Re: [squid-users] How to Squid-Websense

2005-03-07 Thread Kelly_Connor




You have to log on to the websense website with your subscription key and
download the linux installer for websense.

Run the install.sh from the tarball on the squid box, but select custom
install, integration, integrate with squid cache server.

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]


   
Corey Tyndall [EMAIL PROTECTED]
03/07/2005 09:07 AM
To: [EMAIL PROTECTED]
cc: squid-users@squid-cache.org
Subject: Re: [squid-users] How to Squid-Websense




Does anyone know where to get the websense connector?  I can't seem to
find any info on the Websense web site.

 [EMAIL PROTECTED] 03/02/05 08:33AM 
There is a websense connector which should be installed on the squid proxy
server, and in squid.conf a redirector should be defined as a helper
outside of the squid program, which in this case is this connector.
regards,
Nikolay Nenchev



[EMAIL PROTECTED]@inet
02.03.2005 15:14
To: squid-users@squid-cache.org
cc:
Subject: [squid-users] How to Squid-Websense






Hi everybody,

I'd like to integrate squid to websense. I have
installed squid in a RedHat 9 machine and websense in
Windows 2003 server.
I can't find any documentation that describes the
integration steps. Do you know how I may do this?

Thanks a lot.












Fw: [squid-users] How to Squid-Websense

2005-03-02 Thread Kelly_Connor






We are running Websense 5.5 on RH9 with all components, but we used to only
run the redirector to a Win2K Server.  If you just want squid to run the
redirector, you do the following:
Have squid running prior to all of this, without any user authentication at
this point.

Create a folder called /tmp/Websense551
Put your Websense551Setup_Lnx.tar.gz file in your /tmp/Websense551 and
un-tar it.
cd to /tmp/Websense551, run ./install.sh.

This is an installshield wizard, so it's pretty simple.  The install does
get redundant in its questions, sometimes.
You will be doing a custom installation.  You will choose to only do an
integration install, and install the Websense plugin for squid.

This should be option #4 during the custom install.
You will be prompted for the IP address of your policy server and filtering
server (the Win2K3 box), as well as the port.  Check your in-house
configurations and the Websense manual in pdf form for the Win2K3
installation.

The installshield will automatically update your squid.conf with the
redirector information.

Hope this helps, if not, let me know.  I know politics are often involved,
but if you can swing it, you should really run the whole thing on one box
if possible.  It is much cleaner, and can still be administrated via the
gui console from a windows client.

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]


On Wed, Mar 02, 2005 at 02:14:11PM +0100, sania maro wrote:

 I'd like to integrate squid to websense. I have
 installed squid in a RedHat 9 machine and websense in
 Windows 2003 server.
 I can't find any documentation that describes the
 integration steps. Do you know how I may do this?


I have never separated websense like that - I have it all running on the
same solaris box with squid.  At a guess you need to install some of the
components onto the linux machine - I think the bits you need are the
policy server... or maybe just the integration needs to be installed.
I have installed websense a few times but I normally just put it all on
the squid box...

--
Brett Lymn



[squid-users] Compile squid with squid_ldap_auth and squid_ldap_group support

2005-01-20 Thread Kelly_Connor




What are the ./configure options I need to specify to compile squid to
support ldap operations?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]



Re: [squid-users] squid_ldap_group with users in several OUs

2004-12-02 Thread Kelly_Connor




Hi Oliver-

Try adjusting your squid_ldap_group query just after -b
cn=Users,dc=domain,dc=local to include -s sub to search all
subcontainers.

Let me fire a question at you-

I am trying to use squid_ldap_group to query Novell eDirectory via LDAP for
multiple group memberships.

I am fuzzy on how the search filter is used, and I see in your filter that
you use variables other than %s that was referred to in some material I
read.

What is %g, and what is %u?  What is the difference between little f
and big F in your search filter?  I can find no documentation on big F.

I think this is the key I need to understand squid_ldap_group.

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]


   
Oliver Hookins [EMAIL PROTECTED]
12/01/2004 08:46 PM
To: squid-users [EMAIL PROTECTED]
cc:
Subject: [squid-users] squid_ldap_group with users in several OUs




OK this is my last question about this I swear... but I really need to
know the answer to this one.

I've just found out that where I'll be implementing the squid_ldap_group
authorisation has several OUs for containing the user accounts on the
2000 AD. At the moment my command line for the squid_ldap_group is as
follows:

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN
/usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f
(&(cn=%g)(member=%u)(objectClass=group)) -B
cn=Users,dc=domain,dc=local -F samaccountname=%s -D
cn=Oliver,cn=Users,dc=domain,dc=local -w password -S 192.168.150.100

This obviously just looks in the Users container for groups and users
and any subtrees. I tried shortening the Base DN for both users and
groups to just dc=domain,dc=local but it doesn't appear to work, I
suspect because of the filters or something. How can I specify a base DN
and filter when the users may be in one of any number of OUs? (even
OUs nested within others)

Thanks in advance,
Oliver


---
Oliver Hookins
B.Sc(Computing and Information Systems)
Exhibition IT Services Pty Ltd
e: [EMAIL PROTECTED]
p: +61 2 9882 1300
f: +61 2 9882 3377







[squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Kelly_Connor




Hi all,

I hope this has not been addressed anywhere in the mailing lists.  I did a
search and couldn't find anything, and I've already RTFM'd.

I don't understand how to set up the squid_ldap_group external acl type.

We are running Novell eDirectory and using various LDAP groups to
(hopefully) control internet access for our various high school campuses.
We want to have different control lists based upon the user.  Students are
denied ftp downloads and are sent to a redirector/content filter, while we
IT people don't go to the redirector and get ftp downloads.

The man page for external_acl_type doesn't seem clear to me.

This is what I've got so far:

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b basedn
-D squidaccount -w passwd -f
(&(cn=%v)(groupMembership=cn=group1dn)) -h ldap.host
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b basedn
-D squidaccount -w passwd -f
(&(cn=%v)(groupMembership=cn=group2dn)) -h ldap.host

acl Restricted port 20 21 1025-65535

acl external ldap_group deny Restricted
acl external ldap_group allow Restricted

I'm certain I am doing something wrong with my acl external lines.  How
do I differentiate the two different groups?  How exactly is the
external_acl_type line used?  Is ldap_group a reserved phrase that has to
follow external_acl_type?  How do I return to squid the group membership
token for the user?

Thanks for any illumination...


Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]
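
Added example, not part of the original thread and not Squid's or squid_ldap_group's own code: a Python model of the lookup that the `external_acl_type ... squid_ldap_group` lines in the posts above configure. Squid hands the helper a line with the login and the group name(s), the helper finds the user DN (`-B`/`-F`, `%s` = login), then searches for a group (`-b`/`-f`, `%g` = group, `%u` = user DN) and answers `OK` or `ERR`. The directory entries, the function names and the simplified AND-only filter matching are constructed for illustration.

```python
import re

# Constructed directory (DN -> attributes), not data from the thread.
DIRECTORY = {
    "cn=Oliver,cn=Users,dc=domain,dc=local": {"samaccountname": "oliver"},
    "cn=Ann,ou=Staff,ou=Sydney,dc=domain,dc=local": {"samaccountname": "ann"},
    "cn=Proxy,cn=Users,dc=domain,dc=local": {
        "cn": "Proxy", "objectclass": "group",
        "member": "cn=Ann,ou=Staff,ou=Sydney,dc=domain,dc=local"},
}

def escape(value):
    """RFC 4515 escaping, so a substituted login cannot add filter clauses."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def in_scope(dn, base, scope):
    """LDAP search scope: base = the entry, one = direct children, sub = subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    levels_below = dn[:-len(base) - 1].count(",") + 1
    return scope == "sub" or (scope == "one" and levels_below == 1)

def search(base, scope, ldap_filter):
    """DNs in scope that satisfy every (attr=value) clause of an AND filter."""
    clauses = (re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)
               or [tuple(ldap_filter.split("=", 1))])
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and all(attrs.get(a.lower(), "").lower() == v.lower() for a, v in clauses)]

def helper_reply(line, user_base, group_base, scope="sub"):
    """Answer one 'login group [group...]' request line with OK or ERR."""
    parts = line.split()
    if not parts:
        return "ERR"
    # Step 1 (-B / -F): map the login (%s) to exactly one user DN.
    users = search(user_base, scope, "samaccountname=%s" % escape(parts[0]))
    if len(users) != 1:
        return "ERR"
    # Step 2 (-b / -f): look for a group named %g that lists that DN (%u).
    for group in parts[1:]:
        flt = "(&(cn=%s)(member=%s)(objectClass=group))" % (
            escape(group), escape(users[0]))
        if search(group_base, scope, flt):
            return "OK"
    return "ERR"
```

In this model the user `ann` sits in a nested OU, so a user base of `cn=Users,dc=domain,dc=local` never finds her, while a base of `dc=domain,dc=local` with scope `sub` does.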



Re: [squid-users] Fw: squid_ldap_group config

2004-12-01 Thread Kelly_Connor




Hi Matt -

Your solution sounds pretty cool, but my boss is really pro-vendor
software and I have won a big point getting squid into our district.

However, he is dead set on keeping Websense as our content filter, and does
not want our internet system to become difficult to support if someone
leaves the department.

If I use the squid_ldap_auth program, I can only use one group and I am
stuck in an accept/deny internet filtering role.  I had this working for a
while, but it does not fit our organization quite right.  I stumbled upon
squid_ldap_group and it sounds like it works perfectly, but I am really
confused as to how to use an external_acl_type role, and how to bring this
group information back to squid for potential redirection, ftp filtering or
user denial.

Is there anyone on this list who currently uses squid_ldap_group to
segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]


   
Matt Benjamin [EMAIL PROTECTED]
12/01/2004 10:39 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], Adam D. Gorski [EMAIL PROTECTED]
Subject: Re: [squid-users] Fw: squid_ldap_group config




Kelly,

The intent of the Squid mechanism is, I think, a bit obscure--hopefully
the authors will step forward and show how you set up the two distinct
external auth mechanisms it appears you need in order for Squid to a)
authenticate to LDAP b) do the group check.

However, our solution (which resembles that used in a commercial K12
proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our
version combines a bunch of extant modifications, including LDAP
group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific
users/groups to visit FTP urls, would happen here.  For example, your
source group might be kids, and the destination group anything
matching an ^ftp:// regex.

We have some tweaks to Webmin, a real-time log parser, and reporting
tool we're releasing, that organize all this.

Matt

[EMAIL PROTECTED] wrote:


Hi all,

I hope this has not been addressed anywhere in the mailing lists.  I did a
search and couldn't find anything, and I've already RTFM'd.

I don't understand how to set up the squid_ldap_group external acl type.

We are running Novell eDirectory and using various LDAP groups to
(hopefully) control internet access for our various high school campuses.
We want to have different control lists based upon the user.  Students are
denied ftp downloads and are sent to a redirector/content filter, while we
IT people don't go to the redirector and get ftp downloads.

The man page for external_acl_type doesn't seem clear to me.

This is what I've got so far:

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b basedn
-D squidaccount -w passwd -f
(&(cn=%v)(groupMembership=cn=group1dn)) -h ldap.host
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b basedn
-D squidaccount -w passwd -f
(&(cn=%v)(groupMembership=cn=group2dn)) -h ldap.host

acl Restricted port 20 21 1025-65535

acl external ldap_group deny Restricted
acl external ldap_group allow Restricted

I'm certain I am doing something wrong with my acl external lines.  How
do I differentiate the two different groups?  How exactly is the
external_acl_type line used?  Is ldap_group a reserved phrase that has to
follow external_acl_type?  How do I return to squid the group membership
token for the user?

Thanks for any illumination...


Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]








Re: [squid-users] Reverse proxy performance in FreeBSD 5.3

2004-12-01 Thread Kelly_Connor




I get similar performance out of a Linux dual P3-500 Xeon box, but I run
about 50 redirectors off it and have about 24Mb bandwidth.

Are you running diskd?  Do you have SCSI/RAID?  How many peer caches are
subordinate to this one?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]


   
Jeff Behl [EMAIL PROTECTED]
12/01/2004 01:00 PM
To: [EMAIL PROTECTED]
cc:
Subject: [squid-users] Reverse proxy performance in FreeBSD 5.3




howdy,

I've got a dual proc AMD64 (2gHz) FreeBSD 5.3 system running two squid
processes (to take advantage of both CPUs).  Each process is doing
around 195 req/s, and the total bandwidth is ~40Mb/s (gig nic via bge
driver).  All content is being served out of memory (very little disk
activity).

Top shows

CPU states: 16.0% user,  0.0% nice, 42.7% system,  7.6% interrupt, 33.6% idle
Mem: 898M Active, 569M Inact, 179M Wired, 214M Buf, 171M Free
Swap: 4069M Total, 4069M Free

  PID USERNAME PRI NICE   SIZE    RES STATE  C   TIME   WCPU    CPU COMMAND
14598 squid    108    0   463M   459M select 0  39.2H 59.96% 59.96% squid
14605 squid    105    0   421M   416M CPU0   1  38.4H 49.95% 49.95% squid

but the % system time can fluctuate up to 60 at times.  My question is
if this is about the type of performance I could expect, or if people
have seen better.  I was expecting to see much better performance,
seeing how everything is being served out of memory, but maybe I'm
asking too much?  Is this a FreeBSD issue (anybody else with similar
experience)?  A majority of the cpu time being spent in system would
seem to indicate such.

Any help/pointers/remarks appreciated

Jeff