RE: [squid-users] Installing squidGuard - Fedora Core 3

2005-06-30 Thread Jay Turner
At the time I started using SquidGuard (around three years ago), it was well
known that 3.2.9 was the most reliable version of DB to use. This was
discussed extensively on the SquidGuard maillist in particular by Rick
Matthews. I have not since bothered trying later versions of DB to see if it
works, because I know that 3.2.9 works.

I quote from a message posted by Rick on the SquidGuard list on 21/3/2003:

In spite of what the documentation says, squidGuard 1.2.0 requires
version 3.29 of the Berkeley DB (available here:
http://www.sleepycat.com/download/patchlogs.shtml

You can stay with DB 2.7.7 and run squidGuard from the text files.
SquidGuard will simply rebuild the B-trees from the text files each
time it is started. Once the B-trees are built and loaded into
memory, squidGuard performance is the same, with or without
the db files.  You might want to use that approach to do enough
testing to know if squidGuard does what you need.  If so, you'll
definitely want to move to db 3.2.9, creating the db files makes
a tremendous difference in squidGuard's startup time.

My suggestion to this user was based on my knowledge that 3.2.9 worked but
other versions had been proven by others to not work.

Perhaps the wording to my reply was a little misleading.
I just know that it definitely works with 3.2.9 and it is something easy
this user could check/try.

Jay

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 30 June 2005 2:25 PM
 To: [EMAIL PROTECTED]; squid-users@squid-cache.org
 Subject: AW: [squid-users] Installing squidGuard - Fedora Core 3


 
 Contrary to the documentation, SquidGuard 1.2.0 requires
 Berkeley DB 3.2.9 to function correctly.
 
 I would ensure firstly that that is the version you have installed.
 
 You can check this by executing squidGuard -v
 which should return:
 
 SquidGuard: 1.2.0 Sleepycat Software: Berkeley DB 3.2.9:
 (January 24, 2001)
 
 Regards
 Jay
 

 Sure?

 # /usr/local/bin/squidGuard -v
 SquidGuard: 1.2.0 Sleepycat Software: Berkeley DB 4.0.14: (November 18,
 2001)

 works for me fine.

 W.Rost





RE: [squid-users] Re: Installing SquidGuard with Fedora Core 3

2005-06-30 Thread Jay Turner
As I said, it works fine for me on FC3 using BDB 3.2.9

Regards
Jay


 -Original Message-
 From: Enrique Charry [mailto:[EMAIL PROTECTED]
 Sent: Friday, 1 July 2005 7:28 AM
 To: Squid Users
 Subject: [squid-users] Re: Installing SquidGuard with Fedora Core 3


 Dear List:

 Regarding the answers: my problem is installing squidguard only
 with Fedora Core 3; with Red Hat 9.0 it is working fine.

 $ SquidGuard -C porn/domains
 segmentation fault

 Any ideas?

 Thank you!

 Enrique Charry







RE: [squid-users] Installing squidGuard - Fedora Core 3

2005-06-29 Thread Jay Turner
Contrary to the documentation, SquidGuard 1.2.0 requires Berkeley DB 3.2.9
to function correctly.

I would ensure firstly that that is the version you have installed.

You can check this by executing squidGuard -v
which should return:

SquidGuard: 1.2.0 Sleepycat Software: Berkeley DB 3.2.9: (January 24, 2001)

Regards
Jay

 -Original Message-
 From: Enrique Charry [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 30 June 2005 6:10 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Installing squidGuard - Fedora Core 3


 Dear List:

 I am installing squidguard in Fedora Core 3 with a lot
 of Berkeley DB libraries; when I run squidGuard -C
 porn/domains it displays a segmentation fault.

 What's up?

 Thanks!

 Enrique Charry






[squid-users] STABLE10 default squid.conf

2005-05-24 Thread Jay Turner
Just downloaded STABLE10 tar.gz and there doesn't seem to be a
squid.conf.default where I would expect it in src/

Didn't notice anything on the changelog about it being moved... Has it been
left out accidentally?

Thanks
Jay




RE: [squid-users] STABLE10 default squid.conf

2005-05-24 Thread Jay Turner
 From: Jay Turner [mailto:[EMAIL PROTECTED]
 
 Just downloaded STABLE10 tar.gz and there doesn't seem to be a
 squid.conf.default where I would expect it in src/
 
 Didn't notice anything on the changelog about it being moved... 
 Has it been
 left out accidently?
 
 Thanks
 Jay

Nevermind... didn't realise it's only there *after* you compile. 




RE: [squid-users] never use redirector for master user

2005-05-17 Thread Jay Turner
 From: Robert Becskei [mailto:[EMAIL PROTECTED]
 Hello,

  with the help of the people at this mailing list I managed to
 configure my
 proxy server so that there is a master
 user who can do anything, and there is a normal internet user who can only
 browse and download a few types of files.

  my problem is :

  redirect_program /usr/bin/squidGuard
  redirect_children 4

  is there a way to never redirect master user ? so he can browse porn
 sites...?

Let SquidGuard do this.

Set up an ACL and rule in SquidGuard along the lines of:

acl {
master {
pass any
}

normal {
pass !porn !whateverelse any
redirect http://somesite.com/
}
}

This will allow master to go anywhere but normal to go anywhere except porn
and whateverelse.
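The following is an added example (editor's, not code from the thread or from squidGuard itself): a small model of how squidGuard walks a source's "pass" list, using the master/normal ACL above. Entries are tried left to right and the first one that applies decides; "!porn" means a request whose host is in the porn group is blocked, "any" passes everything, and a request that matches nothing in the list is blocked. A blocked request is answered with the acl's redirect URL, falling back to a global redirect. The domain group contents and the fallback redirect URL are constructed sample data.

```python
# Added example (not from the thread): a model of how squidGuard walks a
# source's "pass" list, using the master/normal ACL shown above.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Destination groups: in squidGuard these come from the "domains" files of
# each dest block; the entries here are constructed placeholders.
DEST_GROUPS = {
    "porn": {"adult.example"},
    "whateverelse": {"games.example"},
}

# Global redirect used when a blocking acl has no redirect of its own
# (constructed placeholder URL).
DEFAULT_REDIRECT = "http://proxy.example/blocked.html"


@dataclass
class SourceAcl:
    pass_list: List[str]              # e.g. ["!porn", "!whateverelse", "any"]
    redirect: Optional[str] = None


# The two sources from the message above.
ACL = {
    "master": SourceAcl(["any"]),
    "normal": SourceAcl(["!porn", "!whateverelse", "any"], "http://somesite.com/"),
}


def host_in_group(host: str, group: str) -> bool:
    """A domain-list entry matches the domain itself and every subdomain."""
    return any(host == d or host.endswith("." + d) for d in DEST_GROUPS[group])


def evaluate(source: str, url: str) -> str:
    """Return what squidGuard hands back to Squid for this request: the
    original URL when it passes, or the redirect URL when it is blocked.
    The pass list is scanned left to right and the first applicable entry
    decides; a request matching nothing in the list is blocked."""
    acl = ACL[source]
    blocked_to = acl.redirect or DEFAULT_REDIRECT
    host = (urlparse(url).hostname or "").lower()
    for entry in acl.pass_list:
        if entry == "any":
            return url
        if entry == "none":
            return blocked_to
        negated = entry.startswith("!")
        if host_in_group(host, entry.lstrip("!")):
            return blocked_to if negated else url
    return blocked_to


if __name__ == "__main__":
    for src in ("master", "normal"):
        print(src, evaluate(src, "http://www.adult.example/page"))
```

With this model "master" is never redirected because its list starts with "any", while "normal" is redirected as soon as the host falls into porn or whateverelse and passes everything else.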




RE: [squid-users] IE improperly prompts for credentials; ntlm_auth with Samba 3.0.13, Squid 2.5.STABLE7, RedHat Linux 9.0, SmartFilter 4.01

2005-04-04 Thread Jay Turner

   RedHat Linux 9.0,
   MIT Kerberos 1.4 built from source,
   Samba 3.0.13 built from source,
   Squid 2.5.STABLE7 built from source
   SmartFilter 4.01.
   Active Directory with Windows 2003

 Why not use RPMs?  Well - ADS support for Windows 2003 needs Kerberos
 1.3 or newer.  But RedHat 9.0 has Kerberos 1.2.7 and zillions of RedHat
 packages depend on it.  So I need krb5 1.4 in another tree and
 everything pretty much flows from that.

For what it is worth, I have this working fine against a Windows 2003 ADS
with RedHat 7.3 with krb5-*-1.2.4-11.i386.rpm
and on Fedora Core 3 with krb5-*-1.3.4-7.i386.rpm - however I am using Samba
3.0.2a to get around the kerberos issue.

I used the information from the Squid FAQ's regarding winbind and kerberos
to get mine to work
(http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc23.5)

Looking at your squid.conf, you have stated:

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

Won't 'all' get processed before AuthorizedUsers so everyone will be
allowed?

My http_access is just
http_access allow AuthorizedUsers
http_access deny all

Don't know if it's what is causing your problem, but it might cause you a
problem in the future?

Another thing I noticed you didn't do that I did that might be causing a
problem is you didn't
chmod winbindd_privileged, you chgrp'd it, but not chmod it...

chmod 750 /var/lib/samba/winbindd_privileged/

Failing that, I don't know why it doesn't work.

Jay




RE: [squid-users] Squid build blows up

2005-04-04 Thread Jay Turner
 From: Greg Scott [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 5 April 2005 6:34 AM

 The fun just doesn't stop here in Minnesota.  I am trying to rebuild
 Squid like this:

 cd /usr/local/squid/src/squid-2.5.STABLE7
 ./configure \
   --enable-smartfilter \
   --enable-async-io \
   --enable-linux-netfilter \
   --enable-underscores \
   --prefix=/usr/local/squid \
 --enable-auth=ntlm,basic \
   --enable-basic-auth-helpers=winbind \
   --enable-ntlm-auth-helpers=winbind \
 --enable-external-acl-helpers=winbind_group \
   --enable-delay-pools \
   --with-samba-sources=/usr/src/samba-3.0.13

 make clean runs to completion
 make all dies, see below


By the looks of it you are using Samba 3.0 and trying to specify the Squid
Winbind helpers (for 2.2.7) which won't work.

In the FAQ (http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc23.5) Under
Configure Squid it states for Samba 3.X only use
--enable-auth=ntlm,basic, the
helpers --enable-basic-auth-helpers=winbind
 --enable-ntlm-auth-helpers=winbind would only be used for Samba 2.X

Jay




[squid-users] IIS Authentication Error

2004-10-14 Thread Jay Turner
Hi All,

I have a client who is trying to connect to an IIS website that requires
user authentication. When they bypass the Squid-2.5STABLE2 proxy it works
fine and they are prompted to enter their login details.

When they go through the proxy, which is using the LDAP helper to
authenticate them via Novell, they get the following error returned from the
destination webserver:

==
You are not authorized to view this page

You do not have permission to view this directory or page using the
credentials
that you supplied because your Web Browser is sending a WWW-Authenticate
header field that the web server is not configured to accept.

...

HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.
Internet Information Services (IIS)

==

I tried adding an acl destination for the site and setting
no_cache deny thesite
http_access allow thesite

to stop the page being cached and allow access to it before Squid requires
Authentication but that didn't resolve it.

Does anyone have any ideas? IIRC isn't there an issue that IIS NTLM
authentication cannot be proxied? Could that be the case here?

Thanks in advance

Regards
Jay Turner





RE: [squid-users] Squidguard

2004-09-05 Thread Jay Turner
 
  You can only have one IP declaration per source created.
  
  As taken from SquidGuard.org:
  
 ---(SNIPPED)---
  
  HTH
  
  Regards
  Jay
  
  
 
 Not so Jay.
 
 From: http://www.squidguard.org/config/
 ~~
 Breaking long lines 
 Generally you may break a (long) line by repeating the leading
 keyword. Repeated lines of the same type within a class will be
 joined when the rule trees are built. So:
 
 src foo { 
 ip 1.2.3.4
 ip 2.3.4.5 
 } 

I stand corrected.





RE: [squid-users] Hacking ntlm_auth to allow squidGuard ACLs

2004-09-03 Thread Jay Turner

 Hi All,

 First post here!

 In the following article the author describes how to get Samba 3 and
 Squid working.

 http://www.informatikserver.at/modules.php?name=News&file=print&sid=2710

 However towards the end the author has a topic called Hacking ntlm_auth
 to allow squidGuard ACLs  He describes making the following changes to
 the source of the ntlm_auth.c:

 In source/utils/ntlm_auth.c locate the line:
 x_fprintf(x_stdout, "AF %s\\%s\n", ntlmssp_state->domain, ntlmssp_state->user);

 And modify it to:
 x_fprintf(x_stdout, "AF %s\n", ntlmssp_state->user);

 I came across this page because I was looking for a way to get
 squidGuard to recognize NT users so that I can create exceptions for
 certain ones.  This way I can still proxy, and log the user's actions,
 but they won't have their content filtered.  Will what this person is
 describing above accomplish that?  Has anyone done this?  If not can
 anyone think of any negative consequences?  Also, if this does work the
 way I think it will, would I not specify the username in squidGuard as
 domain\user, or just user.  domain\user crashes squidguard
 (probably because of the \, I am guessing).  Any ideas?


I have successfully done this with Squid2.5, Samba3 & SquidGuard 1.2.0
without making any changes to any source.
I just set up a number of squidguard userlists which I reference in my
squidguard.conf file.

Each file contains users in the following format:

user1
user2
user3

That's all that was required for me and I can now filter users depending on
their ADS user name via SquidGuard.

I'm not sure why the article you reference states you need to make changes.
I'm sure there is a good reason, I just know that I made no changes.

Regards
Jay




RE: [squid-users] Squidguard

2004-09-03 Thread Jay Turner

 Hello,

   I am getting the following error and can not find out why:

 parse error in configfile squidGuard.conf line 4

 Here is the top of the file:

 logdir /home/squid/squidextra/squidgaurd/squidGuard/log
 dbhome /home/squid/squidextra/squidgaurd/squidGuard/db

 src managers {
 ip  X.X.X.X
 ip  X.X.X.X
 ip  X.X.X.X
 ip  X.X.X.X
 }


You can only have one IP declaration per source created.

As taken from SquidGuard.org:

 Specification can be any reasonable combination of:

IP addresses and/or ranges (multiple):
ip xxx.xxx.xxx.xxx [...]
or
ip xxx.xxx.xxx.xxx/nn [...]
or
ip xxx.xxx.xxx.xxx/mmm.mmm.mmm.mmm [...]
or
ip xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy [...]
where:

xxx.xxx.xxx.xxx is an IP address (host or net, i.e. 10.11.12.13 or
10.11.12.0),
/nn a net prefix (i.e. /23),
mmm.mmm.mmm.mmm is a netmask (i.e. 255.255.254.0) and
yyy.yyy.yyy.yyy is a host address (must be >= xxx.xxx.xxx.xxx)


IP address/range list (single):
iplist filename
where:

filename is either a path relative to dbhome or an absolute path
(i.e. /full/path) to a database file.
the iplist file format is simply addresses and/or networks separated
by a newline as above but without the ip keyword. Thus an iplist for all the
private addresses could look something like (Though the preferred use of
iplist over ip is for long lists of WS/PC addresses primarily to reduce
the size of the configuration file):

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16


HTH

Regards
Jay
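The following is an added example (editor's, not code from the thread or from squidGuard itself): a parser for the address forms the quoted documentation lists, ip a.b.c.d, a.b.c.d/nn, a.b.c.d/m.m.m.m, a.b.c.d-e.f.g.h and iplist FILE, applied to a constructed src block with several ip lines, which are joined as the correction in the later message says. The iplist contents are passed in as a dict standing in for files under dbhome; all addresses are constructed documentation ranges, and a range whose end is below its start is rejected as the documentation requires.

```python
# Added example (not from the thread or from squidGuard): parse the ip /
# iplist forms of a squidGuard src block and match a client address.
import ipaddress
from typing import Dict, List, Tuple

Addr = ipaddress.IPv4Address
Range = Tuple[Addr, Addr]   # inclusive first/last address


def parse_ip_spec(spec: str) -> Range:
    """Turn one address specification into an inclusive (first, last) range."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (Addr(p) for p in spec.split("-", 1))
        if last < first:   # the docs require yyy >= xxx
            raise ValueError(f"range end {last} is below its start {first}")
        return first, last
    # IPv4Network accepts both /nn and /m.m.m.m; strict=False tolerates a
    # plain host address such as 10.11.12.13 (treated as a /32)
    net = ipaddress.IPv4Network(spec, strict=False)
    return net.network_address, net.broadcast_address


def parse_src_block(lines: List[str], iplist_files: Dict[str, str]) -> List[Range]:
    """Collect every ip and iplist line of one src block into a range list.
    iplist_files stands in for files under dbhome: name -> file contents."""
    ranges: List[Range] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "ip":
            # several addresses may follow one ip keyword, and ip lines repeat
            ranges.extend(parse_ip_spec(s) for s in rest.split())
        elif keyword == "iplist":
            # same specs, one per line, without the ip keyword
            for entry in iplist_files[rest.strip()].splitlines():
                if entry.strip():
                    ranges.append(parse_ip_spec(entry))
        else:
            raise ValueError(f"keyword not handled in this example: {keyword}")
    return ranges


def matches(ranges: List[Range], client_ip: str) -> bool:
    """True if the client address falls into any collected range."""
    addr = Addr(client_ip)
    return any(first <= addr <= last for first, last in ranges)


# Constructed src block in the shape discussed above (documentation addresses).
MANAGERS_BLOCK = """
ip 10.11.12.13
ip 10.11.12.0/23
ip 192.0.2.0/255.255.255.0
ip 198.51.100.10-198.51.100.20
iplist private
""".strip().splitlines()

# Constructed stand-in for an iplist file named "private" under dbhome.
IPLIST_FILES = {"private": "10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n"}

MANAGERS = parse_src_block(MANAGERS_BLOCK, IPLIST_FILES)

if __name__ == "__main__":
    for ip in ("10.11.13.200", "198.51.100.15", "198.51.100.21", "203.0.113.5"):
        print(ip, matches(MANAGERS, ip))
```

The four ip lines and the three iplist entries end up as seven ranges in one list, which is the "joined when the rule trees are built" behaviour the documentation describes.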




RE: [squid-users] log analysers

2004-08-18 Thread Jay Turner
Try SARG..

http://sarg.sourceforge.net/sarg.php

It should do exactly what you want.

Jay

 -Original Message-
 From: Payal Rathod [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 19 August 2004 12:36 PM
 To: Squid ML
 Subject: [squid-users] log analysers
 
 
 Hi,
 I rotate my squid logs daily. Do we have any log analysers which will
 tell which site is accessed by whom? I want something like a list of
 users along with the sites accessed by them daily. AFAIK, calamaris does
 not do such a thing.
 
 With warm regards,
 -Payal
 
 
 



RE: [squid-users] maxconn

2004-07-27 Thread Jay Turner
Will

 acl localnet src 172.16.0.0/19
 acl ahost src 172.16.1.1
 acl conn_15 maxconn 15
 http_access deny ahost conn_15
 http_access allow localnet

or similar not work for you?

 -Original Message-
 From: Sergey Matveychuk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 27 July 2004 3:28 PM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] maxconn
 
 
 Just tell me how it must work?
 
 acl localnet src 172.16.0.0/19
 acl conn_15 maxconn 15
 http_access deny localnet conn_15
 
 It looks like it limits connections to 15 from all 172.16.0.0/19.
 It's not possible to limit connection numbers from one IP?
 
 -- 
 Sem.
 
 
 



[squid-users] Replace Squid Binary

2004-06-30 Thread Jay Turner
Hi all,

I recently deployed a Squid2.5-Stable5 server to a client using NTLM
authentication via Samba 2.7

I neglected to see that there was a patch available for an
"assertion failed: helper.c:323: srv->flags.reserved" error that this client
is currently experiencing.
(http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE5-ntlm_assert)

Rather than having to completely recompile Squid on this production server
with the included patch (which would be a pain), I was wondering if I could
recompile Squid with the patch on a development machine (exactly same
environment (OS, GCC etc) and then deploy the compiled /usr/bin/squid binary
to the production server?
Would this work? or are there other files that would need replacing also?

I hope I have been clear.

Thanks in advance
Jay




RE: [squid-users] Squid Performance Analysis

2004-02-12 Thread Jay Turner
 Is there something that analyzes the various *_HIT statuses in the log
 and produces a "what might have been" report?  Does anyone know of any
 tools that are not listed on the Squid Cache web site that would provide
 this type of report?

Your requirements sound like you are looking for a cache reporting tool.

Have you tried Calamaris?
It can provide information like the following:

Incoming TCP-requests by status
status                     request      %      Byte      %  sec  kB/sec
-----------------------------------------------------------------------
HIT                        1488651  37.68  5481382K  21.96    0    9.74
  TCP_IMS_HIT               486076  12.30   139571K   0.56    0    7.82
  TCP_REFRESH_HIT           413379  10.46  1626804K   6.52    0    4.87
  TCP_MEM_HIT               280950   7.11   492567K   1.97    0   41.14
  TCP_HIT                   223217   5.65  3122269K  12.51    0   16.05
  TCP_NEGATIVE_HIT           85029   2.15   100170K   0.40    0   24.26
MISS                       2435997  61.65    19010M  77.99    2    3.53
  TCP_MISS                 2206700  55.85    18375M  75.39    2    3.50
  TCP_CLIENT_REFRESH_MISS   184121   4.66   369832K   1.48    0    5.17
  TCP_REFRESH_MISS           45138   1.14   279813K   1.12    1    4.22
  TCP_SWAPFAIL_MISS             38   0.00     19094   0.00    0    3.97
ERROR                        26514   0.67  11954009   0.05   70    0.01
  TCP_MISS                   22614   0.57  10625538   0.04   78    0.01
  TCP_REFRESH_MISS            2685   0.07         0   0.00   37    0.00
  NONE                         901   0.02   1140085   0.00    0   41.78
  TCP_DENIED                   159   0.00    182942   0.00    0   42.76
  TCP_CLIENT_REFRESH_MISS      155   0.00      5444   0.00    8    0.00
-----------------------------------------------------------------------
Sum                        3951162           24374M           2    3.14

But formatted nicer via a web interface..

http://cord.de/tools/squid/calamaris/Welcome.html

Regards
Jay

 




RE: [squid-users] [Q] Squid Log Analyzers for Win32?

2003-11-10 Thread Jay Turner
Also try SawMill..

www.sawmill.net

It's fantastic!

 -Original Message-
 From: Serassio Guido [mailto:[EMAIL PROTECTED]
 Sent: Monday, 10 November 2003 4:52 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [squid-users] [Q] Squid Log Analyzers for Win32?
 
 
 Hi,
 
 At 22.14 09/11/2003, Donovan J. Edye wrote:
 
 G'Day,
 
 Does anyone know of any squid log analyzers (like Calamaris 
 etc.) for Win32?
 
 Try webalizer for win32:
 
 http://www.medasys-lille.com/webalizer/
 
 Regards
 
 Guido
 
 
 
 -
 
 Guido Serassio
 Acme Consulting S.r.l.
 Via Gorizia, 69 10136 - Torino - ITALY
 Tel. : +39.011.3249426  Fax. : +39.011.3293665
 Email: [EMAIL PROTECTED]
 WWW: http://www.acmeconsulting.it/
 
 
 



[squid-users] IE6 SP1 Bug NTLM

2003-10-27 Thread Jay Turner
Hi All,

I'm aware of the bug in IE 6 SP1 when using Basic Authentication, I was just
wondering if anyone knows if NTLM (winbind) can be affected by it.

I have a client using Squid and NTLM via winbind who has some IE6 SP1
clients exhibiting this same behaviour (Page not returned initially but
pressing refresh then displays the page).

I'm trying to determine if it is the IE6 bug or possibly a DNS issue.

Thanks
Jay




RE: [squid-users] Authentication by NT Domain Server

2003-09-24 Thread Jay Turner
See the FAQ regarding Authentication and the Winbind helpers

Regards
Jay

 -Original Message-
 From: Altrock, Jens [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 24 September 2003 9:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: [squid-users] Authentication by NT Domain Server


 Hi all!

 Am new to this group (and to squid), so sorry if my question is little bit
 outdated :)

 I am setting up a Squid proxy server on a machine that network
 users should
 use as
 proxy :) The network behind though is a Windows NT Domain, so I
 want to use
 the
 NT authentication to register when using the proxy (so only authenticated
 users can
 use that proxy). Is there a possibility to realize that and if where can I
 get information
 about that?

 Thanks in advance,

 Jens Altrock







RE: [squid-users] no cache on website

2003-09-18 Thread Jay Turner
Will always_direct produce the same results?

ie pages won't be served from the cache as the request will be sent directly
to the origin server.
Or is this only applicable in proxy chaining?

 -Original Message-
 From: Marc Elsen [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 18 September 2003 4:10 PM
 To: Fritz Mesedilla
 Cc: [EMAIL PROTECTED]
 Subject: Re: [squid-users] no cache on website




 Fritz Mesedilla wrote:
 
  Hello!
  I have a simple question... I want certain websites not to be
 cached by squid.
  For example, we have a stats website and we don't want it cached.
  How do this?
 
 
  Checkout the :

   no_cache

  directive in squid.conf.

  M.






RE: [squid-users] prevent users from downloading very large files from internet ONLY

2003-09-04 Thread Jay Turner
You have defined the ACL name as SubnetB
but you reference it in your reply_body_max rule as subnetB

From memory squid.conf is case-sensitive, is it not?

 -Original Message-
 From: Karmila Sari [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 4 September 2003 2:08 PM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] prevent users from downloading very large files
 from internet ONLY
 
 
 Hi,
 
 I would like to prevent users from downloading very
 large files from internet ONLY,but allow unlimited
 download size from our local web server. I've
 construct the ACL as bellow, but it seem it did not
 working.
 
 acl weblocal dst 192.168.1.0/255.255.255.0
 acl subnetA src 192.168.2.0/255.255.255.0
 acl SubnetB src 192.168.3.0/255.255.255.0
 
 reply_body_max_size 1048576 allow subnetA #10MB
 reply_body_max_size 1048576 allow subnetB #10MB
 reply_body_max_size 0 allow weblocal  #unlimited
 
 Would you please point me to the right direction? Any
 help would be great!
 
 regards,
 karmila
 
 
 
 
 

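The following is an added example (editor's, a simplified model and not Squid's own code) covering the access-list questions raised in this message and in the earlier "IE improperly prompts for credentials" and "maxconn" replies: a small evaluator for http_access lines with the rules Squid applies. Every acl named on one line must match (they are ANDed), lines are tried in order and the first matching line decides, and when no line matches the result is the opposite of the last line. ACL names are looked up case-sensitively, so the subnetB/SubnetB mismatch above is rejected at parse time, which is what Squid does too (it refuses the configuration with "ACL name not found"). Run against the configurations from those messages, the model also shows that "http_access allow all AuthorizedUsers" still requires the request to satisfy AuthorizedUsers under the AND rule; the only difference from "allow AuthorizedUsers" followed by "deny all" is what happens to a request matching no line. The request dicts, addresses and connection counts are constructed, and only the src, dst, proxy_auth and maxconn acl types are modelled.

```python
# Added example (not from the thread, not Squid code): a simplified model of
# Squid's http_access evaluation, used to check the configs discussed above.
import ipaddress


class ConfigError(Exception):
    """Raised where real Squid would refuse to start with a parse error."""


def parse_config(text):
    """Collect acl definitions and http_access rules from a squid.conf fragment.
    ACL names referenced by http_access or reply_body_max_size must already be
    defined, and the lookup is case-sensitive (as Squid's is)."""
    acls, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, *values = parts[1:]
            acls[name] = (acl_type, values)
        elif parts[0] in ("http_access", "reply_body_max_size"):
            # http_access allow|deny NAME...
            # reply_body_max_size SIZE allow|deny NAME...
            names = parts[3:] if parts[0] == "reply_body_max_size" else parts[2:]
            for n in names:
                if n.lstrip("!") not in acls:
                    raise ConfigError(f"line {lineno}: ACL name '{n}' not found")
            if parts[0] == "http_access":
                rules.append((parts[1], names))
    return acls, rules


def acl_matches(acls, name, request):
    """Evaluate one acl against a request. The request is a constructed dict:
    src and dst addresses, the authenticated user (None if none) and the
    client's current connection count."""
    acl_type, values = acls[name]
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(request[acl_type])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "proxy_auth":        # REQUIRED: any authenticated user matches
        return request.get("user") is not None
    if acl_type == "maxconn":           # matches once the client exceeds N connections
        return request.get("connections", 0) > int(values[0])
    raise ConfigError(f"acl type '{acl_type}' not modelled here")


def http_access(acls, rules, request):
    """First http_access line whose acls ALL match decides; if none matches,
    the result is the opposite of the last line (allow when there are no lines).
    Simplification: real Squid answers an unauthenticated client that hits a
    proxy_auth acl with a 407 challenge rather than a plain deny."""
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), request) != n.startswith("!")
               for n in names):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, request):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, request)


# Constructed configurations mirroring the ones discussed in the thread.
ALLOW_ALL_AUTH = """
acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
"""

AUTH_THEN_DENY = """
acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all
"""

MAXCONN = """
acl localnet src 172.16.0.0/19
acl ahost src 172.16.1.1
acl conn_15 maxconn 15
http_access deny ahost conn_15
http_access allow localnet
"""

CASE_MISMATCH = """
acl SubnetB src 192.168.3.0/255.255.255.0
reply_body_max_size 1048576 allow subnetB
"""

if __name__ == "__main__":
    anon = {"src": "192.168.3.7", "dst": "203.0.113.9", "user": None}
    print(decide(ALLOW_ALL_AUTH, anon), decide(ALLOW_ALL_AUTH, {**anon, "user": "jay"}))
```

In the maxconn configuration only 172.16.1.1 is ever denied, and only while it holds more than 15 connections; every other localnet client reaches the allow line, which is the per-host limit the maxconn reply was after.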


RE: [squid-users] wb_group

2003-08-03 Thread Jay Turner
You need to supply the account name and the group to the wb_group helper.

OK will be returned if the user provided is in the group provided.

ie DOMAIN\\username Domain Users

See if that helps

Regards
Jay

 -Original Message-
 From: Simon Bryan [mailto:[EMAIL PROTECTED]
 Sent: Monday, 4 August 2003 9:13 AM
 To: [EMAIL PROTECTED]
 Subject: [squid-users] wb_group
 
 
 Hi all,
 I am working my way through why the delay_pools do not work for 
 me, I suspected
 winbind and have been rebuilding everything. I have an issue with 
 wb_group that I
 can't resolve. If I use wb_group -d and enter a valid username I 
 get a list of
 groups as below:
 
 student
 /wb_group[22779](wb_check_group.c:343): Got 'student' from Squid 
 (length: 7).
 /wb_group[22779](wb_check_group.c:237): 
 SID:S-1-5-21-8915387-1576539265-1404200075-513
 /wb_group[22779](wb_check_group.c:237): 
 SID:S-1-5-21-8915387-1576539265-1404200075-3041
 /wb_group[22779](wb_check_group.c:237): 
 SID:S-1-5-21-8915387-1576539265-1404200075-3530
 ERR
 
 However it always terminates with an ERR which seems to me what 
 it must be sending
 to Squid so the users never fall into a group.
 I am using the Squid snapshot from 3rd August and Samba 2.2.8a, I 
 have copied over
 the winbindd_nss.h file over the top of the Squid.
 
 Squid -v gives:
 Squid Cache: Version 2.5.STABLE3-20030803
 configure options:  --enable-delay-pools --enable-auth=ntlm,basic
 --enable-basic-auth-helpers=winbind --enable-ntlm-helpers=winbind
 
 
 wb_info gives all the right answers.
 
 Any clues appreciated.
 
 
 As a second question, when using wb_group in an acl do you use 
 the NT group name eg
 'teachers' or the SID number as given by wb_group on the command line?
 
 Cheers,
 
 
 Simon Bryan
 IT Manager
 OLMC Parramatta
 
 



RE: [squid-users] wb_group

2003-08-03 Thread Jay Turner
I think you have your ACL's wrong.

That said I haven't tried it with multiple groups as you have.
I use a file located on the file system to list my groups that I want
to allow internet access to.

I use an external file for listing the groups as you cannot list groups in
squid.conf if they have a space in them (Domain Users for example)

Below are the relevant excerpts from my squid.conf:

snip==
external_acl_type NTGroups %LOGIN /usr/lib/squid/wb_group
acl InternetUsers external NTGroups /etc/squid/ntgroups-access
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow AuthorizedUsers InternetUsers
http_access deny all
=end snip=

where ntgroups-access contains:
Domain Users
Administrators

**Note Make sure there is no blank line after the last listed NT group in
the access file.
Otherwise it doesn't work.

Regards
Jay

 -Original Message-
 From: Simon Bryan [mailto:[EMAIL PROTECTED]
 Sent: Monday, 4 August 2003 11:20 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: [squid-users] wb_group


 Jay Turner said:
  You need to supply the account name and the group to the
 wb_group helper.
 
  OK will be returned if the user provided is in the group provided.
 
  ie DOMAIN\\username Domain Users
 
  See if that helps


 Yes it works from the command line OK with that syntax. Does Squid do that
 automatically? If not how do you configure the acl? I have the
 following at the
 moment:

 acl winauth external wb_group wwwusers
 acl banned external wb_group banned
 acl staff external wb_group Teachers
 acl students external wb_group Students




  Regards
  Jay
 
  -Original Message-
  From: Simon Bryan [mailto:[EMAIL PROTECTED]
  Sent: Monday, 4 August 2003 9:13 AM
  To: [EMAIL PROTECTED]
  Subject: [squid-users] wb_group
 
 
  Hi all,
  I am working my way through why the delay_pools do not work for
  me, I suspected
  winbind and have been rebuilding everything. I have an issue with
  wb_group that I
  can't resolve. If I use wb_group -d and enter a valid username I
  get a list of
  groups as below:
 
  student
  /wb_group[22779](wb_check_group.c:343): Got 'student' from Squid
  (length: 7).
  /wb_group[22779](wb_check_group.c:237):
  SID:S-1-5-21-8915387-1576539265-1404200075-513
  /wb_group[22779](wb_check_group.c:237):
  SID:S-1-5-21-8915387-1576539265-1404200075-3041
  /wb_group[22779](wb_check_group.c:237):
  SID:S-1-5-21-8915387-1576539265-1404200075-3530
  ERR
 
  However it always terminates with an ERR which seems to me what
  it must be sending
  to Squid so the users never fall into a group.
  I am using the Squid snapshot from 3rd August and Samba 2.2.8a, I
  have copied over
  the winbindd_nss.h file over the top of the Squid.
 
  Squid -v gives:
  Squid Cache: Version 2.5.STABLE3-20030803
  configure options:  --enable-delay-pools --enable-auth=ntlm,basic
  --enable-basic-auth-helpers=winbind --enable-ntlm-helpers=winbind
 
 
  wb_info gives all the right answers.
 
  Any clues appreciated.
 
 
  As a second question, when using wb_group in an acl do you use
  the NT group name eg
  'teachers' or the SID number as given by wb_group on the command line?
 
  Cheers,
 
  
  Simon Bryan
  IT Manager
  OLMC Parramatta
 
 
 


 
 Simon Bryan
 IT Manager
 OLMC Parramatta






RE: [squid-users] NTLM Domain Membership Issue

2003-07-30 Thread Jay Turner
Hi Guido,

I don't think this is the problem.

Preliminary testing is pointing to incorrect security policies being
deployed to the client workstations with LAN Authentication set to NTLM
Responses only rather than LM & NTLM Responses.

I am still proving this in the development environment and scheduled to go
back out onsite tomorrow to test if this resolves the issue in the
production environment.

I'll inform the list of my results.

Thanks
Jay

 -Original Message-
 From: Serassio Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 31 July 2003 3:53 AM
 To: [EMAIL PROTECTED]; Serassio Guido
 Cc: [EMAIL PROTECTED]
 Subject: RE: [squid-users] NTLM & Domain Membership Issue


 Hi Jay,

 Sorry for the delayed response, but now I'm very busy.

 At 07.16 27/07/2003, Jay Turner wrote:



   -Original Message-
   From: Serassio Guido [mailto:[EMAIL PROTECTED]
   Sent: Saturday, 26 July 2003 3:20 PM
   To: [EMAIL PROTECTED]
   Cc: [EMAIL PROTECTED]
   Subject: Re: [squid-users] NTLM & Domain Membership Issue
  
  
   Hi,
  
   At 08.05 26/07/2003, Jay Turner wrote:
  
   Hi All,
   
   I am experiencing an unusual problem with NTLM and Domain
 Membership..
   
   Environment:
   Red Hat 7.3
   Squid2.5-STABLE2
   Samba 2.2.7-3.7.3 (Red Hat)
   Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
   WinXP SP1, IE6 SP1 + all current patches applied
   
   Background:
   I have deployed Squid and NTLM a number of times now so I
 have a bit of
   experience installing & trouble shooting it.
   Winbindd is working correctly from the command line with
 wbinfo -t, -u,
   -g, -r and -a all performing correctly.
   wb_auth from the command line also works correctly and so
 does wb_group
   So from what I can see Winbindd is working fine.
   
   If I have a client computer (Win2000 or WinXP) that is on the
 network, but
   not a member of the domain and I access the
   proxy, I receive an authentication window. This is correct
 as NTLM will
   fail as it is not a member of the domain and fall
   back to Basic. I can enter a valid username/password/domain and then
   access the proxy correctly. Cache and access.log all report
 the correct
   behaviour as I expect.
   
   As soon as I add this client computer to become a member of
 the domain,
   everything stops working.
   NTLM authentication does not work, and neither does Basic
   authentication.
   The browser sits there for a second then displays
   the standard IE 'Page cannot be found'.
   
   I have increased debugging on Authentication in squid.conf and run
   winbindd in debug mode (winbindd -i -d 3) to try and establish the
   problem. When a client on the domain requests a page
 cache.log reports
   authenticateValidateUser: Validating Auth_user request '0x8413238'
   authenticateValidateUser: Validated Auth_user request '0x8413238'
   User not fully authenticated
   
   But nothing is being recorded by Winbindd (as opposed to
 when it works).
   
   This message could hold the key, but I'm not entirely sure where
   I should
   look next for this.
   
   
   
   I have reams of log files with debugging turned right up which I
   can post
   specific sections of if required, but I'm not going to post
 all of them
   now for people to wade through.
   
   I commented out wb_ntlmauth in squid.conf and tried using just
   wb_auth to
   see if I could get the basic auth to work and that did the
 same thing..
   
   The interesting thing is that I brought this server back to my
   office and
   changed its IP address and made it a member of our Windows NT4
   domain and
   then using the same Win XP client from the other network
 (it's a laptop)
   it works perfectly!!
   
   This leads me to believe that there must be something in the way
   their AD
   is setup that might be causing this problem??
   
   Any advice will be greatly appreciated.
  
   Some tips:
  
   - Have you restarted Squid after disabling NTLM authentication?
   - an AD replication problem ? Samba should use always the DC
 that acts as
   PDC emulator
   - some strange behaviour of DNS caching
  
   Hoping to help you
  
   Regards
  
   Guido
 
 Hi Guido,
 
 1)I don't specifically remember restarting Squid, but I would have
 definitely issued a 'squid -k reconfigure'.
 Is it necessary when dealing with winbind to actually issue
 'service squid
 restart'?

 If I'm not wrong, when the authentication schema are changed,
 squid should
 be restarted.

 2)I'm not a Windows 2000 admin (which makes this harder) so while I
 understand what you are saying, I'm not sure how
   it might affect me and this install. I believe there is only
 one AD server
 that authenticates user logins in this network
   but I will follow that up
 
 3) It's funny you mention DNS caching because I did notice some
 strange DNS
 behaviour onsite.

 It's not so funny, AD domains are DNS based and Microsoft DNS
 sometimes is
 very strange 

 While trying to isolate the problem I noticed by using

[squid-users] NTLM Domain Membership Issue

2003-07-26 Thread Jay Turner
Hi All,

I am experiencing an unusual problem with NTLM and Domain Membership..

Environment:
Red Hat 7.3
Squid2.5-STABLE2
Samba 2.2.7-3.7.3 (Red Hat)
Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
WinXP SP1, IE6 SP1 + all current patches applied

Background:
I have deployed Squid and NTLM a number of times now so I have a bit of experience 
installing & troubleshooting it.
Winbindd is working correctly from the command line with wbinfo -t, -u, -g, -r and -a 
all performing correctly.
wb_auth from the command line also works correctly and so does wb_group
So from what I can see Winbindd is working fine.

If I have a client computer (Win2000 or WinXP) that is on the network, but not a member 
of the domain and I access the 
proxy, I receive an authentication window. This is correct as NTLM will fail as it is 
not a member of the domain and fall
back to Basic. I can enter a valid username/password/domain and then access the proxy 
correctly. Cache and access.log all report the correct behaviour as I expect.

As soon as I add this client computer to become a member of the domain, everything 
stops working.
NTLM authentication does not work, and neither does Basic authentication. The browser 
sits there for a second then displays
the standard IE 'Page cannot be found'.

I have increased debugging on Authentication in squid.conf and run winbindd in debug 
mode (winbindd -i -d 3) to try and establish the problem. When a client on the domain 
requests a page cache.log reports 
authenticateValidateUser: Validating Auth_user request '0x8413238'
authenticateValidateUser: Validated Auth_user request '0x8413238'
User not fully authenticated

But nothing is being recorded by Winbindd (as opposed to when it works).

This message could hold the key, but I'm not entirely sure where I should look next 
for this.



I have reams of log files with debugging turned right up which I can post specific 
sections of if required, but I'm not going to post all of them now for people to wade 
through.

I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to see if I 
could get the basic auth to work and that did the same thing..

The interesting thing is that I brought this server back to my office and changed its 
IP address and made it a member of our Windows NT4 domain and then using the same Win 
XP client from the other network (it's a laptop) it works perfectly!!

This leads me to believe that there must be something in the way their AD is setup 
that might be causing this problem??

Any advice will be greatly appreciated.

Thanks

Regards
Jay





RE: [squid-users] Winbind problem

2003-07-21 Thread Jay Turner
Try adding

# Misc
winbind enum users = yes
winbind enum groups = yes

To smb.conf

Regards
Jay

-Original Message-
From: Tony Melia (DMS) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 July 2003 5:11 AM
To: '[EMAIL PROTECTED]'
Subject: [squid-users] Winbind problem


Hi, I know in advance that this question is more of a samba related one than
squid, but there are a lot of winbind users here, so I will throw it at you
anyway.  I am still trying to get squid and winbind talking so I can control
access via groups.  I found that I get a 'cannot enum groups' error if I
include the domain name.  For example, here are 2 attempts using wb_group on
the command line;

I give 'mydomain\\administrator ProxyUsers'
and get.
/wb_group[2860](wb_check_group.c:343): Got 'mydomain\\administrator
ProxyUsers' from Squid (length: 34).
/wb_group[2860](wb_check_group.c:231): Warning: Can't enum user groups.

I give administrator ProxyUsers
and get.
/wb_group[2860](wb_check_group.c:343): Got 'administrator ProxyUsers' from
Squid (length: 24).
/wb_group[2860](wb_check_group.c:237): SID:
S-1-5-21-1232230414-721959228-1536833037-513
/wb_group[2860](wb_check_group.c:196): Stripping domain from group name
MYDOMAIN\Domain Users
/wb_group[2860](wb_check_group.c:201): Windows group: Domain Users, Squid
group: ProxyUsers
/wb_group[2860](wb_check_group.c:237): SID:
S-1-5-21-1232230414-721959228-1536833037-512
/wb_group[2860](wb_check_group.c:196): Stripping domain from group name
MYDOMAIN\Domain Admins
/wb_group[2860](wb_check_group.c:201): Windows group: Domain Admins, Squid
group: ProxyUsers

as you can see, leaving out the domain works, but I do need multi domains
working.  I have this problem on 2 different boxs.

squid was built with
./configure --prefix=/usr --enable-delay-pool --enable-snmp
--enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers=winbind,fakeauth
--enable-external-acl-helpers=winbind_group

samba built with...

./configure --prefix=/usr --with-winbind --with-winbind-auth-challenge
--with-smbmount --with-pam --with-acl-support


relevant snippit of smb.conf is;

[global]
workgroup = mydomain
server string = Samba Server
log file = /var/log/samba/log.%m
log level = 4
max log size = 50
security = domain
password server = testserver
encrypt passwords = yes
winbind uid = 1-65000
winbind gid = 1-65000
winbind separator = +


relevant squid.conf bits are;

auth_param ntlm program /usr/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes


acl all src 10.0.0.0/255.255.255.0
#http_access allow all

external_acl_type winbind-group %LOGIN /usr/libexec/wb_group -d

acl myProxyUsers external winbind-group ProxyUsers
acl password proxy_auth REQUIRED

http_access allow myProxyUsers
http_access deny all

___
This is authenticating against NT4 at the moment, also have same issue
against win2k - the group I am using for testing is ProxyUsers.

Thanks in advance.


Downs MicroSystems Pty Ltd
145 Margaret Street
Toowoomba Qld 4350
Ph. (07) 4639 3344 Fax (07) 4639 3820





RE: [squid-users] Running squid -k reconfigure frequently

2003-07-20 Thread Jay Turner
I have been running Squid versions 2.4 STABLE6 - 2.5 STABLE2 and I have a
system that also uses reconfigure frequently to update blocking lists
automatically for squidGuard.

I generally use a 5 minute interval scheduled in cron but I use a token file
that is checked for before I issue a reconfigure. That is, reconfigure is
only called if changes have been made (which is infrequent, but could occur
at any time). I have found this system to work quite well for our systems.
During testing, I have even gone down to once a minute, but again,
reconfigure will only be triggered if it is required.

There is a slight disruption to service during a reconfigure, but it is
negligible and generally unnoticeable by end-users in my experience.

Regards
Jay

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, 19 July 2003 4:53 PM
To: Steve Cody
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Running squid -k reconfigure frequently


On Saturday 19 July 2003 06.44, Robert Collins wrote:

 Well, this will negatively impact squid. There is a slight delay in
 all requests every time reconfigure is run.

And it is also a thing which is not very much tested. It is quite
likely you will uncover several yet unknown Squid bugs/problems if
doing this.

What kind of changes is the reason to needing this?

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]





RE: [squid-users] winbind and samba

2003-07-17 Thread Jay Turner
And isn't this compatibility known as mixed-mode??

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, 17 July 2003 2:55 PM
To: [EMAIL PROTECTED]; Tony Grace; 'squid'
Subject: Re: [squid-users] winbind and samba


On Thursday 17 July 2003 07.07, Jay Turner wrote:

 I have had it working no worries against 2000 server's in
 mixed-mode, but have read conflicting reports about NTLM in native
 mode.

If wbinfo -a says challenge/response works then it is fine.

This requires compatibility with NT4 to be enabled in the directory.

Regards
Henrik







RE: [squid-users] winbind and samba

2003-07-17 Thread Jay Turner
Hi Guido,

I found your post from February regarding this issue and I now understand
what you are saying.

As I will be connecting to a pre-existing AD that was not setup by me, could
you tell me where I could find in Windows 2000 server that will tell me if
the AD is configured for Pre Windows 2000 compatibility??

If the server has not been configured for pre-compatibility, am I able to
change a setting somewhere so that it will be?

Thanks for your help
Jay

-Original Message-
From: Serassio Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, 17 July 2003 5:11 PM
To: [EMAIL PROTECTED]; Henrik Nordstrom
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] winbind and samba


Hi,

At 09.37 17/07/2003, Jay Turner wrote:

And isn't this compatibility known as mixed-mode??

No, if your squid works fine in mixed-mode, it works in native mode too.

What is needed for running Squid + NTLM + Winbind + Samba + AD is the Pre
Windows 2000 compatibility configured during the installation of AD
(DCPromo of the FIRST DC in the domain). As Henrik says, see previous posts
for more details.

Regards

Guido

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, 17 July 2003 2:55 PM
To: [EMAIL PROTECTED]; Tony Grace; 'squid'
Subject: Re: [squid-users] winbind and samba


On Thursday 17 July 2003 07.07, Jay Turner wrote:

  I have had it working no worries against 2000 server's in
  mixed-mode, but have read conflicting reports about NTLM in native
  mode.

If wbinfo -a says challenge/response works then it is fine.

This requires compatibility with NT4 to be enabled in the directory.

Regards
Henrik



-

Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/




RE: [squid-users] winbind and samba

2003-07-17 Thread Jay Turner
I would appreciate it very much if you are able to confirm that for me.

If this group does not exist am I in trouble? Does NTLM then no longer
become an option for me?

-Original Message-
From: Robert Collins [mailto:[EMAIL PROTECTED]
Sent: Thursday, 17 July 2003 5:32 PM
To: [EMAIL PROTECTED]
Cc: Serassio Guido; Henrik Nordstrom; [EMAIL PROTECTED]
Subject: RE: [squid-users] winbind and samba


On Thu, 2003-07-17 at 19:19, Jay Turner wrote:
 Hi Guido,

 I found your post from February regarding this issue and I now understand
 what you are saying.

 As I will be connecting to a pre-existing AD that was not setup by me,
could
 you tell me where I could find in Windows 2000 server that will tell me if
 the AD is configured for Pre Windows 2000 compatibility??
Look for a group called Pre Windows 2000 Compatible access (IIRC).

If that exists, it /should/ have the appropriate permissions on it, and all
domain members in it. Again, going off memory. I can confirm tomorrow
morning if needed...

Rob
--
GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.




RE: [squid-users] winbind and samba

2003-07-16 Thread Jay Turner
Just out of interest.

Has anyone had success using winbind/ntlm authentication against a Windows
2000 server running in native mode?

I have had it working no worries against 2000 servers in mixed-mode, but
have read conflicting reports about NTLM in native mode.

I am hoping someone can provide some guidance so I am not forced to build a
native mode Win2K AD myself to test it.

Squid-2.5STABLE2
RedHat Samba-2.2.7-3.7.3

Thanks
Jay

-Original Message-
From: Tony Grace [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 July 2003 11:49 AM
To: 'Rodriguez Quintero, Juan Diego, SYNAPSIS Perú'; 'squid'
Subject: RE: [squid-users] winbind and samba


I also have this problem.
I have reset the machine account on the Windows 2003 server.

Also wb_auth works with 'username password' but does not work with
'domain\username password'
I am using squid Squid Cache: Version 2.5.STABLE3 with
--enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers=winbind
Samba 2.2.8a with --with-winbind --with-winbind-auth-challenge

smbpasswd -j DOMAIN -r works

Regards
Tony


-Original Message-
From: Rodriguez Quintero, Juan Diego, SYNAPSIS Perú
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 July 2003 8:08 AM
To: squid
Subject: [squid-users] winbind and samba


Hi...

I have some trouble configuring winbind and samba 2.2.6 on a RedHat 8.0

I included the next options on samba configuration --with-winbind
--with-winbind-auth-challenge

Also edited the smb.conf file and join the linux to the domain.

When I test winbind functionalities with:
winbind -t   It works
winbind -u   It works. I get the domain users list
winbind -p   It works

and when i test
winbind -a user%passwd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)

but when i add the domain options i get the next error
winbind -a domain\\user%passwd
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
Could not authenticate user domain\user%passwd with plaintext password

Any ideas?

Juan Diego




RE: [squid-users] redirector_access usage

2003-06-24 Thread Jay Turner
I have spent a few more hours this morning testing this more thoroughly.

This time I was making no changes to any of my NT Global Groups I just
surfed the web seeing how often I would be correctly blocked from accessing
a site. The results were very bad.
Maybe 1 in 5 requests were being sent to the redirector by the
redirector_access rule. I'm unsure if I am doing anything wrong, or if it is
the combination of redirector_access and wb_groups not getting along.
All I know is I will be unable to use this in a production environment.

I'd log a bug, but I don't really know what to say or be able to provide any
concrete evidence (except for what I have supplied below)... All I can say
is this feature may need reviewing sometime in the future.

Again here were my ACL's/access rules:

acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers



cache.log - debug 61,9

2003/06/25 10:31:19| redirectStart: 'http://www.porn.com/'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/back.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/spacer.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/p_top.jpg'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/today_top.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/baba.gif'
2003/06/25 10:31:21| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=domain\jturner&url=http://www.porn.com/images2/baba.gif 10.20.10.122/- domain\jturner GET}
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/1.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/light.gif'
2003/06/25 10:31:21| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=domain\jturner&url=http://www.porn.com/images2/light.gif 10.20.10.122/- domain\jturner GET}

As you can see only 2 of the 10 requests were sent to the redirector. When
they did go, they were correctly blocked.

Thanks for your time
Jay

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 June 2003 4:49 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [squid-users] redirector_access usage


On Tuesday 24 June 2003 04.17, Jay Turner wrote:

 i.e. I add a 'Staff' member to 'block' and they lose access
 (correct), then I remove them from 'block' to re-instate access and
 then I find that the Staff member now gets passed through to the
 redirector rather than bypassing it.

This should be dependent on the ttl setting only, but maybe winbind
also have cached group memberships for the user..

Try running the wb_group helper interactively to see if it reacts
properly to group changes.

Regards
Henrik





[squid-users] redirector_access usage

2003-06-23 Thread Jay Turner
Hi All,

I'm having some trouble getting the redirector_access directive to work
correctly for me with SquidGuard.
I'm using Squid2.5STABLE2 with Winbind/NTLM Group authentication
(wb_ntlmauth, wb_group), but I have tried on STABLE3 also with no luck.

I have three global groups on my NT domain - staff, students, block
Staff have unfiltered access
Students are filtered through squidguard
Users from both these groups can be added to the block group to disable
their access for whatever reason

The problem I am having is that when I add a user to the block group, it
blocks as planned, but when I subsequently remove them, the
redirector_access isn't working correctly.

i.e. I add a 'Staff' member to 'block' and they lose access (correct), then
I remove them from 'block' to re-instate access and then I find that the
Staff member now gets passed through to the redirector rather than bypassing
it.
From cache.log:
2003/06/24 10:02:41| redirectStart: 'http://www.traxxas.com/products/index.html'
2003/06/24 10:02:41| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&url=http://www.traxxas.com/products/index.html 10.20.10.122/- domain\jturner GET}

But the redirector doesn't even function correctly as this website
(www.traxxas.com) is not in my whitelist. So most of the page loads and only
some elements are blocked. If I restart Squid then the page is fully
blocked, but forcing a refresh on my browser a couple of times will then
half display the page again.
As soon as I take out redirect_access (making everyone go through
redirector) everything works as expected.

I think the issue is probably with my ACL ordering, even though I have tried
numerous combinations.
I have verified that the user's group ACL's are being properly evaluated via
cache.log, so it's not that.

Below are the pertinent lines from squid.conf

#Helper
external_acl_type NTGroups ttl=10 negative_ttl=10 %LOGIN
/usr/lib/squid/wb_group # ttl=10 for rapid testing

#ACLS
acl all src 0.0.0.0/0.0.0.0
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers
redirector_access deny AuthorizedUsers UnfilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
http_access deny all

Any help would be appreciated.

Thanks

Regards
Jay




[squid-users] RE: redirector_access usage

2003-06-23 Thread Jay Turner
I think I have this sorted now..

I did some more detailed, structured testing and it appears that using the
following rules it does work, it just takes some time for squid to start
sending all requests to the redirector/the redirector to process them
correctly.

To test I was simply changing the group name in the ntgroups file and
issuing a reconfigure as required.

Below are the rules I tested with and the results:

#
# NTLM Rules
#
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers


Results:

Filtered - Works
Change to Unfiltered - Works
Change to Filtered - No response from redirector immediately, then only some
requests go through. Wait 2mins, close browser, force refresh - eventually
works.
Change to Unfiltered - Works
Change to Filtered - Works after about 20 seconds
Change to Blocked - Works
Change to Filtered - Not immediately, starts half working, eventually works
after about 1 min
==

Why is there this time delay? Why is the change not immediate like when
moving from filtered to unfiltered access?
Is there any way this delay could be reduced?

I'm actually fairly happy with these results as at least now I am aware of
what will happen when a change is made. (it won't start filtering
immediately, but eventually it will)

Jay


-Original Message-
From: Jay Turner [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 June 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: redirector_access usage


Hi All,

I'm having some trouble getting the redirector_access directive to work
correctly for me with SquidGuard.
I'm using Squid2.5STABLE2 with Winbind/NTLM Group authentication
(wb_ntlmauth, wb_group), but I have tried on STABLE3 also with no luck.

I have three global groups on my NT domain - staff, students, block
Staff have unfiltered access
Students are filtered through squidguard
Users from both these groups can be added to the block group to disable
their access for whatever reason

The problem I am having is that when I add a user to the block group, it
blocks as planned, but when I subsequently remove them, the
redirector_access isn't working correctly.

i.e. I add a 'Staff' member to 'block' and they lose access (correct), then
I remove them from 'block' to re-instate access and then I find that the
Staff member now gets passed through to the redirector rather than bypassing
it.
From cache.log:
2003/06/24 10:02:41| redirectStart: 'http://www.traxxas.com/products/index.html'
2003/06/24 10:02:41| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&url=http://www.traxxas.com/products/index.html 10.20.10.122/- domain\jturner GET}

But the redirector doesn't even function correctly as this website
(www.traxxas.com) is not in my whitelist. So most of the page loads and only
some elements are blocked. If I restart Squid then the page is fully
blocked, but forcing a refresh on my browser a couple of times will then
half display the page again.
As soon as I take out redirect_access (making everyone go through
redirector) everything works as expected.

I think the issue is probably with my ACL ordering, even though I have tried
numerous combinations.
I have verified that the user's group ACL's are being properly evaluated via
cache.log, so it's not that.

Below are the pertinent lines from squid.conf

#Helper
external_acl_type NTGroups ttl=10 negative_ttl=10 %LOGIN
/usr/lib/squid/wb_group # ttl=10 for rapid testing

#ACLS
acl all src 0.0.0.0/0.0.0.0
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers
redirector_access deny AuthorizedUsers UnfilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
http_access deny all

Any help would be appreciated.

Thanks

Regards
Jay
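
The delay measured above follows from the result cache in front of the external_acl_type helper (the ttl= and negative_ttl= options on the NTGroups line, the setting Henrik points to earlier in the thread). The following is an added example, not code from Squid or from any of the posts: it models that cache and the first-match evaluation of the redirector_access and http_access rules quoted above, with NT_GROUPS and the ntgroups-* file contents as constructed stand-ins for winbind and the real files.

```python
"""Model of how Squid 2.5 caches external ACL (wb_group) answers.

Added example; not code from Squid or from the posts above. It models the
ttl= / negative_ttl= result cache that sits in front of an external_acl_type
helper, plus first-match evaluation of the redirector_access and http_access
rules from the thread, so the delay seen after moving a user between NT
groups can be reproduced offline. NT_GROUPS and GROUP_FILES are constructed
stand-ins for winbind and for /etc/squid/ntgroups-*.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the NT domain: login -> set of global groups.
NT_GROUPS = {"domain\\jturner": {"staff"}}

# Constructed contents of the ntgroups-* files named in the acl lines.
GROUP_FILES = {
    "/etc/squid/ntgroups-filtered": ["students"],
    "/etc/squid/ntgroups-unfiltered": ["staff"],
    "/etc/squid/ntgroups-blocked": ["block"],
}

# The acl / access lines from the thread, as data.
ACLS = {
    "FilteredUsers": "/etc/squid/ntgroups-filtered",
    "UnfilteredUsers": "/etc/squid/ntgroups-unfiltered",
    "BlockedUsers": "/etc/squid/ntgroups-blocked",
}
REDIRECTOR_ACCESS = [("allow", ["AuthorizedUsers", "FilteredUsers"])]
HTTP_ACCESS = [
    ("deny", ["AuthorizedUsers", "BlockedUsers"]),
    ("allow", ["AuthorizedUsers", "FilteredUsers"]),
    ("allow", ["AuthorizedUsers", "UnfilteredUsers"]),
    ("deny", ["all"]),
]


def wb_group_helper(login, groups):
    """Stand-in for wb_group: OK (True) if the login is in any listed group."""
    return bool(NT_GROUPS.get(login, set()) & set(groups))


@dataclass
class ExternalAclCache:
    """Squid's result cache for one external_acl_type: a positive answer is
    reused for ttl seconds, a negative one for negative_ttl seconds."""
    ttl: int
    negative_ttl: int
    entries: dict = field(default_factory=dict)  # key -> (result, expires_at)

    def check(self, login, group_file, now):
        key = (login, group_file)
        hit = self.entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                      # served from cache, helper not asked
        result = wb_group_helper(login, GROUP_FILES[group_file])
        lifetime = self.ttl if result else self.negative_ttl
        self.entries[key] = (result, now + lifetime)
        return result


def acl_matches(name, cache, login, now):
    if name == "all":
        return True
    if name == "AuthorizedUsers":              # proxy_auth REQUIRED
        return login is not None
    return cache.check(login, ACLS[name], now)


def evaluate(rules, cache, login, now):
    """First rule whose ACLs all match wins; if none matches, Squid applies
    the opposite of the last rule's action."""
    for action, acls in rules:
        if all(acl_matches(a, cache, login, now) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def replay(ttl=10, negative_ttl=10):
    """Move domain\\jturner from staff to students at t=2 (and into block at
    t=20) and record what http_access and redirector_access decide."""
    cache = ExternalAclCache(ttl, negative_ttl)
    login = "domain\\jturner"
    NT_GROUPS[login] = {"staff"}
    seen = {}
    for now in (0, 3, 10, 20):
        if now == 3:
            NT_GROUPS[login] = {"students"}          # admin moved the user at t=2
        if now == 20:
            NT_GROUPS[login] = {"students", "block"}
        seen[now] = (evaluate(HTTP_ACCESS, cache, login, now),
                     evaluate(REDIRECTOR_ACCESS, cache, login, now))
    return seen


if __name__ == "__main__":
    for t, (http, redir) in replay().items():
        print(f"t={t:>2}s http_access={http:<5} redirector_access={redir}")
```

With ttl=10 the cached negative FilteredUsers answer keeps the user away from the redirector until the entry expires; with longer TTLs the same change stays invisible correspondingly longer, and any winbind-side cache adds to that.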




RE: [squid-users] iptables to limit connections

2003-06-16 Thread Jay Turner
taken from: http://www.cs.princeton.edu/~jns/security/iptables/

## SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this
# we divert tcp packets with the SYN bit set off to a user-defined chain.
# Up to limit-burst connections can arrive in 1/limit seconds. In this case
# 4 connections in one second. After this, one of the burst is regained
# every second and connections are allowed again. The default limit is
# 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 80 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "syn-flood-protection: "
iptables -A syn-flood -j DROP

Regards
Jay

-Original Message-
From: Ralf Hildebrandt [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 June 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] iptables to limit connections


* Henrik Nordstrom [EMAIL PROTECTED]:

  So I thought iptables --limit could do the trick.
  Before I reinvent the wheel, I'd like to ask if someone already has
  such a connection rate limiter per IP in place (and how it
  looks).

 iptables -m limit should handle such case nicely, but you will need
 one rule per client IP address... Something like the following should
 work I think:

 -N SYN
 -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
 -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
 
 -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
 -A SYN -j DROP
 -A INPUT -p tcp --syn -j SYN

Yes, but this requires identifying the evil client.

--
Ralf Hildebrandt (Im Auftrag des Referat V a)   [EMAIL PROTECTED]
Charite Campus MitteTel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze - Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix
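
To make the --limit/--limit-burst arithmetic in the rules above concrete, here is an added example (not code from the posts, from the Princeton page or from netfilter) that models the limit match as a token bucket and replays a constructed SYN trace through Jay's shared syn-flood chain and Henrik's one-rule-per-client sketch. The addresses and timings are made up.

```python
"""Token-bucket model of the "-m limit" rules quoted in this thread.

Added example; not code from the posts, the Princeton page or netfilter.
LimitMatch reproduces the documented limit/limit-burst behaviour (a bucket
that starts full, refills at --limit and never exceeds --limit-burst). The
two chain functions replay a constructed packet trace through the shared
syn-flood chain and through the per-client variant, returning the verdict
each packet gets, so the difference Ralf points out (a shared bucket drowns
every client once one host floods) can be checked offline.
"""


class LimitMatch:
    """-m limit --limit <rate>/s --limit-burst <burst>."""

    def __init__(self, rate, burst):
        self.rate = float(rate)     # tokens regained per second
        self.burst = float(burst)   # bucket capacity; the bucket starts full
        self.tokens = self.burst
        self.last = 0.0

    def matches(self, now):
        """True (the rule matches) if a token is available at time `now`.
        Packets must be fed in non-decreasing time order."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(packets, rate=1.0, burst=80):
    """Jay's rules: every SYN enters syn-flood; within the limit it RETURNs
    to INPUT, otherwise it is logged and dropped. One bucket for all sources."""
    bucket = LimitMatch(rate, burst)
    return ["RETURN" if bucket.matches(t) else "DROP" for t, _src in packets]


def per_client_chain(packets, known_clients, rate=1.0, burst=5):
    """Henrik's sketch: one '-s <ip> -m limit -j ACCEPT' rule per known
    client, then a catch-all LOG and DROP. Each client has its own bucket."""
    buckets = {ip: LimitMatch(rate, burst) for ip in known_clients}
    verdicts = []
    for t, src in packets:
        bucket = buckets.get(src)
        if bucket is not None and bucket.matches(t):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")   # reached only after the LOG rule
    return verdicts


# Constructed trace: 100 SYNs from one host at t=0, a normal client's single
# SYN half a second later, then the first host again after a quiet minute.
SAMPLE_PACKETS = ([(0.0, "10.0.0.99")] * 100
                  + [(0.5, "10.0.0.5"), (60.0, "10.0.0.99")])


def summarize(verdicts, packets):
    """Count verdicts per source address."""
    counts = {}
    for (_t, src), verdict in zip(packets, verdicts):
        per_src = counts.setdefault(src, {})
        per_src[verdict] = per_src.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    shared = syn_flood_chain(SAMPLE_PACKETS)
    split = per_client_chain(SAMPLE_PACKETS, ["10.0.0.5", "10.0.0.99"])
    print("shared bucket:", summarize(shared, SAMPLE_PACKETS))
    print("per client   :", summarize(split, SAMPLE_PACKETS))
```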





RE: [squid-users] Re: Squid_ldap_group vs. Notes

2003-03-19 Thread Jay Turner
I wanted to know if I was able to get the context of their login to log what
department they belonged to perhaps.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 19 March 2003 4:13 PM
To: Jay Turner
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Re: Squid_ldap_group vs. Notes


On Wed, 19 Mar 2003, Jay Turner wrote:

 In follow up to this, squid_ldap_auth shows only the username in the
 access.log.

 Would squid_ldap_group be able to show the user's context? ie
 sales.company.username or similar?

It is only intended to log the username the user entered when logging in
to the proxy.

 If squid_ldap_group is unable to do this, is there any way I can obtain
this
 functionality?

Why do you want to log something else than what the user logged in as?

Regards
Henrik






RE: [squid-users] Re: Squid_ldap_group vs. Notes

2003-03-18 Thread Jay Turner
In follow up to this, squid_ldap_auth shows only the username in the
access.log.

Would squid_ldap_group be able to show the user's context? ie
sales.company.username or similar?

If squid_ldap_group is unable to do this, is there any way I can obtain this
functionality?

Thanks
Regards
Jay

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 March 2003 4:21 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [squid-users] Re: Squid_ldap_group vs. Notes


squid_ldap_auth verifies the users login and password.

squid_ldap_group checks if the user belongs to certain groups.

The % codes expand to different values in different contexts and their use
(where applicable) is documented in the manpage documentation for each
helper.

Regards
Henrik

On Wed, 12 Mar 2003 [EMAIL PROTECTED] wrote:


 Henrik,

 I can't get it. Can you explain to me what squid_ldap_auth does? And
 squid_ldap_group? Why are the two programs necessary together? And the
 difference between %a, %s, %v, %u?

 Thanks a lot.







[squid-users] wb_group space issue

2003-02-27 Thread Jay Turner
Hi All,

I have successfully got wb_group installed and running on my Squid2.5-STABLE1 install.

I am having a problem with NT domains that have a space in them (Domain Users).

I downloaded the squid-2.5.STABLE1-spaces.patch file and it appears to have applied 
correctly:

patching file src/cache_cf.c
Hunk #1 succeeded at 2433 (offset -5 lines).

It's a new install so 'make distclean' is not required (i blow away my test machine 
completely when testing this stuff to be absolutely sure)

After compiling and install I edit my acl to read:
acl ProxyUsers external NTGroups "Domain Users"

I still see:
2003/02/27 16:51:33| strtokFile: Domain not found
in cache.log and requests are not processed:
(wb_group)[11271](wb_check_group.c:285): Got 'mydomain\\jturner' from Squid (length: 8192).
(wb_group)[11271](wb_check_group.c:187): SID: S-1-5-21-507187248-207029365-1082013118-513
(wb_group)[11271](wb_check_group.c:187): SID: S-1-5-21-507187248-207029365-1082013118-1013

Can someone please provide assistance into how I now get this to work. The patch 
listing on the website mentions the include function but I don't know what this is.

Thanks
Jay




RE: [squid-users] Squid2.4 /etc/hosts

2003-02-04 Thread Jay Turner
Hi Robert,

Thanks for your reply. Checking the log file the CONNECT method is provided
to squid with the hostname webmail.company.com however the IP address that
is shown is the world address rather than the address specified in the
/etc/hosts file.

ie
/etc/hosts entry: 10.14.12.122 webmail.company.com
Browser Request: https://webmail.company.com
Log Shows: 10.14.12.123 TCP_MISS/503 0 CONNECT webmail.company.com:443 -
DIRECT/203.123.xxx.xxx -

So you are saying this should work and is probably a bug?

-Original Message-
From: Robert Collins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 February 2003 9:14 AM
To: [EMAIL PROTECTED]
Cc: Henrik Nordstrom; [EMAIL PROTECTED]
Subject: RE: [squid-users] Squid2.4 & /etc/hosts


On Wed, 2003-02-05 at 12:02, Jay Turner wrote:
 But it is maintained by Red Hat who backport any security patches to the
2.4
 version they ship with 7.3.

 If you could please re-read my post you will note that I have recompiled
 with --disable-internal-dns and it successfully references /etc/hosts for
 http:// pages. My question relates to https:// pages and having squid do a
 local lookup from somewhere for the IP address rather than fetching it
from
 the DNS (as it does with /etc/hosts for http:// requests).

Which you probably can't do.
If the CONNECT verb is provided to squid with an ip address rather than
a hostname, no proxy can do what you are asking.
If a hostname is provided, then the same host-ip lookup path is
followed as for http:// requests.

Check access.log. If you see CONNECT ipaddress:443 then you need to look
at using a redirector to alter the requested IP address.
If you see CONNECT hostname:443, then please log a bug in bugzilla.

Rob
--
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.