RE: [squid-users] NTLM Authenticator Statistics 3.3.5
Thanks, I will look at upgrading but these are Production servers and I notice quite a few changes from 3.3.x to 3.4 so I might need to do something about it in the meantime.

My idea of a fix is the following to perhaps run every 48 hours...

for pid in `/usr/bin/squidclient -p 8080 mgr:ntlmauthenticator |grep RS |awk '{print $3}'`; do kill $pid; done

Am I correct in saying that I can kill any pid with flag "RS" from the mgr:ntlmauthenticator output?

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 30 September 2013 6:00 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Authenticator Statistics 3.3.5

On 30/09/2013 8:26 p.m., Kris Glynn wrote:
> Thanks Amos, that explains helper activity in the cache.log around rotate time.
>
> When the problem occurred I didn't run a mgr:ntlmauthenticators report but on one of the proxies just now it has 77 shutting down state and report is here - http://pastebin.com/jhaFeW9H
>
> Regards
>
> - Kris Glynn: (07) 3295 3987 - 0434602997
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Monday, 30 September 2013 5:17 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] NTLM Authenticator Statistics 3.3.5
>
> On 30/09/2013 7:26 p.m., Kris Glynn wrote:
>> Getting back to the initial problem.. I first discovered it when users reported they couldn't authenticate to one of the proxies, when I logged into the squid server the cache.log was full of errors like "WARNING: external ACL 'ldap_group' queue overload. Using stale result" - when I dug further I noticed at the top of the cache.log (after the nightly squid -k rotate) it had entries such as "ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/bin/ntlm_auth' process." And "helperOpenServers: Starting 1/50 'ext_wbinfo_group_acl' processes ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/lib64/squid/ext_wbinfo_group_acl' process. " - it seemed odd to me that a squid -k rotate would either restart/stop/start helpers. Shouldn't a squid -k rotate leave helpers alone when it's just instructing squid to rotate the logs?
> The helpers are logging to cache.log via stderr. They need to be restarted to connect to the new cache.log once it has been rotated.
>
> What does the mgr:ntlmauthenticators report show about the NTLM helpers when this is going on?

Okay this looks like you are hitting bug 3643. Where Safari (and any other clients behaving the same) could cause the helpers to get stuck in R / Reserved state.

This is fixed in 3.4, but unfortunately the fix requires a few background design changes so is not in 3.3. Are you able to use the latest daily snapshot of 3.4 (labeled r12997 or later)?

Amos

The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities.
Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com
RE: [squid-users] NTLM Authenticator Statistics 3.3.5
Thanks Amos, that explains helper activity in the cache.log around rotate time.

When the problem occurred I didn't run a mgr:ntlmauthenticators report but on one of the proxies just now it has 77 shutting down state and report is here - http://pastebin.com/jhaFeW9H

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 30 September 2013 5:17 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Authenticator Statistics 3.3.5

On 30/09/2013 7:26 p.m., Kris Glynn wrote:
> Getting back to the initial problem.. I first discovered it when users reported they couldn't authenticate to one of the proxies, when I logged into the squid server the cache.log was full of errors like "WARNING: external ACL 'ldap_group' queue overload. Using stale result" - when I dug further I noticed at the top of the cache.log (after the nightly squid -k rotate) it had entries such as "ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/bin/ntlm_auth' process." And "helperOpenServers: Starting 1/50 'ext_wbinfo_group_acl' processes ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/lib64/squid/ext_wbinfo_group_acl' process. " - it seemed odd to me that a squid -k rotate would either restart/stop/start helpers. Shouldn't a squid -k rotate leave helpers alone when it's just instructing squid to rotate the logs?

The helpers are logging to cache.log via stderr. They need to be restarted to connect to the new cache.log once it has been rotated.

What does the mgr:ntlmauthenticators report show about the NTLM helpers when this is going on?

Amos
RE: [squid-users] NTLM Authenticator Statistics 3.3.5
They are all Vmware VM's - 2VCPU and 4GB of RAM each - they authenticate, authorize (based on wbinfo AD group lookups) and cache and yes you are correct in saying adding another squid instance is as easy as cloning the VM and adding to the F5 pool. Each Datacenter is within 8km's of the majority of users, we have 1Gig uplink from the users to proxies.

Getting back to the initial problem.. I first discovered it when users reported they couldn't authenticate to one of the proxies, when I logged into the squid server the cache.log was full of errors like "WARNING: external ACL 'ldap_group' queue overload. Using stale result" - when I dug further I noticed at the top of the cache.log (after the nightly squid -k rotate) it had entries such as "ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/bin/ntlm_auth' process." And "helperOpenServers: Starting 1/50 'ext_wbinfo_group_acl' processes ipcCreate: fork: (12) Cannot allocate memory WARNING: Cannot run '/usr/lib64/squid/ext_wbinfo_group_acl' process. " - it seemed odd to me that a squid -k rotate would either restart/stop/start helpers. Shouldn't a squid -k rotate leave helpers alone when it's just instructing squid to rotate the logs?

2013/09/24 00:00:23 kid1| storeDirWriteCleanLogs: Starting...
2013/09/24 00:00:28 kid1| 65536 entries written so far.
2013/09/24 00:00:35 kid1|131072 entries written so far.
2013/09/24 00:00:40 kid1|196608 entries written so far.
2013/09/24 00:00:45 kid1|262144 entries written so far.
2013/09/24 00:00:48 kid1|327680 entries written so far.
2013/09/24 00:00:51 kid1|393216 entries written so far.
2013/09/24 00:00:55 kid1|458752 entries written so far.
2013/09/24 00:00:59 kid1|524288 entries written so far.
2013/09/24 00:01:02 kid1|589824 entries written so far.
2013/09/24 00:01:05 kid1|655360 entries written so far.
2013/09/24 00:01:07 kid1|720896 entries written so far.
2013/09/24 00:01:08 kid1| Finished. Wrote 759594 entries.
2013/09/24 00:01:08 kid1| Took 44.19 seconds (17189.28 entries/sec).
2013/09/24 00:01:08 kid1| logfileRotate: stdio://var/log/squid/access.log
2013/09/24 00:01:08 kid1| Rotate log file stdio://var/log/squid/access.log
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 10/60 'ntlm_auth' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory

When I looked into it further that's when I noticed all of the old /usr/bin/ntlm_auth processes still running from months back and /usr/bin/squidclient -p 8080 mgr:ntlmauthenticator reporting that 140+ were in "shutting down state" - stopping squid did not stop all of the ntlm_auth processes so I had to killall -9 ntlm_auth and then start squid back up again.

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Monday, 30 September 2013 3:43 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Authenticator Statistics 3.3.5

Hey Kris,

Well it's not such a small setup after all. I do not know what is the size of these machines but I assume they have more than just one single core to work fine. I am not sure about the next suggestion yet since I do not know if the proxy is for cache also or just plain authentication. I can assume that these machines can be configured for SMP or multi-instances on the same machine. Since you do have the F5 in place adding another so called "instance" of squid is only a matter of adding another lan IP to the squid machine and the IP to the F5. It can balance the traffic in the process level a bit more than you might be doing now. It's not rocket science since lots of information is missing.

A small question: The mentioned problem is in the period of these 10 days and the service is just reviving itself each time?? like in the logs?

The network distance between the clients and the DATACENTER since it's critical for smooth operation.. Notice that each authentication takes up some traffic so a keep_alive is better to be used to lower the network load of it. Let's say the server is getting 200 requests in one peak of load it means 200 incoming FD then 200 stdin\out operations 200 new connections towards the auth server\service, about 200 new outgoing connections in the case of a non cached object.. You can imagine what is the load on the servers if there is 3k requests per minute..

Eliezer

On 09/30/2013 08:23 AM, Kris Glynn wrote:
> Hi Eliezer,
>
> I am using 60 because it seemed to me that I needed that many. I am actually running 4 x squid 3.3.5 - two in each data center. They are distribute
RE: [squid-users] NTLM Authenticator Statistics 3.3.5
Hi Eliezer,

I am using 60 because it seemed to me that I needed that many. I am actually running 4 x squid 3.3.5 - two in each data center. They are distributed by a browser PAC file and each of the two in each data center are load balanced by a Bigip F5 Load balancer. The PAC file points at the 2 x F5 Vips.

As for keepalive, no reason that it is off, I will turn it on and see how it goes. Also, Kerberos isn't far off, it's implemented and tested running through the F5 load balancer so I just have to enable it. My Test environment is running squid 3.3.9 and Kerberos works well.

Each of the 4 proxies have been up for 10 days without a restart and averages around..

3000 request/per min (/usr/bin/squidclient -p 8080 mgr:info | grep "HTTP requests per minute")
3500 clients accessing cache (/usr/bin/squidclient -p 8080 mgr:info | grep "Number of clients accessing cache")
2500 open files (/usr/bin/squidclient -p 8080 mgr:info | grep "Number of file desc currently in use")
600 usernames in NTLM username cache (/usr/bin/squidclient mgr:username_cache |grep AUTH | wc -l)

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Monday, 30 September 2013 2:40 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM Authenticator Statistics 3.3.5

Hey Kris,

I am just wondering why do you need 60 children at all?? I am not sure what is the reason for what you are seeing but you need to make sure that all squid instances are off. If you can test it and shutdown the squid instance and all subprocess that are forked.. and then on a clean startup see the cache.log.. it will give more info.

I would ask "why do not use keep_alive??" it is there for a reason.. if it's such a loaded system I would upper the startup from 15 to 30 and the idle to 15.. and would try to use keep_alive on. If you want to make sure about the ntlm_auth I would say that you can add a debug flag but it will probably flood the logs..

A Kerberos migration is possible?? since it's a 2.5 compatible I assume it's not that simple?

Eliezer

On 09/30/2013 07:07 AM, Kris Glynn wrote:
> Hi,
>
> I've noticed after a while the number of /usr/bin/ntlm_auth processes in "shutting down state" tends to increase and never actually shutdown/decrease.
>
> It is configured like so..
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 60 startup=15 idle=10
> auth_param ntlm keep_alive off
>
> I've found an occurrence where a squid -k rotate was performed (performed daily via cron) and helperOpenServers tried to start processes and logged the below. When I logged into the squid server many many old ntlm_auth processes were running (over 140+ in shutting down state)
>
> Is it normal for a squid -k rotate to spawn helpers? Should I be scheduling a squid restart to occur every x days and perhaps killall -9 ntlm_auth at the same time or does anyone have any suggestions as to why /usr/bin/ntlm_auth processes with Flags "RS" increase over time when not restarting squid?
>
> 2013/09/24 00:00:23 kid1| storeDirWriteCleanLogs: Starting...
> 2013/09/24 00:00:28 kid1| 65536 entries written so far.
> 2013/09/24 00:00:35 kid1|131072 entries written so far.
> 2013/09/24 00:00:40 kid1|196608 entries written so far.
> 2013/09/24 00:00:45 kid1|262144 entries written so far.
> 2013/09/24 00:00:48 kid1|327680 entries written so far.
> 2013/09/24 00:00:51 kid1|393216 entries written so far.
> 2013/09/24 00:00:55 kid1|458752 entries written so far.
> 2013/09/24 00:00:59 kid1|524288 entries written so far.
> 2013/09/24 00:01:02 kid1|589824 entries written so far.
> 2013/09/24 00:01:05 kid1|655360 entries written so far.
> 2013/09/24 00:01:07 kid1|720896 entries written so far.
> 2013/09/24 00:01:08 kid1| Finished. Wrote 759594 entries.
> 2013/09/24 00:01:08 kid1| Took 44.19 seconds (17189.28 entries/sec).
> 2013/09/24 00:01:08 kid1| logfileRotate: stdio://var/log/squid/access.log
> 2013/09/24 00:01:08 kid1| Rotate log file stdio://var/log/squid/access.log
> 2013/09/24 00:01:08 kid1| helperOpenServers: Starting 10/60 'ntlm_auth' processes
> 2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
> 2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
> 2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
> 2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
> 2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
> 2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
> 2013/09/24 00:01:08 kid1| ipcC
[squid-users] NTLM Authenticator Statistics 3.3.5
Hi,

I've noticed after a while the number of /usr/bin/ntlm_auth processes in "shutting down state" tends to increase and never actually shutdown/decrease.

It is configured like so..

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60 startup=15 idle=10
auth_param ntlm keep_alive off

I've found an occurrence where a squid -k rotate was performed (performed daily via cron) and helperOpenServers tried to start processes and logged the below. When I logged into the squid server many many old ntlm_auth processes were running (over 140+ in shutting down state)

Is it normal for a squid -k rotate to spawn helpers? Should I be scheduling a squid restart to occur every x days and perhaps killall -9 ntlm_auth at the same time or does anyone have any suggestions as to why /usr/bin/ntlm_auth processes with Flags "RS" increase over time when not restarting squid?

2013/09/24 00:00:23 kid1| storeDirWriteCleanLogs: Starting...
2013/09/24 00:00:28 kid1| 65536 entries written so far.
2013/09/24 00:00:35 kid1|131072 entries written so far.
2013/09/24 00:00:40 kid1|196608 entries written so far.
2013/09/24 00:00:45 kid1|262144 entries written so far.
2013/09/24 00:00:48 kid1|327680 entries written so far.
2013/09/24 00:00:51 kid1|393216 entries written so far.
2013/09/24 00:00:55 kid1|458752 entries written so far.
2013/09/24 00:00:59 kid1|524288 entries written so far.
2013/09/24 00:01:02 kid1|589824 entries written so far.
2013/09/24 00:01:05 kid1|655360 entries written so far.
2013/09/24 00:01:07 kid1|720896 entries written so far.
2013/09/24 00:01:08 kid1| Finished. Wrote 759594 entries.
2013/09/24 00:01:08 kid1| Took 44.19 seconds (17189.28 entries/sec).
2013/09/24 00:01:08 kid1| logfileRotate: stdio://var/log/squid/access.log
2013/09/24 00:01:08 kid1| Rotate log file stdio://var/log/squid/access.log
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 10/60 'ntlm_auth' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 1/10 'ntlm_auth' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 1/50 'ext_wbinfo_group_acl' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory

mgr:ntlmauthenticator

NTLM Authenticator Statistics:
program: /usr/bin/ntlm_auth
number active: 40 of 60 (77 shutting down)
requests sent: 9021339
replies received: 9021339
queue length: 0
avg service time: 0 msec

Below is output from mgr:info at the same time the above mgr:ntlmauthenticator was run..

Squid Object Cache: Version 3.3.5
Start Time: Wed, 18 Sep 2013 04:48:06 GMT
Current Time: Mon, 30 Sep 2013 03:50:02 GMT
Connection information for squid:
Number of clients accessing cache: 3540
Number of HTTP requests received: 47586765
Number of ICP messages received:0
Number of ICP messages sent:0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.00
Average HTTP requests per minute since start: 2763.2
Average ICP messages per minute since start:0.0
Select loop called: 1816815750 times, 0.569 ms avg
Cache information for squid:
Hits as % of all requests: 5min: 13.2%, 60min: 17.0%
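A monitoring check built from the two symptoms reported in this thread (the "shutting down" count in the mgr:ntlmauthenticator summary and the fork failures in cache.log), as an added example that is not part of the original posts. The function names, the default limit of 10 and the exit-code convention are assumptions; the sample data is abridged from the excerpts above.

```shell
#!/bin/sh
# Added example: health check for Squid authentication helpers.
# Sample data is abridged from the mgr:ntlmauthenticator report and the
# cache.log excerpt quoted in the post above.

sample_report() {
    cat <<'EOF'
NTLM Authenticator Statistics:
program: /usr/bin/ntlm_auth
number active: 40 of 60 (77 shutting down)
requests sent: 9021339
replies received: 9021339
queue length: 0
avg service time: 0 msec
EOF
}

sample_log() {
    cat <<'EOF'
2013/09/24 00:01:08 kid1| Rotate log file stdio://var/log/squid/access.log
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 10/60 'ntlm_auth' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
2013/09/24 00:01:08 kid1| WARNING: Cannot run '/usr/bin/ntlm_auth' process.
2013/09/24 00:01:08 kid1| helperOpenServers: Starting 1/50 'ext_wbinfo_group_acl' processes
2013/09/24 00:01:08 kid1| ipcCreate: fork: (12) Cannot allocate memory
EOF
}

# Print "ACTIVE MAX SHUTTING_DOWN" from a helper report on stdin.
# Exits non-zero when the report has no "number active:" line.
helper_counts() {
    awk '/number active:/ {
             sd = 0
             # "(N shutting down)" only appears when helpers are pending shutdown
             if (match($0, /\([0-9]+ shutting down\)/))
                 sd = substr($0, RSTART + 1) + 0
             print $3, $5, sd
             found = 1
             exit
         }
         END { if (!found) exit 1 }'
}

# Count failed helper launches per helper program in a cache.log on stdin.
# Each fork failure is attributed to the most recent helperOpenServers line.
# Prints "COUNT PROGRAM" lines sorted by program name.
fork_failures() {
    awk 'BEGIN { prog = "unknown" }
         /helperOpenServers: Starting/ {
             n = split($0, q, "\047")          # \047 is a single quote
             prog = (n >= 2) ? q[2] : "unknown"
         }
         /ipcCreate: fork: \(12\) Cannot allocate memory/ { fail[prog]++ }
         END { for (p in fail) print fail[p], p }' | sort -k2
}

# Verdict with monitoring-plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN.  $1 = saved helper report, $2 = current cache.log,
# $3 = tolerated number of "shutting down" helpers (assumed default 10).
check_helpers() {
    report=$1 log=$2 limit=${3:-10}
    counts=$(helper_counts < "$report") || {
        echo "UNKNOWN: no 'number active' line in report"; return 3; }
    active=${counts%% *}
    rest=${counts#* }
    max=${rest%% *}
    stuck=${rest#* }
    failed=$(fork_failures < "$log" | awk '{ s += $1 } END { print s + 0 }')
    if [ "$failed" -gt 0 ]; then
        echo "CRITICAL: $failed helper fork failures; $stuck shutting down, $active/$max active"
        return 2
    fi
    if [ "$stuck" -gt "$limit" ]; then
        echo "WARNING: $stuck helpers shutting down (limit $limit), $active/$max active"
        return 1
    fi
    echo "OK: $active/$max active, $stuck shutting down"
    return 0
}

# Usage (the cache.log path is an assumption):
#   /usr/bin/squidclient -p 8080 mgr:ntlmauthenticator > /tmp/ntlm.report
#   check_helpers /tmp/ntlm.report /var/log/squid/cache.log 10
```

Because cache.log is rotated nightly in the setup described, feeding it the current file limits the fork-failure count to events since the last rotate.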
RE: [squid-users] kerberos keytab
Just curious.. what conditions might occur that would need the keytab updated? I've been running Kerberos auth squid for 6+ months now and have not had to update the keytab ever. Is this because the Active Directory account name (proxytest) I used to generate the keytab with has "Password never expires"?

I generate with ktpass on the Windows 2008r2 KDC and then copy to squid directory..

ktpass.exe -princ HTTP/proxytest.company.internal@COMPANY.INTERNAL -mapuser COMPANY\proxytest -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL +rndpass -out HTTP.keytab

This has worked well for me.

-Original Message-
From: Carlos Defoe [mailto:carlosde...@gmail.com]
Sent: Tuesday, 20 August 2013 7:12 AM
To: hel...@hullen.de
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] kerberos keytab

thanks, Helmut. i made one script to check the file change and run "squid -k reconfigure". i'll wait till next change to see if it works correctly. thank you

On Mon, Aug 19, 2013 at 2:11 PM, Helmut Hullen wrote:
> Hello, Carlos,
>
> You wrote on 19.08.13:
>
>> What is the best strategy to use a keytab file within multiple servers? By now i'm using a NFS share to export the keytab. Every day msktutil runs to update the file if necessary. The job is schedule in one server only.
>
>> Also, after the update of the keytab file, is it necessary to reload squid?
>
> I'd prefer "incron" for watching the keytab.
>
> Rule (pseudo code):
>   if the original keytab is changed:
>     copy it to the necessary places
>     run "squid -k reconfigure"
>
> Best regards!
> Helmut
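Helmut's rule quoted above, written out as a shell function; this is an added example, not code from the thread. The function name sync_keytab, the optional KEYTAB_OWNER variable and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: install a changed keytab and reload Squid only when needed.
# sync_keytab SRC DST [RELOAD_CMD...]
#   returns 0 = new keytab installed and reload command run
#           1 = unchanged, nothing done
#           2 = error (unreadable source, failed copy or failed reload)
# KEYTAB_OWNER (hypothetical, optional): user:group to chown the copy to,
# e.g. the account Squid runs as; chown needs root.

sync_keytab() {
    src=$1 dst=$2
    shift 2

    [ -r "$src" ] || { echo "sync_keytab: cannot read $src" >&2; return 2; }

    # Compare content rather than mtime: a msktutil run that changes
    # nothing, or NFS timestamp skew, must not trigger a reload.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi

    # Stage beside the destination so the final mv is an atomic rename and
    # Squid never opens a half-written file.  The keytab holds long-term
    # keys, so the staged copy is kept at mode 0600 throughout.
    staged=$(mktemp "$dst.XXXXXX") || return 2
    if cp "$src" "$staged" && chmod 600 "$staged" &&
       { [ -z "${KEYTAB_OWNER:-}" ] || chown "$KEYTAB_OWNER" "$staged"; } &&
       mv -f "$staged" "$dst"
    then
        # Reload only after the new keytab is fully in place.
        [ $# -eq 0 ] || "$@" || return 2
        return 0
    fi
    rm -f "$staged"
    return 2
}

# Usage from cron or an incron rule (paths are placeholders):
#   sync_keytab /mnt/keytabs/HTTP.keytab /etc/squid/HTTP.keytab squid -k reconfigure
```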
RE: [squid-users] Problem with compile squid 3.4.0.1 on RHEL6 x64
-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Thursday, 1 August 2013 5:42 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Problem with compile squid 3.4.0.1 on RHEL6 x64

Hey Kris and Hussam,

This issue exists probably due to the "-fPIC" flag that is being used by default by the RPMBUILD tool. I posted a thing on it in the squid-dev list. If you build squid using regular methods such as "./configure && make && make install" it would be built fine. I would later compare the build environment on both Fedora And CentOS..

Since I am not RH engineer I cannot speak or design for them but I do design for those that need that package up and running to make sure new bugs don't take effect on newer systems.

Eliezer

On 07/31/2013 02:35 PM, Hussam Al-Tayeb wrote:
> On Wednesday 31 July 2013 01:52:35 Kris Glynn wrote:
>> Hi,
>>
>> I'm using a squid.spec from squid 3.3 to build 3.4.0.1 but it fails
>> with
>> "/usr/bin/ld: ../snmplib/libsnmplib.a(snmp_vars.o): relocation
>> R_X86_64_32 against `.rodata' can not be used when making a shared
>> object; recompile with -fPIC ../snmplib/libsnmplib.a: could not read
>> symbols: Bad value"
>>
>> libtool: link: g++ -I/usr/include/libxml2 -Wall -Wpointer-arith
>> -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -O2 -g
>> -fPIC -fpie -march=native -std=c++0x .libs/squidS.o -fPIC -pie -Wl,-z
>> -Wl,relro -Wl,-z -Wl,now -o squid AclRegs.o AuthReg.o
>> AccessLogEntry.o AsyncEngine.o YesNoNone.o cache_cf.o CacheDigest.o
>> cache_manager.o carp.o cbdata.o ChunkedCodingParser.o client_db.o
>> client_side.o client_side_reply.o client_side_request.o BodyPipe.o
>> clientStream.o CompletionDispatcher.o ConfigOption.o ConfigParser.o
>> CpuAffinity.o CpuAffinityMap.o CpuAffinitySet.o debug.o delay_pools.o
>> DelayId.o DelayBucket.o DelayConfig.o DelayPool.o DelaySpec.o
>> DelayTagged.o DelayUser.o DelayVector.o NullDelayId.o
>> ClientDelayConfig.o disk.o DiskIO/DiskIOModule.o
DiskIO/ReadRequest.o >> DiskIO/WriteRequest.o dlink.o dns_internal.o DnsLookupDetails.o >> errorpage.o ETag.o event.o EventLoop.o external_acl.o >> ExternalACLEntry.o FadingCounter.o fatal.o fd.o fde.o filemap.o >> fqdncache.o ftp.o FwdState.o gopher.o helper.o HelperChildConfig.o >> HelperReply.o htcp.o http.o HttpHdrCc.o HttpHdrRange.o HttpHdrSc.o >> HttpHdrScTarget.o HttpHdrContRange.o HttpHeader.o HttpHeaderTools.o >> HttpBody.o HttpMsg.o HttpParser.o HttpReply.o RequestFlags.o >> HttpRequest.o HttpRequestMethod.o icp_v2.o icp_v3.o int.o internal.o >> ipc.o ipcache.o SquidList.o main.o MasterXaction.o mem.o mem_node.o >> MemBuf.o MemObject.o mime.o mime_header.o multicast.o neighbors.o >> Notes.o Packer.o Parsing.o pconn.o peer_digest.o >> peer_proxy_negotiate_auth.o peer_select.o peer_sourcehash.o >> peer_userhash.o redirect.o refresh.o RemovalPolicy.o send-announce.o >> MemBlob.o snmp_core.o snmp_agent.o SquidMath.o SquidNew.o stat.o >> StatCounters.o StatHist.o String.o StrList.o stmem.o store.o >> StoreFileSystem.o store_io.o StoreIOState.o store_client.o >> store_digest.o store_dir.o store_key_md5.o store_log.o >> store_rebuild.o store_swapin.o store_swapmeta.o store_swapout.o >> StoreMeta.o StoreMetaMD5.o StoreMetaSTD.o StoreMetaSTDLFS.o >> StoreMetaUnpacker.o StoreMetaURL.o StoreMetaVary.o StoreStats.o >> StoreSwapLogData.o Server.o SwapDir.o MemStore.o time.o tools.o >> tunnel.o unlinkd.o url.o URLScheme.o urn.o wccp.o wccp2.o whois.o >> wordlist.o LoadableModule.o LoadableModules.o >> DiskIO/DiskIOModules_gen.o err_type.o err_detail_type.o globals.o >> hier_code.o icp_opcode.o LogTags.o lookup_t.o repl_modules.o >> swap_log_op.o DiskIO/AIO/AIODiskIOModule.o >> DiskIO/Blocking/BlockingDiskIOModule.o >> DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o >> DiskIO/DiskThreads/DiskThreadsDiskIOModule.o >> DiskIO/IpcIo/IpcIoDiskIOModule.o DiskIO/Mmapped/MmappedDiskIOModule.o >> -Wl,--export-dynamic auth/.libs/libacls.a ident/.libs/libident.a >> acl/.libs/libacls.a 
acl/.libs/libstate.a auth/.libs/libauth.a >> libAIO.a libBlocking.a libDiskDaemon.a libDiskThreads.a libIpcIo.a >> libMmapped.a acl/.libs/libapi.a base/.libs/libbase.a >> ./.libs/libsquid.a ip/.libs/libip.a fs/.libs/libfs.a >> ipc/.libs/libipc.a mgr/.libs/libmgr.a anyp/.libs/libanyp.a >> comm/.libs/libcomm.a eui/.libs/libeui.a http/.libs/libsquid-http.a >> icmp/.libs/libicmp.a icmp/.libs/libicmp-core.a log/.libs/liblog.a >> format/.libs/libformat.a repl/libheap.a repl/liblru.a -lpthread >> -lcrypt adaptation/.libs/libadaptation.a esi/.libs/libesi.a >>
[squid-users] Problem with compile squid 3.4.0.1 on RHEL6 x64
Hi, I'm using a squid.spec from squid 3.3 to build 3.4.0.1 but it fails with "/usr/bin/ld: ../snmplib/libsnmplib.a(snmp_vars.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC ../snmplib/libsnmplib.a: could not read symbols: Bad value" libtool: link: g++ -I/usr/include/libxml2 -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -O2 -g -fPIC -fpie -march=native -std=c++0x .libs/squidS.o -fPIC -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o squid AclRegs.o AuthReg.o AccessLogEntry.o AsyncEngine.o YesNoNone.o cache_cf.o CacheDigest.o cache_manager.o carp.o cbdata.o ChunkedCodingParser.o client_db.o client_side.o client_side_reply.o client_side_request.o BodyPipe.o clientStream.o CompletionDispatcher.o ConfigOption.o ConfigParser.o CpuAffinity.o CpuAffinityMap.o CpuAffinitySet.o debug.o delay_pools.o DelayId.o DelayBucket.o DelayConfig.o DelayPool.o DelaySpec.o DelayTagged.o DelayUser.o DelayVector.o NullDelayId.o ClientDelayConfig.o disk.o DiskIO/DiskIOModule.o DiskIO/ReadRequest.o DiskIO/WriteRequest.o dlink.o dns_internal.o DnsLookupDetails.o errorpage.o ETag.o event.o EventLoop.o external_acl.o ExternalACLEntry.o FadingCounter.o fatal.o fd.o fde.o filemap.o fqdncache.o ftp.o FwdState.o gopher.o helper.o HelperChildConfig.o HelperReply.o htcp.o http.o HttpHdrCc.o HttpHdrRange.o HttpHdrSc.o HttpHdrScTarget.o HttpHdrContRange.o HttpHeader.o HttpHeaderTools.o HttpBody.o HttpMsg.o HttpParser.o HttpReply.o RequestFlags.o HttpRequest.o HttpRequestMethod.o icp_v2.o icp_v3.o int.o internal.o ipc.o ipcache.o SquidList.o main.o MasterXaction.o mem.o mem_node.o MemBuf.o MemObject.o mime.o mime_header.o multicast.o neighbors.o Notes.o Packer.o Parsing.o pconn.o peer_digest.o peer_proxy_negotiate_auth.o peer_select.o peer_sourcehash.o peer_userhash.o redirect.o refresh.o RemovalPolicy.o send-announce.o MemBlob.o snmp_core.o snmp_agent.o SquidMath.o SquidNew.o stat.o StatCounters.o StatHist.o 
String.o StrList.o stmem.o store.o StoreFileSystem.o store_io.o StoreIOState.o store_client.o store_digest.o store_dir.o store_key_md5.o store_log.o store_rebuild.o store_swapin.o store_swapmeta.o store_swapout.o StoreMeta.o StoreMetaMD5.o StoreMetaSTD.o StoreMetaSTDLFS.o StoreMetaUnpacker.o StoreMetaURL.o StoreMetaVary.o StoreStats.o StoreSwapLogData.o Server.o SwapDir.o MemStore.o time.o tools.o tunnel.o unlinkd.o url.o URLScheme.o urn.o wccp.o wccp2.o whois.o wordlist.o LoadableModule.o LoadableModules.o DiskIO/DiskIOModules_gen.o err_type.o err_detail_type.o globals.o hier_code.o icp_opcode.o LogTags.o lookup_t.o repl_modules.o swap_log_op.o DiskIO/AIO/AIODiskIOModule.o DiskIO/Blocking/BlockingDiskIOModule.o DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o DiskIO/DiskThreads/DiskThreadsDiskIOModule.o DiskIO/IpcIo/IpcIoDiskIOModule.o DiskIO/Mmapped/MmappedDiskIOModule.o -Wl,--export-dynamic auth/.libs/libacls.a ident/.libs/libident.a acl/.libs/libacls.a acl/.libs/libstate.a auth/.libs/libauth.a libAIO.a libBlocking.a libDiskDaemon.a libDiskThreads.a libIpcIo.a libMmapped.a acl/.libs/libapi.a base/.libs/libbase.a ./.libs/libsquid.a ip/.libs/libip.a fs/.libs/libfs.a ipc/.libs/libipc.a mgr/.libs/libmgr.a anyp/.libs/libanyp.a comm/.libs/libcomm.a eui/.libs/libeui.a http/.libs/libsquid-http.a icmp/.libs/libicmp.a icmp/.libs/libicmp-core.a log/.libs/liblog.a format/.libs/libformat.a repl/libheap.a repl/liblru.a -lpthread -lcrypt adaptation/.libs/libadaptation.a esi/.libs/libesi.a ../lib/libTrie/libTrie.a -lxml2 -lexpat ssl/.libs/libsslsquid.a ssl/.libs/libsslutil.a snmp/.libs/libsnmp.a ../snmplib/libsnmplib.a ../lib/.libs/libmisccontainers.a ../lib/.libs/libmiscencoding.a ../lib/.libs/libmiscutil.a -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L/root/rpmbuild/BUILD/squid-3.4.0.1/compat -lcompat-squid -lm -lnsl -lresolv -lcap -lrt -ldl -L/root/rpmbuild/BUILD/squid-3.4.0.1 -lltdl /usr/bin/ld: ../snmplib/libsnmplib.a(snmp_vars.o): relocation R_X86_64_32 against 
`.rodata' can not be used when making a shared object; recompile with -fPIC
../snmplib/libsnmplib.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
libtool: link: rm -f ".libs/squidS.o"
make[3]: *** [squid] Error 1
make[3]: Leaving directory `/root/rpmbuild/BUILD/squid-3.4.0.1/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/rpmbuild/BUILD/squid-3.4.0.1/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/rpmbuild/BUILD/squid-3.4.0.1/src'
make: *** [all-recursive] Error 1

Any ideas?
RE: [squid-users] acl file for multiple users authentication by AD?
acl proxy_admins proxy_auth "/etc/squid/proxyadminuser.txt"

cat "/etc/squid/proxyadminuser.txt"
user-a
user-b
user-c
...

http_access allow proxy_admins

-----Original Message-----
From: Beto Moreno [mailto:pam...@gmail.com]
Sent: Friday, 12 July 2013 1:59 PM
To: squid-users@squid-cache.org
Subject: [squid-users] acl file for multiple users authentication by AD?

Very simple question: I authenticate squid vs AD using squid_ldap_auth, but is there a way to add a group of users to a file to apply my ACLs?

restrict_users.acl
user-a
user-b
user-c
user-d

acl restrict_users path/restrict_users.acl?

I have seen how to do it with IP addresses but haven't seen it with users. Is it possible?

Thanks.
[squid-users] RE: Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ?
>-----Original Message-----
>From: Kris Glynn
>Sent: Wednesday, 29 May 2013 1:07 PM
>To: squid-users@squid-cache.org
>Subject: Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ?
>
>I've noticed that since upgrading from Squid 2.6 to Squid 3.3.5 the Citrix ICA
>Client will no longer authenticate via NTLM to squid 3.3.5 - the ICA client
>just keeps popping up asking for NTLM auth - at no stage does it fallback to
>basic auth.
>
>Every other NTLM aware application whether it be IE, Firefox, Chrome and even
>curl works fine and can authenticate no problems via NTLM however the Citrix
>ICA client just won't work.
>
>If I change back to squid 2.6 it works fine. Both are using exactly the same
>squid.conf with...
>
># Pure NTLM Auth - fallback
>auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>auth_param ntlm children 60 startup=15 idle=10
>auth_param ntlm keep_alive off
>
># BASIC Auth - fallback
>auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>auth_param basic children 10
>auth_param basic realm Internet Access
>auth_param basic credentialsttl 1 hours
>
>Has anyone else experienced this?

To answer my own question, it was due to the Citrix ICA Client (I'm using 13.4.0 - latest version) ignoring "Connection: keep-alive" headers in squid 3.3.x and starting a new connection, breaking the NTLM auth challenge.

Squid 2.6.x sends "Proxy-Connection: keep-alive" with NTLM auth responses, which is the only header the Citrix ICA Client appears to accept to maintain keepalive.

What RFC can I point Citrix at so I can submit a bug with them to fix their client and accept both headers?

Am I correct in saying that Squid 2.6 is a HTTP/1.0 proxy and 3.x are HTTP/1.1 proxies?
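A toy model of the failure described in the message above, added here as an illustration and not taken from the thread or from Squid: NTLM authenticates a connection, so a client that opens a new connection after the challenge never completes the handshake. The `Proxy` class, `run_client` function and the three-step message labels are hypothetical simplifications.

```python
import itertools


class Proxy:
    """Toy proxy that ties an NTLM handshake to the connection it started on."""

    def __init__(self, persistence_header):
        # Header this proxy uses to signal that the connection stays open,
        # e.g. "Proxy-Connection" (2.6 per the post) or "Connection" (3.3.x).
        self.persistence_header = persistence_header
        self.challenged = set()  # connection ids that received a challenge

    def handle(self, conn_id, auth):
        """Return (status, headers) for one request on connection conn_id."""
        keep = {self.persistence_header: "keep-alive"}
        if auth == "type1":  # client's negotiate message
            self.challenged.add(conn_id)
            return 407, {"Proxy-Authenticate": "NTLM <type-2 challenge>", **keep}
        if auth == "type3" and conn_id in self.challenged:
            self.challenged.discard(conn_id)
            return 200, {}
        # No credentials yet, or a type3 on a connection that never saw
        # the challenge: ask the client to start over.
        return 407, {"Proxy-Authenticate": "NTLM", **keep}


def run_client(proxy, honoured_headers, max_requests=6):
    """Drive the handshake; reuse the connection only when a header the
    client honours says keep-alive. Returns (authenticated, trace)."""
    conn_ids = itertools.count(1)
    conn, auth, trace = next(conn_ids), None, []
    for _ in range(max_requests):
        status, headers = proxy.handle(conn, auth)
        trace.append((conn, auth, status))
        if status == 200:
            return True, trace
        kept = any(headers.get(h, "").lower() == "keep-alive"
                   for h in honoured_headers)
        if not kept:
            conn = next(conn_ids)  # client opens a fresh connection
        # Answer a challenge with type3, otherwise (re)start with type1.
        auth = "type3" if headers["Proxy-Authenticate"] != "NTLM" else "type1"
    return False, trace


if __name__ == "__main__":
    for header in ("Proxy-Connection", "Connection"):
        ok, trace = run_client(Proxy(header), {"Proxy-Connection"})
        print(header, "->", "authenticated" if ok else "auth loop", trace)
```

A client that honours both header names completes the handshake against either proxy, which is the change the poster wants from the client vendor.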
[squid-users] Diffence between NTLM in 2.6 compared to 3.3.5 - Citrix ?
I've noticed that since upgrading from Squid 2.6 to Squid 3.3.5 the Citrix ICA Client will no longer authenticate via NTLM to squid 3.3.5 - the ICA client just keeps popping up asking for NTLM auth - at no stage does it fallback to basic auth.

Every other NTLM aware application whether it be IE, Firefox, Chrome and even curl works fine and can authenticate no problems via NTLM however the Citrix ICA client just won't work.

If I change back to squid 2.6 it works fine. Both are using exactly the same squid.conf with...

# Pure NTLM Auth - fallback
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60 startup=15 idle=10
auth_param ntlm keep_alive off

# BASIC Auth - fallback
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Internet Access
auth_param basic credentialsttl 1 hours

Has anyone else experienced this?
RE: [squid-users] Looking for squid spec file
-----Original Message-----
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il]
Sent: Tuesday, 14 May 2013 8:53 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Looking for squid spec file

On 5/13/2013 6:13 PM, Amm wrote:
> Well one can modify it to require for init.d (or whatever that package
> is called)
>
> Or even pick up spec file from previous Fedora releases.
>
> Amm

>And since someone in the user list has a ready to use spec file just share it
>with me and I will use it.
>Now I don't have the head to work on it too much.
>Why work hard for a long time to find that someone else has the file already??
>Eliezer

I use this for RHEL6 - I guess it should work for CentOS

http://netsick.dyndns.org/squid.spec.3.3

Built the latest squid 3.3.4 with it..
[squid-users] DNS search not working - Squid Cache: Version 3.3.3
Hi,

Given the following, why doesn't DNS search work, given that my nameserver 1.1.1.1 contains valid DNS entries for test.blue.internal and test2.green.internal?

GET http://test/
GET http://test2/

.. both return DNS entry not found in squid.

/etc/resolv.conf

options rotate
search blue.internal green.internal
nameserver 1.1.1.1

squidclient -p 8080 mgr:idns

Internal DNS Statistics:
Nameservers:
IP ADDRESS # QUERIES # REPLIES
1.1.1.1 205 205
*snip*
Search list:
blue.internal
green.internal
*snip*

I do not have append_domain set in squid.conf - I've tried adding it but it only accepts one domain not two..

Clearly running "squidclient -p 8080 mgr:idns" shows that squid has consumed my /etc/resolv.conf and I can nslookup test and test2 from the bash shell..

[root@squid]# nslookup
> test
Server: 1.1.1.1
Address:1.1.1.1#53

Name: test.blue.internal
Address: 192.168.48.41
>

[root@squid]# nslookup
> test2
Server: 1.1.1.1
Address:1.1.1.1#53

Name: test2.green.internal
Address: 192.168.48.42
>
[squid-users] ext_kerberos_ldap_group_acl - how to ?
Hi,

I can not for the life of me work out how to use ext_kerberos_ldap_group_acl with squid 3.2.6

I have authentication with negotiate_kerberos_auth working fine but I also want authorisation helper for group membership.

Relevant squid.conf config below..

# Kerberos Auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 40
auth_param negotiate keep_alive on

# Group ACL Helper
external_acl_type ldap_group ttl=60 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g ALL@ -D my.internal

What is the ALL@ for ?

Does someone have a working config against Windows 2008 AD/LDAP ?

To be honest, at the moment I am using this external helper ext_wbinfo_group_acl which is working fine..

external_acl_type ldap_group ttl=300 children-max=50 children-startup=40 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl -K

.. but is ext_kerberos_ldap_group_acl better or should I leave authorisation up to ext_wbinfo_group_acl since I have it working? Is either better than the other?

Thanks
Kris
RE: [squid-users] Squid Cache: Version 3.1.15 - Adding custom header
Thank you. If for instance there was a header to replace and it was an RFC defined header - would this work?

request_header_replace X-Sophos-WSA-ClientIP %SRC

Is %SRC a valid parameter ?

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, 13 September 2011 2:58 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Cache: Version 3.1.15 - Adding custom header

On 13/09/11 15:44, Kris Glynn wrote:
> Hi,
>
> Can I add a custom header to outgoing http requests from squid. I have
> compiled with "--enable-http-violations"
>
> I've tried something like this below but it doesn't appear to work.
>
> request_header_replace X-Sophos-WSA-ClientIP %SRC

replace is actually *replace*. There must be a copy of the same header removed from the request in order to replace.

Additionally this is only possible in current Squid with registered headers (RFC defined). Unknown custom headers cannot be replaced like this. Sponsorship or patches welcome to enable this for unregistered headers.

>
> Can anyone suggest a way to achieve this ?
>

Client IP information is already provided by Squid in these common headers:

X-Forwarded-For: [... ,] $(client-ip)
X-Client-IP: $(client-ip)

Ensure forwarded_for is ON (the default) to receive them from your Squid.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11
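How a receiving system can read the X-Forwarded-For list mentioned in the reply above without being fooled by entries a client supplied itself. This is an added example, not code from the thread or from Squid; the trusted proxy network, the sample addresses and the function names are constructed assumptions.

```python
import ipaddress

# Constructed for the example: the network your own Squid proxies sit in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse(token):
    """Return an ip_address for the token, or None for 'unknown'/garbage."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Pick the client address from the TCP peer and an X-Forwarded-For value.

    Each proxy appends the address it saw, so the list is read right to
    left: entries added by trusted proxies are skipped, and the first
    entry that is not a trusted proxy is the client. Anything further
    left was supplied by that client and is ignored.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr, trusted):
        # The request did not come through our proxy: the header is
        # attacker-controlled, so only the TCP peer can be believed.
        return str(peer_addr)
    candidate = peer_addr
    for token in reversed((xff or "").split(",")):
        addr = _parse(token)
        if addr is None:
            break  # "unknown" or malformed entry: stop at the last good hop
        candidate = addr
        if not _is_trusted(addr, trusted):
            break  # first hop outside our proxies is the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (TCP peer, X-Forwarded-For value)
    samples = [
        ("10.0.0.5", "192.168.48.41"),
        ("10.0.0.5", "203.0.113.9, 192.168.48.41"),   # spoofed first entry
        ("10.0.0.5", "192.168.48.41, 10.0.0.6"),      # two chained proxies
        ("198.51.100.7", "192.168.48.41"),            # not via our proxy
        ("10.0.0.5", "unknown"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```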
[squid-users] Squid Cache: Version 3.1.15 - Adding custom header
Hi,

Can I add a custom header to outgoing http requests from squid. I have compiled with "--enable-http-violations"

I've tried something like this below but it doesn't appear to work.

request_header_replace X-Sophos-WSA-ClientIP %SRC

Can anyone suggest a way to achieve this ?
RE: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)
Thanks for the info. Can the same be achieved with the NTLM helper given this initial configuration ?

external_acl_type ldap_group ttl=300 children=40 %LOGIN /usr/lib/squid/wbinfo_group.pl

Can we allow/deny users in a specific OU with NTLM ?

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-----Original Message-----
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Wednesday, 19 May 2010 11:02 AM
To: Kris Glynn
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)

Wed 2010-05-19 at 10:54 +1000, Kris Glynn wrote:
> Thank you very much Henrik.
>
> A few things I would like to mention.
>
> 1. You specify using "external_acl_program" but I assume you mean
> "external_acl_type"

Correct.

> 2. What does the "X" mean in this acl line "acl ldap_service_accounts
> external ldap_service_accounts X"

It's a dummy group name. The helper is designed for group lookups and not sure the helper is happy without a group argument. Actually ignored due to the filter not including %g for group.

Regards
Henrik
RE: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)
Thank you very much Henrik.

A few things I would like to mention.

1. You specify using "external_acl_program" but I assume you mean "external_acl_type"
2. What does the "X" mean in this acl line "acl ldap_service_accounts external ldap_service_accounts X"

Again, thanks for the prompt response.

Regards

- Kris Glynn: (07) 3295 3987 - 0434602997

-----Original Message-----
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Wednesday, 19 May 2010 5:32 AM
To: Kris Glynn
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)

Tue 2010-05-18 at 14:33 +1000, Kris Glynn wrote:
> I would like to know if it is possible to deny/allow based on a specific OU in Active Directory.

Yes. The squid_ldap_group helper can do this by simply searching for the user again below that OU and denying access if found.

external_acl_program ldap_service_accounts %LOGIN /usr/lib/squid_ldap_group -R -b "OU=Service Accounts,dc=company,dc=internal" -D username -w password -f "(&(sAMAccountName=%u)(objectClass=Person))" -h 192.168.60.4
acl ldap_service_accounts external ldap_service_accounts X
http_access deny ldap_service_accounts

If you have many of these OUs that you want to match then the -g option to squid_ldap_group may be handy, enabling you to add the OU part via the acl line. But is a little tricky if the OU contains spaces as in your "OU=Service Accounts" (requires an acl include file).

Regards
Henrik
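The OU test discussed in the exchange above, sketched as a small external ACL helper that decides by matching the account's distinguished name against the OU instead of running a second LDAP search. This is an added example, not the squid_ldap_group helper or code from the thread; the directory dict is constructed sample data, the function names are hypothetical, and it assumes Squid sends one URL-escaped %LOGIN per line and expects OK or ERR back.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import unquote

# OU from the thread; accounts anywhere below it should match.
BASE_DN = "OU=Service Accounts,dc=company,dc=internal"

# Constructed sample data: login -> distinguishedName. A real helper would
# fetch the DN from the directory; the dict keeps the example offline.
SAMPLE_DIRECTORY = {
    "svc-backup": "CN=svc-backup,OU=Service Accounts,DC=company,DC=internal",
    "svc-old": "CN=svc-old,OU=Retired,OU=Service Accounts,DC=company,DC=internal",
    "jsmith": "CN=Smith\\, John,OU=Staff,DC=company,DC=internal",
    "areview": "CN=areview,OU=Service Accounts Review,DC=company,DC=internal",
}


def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        # Attribute names and these values compare case-insensitively, so
        # "dc=company" in the config matches "DC=company" from the directory.
        attr, _, value = rdn.partition("=")
        normalised.append(attr.strip().lower() + "=" + value.strip().lower())
    return normalised


def is_under(dn, base_dn):
    """True when dn sits anywhere below base_dn (whole-RDN subtree match)."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) > len(base) and rdns[-len(base):] == base


def handle_line(line, directory=SAMPLE_DIRECTORY, base_dn=BASE_DN):
    """Answer one helper request: OK if the login is inside the OU, else ERR."""
    fields = line.split()
    if not fields:
        return "ERR"
    # Undo URL escaping and drop a DOMAIN\ prefix if the login carries one.
    login = unquote(fields[0]).rsplit("\\", 1)[-1].lower()
    dn = directory.get(login)
    if dn is None:
        return "ERR"  # unknown account: the ACL does not match
    return "OK" if is_under(dn, base_dn) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

Because the ACL is used in a deny rule, an ERR for an unknown account means the rule does not match and later http_access rules decide the request.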
[squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)
Hi,

I would like to know if it is possible to deny/allow based on a specific OU in Active Directory.

Problem: I have an OU (OU=Service Accounts,dc=company,dc=internal) that contains accounts that should not be allowed access through squid.

How would I go about denying access to all users in OU=Service Accounts,dc=company,dc=internal given my current ldap configuration below.

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=company,dc=internal" -D username -w password -f "(&(sAMAccountName=%s)(objectClass=Person))" -t 10 -h 192.168.60.4
auth_param basic children 40
auth_param basic realm Internet Access
auth_param basic credentialsttl 1 hours

external_acl_type ldap_group ttl=3600 children=60 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=company,dc=internal" -B "dc=company,dc=internal" -F "(&(sAMAccountName=%s)(objectClass=Person))" -f "(&(member=%v)(cn=%a))" -D username -w password -h 192.168.60.4 -P

Thanks
Kris