RE: [squid-users] Media players with proxy_auth REQUIRED
Hi!

Thanks for answering! Yes I have, will send it to you.

Regards
/Mattias

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: 19 December 2007 12:45
To: Olsson, Mattias
Cc: squid-users
Subject: Re: [squid-users] Media players with proxy_auth REQUIRED

Do you have a tcpdump of the failed authentication transactions?

Adrian

On Wed, Dec 19, 2007, Olsson, Mattias wrote:
> Hello all!
>
> I'm running my squid server with proxy_auth REQUIRED. The Linux server is
> fully integrated with my AD. Samba/Winbind/kerberos all is working
> great. The problem I have is that IE / Windows is automatically
> authenticated against the proxy servers. But embedded players like
> Windows Media Player, Quicktime and others fail to automatically auth.
> I get a popup box where I can enter username / password to auth. If I do
> so, I get authed and I can see the movie ...
>
> The problem is that we are going to remove username/password within the
> AD and just use smartcards. So I need to figure out how to solve this or
> create an ACL where I can allow media sites.
>
> Is it possible to solve the Media Player issue? To have it auth the same
> way as IE?
>
> How can I create an ACL that allows some media sites?
>
> #From my squid.conf - local networks have to auth.
> acl MYNETWORK proxy_auth REQUIRED src 192.168.0.0/255.255.0.0
> http_access allow MYNETWORK
>
> #Tried to do something like this
> acl NoAUTHsite dstdomain *.domain1.com
> acl NoAUTHsite dstdomain *.domain2.com
> http_access allow NoAUTHsite
>
> #This is from access.log when I'm trying to view a media link.
[squid-users] Media players with proxy_auth REQUIRED
Hello all!

I'm running my squid server with proxy_auth REQUIRED. The Linux server is fully integrated with my AD. Samba/Winbind/kerberos all is working great. The problem I have is that IE / Windows is automatically authenticated against the proxy servers. But embedded players like Windows Media Player, Quicktime and others fail to automatically auth. I get a popup box where I can enter username / password to auth. If I do so, I get authed and I can see the movie ...

The problem is that we are going to remove username/password within the AD and just use smartcards. So I need to figure out how to solve this or create an ACL where I can allow media sites.

Is it possible to solve the Media Player issue? To have it auth the same way as IE?

How can I create an ACL that allows some media sites?

#From my squid.conf - local networks have to auth.
acl MYNETWORK proxy_auth REQUIRED src 192.168.0.0/255.255.0.0
http_access allow MYNETWORK

#Tried to do something like this
acl NoAUTHsite dstdomain *.domain1.com
acl NoAUTHsite dstdomain *.domain2.com
http_access allow NoAUTHsite

#This is from access.log when I'm trying to view a media link.

1198061741.907 21 127.0.0.1 TCP_MISS/404 4478 GET http://wwwc.aftonbladet.se/special/webbtv/jsp/webbtv.css MYUSERNAME DIRECT/192.71.238.83 text/html
1198061741.922 58 127.0.0.1 TCP_MISS/200 2586 GET http://wwwc.aftonbladet.se/special/webbtv/jsp/webbtv_ad_right.jsp? MYUSERNAME DIRECT/192.71.238.83 text/html
1198061741.933 0 127.0.0.1 TCP_DENIED/407 2159 GET http://www.aftonbladet.se/statistik/instadia/clientstep.js - NONE/- text/html
1198061741.936 0 127.0.0.1 TCP_DENIED/407 2089 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] - NONE/- text/html
1198061741.936 0 127.0.0.1 TCP_DENIED/407 1999 GET http://qstream-wm.qbrick.com/00862/aftonbladet1/Noje/0712/m0nj071219Clooney.wmv - NONE/- text/html
1198061741.939 0 127.0.0.1 TCP_DENIED/407 1930 GET http://wwwc.aftonbladet.se/special/webbtv/jsp/webbtv.css - NONE/- text/html
1198061741.944 0 127.0.0.1 TCP_DENIED/407 2312 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] - NONE/- text/html
1198061741.950 0 127.0.0.1 TCP_DENIED/407 2153 GET http://wwwc.aftonbladet.se/special/webbtv/jsp/webbtv.css - NONE/- text/html
1198061741.971 34 127.0.0.1 TCP_MISS/302 451 GET http://www.aftonbladet.se/statistik/instadia/clientstep.js MYUSERNAME DIRECT/192.71.238.76 text/javascript
1198061742.012 68 127.0.0.1 TCP_MISS/200 744 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] MYUSERNAME DIRECT/192.71.238.79 application/x-javascript
1198061742.025 13 127.0.0.1 TCP_MISS/302 449 GET http://www.aftonbladet.se/statistik/instadia/specials.js MYUSERNAME DIRECT/192.71.238.76 text/javascript
1198061742.048 2 127.0.0.1 TCP_IMS_HIT/304 331 GET http://ad.aftonbladet.se/RealMedia/ads/Creatives/default/empty.gif MYUSERNAME NONE/- image/gif
1198061742.048 99 127.0.0.1 TCP_MISS/404 5864 GET http://wwwc.aftonbladet.se/special/webbtv/jsp/webbtv.css MYUSERNAME DIRECT/192.71.238.83 text/html
1198061742.062 0 127.0.0.1 TCP_DENIED/407 1888 GET http://se1.instadia.net/cgi-bin/gatherfpc? - NONE/- text/html
1198061742.069 0 127.0.0.1 TCP_DENIED/407 2111 GET http://se1.instadia.net/cgi-bin/gatherfpc? - NONE/- text/html
1198061742.083 0 127.0.0.1 TCP_DENIED/407 2086 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] - NONE/- text/html
1198061742.085 0 127.0.0.1 TCP_DENIED/407 2008 GET http://wwwc.aftonbladet.se/special/webbtv/bilder2/Noje/0712/p1nj071214filmerny.jpg - NONE/- text/html
1198061742.093 1 127.0.0.1 TCP_DENIED/407 2309 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] - NONE/- text/html
1198061742.094 0 127.0.0.1 TCP_DENIED/407 2231 GET http://wwwc.aftonbladet.se/special/webbtv/bilder2/Noje/0712/p1nj071214filmerny.jpg - NONE/- text/html
1198061742.124 76 127.0.0.1 TCP_MISS/200 655 GET http://sifo.aftonbladet.se/data/? MYUSERNAME DIRECT/80.76.145.58 image/gif
1198061742.134 64 127.0.0.1 TCP_MISS/200 478 GET http://se1.instadia.net/cgi-bin/gatherfpc? MYUSERNAME DIRECT/193.88.187.16 image/gif
1198061742.145 50 127.0.0.1 TCP_MISS/200 7394 GET http://ad.aftonbladet.se/RealMedia/ads/adstream_mjx.ads/www.aftonbladet.se/webbtv/noje/[EMAIL PROTECTED] MYUSERNAME DIRECT/192.71.238.79 application/x-javascript
1198061742.154 60 127.0.0.1 TCP_MEM_HIT/200 3957 GET http://wwwc.aftonbladet.se/special/webbtv/bilder2/Noje/0712/p1nj071214filmerny.jpg MYUSERNAME NONE/- image/jpeg
1198061742.169 15 127.0.0.1 TCP_MEM_HIT/200 3744 GET http://wwwc.aftonbladet.se/special/webbtv/bilder2/Noje/0712/p1nj071213parisNEW.jpg MYUSERNAME NONE/- image/jpeg
1198061742.179 9 127.0
[squid-users] Exclude embedded applications from ntlm auth
Hello!

I have a cluster of Squid servers integrated with my AD. IE and Firefox are working most of the time. My biggest problem is that Windows Media Player, Quicktime and other embedded players fail to auth against the AD automatically. I get a popup requesting my username/password. This is annoying and it will not work with our PKI2 cards.

I don't know if it's possible to solve this problem with embedded players failing against Squid/Kerberos/AD, so I was hoping for a workaround meanwhile.

First, can it be done? Having embedded players automatically auth against the AD... If not, is it possible to make an exclusion ACL within squid? Maybe on mime type or application type / sort of traffic?

This is how I have configured squid, if you are coming from the internal LAN you have to auth...

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy Server AUTH
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
acl MYNET proxy_auth REQUIRED src 192.168.0.0/255.255.0.0
http_access allow MYNET

Thanks for any kind of help!

Kind regards
Mattias Olsson
Siemens AB IT Solutions and Services AB
SE-171 95 Solna
Sweden
P: +46 8 730 6573
M: +46 70 629 1071
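For the two posts above (media players with proxy_auth REQUIRED, and excluding embedded applications from NTLM auth), one way to write the exemption being asked about. This is an added example, not configuration from the thread: `.qbrick.com` is taken from the denied .wmv request in the posted access.log, while `.example-media.test` and the ACL names are placeholders.

```squidconf
# Added example, Squid 2.x-era syntax matching the posts. ACL names are illustrative.
# The auth_param lines stay as posted.

# Present in the stock squid.conf of that era; newer releases predefine "all",
# so leave this line out there.
acl all src 0.0.0.0/0.0.0.0

# An acl line carries one type. The LAN source range and the login requirement
# are separate ACLs and are combined (ANDed) on the http_access line.
acl lan src 192.168.0.0/255.255.0.0
acl lan_users proxy_auth REQUIRED

# Destinations the embedded players fetch and that may be reached without login.
# A leading dot matches the domain and all of its subdomains;
# "*.domain1.com" is not dstdomain syntax.
acl media_noauth dstdomain .qbrick.com .example-media.test

# http_access rules are checked top to bottom and the first match decides.
# The exemption has to come before the rule that evaluates proxy_auth,
# otherwise the player has already been answered with a 407.
http_access allow lan media_noauth
http_access allow lan lan_users
http_access deny all
```

Requests to the exempted domains are logged without a username, so they cannot be attributed to a user; keep the list to the specific media hosts and keep the `lan` source restriction on that rule. `squid -k parse` checks the file before a reload.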
[squid-users] Telling Squid not to proxy this host
Hello!

I have a Squid proxy for our PDAs connected via VPN. The only thing this proxy should do and is doing fine I declare internal networks. The rest is internet. But what I wish to do for one IP (can't figure out this) is telling the web browser to connect to it directly.

Ex. All internal and external networks will be accessed via the proxy but "no proxy for" 192.168.1.1.

Windows Mobile doesn't have this setting so I must do it somehow on the proxy.

Thanks all!

Kind regards
Mattias Olsson
Siemens IT Solutions and Services AB
SE-171 95 Solna
Sweden
P: +46 8 730 6573
M: +46 70 629 1071
RE: [squid-users] LDAP Auth Netware
Hi again!

Just a last question... I have two domains, not in the same top domain. Can Squid be configured to validate users from the two different domains? Or is it like in Windows... just one domain...

EX:
COMPANY.COM -> Squid is joined and is validating over LDAP. Works great :)
TESTDOMAIN.SE -> How do I specify another domain? In krb5, no problem. But the rest?

Regards
/Mattias

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 21 August 2007 12:01
To: Olsson, Mattias
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] LDAP Auth Netware

On Tue, 2007-08-21 at 08:59 +0200, Olsson, Mattias wrote:
> Thank you for the answer!
>
> In my Windows environment I'm using kerberos to get a valid ticket. Can that also be done with Netware?

No idea, and it's not LDAP related.

> Sorry for the lame questions, haven't been around Netware since the last century ... :-)

Haven't been around Netware ever, apart from a one hour OS lab in 1993. Only been in contact with users using squid_ldap_auth with various Novell servers.

Regards
Henrik
RE: [squid-users] LDAP Auth Netware
Thank you for the answer!

In my Windows environment I'm using kerberos to get a valid ticket. Can that also be done with Netware?

Sorry for the lame questions, haven't been around Netware since the last century ... :-)

Kind regards
Mattias Olsson
Siemens IT Solutions and Services AB
SE-171 95 Solna
Sweden
P: +46 8 730 6573
M: +46 70 629 1071

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 20 August 2007 23:52
To: Olsson, Mattias
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] LDAP Auth Netware

On Mon, 2007-08-20 at 10:24 +0200, Olsson, Mattias wrote:
> Hello!
>
> I authenticate my proxy users against my MS domain via ldap. Is it
> possible to do the same against Netware?

Yes. Novell NDS and eDirectory are both quite capable LDAP servers.

Regards
Henrik
[squid-users] LDAP Auth Netware
Hello!

I authenticate my proxy users against my MS domain via ldap. Is it possible to do the same against Netware?

Kind regards
Mattias Olsson
Siemens IT Solutions and Services AB
SE-171 95 Solna
Sweden
P: +46 8 730 6573
M: +46 70 629 1071
[squid-users] Squid Ldap
Hi!

I would like to use LDAP to auth proxy users (win 2003). It's working great except that I have to login every time. I have seen that the NT domain name could be removed with option -S. But I can't get that to work. Please have a look and correct me :)

external_acl_type InetGroup %LOGIN /usr/sbin/squid_ldap_group -R -b "ou=Users Accounts,dc=domain,dc=local" -D "cn=Administrator,cn=Users,dc=domain,dc=local" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Global,ou=Security groups,dc=domain,dc=local))" -S -h ldap_server_ip

My client machines are in the same domain. Logging in with my user name works but IE appears to send domain\username by default...

Kind regards
Mattias Olsson
Siemens Business Services AB
SE-171 95 Solna
Sweden
P: +46 8 730 6573
M: +46 70 629 1071
[squid-users] SMP support
Hi all!

I'm running squid on machines with dual CPUs. Looking into top it looks like squid is just running on one CPU. How do I enable SMP support within squid when running ./configure?

Thanks guys!
/Mattias
RE: [squid-users] Blocking msn file sharing
Today I block MSN like this,

acl MSN req_mime_type ^application/x-msn-messenger$
http_access deny MSN

And it's working... Just don't know how to block file sharing like this. Maybe deny port 80 to some MSN site...

/Mattias

-----Original Message-----
From: Elsen Marc [mailto:[EMAIL PROTECTED]
Sent: 24 June 2004 13:29
To: Olsson Mattias; [EMAIL PROTECTED]
Subject: RE: [squid-users] Blocking msn file sharing

> Hi all!
>
> Is it possible to block msn messenger file sharing in Squid?
> Msn and sending / receiving messages should be allowed, filesharing not.

Note that SQUID only serves http requests, and http is stateless in its nature. In so far that this issue relates to the fact that MSN messenger is doing its work using http and through a http proxy (in this case SQUID), then this may perhaps be possible by using mime based ACLs and looking at certain types extensions being used; possibly blocking them afterwards.

Though I am not sure that this can be worded out easily. But remember that SQUID deals with http-ing only, if involved at all, and knows nothing in essence about msn.

M.
[squid-users] Blocking msn file sharing
Hi all!

Is it possible to block msn messenger file sharing in Squid? Msn and sending / receiving messages should be allowed, filesharing not.

Regards
/Mattias
[squid-users] Whitelist / Blacklist
Hi,

I'm trying to make an access and deny list. My blacklist should look like "deny everything" and my whitelist should consist of only allowed links. The example below works, but I need to define 0.0.0.0/0.0.0.0 as the blacklist. How do I do that? Can't find it...

acl whitelist url_regex ^http://www\.siemens\.se/
acl blacklist dstdomain .siemens.se
http_access deny blacklist !whitelist

Thanks !!!
/Mattias
[squid-users] URL filtering
Hi all!

Just a simple question. If I run squid as a proxy and in the .conf file say that on this server www.test.com you are allowed to view the two following URLs, www.test.com/custommer and www.test.com/partner, all other URLs on www.test.com are DENIED! Can this be done in Squid?

Regards
/Mattias
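For the "Whitelist / Blacklist" and "URL filtering" posts above, the two allowlist shapes being asked about, written out as an added example rather than configuration from the thread. The ACL names are illustrative; the hosts and paths are the ones given in the posts.

```squidconf
# Added example, Squid 2.x-era syntax matching the posts. Use one variant or the other.

# Variant 1: restrict a single host to two paths and leave other sites to
# whatever rules follow. url_regex is matched against the whole URL, so the
# scheme and host are anchored; ([/?]|$) keeps "/partner" from also matching
# a longer path such as "/partners-old".
acl test_host dstdomain www.test.com
acl test_paths url_regex ^http://www\.test\.com/custommer([/?]|$)
acl test_paths url_regex ^http://www\.test\.com/partner([/?]|$)
http_access deny test_host !test_paths

# Variant 2: "deny everything" as the blacklist. There is no blacklist ACL to
# maintain: list what is allowed, then finish with a rule that matches every
# client address. Repeating an acl name adds alternatives (OR).
# The "all" line is already in the stock squid.conf of that era and is
# predefined in newer releases; leave it out there.
acl all src 0.0.0.0/0.0.0.0
acl whitelist url_regex ^http://www\.siemens\.se/
acl whitelist url_regex ^http://www\.test\.com/custommer([/?]|$)
acl whitelist url_regex ^http://www\.test\.com/partner([/?]|$)
http_access allow whitelist
http_access deny all
```

Path rules only apply to plain HTTP: for HTTPS the proxy sees a CONNECT to host:port and no path, so variant 2 blocks HTTPS entirely unless a host-level rule allows it. url_regex is case-sensitive unless the `-i` option is given.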
[squid-users] Tool to display access.log and store.log
> Hi all!
>
> I'm trying to have my squid logs displayed in a nice manner on my web
> server.
> Calamaris does the job with the access.log file, but most of all I wish to
> display the info from the store.log file. Calamaris doesn't seem to be able to
> handle it.
> I need to see "site names" "urls" "downloads" and "time". I'm trying to
> find out how much "illegal" surfing that is done.
>
> Q. Is there an application that can convert my store.log and access.log
> into a nice .html file? Or is there a combination of tools to use?
>
> Regards
>
> Mattias Olsson
> IT Consultant
> Communication Solutions
> [EMAIL PROTECTED]
> Phone: +46 8 730 6573
> Mobile: +46 70 629 1071