Re: [squid-users] What is the best way to authenticate remote users with dynamic ip?

2008-04-14 Thread S.M.H. Hamidi
Dear Roma,

If you want to authenticate users through a captive portal mechanism, you should 
think of the IP address as the user identity. Although it is possible to implement 
cookie-based authentication, it is more complex and needs a detailed 
explanation.

Regards,

- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Sunday, April 13, 2008 8:16:09 PM
Subject: [squid-users] What is the best way to authenticate remote users with 
dynamic ip?

Hello, list.
I want to setup public proxy, that will serve clients from anywhere, after 
registration.
I will setup captive portal for authorization/registration and external 
authenticator,
that will check user validity, and redirect unauthorized to captive portal.

I guess that simple basic/digest auth will be better choice, but I want to use 
captive portal,
so its no option for me, alas.

So I need some kind of session authentication.
For now I'm sticking to cookie authentication, but not sure if it is possible.
I can configure captive portal to set cookie and external helper to check for 
it,
but I believe client will not send that cookie until squid asks him,
and squid will not, will it? What can I do in that case?

Is there any better way, to approach my target?

Thanks in advance, Roma.






  



Re: [squid-users] Authenticating users with a webpage form

2007-12-03 Thread S.M.H. Hamidi
Dear Mr. Jones,

 I think you are looking for an integration between
some different requirements and integration is somehow
complicated. That is captive portal, caching/proxying
and user accounting.

 Squid wasn't written with a vision to support all of
the above requirements, although they can be added with
some scripting. Another way is to divide your problem
into different parts and use a suitable software package
for each. You can make use of Squid for caching and
other packages for authentication, accounting and
authorization.

Regards,

--- Taylor Jones [EMAIL PROTECTED] wrote:

 I see. So I guess I need to use Hamidi's method: set
 up some webserver 
 that unauthenticated users are redirected to, have
 the user submit his 
 data to it, have some script on the webserver check
 against the password 
 list (in my case LDAP), if the user was valid add
 the user's IP address 
 to the proxy server's ACL list, then redirect the
 user to some other 
 page so that the proxy accepts the newly
 authenticated user and allows 
 him through. I guess I'll need some manner of
 measuring how long a 
 user has been logged in so I can give him a certain
 amount of access 
 time. It just seems...kludgy somehow. Maybe it's just
 me. It would be 
 nice if this were more supported natively by squid,
 but I guess that's 
 how guys like Amos make their money! Thanks for all
 your help guys!
 
 Amos Jeffries wrote:
  Is there no way to do this securely and in such a
 way that squid is able
  to log the IP address of the user? I mean, all I
 really want to do is
  ask the same questions of the user, just in a
 slightly different way. It
  seems hard to believe that this is so difficult
 in squid, every coffee
  shop and airport in the U.S. has something
 similar to this in their wifi
  hotspots. I am willing to accept that I may not
 know how it works, so I
  will explain what I believe to be the proper
 authentication steps:
  
  You misunderstand the basic HTTP/HTTPS
 authentication behaviour of web
  browsers. Over which you have absolutely no
 control.
  
  1) User connects to proxy server
  2) Squid sends an authentication request to the
 user with a method
  similar to .htaccess in Apache (I am using basic
 ncsa_auth at the
  moment, I realize that in digest and NTLM, this
 different and more secure)
  
  *nix that. Squid must check source of 'logged-in'
 users, redirecting any
  not found to the web server for 'authentication'.
  
  3) User submits his information
  
  ** to the 'authenticating' web server via the page
 POST.
  which gets handled by an out-of-band script
  which on success then redirects user back to
 original requested page.
  
  4) Squid uses ncsa_auth to compare the user's
 data with a password list
  somewhere on the proxy server
  
  * nix this too. proxy CANNOT use HTTP
 authentication for this remember?
  browsers provide the login box.
  
  5) If the user is authorized, his IP address is
 added to a list of
  authorized users. If no, he is rejected.
  
  ** by the 'authenticating' web server via the
 POST.
  
  Proxy MUST scan source of 'logged-in' users
 again.. repeat ad infinitum
  until success or failure blocks the users loop.
  
  If I am right about that, then all I really want
 to do can be done by
  slightly modifying step 2, and send a complete
 webpage to the user.
  Since I am using basic authentication, I realize
 that the user's
  credentials are sent in plain text, so is it
 possible to use SSL in this
  scenario? The data is only being sent to the
 proxy server, so there
  shouldn't be a problem with any
 men-in-the-middle.
  
  Nope, the browsers behaviour on seeing
 browser-level credential request is
  to send credentials or show the box. There is no
 way you can use any of
  the *_auth and not have the box.
  
  In a way out-of-band authentication is much more
 secure for the proxy
  interaction part of the cycle and for all traffic
 once a user is
  authorized.
  But the authentication web server takes up all the
 usual security holes
  any other clear-text password mechanism has.
  
  Thus, I give away a secure code for the risky bit
 free, with advice
  available on it. While charging for the config
 part.
  
  Amos
  
 
  Adrian Chadd wrote:
  You misunderstand how it works.
 
  The browser pops up that box to gather
 authentication credentials it
  then uses for all subsequent connections to the
 proxy server.
 
  Using a login page won't magically place
 authentication credentials
  in the web browser for it to then use for
 subsequent connections.
  The proxy has to track which IP addresses have
 had users log
  and then pass them through.
 
  This has security implications which no one
 really seems to care about...
 
 
 
  Adrian
 
  On Sun, Dec 02, 2007, Taylor Jones wrote:
  Thanks for the offer, but I'm not looking for a
 way to login, I'm
  looking for a way to change the way in which
 squid lets users log in.
  As you know, the user authenticates himself via
 a little 

Re: [squid-users] Authenticating users with a webpage form

2007-12-01 Thread S.M.H. Hamidi
Hi,

If your workstations are not behind NAT, there is a
simple solution, as below:

1- Block all local IP ranges from accessing the net by
default.
2- Change the error page so that users who are
denied access are redirected to the login page.
3- Create a file which consists of allowed IP
addresses and include it in your squid ACLs. Define
the relevant access rule.
4- When a user gets authenticated, simply add its IP
address to the above-mentioned file (access-allowed IPs).
When a user logs out or the authentication times
out, remove its IP address from the file.
5- Alert the authenticated user to keep the authentication
page open and open a new browser session or tab to
continue web surfing.
6- Check user presence with common techniques like
page refresh in the login page.
7- It is also possible to provide the original referrer
URL to the user after successful authentication.

More details can be added to the above solution to improve
the user experience; however, the overall mechanism is the
same. There are other methods for users behind NAT or
thin clients, which are more complicated.

Best wishes,

--- Taylor Jones [EMAIL PROTECTED] wrote:

 Hello,
 
 I read the guidelines for this mailing list, and I
 really do hope I'm
 not asking a question you've all heard a million
 times. If I am, feel
 free to berate me, I probably deserve it.
 
 I am looking for a way to use a webpage with a
 GET/POST form to get
 the user's name and password for authentication
 instead of the pop-up
 that the user receives by default. I realize that
 this is just an
 aesthetic kind of thing, but I'm nothing if not
 obsessive, and I hate
 that I can't tell a user where he is and what he
 needs to do to gain
 access to our proxy server. Honestly, this shouldn't
 be that hard to
 implement, I just don't really know where I should
 start. Any help you
 guys could give me would be much appreciated!
 



  



Re: [squid-users] Re: SARG

2006-05-31 Thread S.M.H. Hamidi

Dear Nima,

 Which version of SARG do you use? Upgrade your SARG
to the latest version. Some older versions have such a bug.

Regards,

--- nima sadeghian [EMAIL PROTECTED] wrote:

 the cpu is 3.0 and free hard  space is about 100GB.
 very strange. I
 used it in GNOME. could graphical interface affect
 the proficiency?
 thnx
 nima
 
 On 5/31/06, Shoebottom, Bryan
 [EMAIL PROTECTED] wrote:
  I agree, with ~5000 users we process a 1.5GB file
 nightly and it only
  takes about 30minutes.  The system is a dual
 3.6GHz.
 
  Thanks,
   Bryan
 
 
  -Original Message-
  From: Jason Gauthier [mailto:[EMAIL PROTECTED]
  Sent: May 31, 2006 9:12 AM
  To: squid-users@squid-cache.org
  Subject: RE: [squid-users] SARG
 
   Hi friends
   my SARG is too slow. I run squid for 400 users
 here, and a
   log file about 200MB. after one night SARG is
 running and
   do not want to give me report . is this ok?
   How can I change it more quick?
 
  After 1 month my access.log is 1G in size. It only
 takes a little while.
  This may be disk or CPU based issues.  But I would
 check with the SARG
  lists/maintainers.
 
 
 
 -- 
 Best Regards
 NIMA SADEGHIAN
 




Re: [squid-users] delay pools

2006-03-27 Thread S.M.H. Hamidi

Hi,

- Have you enabled delay pools during build of your
squid?

- As you may know, lines which begin with a hash
mark are not parsed by squid. To activate a
configuration you should remove the hash marks.

Regards,

--- dharam paul [EMAIL PROTECTED] wrote:

 I write my delay pools like this after the word
 Default:
 
 #TAG:delay_pools 
 #Default:
 #delay_pools 2 
 
 TAG:delay_class 
 #Default:
 #delay_class 1 3
 #delay_class 2 1
 
 #TAG:delay_access
 #Default:
 #delay_access 1 allow All 
 #delay_access 2 allow LOCALUSERS
 
 #TAG: delay_parameters
 #delay_parameters 1 25600/25600 2/2
 9000/1
 #delay_parameters 2 -1/-1 
 
 'All' and 'LOCALUSERS' are two ACLs.
 
 This delay pools does not work. Am I wrong
 somewhere?
 
 I have tried this on squid 2.5.stable9 and
 2.5.stable13
 Could some one please tell me if I am wrong
 somewhere
 in passing delay_pools this way?
 
 My delay_pools work well on Windows platform, this
 does not work on my Free BSD machine (Intel Celeron
 667 on a Intel 810 E chipset).
 
 
 
   



Re: [squid-users] Squid Authentication

2006-03-27 Thread S.M.H. Hamidi

Hi, 

 How do you expect the browser to send authentication
information without user intervention? Sending
authentication information automatically contradicts
the concept of authentication.

 Maybe you are looking for an authentication mechanism like
web login?

Regards,

--- Rachel [EMAIL PROTECTED] wrote:

 Hi All,
 
 I'm looking for a way to authenticate with squid (not
 IP based) that won't 
 prompt the user for a user name or password.
 
 At the moment I'm using a BASIC auth method and
 saving the password, 
 however I'd quite like to find a way to have the
 client automatically 
 supply this information to squid rather than to
 prompt the user to press OK.
 
 Unfortunately NTLM is not an option for me.
 
 Thanks
 
 Rachel
 



Re: [squid-users] IP + NCSA auth

2005-09-06 Thread S.M.H. Hamidi

hi,

There is an external ACL helper in the squid source tree
named ip_user which allows restricting users to IP
addresses.

--- Varun [EMAIL PROTECTED] wrote:

 Hello,
   Can I combine ACL rules for IP based
 and NCSA auth together and bind them
 together ?
 
 Thanks
 
 Varun
 




Re: [squid-users] Few probs Again

2005-09-04 Thread S.M.H. Hamidi
Hi,

You can simply make use of an alias. For example, to open
your squid.conf file with vim you can define an alias
in your bash as follows:

alias edit-squid='vim /path/to/squid.conf'

Then by entering edit-squid on the command line you can
edit your squid.conf from any path. To make this alias
permanent, put it in .bashrc in your home directory. For
other shells you should follow a similar way.

--- kashif Mazhar [EMAIL PROTECTED] wrote:

 Hello all,
 
 I want to know how can i run squid while sitting at
 any path..means
 mostly squid system files are placed at
 /usr/local/squid/etc/squid.conf
 
 Now i want to open squid.conf from any path like
 sitting at /home
 folder..i know it is possible..with some script but
 how to and whats
 process..i dont know...?
 
 Regards,
 





 


Re: [squid-users] single squid proxy caching multiple http servers

2005-09-04 Thread S.M.H. Hamidi

Hi,

You should search for reverse proxying. 

--- Jeremy Pettet [EMAIL PROTECTED] wrote:

 hello,
 
 I think this question it too simple because I have
 not been able to
 find a definitive answer.
 
 I want to speed up a php-based web site and I was
 thinking of having a
 single machine running squid and caching the
 websites of multiple
 machine each running many typo3-based websites.
 
 The squid machine will be fast with lots of ram and
 a fast disk
 subsystem. The only task the http servers will be is
 to run the cms
 administrative interface and update the site.
 
 Is this possible? Has it been done before and can
 you point me to some
 resources that can help?
 
 Thanks.
 jp
 




Re: [squid-users] What antivirus solution do u recommend?

2005-08-25 Thread S.M.H. Hamidi

I recommend using ICAP (Internet Content Adaptation
Protocol), a lightweight protocol to pass HTTP messages
to ICAP servers for modification or adaptation. For more
information refer to the ICAP RFC.

 Today, it is the preferred approach in commercial
products. However, open source implementations are at an
early stage and not completely stable. There are two
ICAP server projects on SourceForge at the following
addresses, and the ICAP client is now part of the squid
development projects
(http://devel.squid-cache.org/icap/).

- http://icap-server.sourceforge.net/

- http://c-icap.sourceforge.net/


--- Pavel M. Ivanchev [EMAIL PROTECTED]
wrote:

 I found two solutions that use squid but which one i
 can't decide to use.
 One is squid+ dansguardian+clamav and the other is
 squid+HAVP.
 I want to scan all traffic through squid.
 Any recommendations?
 





 


Re: [squid-users] I need htpasswd

2005-08-17 Thread S.M.H. Hamidi

It is part of the Apache distribution. If you have
installed Apache before, you can do a locate to find
htpasswd. It usually resides beside the apache
executables.
 
If you don't want to install apache you can download
and install htpasswd separately, for example from
here: http://www.squid-cache.org/htpasswd/

--- Carstea Catalin [EMAIL PROTECTED] wrote:

 I need the htpasswd for change my accounts. ( for
 FreeBSD)
 
 -- 
 Any help would be greatly appreciated.
 regards,
 Carstea Catalin
 




Re: [squid-users] I need one command

2005-08-17 Thread S.M.H. Hamidi

You can simply use the top command. In addition, there are
a number of ports in the ports collection, mostly in the
sysutils directory, which can provide you useful
information about system status.

--- Carstea Catalin [EMAIL PROTECTED] wrote:

 I run squid on my freebsd box and i need to know the
 free memory. 
 In redhat exist a nice command #free to show the
 free memory. In
 FreeBsd how can i get the same result?
 
 -- 
 Any help would be greatly appreciated.
 regards,
 Carstea Catalin
 




Re: [squid-users] Squid, Antivirus Pf

2005-06-30 Thread S.M.H. Hamidi
Hi,

To answer your first question I suggest using squid
ICAP client. I think using ICAP can lead to better
performance.

--- Maxime Woznicki [EMAIL PROTECTED]
wrote:

 Hello,
 I'm trying to set up my own gateway using OpenBSD,
 Pf (filtering + QoS) 
 and Squid.
 
 I have several problems :
 
 I would like to set up an antivirus running with
 squid. I've tried Squid 
 + Squirm + Viralator + Clamav, which works fine,
 but i'm not really 
 satisfied in terms of performance and use of
 resources.
 Is there an efficient, free and really secure way to
 set up such a thing 
 ? and which tools ?
 
 My second problem is that pf acts as a packet
 filter, nat and QoS 
 (sharing dl bandwidth between hosts ip addresses
 with pf (cbq) on 
 internal interface). But if I use squid for http and
 ftp downloads, I 
 cannot control bandwidth sharing using pf.
 I've read somewhere that it is possible to manage
 bandwidth with squid's acls.
 How can I do that ?
 
 Thx for help.
 
 Max
 




 


Re: [squid-users] web base squid configuration package

2005-06-26 Thread S.M.H. Hamidi

What do you mean exactly? If you are looking for a web
based configuration for squid, you can use squid
webmin module.

--- ashkan almaspour [EMAIL PROTECTED]
wrote:

 i want configure squid based on web base.
 it is possible ?please help me.
 






Re: [squid-users] Logfile Analysis

2005-06-14 Thread S.M.H. Hamidi

It is important to know which kinds of reports and
analysis you need. Do you want to monitor squid
itself or user activities? As far as I know, each of
these tools covers some portion of the needs, and there is
no integrated tool for log analysis, reporting and
some sorts of monitoring.

However, I myself prefer SARG for most cases. For
managers, usually, tracking user activities is more
important than cache health!

--- [EMAIL PROTECTED] wrote:

 Greetings,
 
 I have squid up and running and now I'm interested
 into generating reports per its log files and any
 other resources I can tap into.
 
 I've reviewed the entries on
 http://www.squid-cache.org/Scripts/, but considering
 the length of the list, I was curious if anyone had
 some recommendations from that list or maybe even
 something that wasn't listed?
 
 I currently have a mysql and apache servers
 supporting my DB and web based needs, so if any of
 these reporting tools need such daemons, I'd prefer
 if they supported these two.
 
 Does anyone have anything they recommend?
 
 Regards,
 
 Joshua
 
 




Re: Re: [squid-users] Logfile Analysis

2005-06-14 Thread S.M.H. Hamidi

Yes, it has a nice web interface with many features.

--- [EMAIL PROTECTED] wrote:

 Thank you for the quick response.
 
 I'm interested in monitoring all aspects of a user's
 activities.
 
 A web interface would also be preferable since
 management may want to have direct access to this
 material.
 
 Does SARG have a web interface?
 
 Regards,
 
 Joshua
 






Re: [squid-users] too many messages in cache.log

2005-06-01 Thread S.M.H. Hamidi

Probably you have run squid with the -k debug option,
which causes squid to generate full log messages. 

--- Askar [EMAIL PROTECTED] wrote:

 hi,
 
 I duno why but one of our cache server's cache.log
 is full of messages 
 like this
 
 2005/06/01 10:40:25| WARNING: Forwarding loop
 detected for:
 GET /us.yimg.com/i/us/pim/el/check_1.gif HTTP/1.0
 Accept: */*
 Referer:
 http://us.f306.mail.yahoo.com/ym/Compose?YY=11670
 Accept-Language: en-us
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
 Windows NT 5.0)
 Host: us.i1.yimg.com
 Via: 1.1 mcache.beaconet.net:3128
 (squid/2.5.STABLE9)
 X-Forwarded-For: xxx.xxx.xxx.xxx
 Cache-Control: max-age=1209600, only-if-cached
 
 
 perhaps for each request squid appending these
 entries in cache.log, any 
 idea what's going on there and how to fix it.
 
 Thanks and regards
 
 Askar Ali
 







[squid-users] is there tproxy patch for freebsd?

2005-05-25 Thread S.M.H. Hamidi
Hi list,

Does anyone know if there is a patch similar to the
BalaBit patches for transparent proxying
(http://www.balabit.com/downloads/tproxy/) for the FreeBSD
kernel?

Another question: Is it necessary for such patches to be
implemented at kernel level? Might it be possible to
implement it using packet capture libraries (e.g.
libpcap or bpf)?



Re: [squid-users] transparent proxy + auth

2005-05-01 Thread S.M.H. Hamidi

 This solution only works when there is a one-to-one
mapping between users and IP addresses, but imagine
circumstances where all users have the same IP address
(e.g. terminal server users).

 The definite solution to this problem is
cookie-based authentication, which is implemented by
some commercial products like Blue Coat ProxySG
(http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
and Novell BorderManager
(http://support.novell.com/techcenter/articles/cfa03332.html)


--- Henrik Nordstrom [EMAIL PROTECTED] wrote:
 On Sat, 30 Apr 2005, Varun wrote:
 
Is it possible to have any sort of
  authentication with squid running as
  transparent proxy.
 
 Yes, but not the HTTP authentication.
 
 To make authentication in a transparent proxy you
 need to figure out some 
 way of authenticating the user based on his IP. The
 external_acl interface 
 of Squid-2.5 or later allows you to plug this into
 Squid.
 
 Regards
 Henrik
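
Added example (not part of the original thread and not Squid project code): a small external ACL helper for the IP-based portal approach, covering both the allowed-IP list with timeout from the 2007-12-01 post and the external_acl interface mentioned here. The session file path, its "ip last_seen user" record format, the 300-second idle timeout and the squid.conf names are assumptions; as the thread notes, the scheme is only valid where one IP address maps to one user.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: pass a client IP only while its portal session is live.

Assumed squid.conf wiring (ACL and helper names are illustrative):
    external_acl_type portal_session ttl=30 negative_ttl=5 %SRC /usr/local/bin/portal_acl.py
    acl logged_in external portal_session
    http_access allow logged_in
    http_access deny all
"""
import ipaddress
import sys
import time

SESSION_FILE = "/var/run/portal/sessions"  # assumed path; written by the login script
IDLE_TIMEOUT = 300  # assumed: seconds allowed since the last login-page refresh

# Constructed sample records in the assumed format "<ip> <last_seen_epoch> <user>"
SAMPLE_SESSIONS = [
    "192.0.2.10 999900 alice",
    "192.0.2.11 999000 bob",
    "not-an-ip 999900 mallory",
    "truncated line",
]


def load_sessions(lines):
    """Parse session records, silently dropping anything malformed."""
    sessions = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises IPv4/IPv6 text
            last_seen = float(parts[1])
        except ValueError:
            continue
        sessions[ip] = (last_seen, parts[2])
    return sessions


def decide(request_line, sessions, now):
    """Return the reply line for one %SRC request from Squid: OK or ERR."""
    fields = request_line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    entry = sessions.get(ip)
    if entry is None:
        return "ERR"  # never logged in: Squid denies, error page sends user to login
    last_seen, user = entry
    if now - last_seen > IDLE_TIMEOUT:
        return "ERR"  # login page stopped refreshing: session has timed out
    return "OK user=" + user  # user= lets Squid record the name in access.log


def main():
    for line in sys.stdin:
        try:
            with open(SESSION_FILE) as fh:
                sessions = load_sessions(fh)
        except OSError:
            sessions = {}  # fail closed if the session store is unreadable
        sys.stdout.write(decide(line, sessions, time.time()) + "\n")
        sys.stdout.flush()  # Squid waits for one reply per request line


if __name__ == "__main__":
    main()
```

Squid caches each helper answer for the configured ttl, so a logout or timeout takes effect only once the cached result expires.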
 
