       --server
>       --verbose
>
> 6) Add the following to the squid startup script
>    KRB5_KTNAME=/etc/squid/HTTP.keytab
>    export KRB5_KTNAME
>
> 7) Done
>
> Markus
>

Thanks Markus, I appreciate your quick reply.

Actually I was just working on plain text authentication with my win2003 AD server, basically following from

http://www.itinfusion.ca/linux/squid-proxy-server-with-windows-ad-authentication/

I just managed to have my linux box authenticate with the AD server by running the following command:

    /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=baladia,dc=local" -D "cn=Administrator,cn=Users,dc=baladia,dc=local" -w "xx" -f sAMAccountName=%s -h aa.aa.aa.aa

where xxx is the password of administrator
aa.aa.aa.aa is the IP address of the AD server

After I put in the username and password I get OK, so authentication is OK.

I will just try having ACLs in my squid conf and testing it out.

regards and thanks once again
simon
Re: [squid-users] AD authentication with squid
Dear Amos,

Thanks, and I really appreciate your quick reply.

I will try the link and check it out. Me too, I am a novice in LDAP and not a professional in ADS.

regards
simon

> Benedict simon wrote:
>> Dear All,
>>
>>
>> I have a squid Proxy server on Centos 5 working perfectly for quite
>> some time and now we would like to have squid authenticating with ADS for
>> more control,
>> so that only users that have logged into domain are asked allowed for
>> internet and others who don't log in have internet access denied but only
>> local network services available.
>> I am not a professional in ADS so would really appreciate your help
>> I have been googling around and tried but was only able to authenticate
>> with squid by getting the popup window but not accept the password.
>> I would like plain text authentication since I guess it's the easiest one
>>
>> the setup
>>
>> Centos 5
>> Squid stable 2.6
>>
>> the domain is ADS WINDOWS 2003
>> Domain Name: baladia.local
>> computer name :kmun
>>
>> just cut and paste some squid entries.
>>
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
>> "dc=baladia,dc=local" -D "cn=Administrator,cn=Users,dc=baladia,dc=local"
>> -w "" -f sAMAccountName=%s -h 172.16.2.227
>> auth_param basic children 5
>> auth_param basic realm PROXY SERVER
>> auth_param basic credentialsttl 5 minutes
>>
>> where is the administrator password
>> 172.16.2.227 is the IP address of the domain
>>
>> will the above help me to authenticate user with ADS
>>
>> when I log into the domain and use my browser the window pops up but
>> when
>> I enter the username and password it asks me the same dialog again
>>
>> also if I don't log into domain it's the same
>>
>> the squid accesslog error is
>>
>> 1237471571.612 13 xx.xx.xx.xx TCP_DENIED/407 1761 GET
>> http://vcs2.msg.yahoo.com/capacity testuser
>>
>> where testuser is the username on my domain
>>
>> I'd appreciate it if someone can help me with an example or some links
>> with examples
>>
>> thanks and really would appreciate your kind help
>>
>
> http://wiki.squid-cache.org/ConfigExamples has a section for
> authentication templates and how-tos.
>
> I'm not clued up on LDAP or AD requirements so can't help any further on
> this.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>   Current Beta Squid 3.1.0.6
[squid-users] AD authentication with squid
Dear All,

I have a squid Proxy server on Centos 5 working perfectly for quite some time and now we would like to have squid authenticating with ADS for more control, so that only users that have logged into domain are asked allowed for internet and others who don't log in have internet access denied but only local network services available.

I am not a professional in ADS so would really appreciate your help. I have been googling around and tried but was only able to authenticate with squid by getting the popup window but not accept the password. I would like plain text authentication since I guess it's the easiest one.

the setup

Centos 5
Squid stable 2.6

the domain is ADS WINDOWS 2003
Domain Name: baladia.local
computer name :kmun

Just cut and paste some squid entries.

    auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=baladia,dc=local" -D "cn=Administrator,cn=Users,dc=baladia,dc=local" -w "" -f sAMAccountName=%s -h 172.16.2.227
    auth_param basic children 5
    auth_param basic realm PROXY SERVER
    auth_param basic credentialsttl 5 minutes

where is the administrator password
172.16.2.227 is the IP address of the domain

Will the above help me to authenticate users with ADS?

When I log into the domain and use my browser the window pops up, but when I enter the username and password it asks me the same dialog again.

Also if I don't log into the domain it's the same.

The squid access log error is:

    1237471571.612 13 xx.xx.xx.xx TCP_DENIED/407 1761 GET http://vcs2.msg.yahoo.com/capacity testuser

where testuser is the username on my domain.

I'd appreciate it if someone can help me with an example or some links with examples.

Thanks, and I really would appreciate your kind help. If any more queries are required I'd be most grateful to forward them to you.

regards
simon