Re: [squid-users] problem accessing sharepoint
Hi In my case I can't bypass the proxies and thus it's not a solution I can implement. Please help me solve this problem in other ways. TIA Paolo On Tue, May 22, 2012 at 6:36 AM, Nishant Sharma codemarau...@gmail.com wrote: Hi, Even we by-pass proxy for access to sharepoint. It's easier to do with PAC or WPAD file to avoid making changes on each of the desktop. Regards, Nishant On 22 May 2012 06:45, Usuário do Sistema maico...@ig.com.br wrote: Hi, I'm with the same problem! and I bypass the proxy for that sharepoint URL. any tip about how to figure out is welcome thanks 2012/5/21 Paolo Supino paolo.sup...@gmail.com: Hi I was approached by a user that has problems accessing a sharepoint share external to our company and I'm lost in finding the cause of the failure and a fix for it... The remote sharepoint site (running sharepoint 14 on IIS 7.5) is accessed via a battery of Squid proxies (2.6.STABLE21, RHEL 5.5) that authenticate to the company's windows 2003 domain via kerberos and an external helper that checks group membership. When trying to access the remote sharepoint site via the URL: http://www.example.com/sites/share-name it repeatedly prompts the user with username/password (the sharepoint site uses NTLM authentication). Running TCP dump on the proxy through which the request is being forwarded I noticed that the sharepoint site rejects the username/password pair and sends back HTTP/1.1 401 Unauthorized. Authentication isn't rejected completely when using Internet Explorer 6 and explicity asking for default.aspx ASP page by entering the URL: http://www.example.com/sites/share-name/default.aspx, but some elemnts in the page aren't loaded causing it to be impossible to work with the files in the share. I apologize for the lack of information (again, I'm lost). Anyone can try and help me solve the problem (if it is solvable)? TIA Paolo
Re: [squid-users] problem accessing sharepoint
Hi Nishant Yes we do have upstream proxies: Finjan security scanner. I Tried to bypass them with always_direct, but it didn't work... TIA Paolo On Tue, May 22, 2012 at 8:41 AM, Nishant Sharma codemarau...@gmail.com wrote: Hi Paolo, Is their any AV filtering happening with HAVP as parent to Squid? You could configure something like this and see if it works: pipeline_prefetch on; acl sharepoint dst SHAREPOINT_IP or acl sharepoint dstdomain SHAREPOINT_DOMAIN always_direct allow sharepoint Moreover, sharepoint doesn't work very well on non-IE browsers. regards, Nishant On Tue, May 22, 2012 at 11:54 AM, Paolo Supino paolo.sup...@gmail.com wrote: Hi In my case I can't bypass the proxies and thus it's not a solution I can implement. Please help me solve this problem in other ways. TIA Paolo On Tue, May 22, 2012 at 6:36 AM, Nishant Sharma codemarau...@gmail.com wrote: Hi, Even we by-pass proxy for access to sharepoint. It's easier to do with PAC or WPAD file to avoid making changes on each of the desktop. Regards, Nishant On 22 May 2012 06:45, Usuário do Sistema maico...@ig.com.br wrote: Hi, I'm with the same problem! and I bypass the proxy for that sharepoint URL. any tip about how to figure out is welcome thanks 2012/5/21 Paolo Supino paolo.sup...@gmail.com: Hi I was approached by a user that has problems accessing a sharepoint share external to our company and I'm lost in finding the cause of the failure and a fix for it... The remote sharepoint site (running sharepoint 14 on IIS 7.5) is accessed via a battery of Squid proxies (2.6.STABLE21, RHEL 5.5) that authenticate to the company's windows 2003 domain via kerberos and an external helper that checks group membership. When trying to access the remote sharepoint site via the URL: http://www.example.com/sites/share-name it repeatedly prompts the user with username/password (the sharepoint site uses NTLM authentication). Running TCP dump on the proxy through which the request is being forwarded I noticed that the sharepoint site rejects the username/password pair and sends back HTTP/1.1 401 Unauthorized. Authentication isn't rejected completely when using Internet Explorer 6 and explicity asking for default.aspx ASP page by entering the URL: http://www.example.com/sites/share-name/default.aspx, but some elemnts in the page aren't loaded causing it to be impossible to work with the files in the share. I apologize for the lack of information (again, I'm lost). Anyone can try and help me solve the problem (if it is solvable)? TIA Paolo
