[squid-users] Splash page -- detect if client is mobile?

2011-10-10 Thread Dale Mahalko
Is there a way for a splash page to detect if it is being displayed on
a mobile device, and to be able to redirect or show a different page
that is reformatted to fit the much smaller display area of the mobile
screen?

I don't know if this is really a squid-related question, or if this
can all be handled through the magic of javascript, independent of
squid.

-- Dale Mahalko


[squid-users] Splash page -- detect if auto-proxy config worked?

2011-10-10 Thread Dale Mahalko
I am trying to set up a two-layer proxy for public mobile devices,
offering transparent access for the mobile devices that are too stupid
to auto-detect proxy settings via proxy.pac / wpad.

I want an easy way for end-users to find out if their device is using
transparent or auto-detected settings, after they have connected to
the public wireless with no password.

The only way I can see for doing that is to have a splash page that
attempts an HTTPS connection when they first connect, using that to
find out if auto-detect worked or not.  And if it fails, then I can
have a way to direct them to IT support to see what needs to be done
to get proxied access working.

I don't really like this method though, because if they are on the
transparent proxy, there will be a long delay until the HTTPS attempt
finally times out and fails.

Is there some established way for a splash page to quickly identify
if transparent or auto-detect proxy settings are being used? Can a web
browser page somehow interact with the squid cache to discover this?

- Dale Mahalko


Re: [squid-users] prevent squid from temporarily disabling (...) digest ?

2011-10-04 Thread Dale Mahalko
After playing with it some more, I determined that the only extra
rules I need are:
always_direct deny all
never_direct allow all

After doing this, when the upstream M86 / R3000 content filter proxy
blocks access to a site, trying to get to it through squid using https
just results in a blank page in Firefox, or "can't display the
webpage" for IE, which is what I am expecting.

All pfsense firewall rules can be removed other than a single one: LAN
block any address/port to any WAN address/port. This rule blocks all
direct Internet access by clients, but does not prevent squid itself
on pfSense from being able to access the external parent proxy on the
WAN side.

It must have both always_direct and never_direct in there. With only
the "never_direct allow all" and not "always_direct deny all", the
local squid still retrieves content directly, if the upstream content
filtering parent deliberately misses/denies 10 retrieval attempts in
a row.


(For googlers of this issue, the actual spelling in the log files is
"Temporary", not "Temporarily", which looks like a spelling error
to me..)

 Temporary disabling (Not Found) digest from
 Temporary disabling (...) digest
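Added example (Python; not code from the thread or from the Squid project): after
setting "never_direct allow all" and "always_direct deny all" as described above, a
practitioner wants a quick way to confirm the parent really is mandatory. The script
below parses Squid 2.7 native-format access.log lines, flags any request whose
hierarchy code is DIRECT (meaning Squid fetched it itself and bypassed the parent),
summarises the hierarchy codes seen, and lists the "Temporary disabling (...) digest"
lines from cache.log, matching both spellings mentioned in the thread. The log lines
are constructed samples; proxy.foo.com and the IP addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample of Squid 2.7 native-format access.log lines (not from the thread).
# Field order: timestamp elapsed client code/status bytes method URL user hierarchy/peer mime
ACCESS_LOG = """\
1317600001.123    456 10.0.0.5 TCP_MISS/200 5432 GET http://www.example.com/ - FIRST_UP_PARENT/proxy.foo.com text/html
1317600002.456     12 10.0.0.5 TCP_DENIED/403 1120 CONNECT blocked.example.net:443 - NONE/- text/html
1317600003.789    890 10.0.0.5 TCP_MISS/200 9876 CONNECT blocked.example.net:443 - DIRECT/203.0.113.10 -
1317600004.012    300 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
"""

# Constructed cache.log excerpt (not from the thread); includes one noise line and
# both spellings of the digest message.
CACHE_LOG = """\
2011/09/26 10:14:59| Ready to serve requests.
2011/09/26 10:15:01| Temporary disabling (Not Found) digest from proxy.foo.com
2011/09/26 10:16:05| Temporarily disabling (Not Found) digest from proxy2.foo.com
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

DIGEST_RE = re.compile(
    r"Temporar(?:y|ily) disabling \((?P<reason>[^)]*)\) digest from (?P<peer>\S+)"
)


def parse_access_log(text):
    """Yield one dict per well-formed access.log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()


def hierarchy_summary(text):
    """Count requests by hierarchy code (DIRECT, FIRST_UP_PARENT, NONE, ...)."""
    return Counter(rec["hier"] for rec in parse_access_log(text))


def find_direct_fetches(text):
    """Return requests Squid fetched itself instead of through a parent.

    With 'never_direct allow all' plus 'always_direct deny all' in squid.conf this
    list should be empty; any DIRECT entry means the parent proxy was bypassed."""
    return [rec for rec in parse_access_log(text) if rec["hier"] == "DIRECT"]


def digest_disable_events(text):
    """Return (reason, peer) for every 'Temporary disabling (...) digest' cache.log line."""
    return [(m.group("reason"), m.group("peer")) for m in DIGEST_RE.finditer(text)]


if __name__ == "__main__":
    print("hierarchy codes:", dict(hierarchy_summary(ACCESS_LOG)))
    for rec in find_direct_fetches(ACCESS_LOG):
        print(f"BYPASS: {rec['client']} {rec['method']} {rec['url']} "
              f"via {rec['hier']}/{rec['peer']}")
    for reason, peer in digest_disable_events(CACHE_LOG):
        print(f"digest disabled from {peer}: {reason}")
```

Run it against a real access.log by replacing the constructed text with the file
contents; a DIRECT entry for a host the parent is supposed to block is the symptom the
thread describes, and the digest lines tell you when Squid stopped trusting the parent.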


[squid-users] prevent squid from temporarily disabling (...) digest ?

2011-09-26 Thread Dale Mahalko
Environment:
pfSense 1.2.3-Release
Squid 2.7.9_4.1

I am using squid as a local access-logging front-end, to another
remote proxy which acts as a content filter on which I don't have
reporting/logging access.

If I specify the remote proxy and port in the web browser, I just get
a blank "can't connect" error for HTTPS addresses. It is blocking the
site, as expected.


But when squid is used, the access.log contains a long string of all
TCP_DENIED or TCP_MISS messages, but the blocked page loads
anyway.

Checking the cache.log there is a message "Temporarily disabling (Not
Found) digest from proxy.foo.com":

it appears squid is quietly saying "fine, I will go direct and
retrieve the data anyway."

The directive never_direct doesn't do anything for this:
never_direct deny all

I need squid to just simply give up and stop trying to access the
blocked site, if the upstream parent won't provide the content.



This is probably complicated by the fact that this is a pfsense
firewall appliance. I have tried applying restrictions to brute-force
prevent squid from serving up pages directly but they do not do
anything:
Deny All from LAN (Any) to WAN (Any)
Deny All from WAN (external firewall address) to any address port 80
Deny All from WAN (external firewall address) to any address port 443

Squid still retrieves the blocked data through the WAN side of
the pfsense box.

(I can't post a copy of the squid config. It's all managed through the
pfsense GUI.)


[squid-users] Don't use ICP at all, don't ask, don't request, do nothing with ICP?

2009-12-08 Thread Dale Mahalko
Our organization uses a centralized ISP 8e6 R3000 proxy that provides
us with CIPA compliance.

Because I don't have access to the ISP's 8e6 log files for our site, I
have been using squid 2.7 STABLE3 as a proxy log / cache for the 8e6
box.


It appears that the latest upgrade of the ISP's 8e6 R3000, installed
yesterday, does not support ICP at all. Before I was able to get squid
to work with the default port of 3130 even though the ISP would not
officially confirm to me that ICP was supported. But now I get
continuous "TCP connection failed" messages with the new R3000 update.

It appears that I cannot stop Squid from making any sort of ICP
request of the parent?

This does not work:
icp_port 0
cache_peer proxy.foo.com parent 8760 0 originserver no-query no-digest no-netdb-exchange




Also very strange, but when a page access is attempted through the
now-nonfunctional squid cache, a Red Hat Enterprise Linux Apache
server default-install page pops up in place of root page access to
any website. For example, http://www.google.com/  comes up looking
like that. The squid's host OS is Ubuntu, and there is no Apache web
server or www directory on the server.

I have looked carefully through the config file and I do not know
where it is pulling up that Red Hat apache webserver page from.


[squid-users] Auth'ing to Novell eDirectory via LDAP (Re: Windows auto-login)

2009-09-22 Thread Dale Mahalko
The problem with most LDAP-auth examples is that they are written for
Active Directory, and they assume the reader is an expert at
understanding LDAP syntax. As such the following appears to be
meaningless with Novell eDirectory:

uid=some-user,ou=People,dc=yourcompany,dc=com


We don't have domain controllers in Novell's eDir, so dc= appears to
be the wrong identifier for Novell's LDAP.

Instead, we have this thing called the Tree and the Org at the top
level. I've played with trying random guesses like
cn=foo,ou=accounts,o=myorg,t=mytree and it doesn't work.

I don't know where to find a list of all valid LDAP identifiers (cn=,
dc=, etc) so I don't know what syntax to use.

And does using uid= or cn= make a difference with AD vs eDir?


Also, what's with the commas and periods in LDAP vs Novell? Does it matter?

Novell eDirectory: cn=user.ou=orgunit.o=org.t=tree
LDAP: uid=some-user,ou=People,dc=yourcompany,dc=com

Will either work, or must the delimiter be a comma with LDAP?


Novell eDirectory permits spaces in the names of objects. How do you
deal with spaces in LDAP objects from the command line? Do you wrap
the individual item with quotes or the whole LDAP path/context in
quotes?


Also what is the debug option in the LDAP authenticator supposed to be
used for? It does not appear to generate any useful output. I am
looking for extensive debugging information to tell me why and how
exactly it is or isn't working, like this:

Connecting to LDAP server: foo.company.com (10.0.0.10) ...
** Connected.
Using authenticated bind with user: cn=user.ou=accounts.dc=somewhere
With password: foo
** Successful authenticated bind.
Searching tree using matching pattern: cn=%s
** Actual search pattern: cn=(whatever %s means)
Found the following match:
(etc)

Getting only "ERR Success" as a response is quite unhelpful for an
LDAP-noob to figure out what is wrong.


If I get answers to these questions I'll probably put it into the wiki page:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

- Dale Mahalko




On Tue, Sep 22, 2009 at 6:23 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> We have a generic LDAP how-to which may or may not be useful to you...
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
>
>
> Recent squid releases bundle an eDirectory helper for doing secure encrypted
> digest authentication. That auth method is also growing in its support from
> browsers etc.
>
> Hopefully someone with a bit more experience in these auth methods will
> speak up. This should give you a place to start searching anyway. Good luck.
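Added example (Python; not code from the thread, from Novell, or from the Squid
project) covering the DN-syntax questions in the post above. In LDAP DN syntax (RFC
4514) the components are separated by commas, only a handful of characters need a
backslash escape, and a space inside a value is legal as-is (only a leading or
trailing space is escaped); on a command line the whole DN is quoted as one argument.
The eDirectory converter assumes the typeful dotted form ("cn=user.ou=unit.o=org") and
assumes that a literal dot inside an eDirectory name is written as "\."; that escaping
convention is an assumption of this example, not something the thread states. The last
helper shows the security point behind "%s" in a search filter: a login name is
escaped per RFC 4515 before substitution so a crafted name cannot rewrite the filter.
All names (Dale Mahalko, Staff, MyOrg) are placeholders.

```python
import shlex

# Characters RFC 4514 requires to be backslash-escaped anywhere inside a DN value.
_DN_SPECIAL = set(',+"\\<>;')

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_rdn_value(value):
    """Escape one attribute value for use in an LDAP DN (RFC 4514 section 2.4).

    Interior spaces are left alone; a leading or trailing space, a leading '#',
    NUL and the characters in _DN_SPECIAL get a backslash."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs, leaf first, into a comma-delimited LDAP DN."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def edir_to_ldap_dn(dotted):
    """Convert an eDirectory typeful dotted name ('cn=user.ou=unit.o=org') to LDAP
    DN syntax.  Assumption (example only): a backslash in the dotted form protects
    the next character, so 'J\\.R\\. Smith' carries literal dots."""
    components, current, i = [], [], 0
    while i < len(dotted):
        ch = dotted[i]
        if ch == "\\" and i + 1 < len(dotted):
            current.append(dotted[i + 1])
            i += 2
            continue
        if ch == ".":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    rdns = []
    for comp in components:
        attr, sep, val = comp.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not a typeful name component: {comp!r}")
        rdns.append((attr.strip(), val))
    return build_dn(rdns)


def shell_arg(dn):
    """Quote the whole DN as one command-line argument, spaces and all."""
    return shlex.quote(dn)


def ldap_filter(template, login):
    """Substitute a user-supplied login for '%s' in a filter template such as
    '(cn=%s)', escaping it per RFC 4515 so '*', '(', ')' and '\\' stay literal."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in login)
    return template.replace("%s", escaped)


if __name__ == "__main__":
    dn = edir_to_ldap_dn("cn=Dale Mahalko.ou=Staff.o=MyOrg")
    print(dn)                                        # cn=Dale Mahalko,ou=Staff,o=MyOrg
    print(shell_arg(dn))                             # 'cn=Dale Mahalko,ou=Staff,o=MyOrg'
    print(escape_rdn_value("Smith, John"))           # Smith\, John
    print(ldap_filter("(cn=%s)", "dale*)(|(cn=*"))   # (cn=dale\2a\29\28|\28cn=\2a)
```

The filter helper is the part worth keeping in mind when wiring any LDAP authenticator
to user-typed names: without the RFC 4515 escaping, a login of "*" or "x)(|(cn=*" turns
a lookup for one user into a match on everyone.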



[squid-users] Windows auto-login helper application?

2009-09-21 Thread Dale Mahalko
I need some help with setting up a fairly secure, easy to use method
of authenticating users of Windows XP with squid, that:

 * doesn't require the users to remember a name and password to use
the proxy, and does an auto-login so I can identify the user in the
proxy access logs

 * uses password encryption to prevent sniffing of passwords on the network

It does not look like NTLM authentication will work because apparently
that requires Windows to be joined to a domain before Windows will use
that method. None of the computers are in a domain, and they can't be
since this is a Novell network.

For the life o' me, I cannot figure out how to get the LDAP-auth to
connect to do a Novell eDir/NDS LDAP user lookup. Most searched
discussions regarding this are incomplete, usually ending with someone
saying "Oh I figured it out myself" and they never post what they did.
I know our LDAP server works since I can login to it using a generic
LDAP browser.


At this point I would be happy with sticking a small program in each
user's Windows roaming profile account that loads when they login and
does the authentication for them, whenever they try to use the proxy.

There is apparently no formal name for doing this sort of user-login
though so I can't search for examples of anyone doing it since I don't
know what to call it. Maybe: "Windows helper application squid
authentication"?


Actually this is how Novell's aging BorderManager proxy does it, using
a program called the Client Trust that sits in the taskbar and talks
to the proxy to authorize the user. It interfaces with the Novell
client to get the user's credentials.

I am not expecting or looking for anything this extravagant that also
can talk to the Novell Client. I would be fine with a
taskbar/background helper that just uses a simple hashed config file
in the user's account to authenticate them with squid.

(BorderManager is being retired by Novell next year and so I can't
expect or rely on the Client Trust authenticator to continue to be
available. And besides it is made only for BorderManager, and doesn't
work with other proxies like squid..)


Dale Mahalko