[squid-users] Top users graphs with Sarg
Good morning,

I know this isn't the exact list for this question, but since Sarg and Squid are very closely attached, I presumed this would be my best shot so far. I know that I can individual topusers graphics. Does someone know how I can put all the topusers in one single graphic? Or does anyone know any other software that does something like it?

Thank you all

Henrique
Re: [squid-users] Certain applications when using NTLM auth
Okay. That worked. That really worked. APT is working perfectly. Logs show my user accessing and downloading. I didn't remove my ntlm lines, just added those u suggested. Now, why? I didn't understand.

2009/2/3 James Zuelow james_zue...@ci.juneau.ak.us:

-Original Message-
From: Henrique Machado [mailto:henrique.cic...@gmail.com]
Sent: Tuesday, 03 February, 2009 10:26

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

Henrique --

Try adding 10 basic children:

auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10

Then see if apt is successful.

James Zuelow CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591
Re: [squid-users] Certain applications when using NTLM auth
Dear James,

Thanks for the attention. Yes, I'm talking about Debian APT Tool =]. And I've already configured apt.conf so to use the proxy, adding username and password in it, but even so it's not working, and my proxy keeps returning HTTP 407. Tried creating a user me with password 123456 inside my AD domain, and it's not working as well. Maybe something in my Squid auth configuration, but I'm not sure.

2009/2/2 James Zuelow james_zue...@ci.juneau.ak.us:

-Original Message-
From: Henrique Machado [mailto:henrique.cic...@gmail.com]
Sent: Monday, 02 February, 2009 06:49
To: squid-users@squid-cache.org
Subject: [squid-users] Certain applications when using NTLM auth

But, some applications, APT being a very simple example (and one of my headaches) can't ask for an input. And even configuring it to send user's credentials doesn't seem to work (Squid keeps replying with 407).

You will always get 407 replies with NTLM authentication. It is just how the protocol is designed.

I presume that the behavior wait until I ask for auth credentials is necessary for the complete functionality, so Squid just ignores the info that's initially sent.

Apt as in the Debian apt tool? I have a variety of Debian boxes (used to be Sarge, now Etch and Lenny) that authenticate to squid via NTLM, and this just works for me:

Set up an /etc/apt/apt.conf file like this:

Acquire::http::Proxy http://username:passw...@10.11.12.13:3128/;;

Where username and password are for a service account you create in active directory. You can use a human's account, but the password will be in plaintext with the apt.conf file, so I don't suggest it. Easier to create a service account and then just tightly lock it down in AD. (All you need is that the squid proxy can authenticate to it.) And of course 10.11.12.13:3128 is whatever IP address/port your Squid lives on.

If you've already done this and it doesn't work, maybe there's a typo. I've used apt with NTLM for years and it has been rock solid.
And of course if it is another apt you're talking about, none of this applies. :) James
Re: [squid-users] Certain applications when using NTLM auth
Sure, I was going to do that at my previous mail, but didn't have access to the Squid box that time. And by the way: Yes, you got it just right. That's exactly what's happening.

Here's what I've got:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
acl autentica proxy_auth REQUIRED
acl forbidden url_regex path_for_list
acl whitelist dstdomain path_for_domain_whitelist
(those are the main ACL's)
http_access allow autentica whitelist
http_access allow autentica !forbidden

Explaining: Basically I have a list of forbidden terms (full of ugly names and some others) and a domain whitelist (for fake positives). I allow complete access to the domains in the whitelist and allow access to all URL's which don't match any term in the forbidden list.

Here's some basic access.log output:

1233688830.613 0 192.168.1.149 TCP_DENIED/407 3189 GET http://www.osram.com.br/_resources/img/misc/iTop.gif - NONE/- text/html
1233688830.617 2 192.168.1.149 TCP_IMS_HIT/304 256 GET http://www.osram.com.br/_resources/img/misc/iTop.gif username NONE/- image/gif

First an HTTP 407, followed by the same requisition, this time authenticated.
And now here's some APT access.log output:

1233662651.716 0 192.168.1.74 TCP_DENIED/407 2451 GET http://security.debian.org/dists/etch/updates/main/source/Sources.diff/Index - NONE/- text/html
1233662651.761 0 192.168.1.74 TCP_DENIED/407 2463 GET http://security.debian.org/dists/etch/updates/contrib/source/Sources.diff/Index - NONE/- text/html
1233662651.767 0 192.168.1.74 TCP_DENIED/407 2513 GET http://security.debian.org/dists/etch/updates/main/binary-i386/Packages.gz - NONE/- text/html
1233662651.773 0 192.168.1.74 TCP_DENIED/407 2525 GET http://security.debian.org/dists/etch/updates/contrib/binary-i386/Packages.gz - NONE/- text/html
1233662651.804 0 192.168.1.74 TCP_DENIED/407 2489 GET http://security.debian.org/dists/etch/updates/main/source/Sources.gz - NONE/- text/html
1233662651.808 0 192.168.1.74 TCP_DENIED/407 2501 GET http://security.debian.org/dists/etch/updates/contrib/source/Sources.gz - NONE/- text/html

As you can see, only 407 answers.

Here's my apt.conf:

Acquire::http::Proxy http://me:123456@squidbox_IP:3128/;

And that's it. I've got no clues at all. Thanks again for the attention.

Henrique

2009/2/3 James Zuelow james_zue...@ci.juneau.ak.us:

-Original Message-
From: Henrique Machado [mailto:henrique.cic...@gmail.com]
Sent: Tuesday, 03 February, 2009 03:10
To: James Zuelow
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Certain applications when using NTLM auth

Dear James, Thanks for the attention. Yes, I'm talking about Debian APT Tool =]. And I've already configured apt.conf so to use the proxy, adding username and password in it, but even so it's not working, and my proxy keeps returning HTTP 407. Tried creating a user me with password 123456 inside my AD domain, and it's not working as well. Maybe something in my Squid auth configuration, but I'm not sure.

Hmm.
So if I understand what's going on correctly -- a normal user can authenticate through the proxy, either automatically with IE or Firefox on a Windows box, or else by providing a username/password for something like Firefox on a Linux box. Correct? If so, then the apt.conf entry should be working. It is easy to get strange results if the access rules are out of order. Can you sanitize your rules and post them? And the apt.conf file as well?
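An added example, not part of the original thread: a small Python check over Squid native-format access.log lines like the ones posted above, listing clients that keep receiving TCP_DENIED/407 without ever sending an authenticated request (the pattern the APT host shows). The function names and the min_challenges threshold are assumptions chosen for illustration; the sample lines are copied from the excerpts in the message, plus one constructed malformed line.

```python
from collections import defaultdict

# Sample input: access.log lines from the message above, plus one constructed bad line.
SAMPLE_LOG = """\
1233688830.613 0 192.168.1.149 TCP_DENIED/407 3189 GET http://www.osram.com.br/_resources/img/misc/iTop.gif - NONE/- text/html
1233688830.617 2 192.168.1.149 TCP_IMS_HIT/304 256 GET http://www.osram.com.br/_resources/img/misc/iTop.gif username NONE/- image/gif
1233662651.716 0 192.168.1.74 TCP_DENIED/407 2451 GET http://security.debian.org/dists/etch/updates/main/source/Sources.diff/Index - NONE/- text/html
1233662651.767 0 192.168.1.74 TCP_DENIED/407 2513 GET http://security.debian.org/dists/etch/updates/main/binary-i386/Packages.gz - NONE/- text/html
1233662651.804 0 192.168.1.74 TCP_DENIED/407 2489 GET http://security.debian.org/dists/etch/updates/main/source/Sources.gz - NONE/- text/html
this line is malformed and must be skipped
"""

def parse_line(line):
    """Split one native-format line into the fields used here, or return None."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": parts[2], "result": result, "status": int(status),
            "url": parts[6], "user": parts[7]}

def auth_summary(log_text):
    """Per client: 407 challenges, authenticated requests, user names seen."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that are not in native format
        entry = stats[rec["client"]]
        if rec["status"] == 407:
            entry["challenges"] += 1
        elif rec["user"] != "-":
            entry["authenticated"] += 1
            entry["users"].add(rec["user"])
    return dict(stats)

def stuck_clients(log_text, min_challenges=3):
    """Clients challenged repeatedly that never completed proxy authentication."""
    return sorted(client for client, s in auth_summary(log_text).items()
                  if s["challenges"] >= min_challenges and s["authenticated"] == 0)

if __name__ == "__main__":
    for client, s in sorted(auth_summary(SAMPLE_LOG).items()):
        print(client, s["challenges"], s["authenticated"], sorted(s["users"]))
    print("never authenticated:", stuck_clients(SAMPLE_LOG))
```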
[squid-users] Certain applications when using NTLM auth
Morning,

For quite some time I've wondered about something. Certain applications worked perfectly with Squid in the past. But, since we've integrated it with Active Directory (NTLM auth) some applications just don't work anymore, even if they do have authenticated proxy support.

What I've noticed about NTLM authentication with Squid is:

1) Application sends HTTP request (Firefox or IE, for instance)
2) Squid receives the request and then returns HTTP code 407 to the client (Proxy Authentication Required)
3) The application receives the 407 code and asks the user for authentication input (the browsers use the current logged user credentials if inside an Active Directory domain)
4) The application sends the authentication info
5) Squid receives it, checks it and then does its work

But, some applications, APT being a very simple example (and one of my headaches) can't ask for an input. And even configuring it to send user's credentials doesn't seem to work (Squid keeps replying with 407). I presume that the behavior wait until I ask for auth credentials is necessary for the complete functionality, so Squid just ignores the info that's initially sent.

Any way I can solve that without having to put those applications outside the proxy?

Best regards,

Henrique Cicuto Machado
[squid-users] Exchange OWA + Squid - Duplicated Windows
Greetings

Recently installed Squid 3.0Stable8 and many users complained when trying to access Exchange OWA. I saw the problem myself: When someone clicks over answer/answer all/print or any other buttons within the OWA window, another OWA window opens up. If you click more, more and more windows keep on opening. Exchange server is running Microsoft Exchange Server 2003.

I think that, perhaps, adding extension_methods could make it work, but I don't know which ones to try.

Thank you everyone for the attention
Re: [squid-users] Issues with Squid and authenticated sites
Thanks so far Henrik.

Since I'm a very stubborn person, I'm still trying. Doing some further research, I found a post in squid list from 3 years ago (in fact, you answered to it that time) where a user said he changed squid so it would return to the browser a HTTP_UNAUTHORIZED (401) message and then a WWW-Authenticate response-header. Did some work with Wireshark, and also found some old Squid docs, that showed me that Squid already does the HTTP_UNAUTHORIZED part.

Back then the person said it worked for Mozilla and Firefox, but not for IE. Even you said back then that it wouldn't always work. Even so, I'd like to give it a try. Does anyone know if this change in Squid so it replies with WWW-Authenticate is something done in the config file or the source code? Even if it doesn't work, I think it is a very useful thing to learn.

For the record: the thread I'm based on is:

http://www.squid-cache.org/mail-archive/squid-users/200505/0404.html (original thread)
http://www.squid-cache.org/mail-archive/squid-users/200505/0411.html (answer)

Thanks again

2008/6/12 Henrik Nordstrom [EMAIL PROTECTED]:

On tor, 2008-06-12 at 17:22 -0300, Henrique Machado wrote:

I checked on that. You're right, sorry about that. But the FTP still opens as read-only. Any ideas?

File a bug report with your browser vendor, it's a known shortcoming of current browsers. Netscape 3 did support uploads via HTTP proxies. MSIE has never supported it. Firefox has forgotten how to do it..

Regards
Henrik
Re: [squid-users] Issues with Squid and authenticated sites
And because you told Squid to access anonymous FTP. Authenticated FTP uses URLs on the form ftp://user:[EMAIL PROTECTED]/ with some browsers you can leave out the :password part and Squid will prompt for the password. Most browsers fail this however...

Indeed. Some people also told me that, but the only different thing is the message saying that User name_of_the_user cannot log in. What can I do?

Squid does not log the password component of the requested URL.

I checked on that. You're right, sorry about that. But the FTP still opens as read-only. Any ideas? I checked the squid manuals for any options related to ftp management, but none of them helped me out :(

2008/6/12 Henrik Nordstrom [EMAIL PROTECTED]:

On ons, 2008-06-11 at 22:34 -0300, Henrique Machado wrote:

The problem is: every time when trying to access a website that asks for a user and a password (some FTP sites and even some websites), I don't receive the INPUT USERNAME AND PASSWORD box. When I had no authentication method running in Squid, I'd get an error message when trying to authenticate. Squid sent the command FTPpassword and received the reply 'User anonymous cannot log in' (this one is for FTP sites).

And because you told Squid to access anonymous FTP. Authenticated FTP uses URLs on the form ftp://user:[EMAIL PROTECTED]/ with some browsers you can leave out the :password part and Squid will prompt for the password. Most browsers fail this however...

All around the world I have searched for an answer, and I always received the same one: Place the username and password in the URL. K, fine, that works, partially, because the FTP always opens as read-only (and also the idea of having users' passwords in our log files is against our security policy).

Squid does not log the password component of the requested URL.

The same goes for the websites that require authentication (this situation happens mostly when it's an authentication method from Apache or IIS): no authentication box.
That's a different problem. Should work out of the box except for sites using NTLM authentication. For those you need to use Squid-2.6 or 2.7 as Squid-3 does not yet have the needed workarounds to play well with Microsoft's bending of the HTTP message model...

Regards
Henrik
[squid-users] Issues with Squid and authenticated sites
Good evening,

First time in the list, and I'm having a terrible issue with my squid. Had 2.5STABLE12 running with no auth and recently upgraded to 3.0STABLE6 with auth against Windows DC.

The problem is: every time when trying to access a website that asks for a user and a password (some FTP sites and even some websites), I don't receive the INPUT USERNAME AND PASSWORD box. When I had no authentication method running in Squid, I'd get an error message when trying to authenticate. Squid sent the command FTPpassword and received the reply 'User anonymous cannot log in' (this one is for FTP sites).

All around the world I have searched for an answer, and I always received the same one: Place the username and password in the URL. K, fine, that works, partially, because the FTP always opens as read-only (and also the idea of having users' passwords in our log files is against our security policy).

The same goes for the websites that require authentication (this situation happens mostly when it's an authentication method from Apache or IIS): no authentication box. After the upgrade, when accessing sites/FTP that require authentication, I keep getting an authentication box, but from my proxy, not from the website/FTP.

Unfortunately Google couldn't help me out with this situation, and since I had luck when consulting the netfilter list for some issues with iptables, I hope I'd get the same result coming to squid list.

I thank everyone in advance for the attention.

Henrique