[squid-users] problem accessing sharepoint
Hi I was approached by a user that has problems accessing a sharepoint share external to our company and I'm lost in finding the cause of the failure and a fix for it... The remote sharepoint site (running sharepoint 14 on IIS 7.5) is accessed via a battery of Squid proxies (2.6.STABLE21, RHEL 5.5) that authenticate to the company's windows 2003 domain via kerberos and an external helper that checks group membership. When trying to access the remote sharepoint site via the URL: http://www.example.com/sites/share-name it repeatedly prompts the user with username/password (the sharepoint site uses NTLM authentication). Running TCP dump on the proxy through which the request is being forwarded I noticed that the sharepoint site rejects the username/password pair and sends back HTTP/1.1 401 Unauthorized. Authentication isn't rejected completely when using Internet Explorer 6 and explicity asking for default.aspx ASP page by entering the URL: http://www.example.com/sites/share-name/default.aspx, but some elemnts in the page aren't loaded causing it to be impossible to work with the files in the share. I apologize for the lack of information (again, I'm lost). Anyone can try and help me solve the problem (if it is solvable)? TIA Paolo
Re: [squid-users] ACL compisition
Hi Matus All my other http_access rules are either based on a single acl src, acl dst (and variants) or acl src, acl dst. The question (and not a problem) is whether I can have a http_access rule that is built from a: acl src, acl dst and acl port? Anyhow Amos Jeffries replied me in private and taught me that it can be done... TIA Paolo On Sun, Feb 19, 2012 at 1:13 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: On 16.02.12 15:51, Paolo Supino wrote: I have the following scenario: I have a subnet that needs to get out on the internet to 2 different subnets. To subnet1 it needs to be able to access only in HTTP while to subnet2 it needs to be able to access only in HTTPS. Is it possible to do the follwoing: acl source_subnet src 192.168.100.0/255.255.255.0 acl destination_subnet1 dst 172.16.0.0/255.255.0.0 acl destination_subnet2 dst 172.31.0.0/255.255.0.0 acl HTTP_PORT port 80 acl SSL_PORT port 443 http_access allow source_subnet destination_subnet1 HTTP_PORT http_access allow source_subnet destination_subnet2 SSL_PORT On Fri, Feb 17, 2012 at 9:55 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: do you have any other http_access directives in the config? On 17.02.12 14:34, Paolo Supino wrote: Yes I have a few http_access rules in my squid.conf (7 to be precise), but I can't fold this ACL into the other ACLs I have (I would have done it if I could). and what exactly is your problem? is other access to those two also allowed? Or is the access you need denied? For the former case, you are allowing access but you are not denying anything, or at least not with these directives. That might be your problem. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows 2000: 640 MB ought to be enough for anybody
Re: [squid-users] ACL compisition
hi Yes I have a few http_access rules in my squid.conf (7 to be precise), but I can't fold this ACL into the other ACLs I have (I would have done it if I could). TIA Paolo On Fri, Feb 17, 2012 at 9:55 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: On 16.02.12 15:51, Paolo Supino wrote: I have the following scenario: I have a subnet that needs to get out on the internet to 2 different subnets. To subnet1 it needs to be able to access only in HTTP while to subnet2 it needs to be able to access only in HTTPS. Is it possible to do the follwoing: acl source_subnet src 192.168.100.0/255.255.255.0 acl destination_subnet1 dst 172.16.0.0/255.255.0.0 acl destination_subnet2 dst 172.31.0.0/255.255.0.0 acl HTTP_PORT port 80 acl SSL_PORT port 443 http_access allow source_subnet destination_subnet1 HTTP_PORT http_access allow source_subnet destination_subnet2 SSL_PORT do you have any other http_access directives in the config? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #9: Out of error messages.
