Re: [squid-users] ntlm and internet explorer
How about Digest authentication? Is digest as weak as NTLM?

And another question: is it possible to use the Kerberos (actually Negotiate) protocol for squid user authentication in a network without any Active Directory or Domain?

On 9/14/10, Amos Jeffries squ...@treenet.co.nz wrote:
> On Mon, 13 Sep 2010 11:28:13 -0500, Terry td3...@gmail.com wrote:
>> I have a working NTLM implementation in place and it works great from
>> yum and wget for example. However, when I try to use squid from IE8,
>> it prompts for password and I never see the credentials hit squid,
>> just this for example:
>>
>> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
>>
>> I have added google.com to IE's local intranet zone and gave that zone
>> low priority so I am not sure where the problem lies. Here's my
>> configuration:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOM\\proxyusers
>> auth_param ntlm children 5
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOM\\proxyusers
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 5 hours
>> acl NTLMUsers proxy_auth REQUIRED
>> http_access allow all NTLMUsers
>>
>> I can test fine from the squid server:
>>
>> [r...@proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic
>> DOM\jmama password
>> OK
>>
>> What am I missing?
>
> The fact that NTLM has been obsolete for 8 years now?
>
> Its encryption schemes were demonstrated to be decrypted in under 15
> minutes with a standard consumer desktop as of a year or so ago.
> Microsoft have declared it deprecated in favor of Kerberos back in the
> early stages of Vista and all their newer software attempts to do
> Kerberos instead. IE8 and Windows 7 are known to have NTLM fully
> disabled by default, with some hoop-jumping needed to open up those
> holes again.
>
> *Please* look at upgrading your network to Negotiate/Kerberos. It's
> much more secure, faster and very much less resource hungry than NTLM.
>
> Amos
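
Added example, not part of the thread and not Squid project code: a small access.log check for the symptom described above, where a client collects TCP_DENIED/407 responses but never shows up with a username. The sample log is constructed (only the first record is the one quoted in the thread), and the function names and the min_denials threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format. The first record is
# the one quoted in the thread; every other line is made up for this demo.
SAMPLE_LOG = """\
1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
1284395121.902 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
1284395122.310 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
1284395130.114 0 10.8.1.101 TCP_DENIED/407 1798 GET http://example.com/ - NONE/- text/html
1284395130.120 1 10.8.1.101 TCP_DENIED/407 2102 GET http://example.com/ - NONE/- text/html
1284395130.415 290 10.8.1.101 TCP_MISS/200 5120 GET http://example.com/ jmama DIRECT/192.0.2.10 text/html
garbage line that is not a log record
"""


def parse_line(line):
    """Return (client, http_status, user) for a native-format record, else None."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    status = fields[3].rsplit("/", 1)[1]
    if not status.isdigit():
        return None
    user = None if fields[7] == "-" else fields[7]  # "-" means no username logged
    return fields[2], int(status), user


def clients_never_authenticating(lines, min_denials=3):
    """Clients with >= min_denials 407s and no request that carries a username."""
    denials = defaultdict(int)
    authenticated = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or foreign lines
        client, status, user = rec
        if user is not None:
            authenticated.add(client)  # handshake completed at least once
        elif status == 407:
            denials[client] += 1
    return {c: n for c, n in denials.items()
            if n >= min_denials and c not in authenticated}


if __name__ == "__main__":
    stuck = clients_never_authenticating(SAMPLE_LOG.splitlines())
    for client, count in stuck.items():
        print(f"{client}: {count} x 407, never completed proxy authentication")
```

A few 407s followed by an authenticated request is the normal challenge/response pattern, which is why 10.8.1.101 is not reported.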
[squid-users] Customizable Bandwidth Allocation
I have installed squid server as a proxy server for a small network in the office and configured it to dedicate 100KB/s to each computer (by leaky buckets). But sometimes (e.g. when the office is solitude) the users need more bandwidth (temporarily). I figured out three ways to solve this problem:

1- Defining some user/passwords for the squid server and allocating more bandwidth for authenticated users (with ACLs). This solution is not practical because the users can always use that user/password and always get more bandwidth, so it is not temporary.

2- Modifying the squid.conf file to give more bandwidth to special computers and reverting it back when the user is done. This solution solves the problem and bandwidth allocation is under the control of the admin, but modifying squid.conf is not simple and trivial.

3- I heard about webmin, which is a tool that simplifies squid configuration, but I haven't tested it. Does that solve my problem?

Are there any other options to allocate more bandwidth temporarily for computers?
Re: [squid-users] Squid 3.1.6 is available
Thanks! But these resolved bugs are missing from the change log:

- Bug 2985: search scope for digest_ldap_auth didn't work
- Bug 2963: Stop ignoring --with-valgrind-debug failures
- Bug 2885: AIX support: several fixes
- Bug 2651: crash handling NULL write callback

There is no reference to them in
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_6.html

Is there any problem with them?

On Tue, Aug 3, 2010 at 16:44, Amos Jeffries squ...@treenet.co.nz wrote:
> The Squid HTTP Proxy team is very pleased to announce the
> availability of the Squid-3.1.6 release!
>
> This release brings a functionality bump for several operating
> systems and bug fixes over previous releases.
>
> * An update of the squid-cache.org packaging systems has occurred.
> This and later packages now support Libtool 2.2. We hit several
> compatibility issues in the process and hacks have had to be
> implemented to retain support for older Libtool on build systems. One
> small issue remains yet to be closed satisfactorily in the
> loadable-modules feature below eCAP.
>
> Limited support for IPv6 split-stack has been worked out. This means
> that users of MacOS X, OpenBSD and any others which forcibly disabled
> IPv6 due to lack of Squid support may enable as desired. IPv6 DNS and
> contact with IPv6 clients is fully operational. Contact with
> IPv6-enabled websites and several management protocols is partially
> supported although some special squid.conf alterations are needed.
>
> The Database-backed basic authentication helper has Joomla and MD5
> support added with optional salting.
>
> Several other bugs have been resolved in this release:
>
> - Bug 2991: Wrong parameters to fcntl() in commSetCloseOnExec()
> - Bug 2975: chunked requests not supported after regular ones
> - Bug 2985: search scope for digest_ldap_auth didn't work
> - Bug 2963: Stop ignoring --with-valgrind-debug failures
> - Bug 2885: AIX support: several fixes
> - Bug 2651: crash handling NULL write callback
> - Fix: 32-bit overflow in reported bytes received from next hop
> - Fixed several memory leaks related to Range requests
> - Fixed SASL helper build checks
> - Updated error page translations
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
> if and when you are ready to make the switch to Squid-3.1
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v3/3.1/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/3.1/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.dyn
> http://www.squid-cache.org/Download/mirrors.dyn
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
> Amos Jeffries