Re: [squid-users] FTP Access thru Squid 2.7

2010-04-28 Thread Milan
Good Morning, could you take a look at my config and advise?

On Tue, Apr 27, 2010 at 19:49, Amos Jeffries  wrote:
> On Tue, 27 Apr 2010 10:44:12 -0400, Milan  wrote:
>> I have a Squid 2.7 build on Windows 2003 and I am trying to allow ftp
>> access thru the proxy.
>>
>> I have added the lines below as suggested:
>>
>> acl ftp proto FTP
>> http_access allow ftp
>>
>>
>> No avail. I can access if I type ftp://username:passw...@url-path
>>
>> Is there any way to configure to access by ftp://ftp.destination.com?
>
> The default config allows web browsers to open FTP URLs.
>
> The config you tried is only needed if you would otherwise be blocking
> access.
> It should work provided that you place it in the right part of squid.conf.
>
> Order is important.
>
> Amos
>
cache_peer proxy2.us.webscanningservice.com parent 3128  default no-query no-digest

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 40
auth_param ntlm keep_alive on

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G

ftp_user sq...@bicgraphic.com

acl all src all #0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22

acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"

acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"

acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"

acl Java browser Java/[0-9]

acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"

# Domains accessible to all PC's
acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl ftp proto FTP

acl authproxy proxy_auth REQUIRED
acl our_networks src 172.16.0.0/12 
acl HEAD method HEAD

acl InetAllow external AD_global_group NA\CLW.Squid.Full

acl password proxy_auth REQUIRED src 172.16.0.0/12 #MP

http_access allow manager localhost
http_access allow HEAD
http_access allow ftp
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow Approved_Domains
http_access allow goto_meeting
http_access allow Java
http_access allow Approved_IP
http_access allow InetAllow 
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks

icp_access allow all

http_access deny all

http_port 172.23.4.22:3128

hierarchy_stoplist cgi-bin ?

access_log c:/squid/var/logs/access.log squid
cache_log c:/squid/var/logs/cache.log squid

cache_store_log none

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

coredump_dir c:/squid/var/cache

acl INTERNAL dst 172.16.0.0/12
always_direct allow INTERNAL
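
Added example (not part of the original messages, and not Squid's own code): a simplified Python model of the first-match `http_access` evaluation behind the "Order is important" remark, run over a subset of the rules posted above. The request dictionaries, the reduced ACL set and the `DENY_FIRST` ordering are assumptions made for illustration.

```python
import ipaddress

# Simplified model of http_access evaluation (assumption: only the ACL
# types used below are modelled; this is not Squid's own code).
OUR_NET = ipaddress.ip_network("172.16.0.0/12")
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}
ACLS = {
    "ftp": lambda r: r["proto"] == "FTP",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "our_networks": lambda r: ipaddress.ip_address(r["src"]) in OUR_NET,
    "all": lambda r: True,
}

def parse_rules(text):
    """Extract (action, [acl names]) from http_access lines, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def evaluate(rules, request):
    """Return (action, index) of the first rule whose ACLs all match."""
    for idx, (action, names) in enumerate(rules):
        # "!name" matches when the named ACL does NOT match.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, idx
    if not rules:
        return "deny", None
    # Nothing matched: the opposite of the last rule's action applies.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Subset of the rules as posted, in the posted order.
AS_POSTED = parse_rules("""
http_access allow ftp
http_access deny !Safe_ports
http_access deny !our_networks
http_access deny all
""")
# Hypothetical reordering: the deny checks come before the broad allow.
DENY_FIRST = parse_rules("""
http_access deny !Safe_ports
http_access deny !our_networks
http_access allow ftp
http_access deny all
""")
# Constructed requests: one client outside 172.16.0.0/12, one inside.
OUTSIDE = {"src": "192.0.2.10", "proto": "FTP", "method": "GET", "port": 21}
INSIDE = {"src": "172.23.5.54", "proto": "FTP", "method": "GET", "port": 21}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("deny first", DENY_FIRST)):
        print(name, evaluate(rules, OUTSIDE), evaluate(rules, INSIDE))
```

With the posted order the outside client is allowed by rule 0 and `deny !our_networks` is never evaluated; with the deny checks first it is refused at rule 1 while the inside client is still allowed at rule 2.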


[squid-users] FTP Access thru Squid 2.7

2010-04-27 Thread Milan
I have a Squid 2.7 build on Windows 2003 and I am trying to allow ftp
access thru the proxy.

I have added the lines below as suggested:

acl ftp proto FTP
http_access allow ftp


No avail. I can access if I type ftp://username:passw...@url-path

Is there any way to configure to access by ftp://ftp.destination.com?


[squid-users] Is there a way to get transparent proxy to work with Squid 2.7 stable 8 on Windows 2003 Server?

2010-04-22 Thread Milan
We have a squid 2.7 stable 8 running on Windows 2003 server on a VM.
Is it possible to get transparent proxy working on this version or is
still impossible for windows?


Re: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-21 Thread Milan
Yes the Version we are using is 2.0 on Squid 2.7 stable 8 and
clw.squid.full is a universal group

On Wed, Apr 21, 2010 at 09:19, Guido Serassio
 wrote:
> Hi,
>
> Yes, but only if you are using the 2.x version of the helper and the 
> CLW.Squid.Full group is group with the appropriate scope (Local, Global or 
> Universal).
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>
>> -Original Message-
>> From: Milan [mailto:compguy030...@gmail.com]
>> Sent: Wednesday, 21 April 2010 14:52
>> To: Guido Serassio
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] External users from Child AD domain unable to
>> use local Squid proxy
>>
>> So instead of the way the line is now:
>>
>> acl InetAllow external AD_global_group CLW.Squid.Full
>>
>> The domain would be added to the group like below:
>>
>> acl InetAllow external AD_global_group NA\CLW.Squid.Full
>>
>>
>>
>> On Wed, Apr 21, 2010 at 06:19, Guido Serassio
>>  wrote:
>> > Hi,
>> >
>> >> >> We have the below acl for users in the Ad global group
>> >> >>
>> >> >>
>> >> >> external_acl_type AD_global_group ttl=120 %LOGIN
>> >> >> c:/squid/libexec/mswin_check_ad_group.exe -G
>> >> >>
>> >> >> and another acl below that allows full access thru the squid proxy
>> >> >> using an ad group
>> >> >>
>> >> >> acl InetAllow external AD_global_group CLW.Squid.Full
>> >> >>
>> >> >>
>> >> >> any ideas
>> >> >
>> >
>> > AGAIN:
>> >
>> > "When using mswin_check_ad_group.exe 1.x in global mode (-G options),
>> > the check is done always against a global group placed in the user's
>> > domain."
>> >
>> > So the question is: On which AD domain is defined the CLW.Squid.Full
>> > group ?
>> >
>> > Regards
>> >
>> > Guido
>> >
>> > Guido Serassio
>> > Acme Consulting S.r.l.
>> > Microsoft Gold Certified Partner
>> > VMware Professional Partner
>> > Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
>> > Tel. : +39.011.9530135               Fax. : +39.011.9781115
>> > Email: guido.seras...@acmeconsulting.it
>> > WWW: http://www.acmeconsulting.it
>> >
>> >
>> >
>> >
>


Re: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-21 Thread Milan
So instead of the way the line is now:

acl InetAllow external AD_global_group CLW.Squid.Full

The domain would be added to the group like below:

acl InetAllow external AD_global_group NA\CLW.Squid.Full



On Wed, Apr 21, 2010 at 06:19, Guido Serassio
 wrote:
> Hi,
>
>> >> We have the below acl for users in the Ad global group
>> >>
>> >>
>> >> external_acl_type AD_global_group ttl=120 %LOGIN
>> >> c:/squid/libexec/mswin_check_ad_group.exe -G
>> >>
>> >> and another acl below that allows full access thru the squid proxy
>> >> using an ad group
>> >>
>> >> acl InetAllow external AD_global_group CLW.Squid.Full
>> >>
>> >>
>> >> any ideas
>> >
>
> AGAIN:
>
> "When using mswin_check_ad_group.exe 1.x in global mode (-G options),
> the check is done always against a global group placed in the user's
> domain."
>
> So the question is: On which AD domain is defined the CLW.Squid.Full
> group ?
>
> Regards
>
> Guido
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>
>


Re: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-19 Thread Milan
Below is our Squid.conf. We still cannot get external ad users to work
on our proxy.

cache_peer proxy2.us.xx.com parent 3128  default no-query no-digest

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 40
auth_param ntlm keep_alive on

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G

ftp_user sq...@.com

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"

acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"

acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"

acl Java browser Java/[0-9]

acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"

# Domains accessible to all PC's
acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl ftp proto FTP

acl authproxy proxy_auth REQUIRED
acl our_networks src 172.xx.xx.xx/12
acl HEAD method HEAD

acl InetAllow external AD_global_group CLW.Squid.Full

http_access allow manager localhost
http_access allow HEAD
http_access allow ftp
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow Approved_Domains
http_access allow Java
http_access allow Approved_IP
http_access allow InetAllow
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks

On Sun, Apr 18, 2010 at 06:26, Guido Serassio
 wrote:
> Hi,
>
> When using mswin_check_ad_group.exe 1.x in global mode (-G options), the 
> check is done always against a global group placed in the user's domain.
>
> Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD 
> group helper supporting full forest wide group recursion.
> Take a look to the included docs for details.
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
>> -Original Message-
>> From: Milan [mailto:compguy030...@gmail.com]
>> Sent: Thursday, 15 April 2010 17:17
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] External users from Child AD domain unable to use
>> local Squid proxy
>>
>> We are using Squid on Windows as a proxy and we are having an issue
>> when users that come from a child domain to our office do not
>> authenticate properly.
>>
>> Example: our domain is na.myworld.com and users from eu.myworld.com
>> come to our office and do not authenticate correctly
>> The log of the connection is below.
>>
>> 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET
>> http://www.yahoo.com/ - NONE/- text/html
>> 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET
>> http://www.yahoo.com/ - NONE/- text/html
>> 1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET
>> http://www.yahoo.com/ eu\vbonafe NONE/- text/html
>> 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET
>> http://www.yahoo.es/ - NONE/- text/html
>> 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET
>> http://www.yahoo.es/ - NONE/- text/html
>> 1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET
>> http://www.yahoo.es/ eu\vbonafe NONE/- text/html
>> 1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET
>> http://www.google.com/ -
>> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>> 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET
>> http://clients1.google.com/generate_204 -
>> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>> 1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET
>> http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>>
>> We have the below acl for users in the Ad global group
>>
>>
>> external_acl_type AD_global_group ttl=120 %LOGIN
>> c:/squid/libexec/mswin_check_ad_group.exe -G
>>
>> and another acl below that allows full access thru the squid proxy
>> using an ad group
>>
>> acl InetAllow external AD_global_group CLW.Squid.Full
>>
>>
>> any ideas
>


[squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-15 Thread Milan
We are using Squid on Windows as a proxy and we are having an issue
when users that come from a child domain to our office do not
authenticate properly.

Example: our domain is na.myworld.com and users from eu.myworld.com
come to our office and do not authenticate correctly
The log of the connection is below.

1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET
http://www.yahoo.com/ - NONE/- text/html
1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET
http://www.yahoo.com/ - NONE/- text/html
1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET
http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET
http://www.yahoo.es/ - NONE/- text/html
1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET
http://www.yahoo.es/ - NONE/- text/html
1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET
http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET
http://www.google.com/ -
DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET
http://clients1.google.com/generate_204 -
DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET
http://www.google.com/csi? - DIRECT/72.14.204.103 text/html

We have the below acl for users in the Ad global group


external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G

and another acl below that allows full access thru the squid proxy
using an ad group

acl InetAllow external AD_global_group CLW.Squid.Full


any ideas
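
Added example (not part of the original post): a small Python parser for Squid's native access.log format, run over four of the entries quoted above, that separates authentication challenges (407) from requests refused after a user name was already logged (403). The classification labels are this example's own names, not Squid terminology.

```python
from collections import Counter

# Entries from the access.log excerpt in the post above, with the mail
# client's line wrapping undone (one request per line).
SAMPLE_LOG = r"""
1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
"""

def parse_line(line):
    """Parse one line of Squid's native access.log format into a dict."""
    f = line.split()
    if len(f) < 10:
        return None  # blank or truncated line
    result, _, status = f[3].partition("/")
    return {"time": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "method": f[5], "url": f[6], "user": f[7]}

def classify(e):
    """Label an entry by where in the auth/ACL path it stopped."""
    if e["status"] == 407:
        return "auth-challenge"  # proxy asked the client for credentials
    if e["result"] == "TCP_DENIED":
        # A logged user name means authentication succeeded and a later
        # access rule (for example a group check) refused the request.
        return "authenticated-denied" if e["user"] != "-" else "denied-no-user"
    return "allowed-no-auth" if e["user"] == "-" else "allowed-authenticated"

def summarize(log_text):
    """Count classifications and list users denied after authenticating."""
    counts, denied_users = Counter(), set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "authenticated-denied":
            denied_users.add(entry["user"])
    return dict(counts), sorted(denied_users)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The two 407 entries are the proxy's authentication challenges; the 403 carrying `eu\vbonafe` shows the user name was accepted and the request was then refused by an access rule, while the google.com request was allowed with no user name logged.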


Fwd: [squid-users] Fwd: Squid 2.7 with NTLM auth

2010-04-07 Thread Milan
I have tried the below lines and it works but I would prefer to get it
working using the allowed_ip.txt file. In that case we can just add ip
address to allow through the proxy instead of making additional acls.

acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22

http_access allow goto_meeting


Any ideas?



On Tue, Apr 6, 2010 at 03:48, Amos Jeffries  wrote:
>
> Milan wrote:
>>
>> We are using Squid ported for Windows and are experiencing an issue with one
>> particular service. GotoMeeting, GotoAssist, GotoWebinar(Citrix) We
>> are unable to get users connected unless we add the individual IP
>> Address of the servers individually:
>>
>> 216.115.208.0 / 20
>> 216.219.112.0 / 20
>> 66.151.158.0 / 24
>> 66.151.150.160 / 27
>> 66.151.115.128 / 26
>> 64.74.80.0 / 24
>> 202.173.24.0 / 21
>> 67.217.64.0 / 19
>> 78.108.112.0 / 20
>> 68.64.0.0 / 19
>> 206.183.100.0 / 22
>>
>> The full list is above and there is no way we are typing individual
>> IPs. We tried putting CIDR notation in the allowed_ip.txt but it
>> does not like that. Any advice on how to setup with the least
>> administrative effort? We are kind of new to SQUID. Thanks for your
>> advice.
>
> There is no such thing as "allowed_ips.txt" in Squid. I assume you have 
> followed some how-to tutorial.
>
> ... what does squid.conf contain? (without the # comment lines)
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.1


[squid-users] Fwd: Squid 2.7 with NTLM auth

2010-04-05 Thread Milan
We are using Squid ported for Windows and are experiencing an issue with one
particular service. GotoMeeting, GotoAssist, GotoWebinar(Citrix) We
are unable to get users connected unless we add the individual IP
Address of the servers individually:

216.115.208.0 / 20
216.219.112.0 / 20
66.151.158.0 / 24
66.151.150.160 / 27
66.151.115.128 / 26
64.74.80.0 / 24
202.173.24.0 / 21
67.217.64.0 / 19
78.108.112.0 / 20
68.64.0.0 / 19
206.183.100.0 / 22

The full list is above and there is no way we are typing individual
IPs. We tried putting CIDR notation in the allowed_ip.txt but it
does not like that. Any advice on how to setup with the least
administrative effort? We are kind of new to SQUID. Thanks for your
advice.