[squid-users] ACL compisition
Hi I have the following scenario: I have a subnet that needs to get out on the internet to 2 different subnets. To subnet1 it needs to be able to access only in HTTP while to subnet2 it needs to be able to access only in HTTPS. Is it possible to do the follwoing: acl source_subnet src 192.168.100.0/255.255.255.0 acl destination_subnet1 dst 172.16.0.0/255.255.0.0 acl destination_subnet2 dst 172.31.0.0/255.255.0.0 acl HTTP_PORT port 80 acl SSL_PORT port 443 http_access allow source_subnet destination_subnet1 HTTP_PORT http_access allow source_subnet destination_subnet2 SSL_PORT If not, how do achieve my goal of limiting based on source, destination subnets and destination port? TIA Paolo
[squid-users] always_direct directive
Hi My Squid proxy (squid-2.6.STABLE21) is the first proxy part of hirarchy that clients on the network hit. I have client on the LAN that is having problems with one of the upstream proxies when accessing a specific web server on the internet (I have no control of the upstream proxy). I want to let that specific client bypass the proxy hirarchy when accessing that specific web server. I've tried to setup 2 acls: acl src_client src 192.168.1.88 and acl dst_server dstdomain www.example.com and then put both acls in the same always_direct rule: always_direct allow src_client dst_server, but it didn't work (though it didn't complain about the misconfiguration...). I was hoping that always_direct will work the same way that http_access works and accept multiple acls. How can I setup Squid to always_direct from a specific host to a specific server? Please don't suggest upgrading Squid because this is not possible at the moment :-( TIA Paolo
[squid-users] http status code in cache.log
Hi Does the http status code in cache.log refer to http code returned from web server squid contacted or does it refer to something else? TIA Paolo
Re: [squid-users] http status code in cache.log
Hi in the case of TCP_MISS/400 does the 400 refer to the HTTP error code returned from the web server? TIA Paolo On Wed, Nov 16, 2011 at 10:46 AM, Amos Jeffries squ...@treenet.co.nz wrote: On 16/11/2011 10:13 p.m., Paolo Supino wrote: Hi Does the http status code in cache.log refer to http code returned from web server squid contacted or does it refer to something else? What status code? cache.log contains debug traces of all protocols, traffic and most processing actions. Amos
[squid-users] MIB
Hi I've been trying to find an elaborated description of each OID for Squid's MIB but I have not found any. Is there an elaborated description of the MIB somewhere? If so where? TIA Paolo
Re: [squid-users] MIB
Hi I saw in the archives a reply you sent with more details about a few OIDs (http://marc.info/?l=squid-usersm=122818959808426w=2). I'm looking for a similar level of detailed descriptions for other OIDs, possibly for all MIB OIDs. Is there something like that? TIA Paolo On Tue, Nov 8, 2011 at 12:57 PM, Amos Jeffries squ...@treenet.co.nz wrote: On 9/11/2011 12:35 a.m., Paolo Supino wrote: Hi I've been trying to find an elaborated description of each OID for Squid's MIB but I have not found any. Is there an elaborated description of the MIB somewhere? If so where? http://wiki.squid-cache.org/Features/Snmp#Squid_OIDs Amos
[squid-users] grouping cache manager
Hi Is it possible to have a single squid cache that runs cach manger for a group of squid caches? TIA Paolo
[squid-users] cache sizing
Hi Can anyone direct me to a tutorial about cache sizing? -- TIA Paolo
[squid-users] Calamaris statistics
Hi at the request of my boss I've started generating daily squid statistics with calamaris. My boss asked me whether the traffic reported is incoming/outgoing (or both) to the office. I tried to find the answer on Google, but couldn't find anything concrete about it. So I'm positing the question here: What does the traffic reported in Calamaris represent incoming/outgoing or both?