[squid-users] how big value should auth_param basic children be?

2008-02-28 Thread Yong Bong Fong

Hi,
  Just wondering how to define the optimum value for auth_param basic 
children. I have around 200+ users utilizing my proxy-ldap 
authentication. Currently I have set it to 20; I wonder if that is 
beyond redundant and what is actually the appropriate value to 
accommodate the users?

thanks

auth_param basic children 50


[squid-users] Grouping the delay_pool access

2008-02-21 Thread Yong Bong Fong

Dear friends,
 
   I have a 512kb ADSL link. I tried to implement delay_pools on my 
users, but apparently after I apply the configuration, even general 
surfing seems to slow down significantly. I thought the delay_pools 
should only affect their downloading speed, but it seems like general 
surfing gets affected. My configuration is as follows:


delay_pools 2 #setup two delay pools
delay_class 1 2 #delay pool 1 is a class 2
delay_class 2 3 #delay pool 2 is a class 3
delay_parameters 1 64000/64000 16000/32000
delay_parameters 2 64000/64000 5/5 45000/45000
delay_access 1 allow all
delay_access 2 allow all

I tried not to provide the entire 512kb link to squid because the link 
is also used by our email service. So if I am not mistaken, I should adjust 
the aggregate allocation from 64000 to something lower?
And my problem now is, what configuration is affecting my general 
surfing speed?


   The other issue is, I want some directors to be unrestricted by the 
delay_pools restriction. Do I just create a group and set up a delay 
class 1 allocating the full ADSL bandwidth for them as follows:

delay_class 3 1 #delay pool 3 is a class 1 delay pool
delay_parameters 3 64000/64000
delay_access 3 allow directors_group
delay_access 3 deny all


Hopefully someone can help me with this, thanks for taking the time to read my question!

regards
Yong



Re: [squid-users] delay_parameters: What is difference between aggregate, network and individual bucket?

2008-02-20 Thread Yong Bong Fong

thanks a lot Amos!

Amos Jeffries wrote:

Yong Bong Fong wrote:

Dear friends,

 I am just confused about the usage of aggregate, network and 
individual bucket.
If I am not mistaken, the aggregate bucket is just like a public bucket that 
all users get the privilege to access, and the individual bucket is one 
specific to each user?


Say I set a delay_parameter as follows:
delay_parameters 2 32000/32000 8000/8000 600/8000
then, how does it allocate the bucket limitation to each user?


aggregate bucket
  - ALL traffic has to be within the parameters.

network bucket (/24, /16, /network-size)
  - traffic per /n network as a whole network.
squid may handle more than one /n network at once.

individual bucket
  - each IP address must have its traffic matching these settings.



 delay_parameters 2 32000/32000 8000/8000 600/8000

 - No individual IP can get more than 600 bytes/sec. Slow clients are 
given a bit of leeway to grab up to 8000-byte chunks to compensate for 
up to 13 sec network delays.


 - No network of class /24? /16? missing data may use more than 
8000 bytes/sec.
   i.e. 12 IPs can connect at full rate; any more start to cut others' 
speeds down.


 - Absolute max cap is set at 32000 bytes/sec.
i.e. 48 IPs total can connect at full individual rate, before slowing.
i.e. 4 network blocks may reach full rate before affecting each 
other's speed.



Amos
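
The three bucket levels from the reply above, as an added example (not part of the thread and not Squid's own code): a one-second-tick model of a class 3 pool in which every client downloads as fast as it is allowed. The struct and function names, buckets starting full, proportional sharing of a contended bucket and the abstract "network" grouping are assumptions of this model.

```c
#include <stdio.h>

#define MAX_NETS 8
#define MAX_PER_NET 32
#define SETTLED 3000            /* a second well past the initial bursts */

/* restore = bytes added per second, max = bucket size, level = bytes left */
struct bucket { long long restore, max, level; };

/* delay_parameters <pool> aggregate network individual, each restore/max */
struct params { long long agg_r, agg_m, net_r, net_m, ind_r, ind_m; };

struct pool {
    int nets, per_net;
    struct bucket agg, net[MAX_NETS], ind[MAX_NETS][MAX_PER_NET];
};

static int clamp(int v, int hi) { return v < 1 ? 1 : (v > hi ? hi : v); }

static void refill(struct bucket *b)
{
    b->level = (b->level + b->restore > b->max) ? b->max : b->level + b->restore;
}

static void pool_init(struct pool *p, const struct params *q, int nets, int per_net)
{
    int n, c;
    p->nets = clamp(nets, MAX_NETS);
    p->per_net = clamp(per_net, MAX_PER_NET);
    /* assumption of this model: every bucket starts full (level = max) */
    p->agg = (struct bucket){ q->agg_r, q->agg_m, q->agg_m };
    for (n = 0; n < p->nets; n++) {
        p->net[n] = (struct bucket){ q->net_r, q->net_m, q->net_m };
        for (c = 0; c < p->per_net; c++)
            p->ind[n][c] = (struct bucket){ q->ind_r, q->ind_m, q->ind_m };
    }
}

/* One second with every client downloading as fast as it is allowed to.
 * Returns the bytes handed to the first client of the first network. */
static long long tick(struct pool *p)
{
    long long grant[MAX_NETS][MAX_PER_NET], net_sum, total = 0, spent = 0;
    int n, c;

    refill(&p->agg);
    for (n = 0; n < p->nets; n++) {
        refill(&p->net[n]);
        net_sum = 0;
        for (c = 0; c < p->per_net; c++) {
            refill(&p->ind[n][c]);
            grant[n][c] = p->ind[n][c].level;   /* individual bucket caps the client */
            net_sum += grant[n][c];
        }
        for (c = 0; c < p->per_net; c++) {
            if (net_sum > p->net[n].level)      /* network bucket tighter: share it */
                grant[n][c] = grant[n][c] * p->net[n].level / net_sum;
            total += grant[n][c];
        }
    }
    for (n = 0; n < p->nets; n++)
        for (c = 0; c < p->per_net; c++) {
            if (total > p->agg.level)           /* aggregate bucket tighter still */
                grant[n][c] = grant[n][c] * p->agg.level / total;
            p->ind[n][c].level -= grant[n][c];  /* charge all three levels */
            p->net[n].level -= grant[n][c];
            spent += grant[n][c];
        }
    p->agg.level -= spent;
    return grant[0][0];
}

/* Bytes the first client receives during second number `second` (0 = first). */
long long bytes_in_second(const struct params *q, int nets, int per_net, int second)
{
    struct pool p;
    long long got = 0;
    int t;
    pool_init(&p, q, nets, per_net);
    for (t = 0; t <= second; t++)
        got = tick(&p);
    return got;
}

/* delay_parameters 2 32000/32000 8000/8000 600/8000, as quoted in the thread */
const struct params THREAD_POOL = { 32000, 32000, 8000, 8000, 600, 8000 };

int main(void)
{
    printf("1 client: burst %lld, then %lld B/s\n",
           bytes_in_second(&THREAD_POOL, 1, 1, 0),
           bytes_in_second(&THREAD_POOL, 1, 1, SETTLED));
    printf("20 clients in 1 network: %lld B/s each\n",
           bytes_in_second(&THREAD_POOL, 1, 20, SETTLED));
    printf("100 clients in 5 networks: %lld B/s each\n",
           bytes_in_second(&THREAD_POOL, 5, 20, SETTLED));
    return 0;
}
```
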


[squid-users] delay_parameters: What is difference between aggregate, network and individual bucket?

2008-02-19 Thread Yong Bong Fong

Dear friends,

 I am just confused about the usage of aggregate, network and individual 
bucket.
If I am not mistaken, the aggregate bucket is just like a public bucket that all 
users get the privilege to access, and the individual bucket is one specific 
to each user?


Say I set a delay_parameter as follows:
delay_parameters 2 32000/32000 8000/8000 600/8000
then, how does it allocate the bucket limitation to each user?

thanks
Regards
Yong


[squid-users] sslReadServer: FD 95: read failure: (104) Connection reset by peer

2008-02-03 Thread yong bong fong

Dear friends,

I have these errors frequently in my squid log; every time I 
encounter this error my squid server starts to serve requests super slowly.
On Google search I can find advice that changing http_port to 
http_port my_lan_ip:3128 could solve the problem, but I have tried 
it and it doesn't solve the problem. Does anyone have any idea what the problem is?

Below is the error in log:
2008/02/02 09:06:58| sslReadServer: FD 95: read failure: (104) Connection reset by peer
2008/02/02 09:56:55| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 09:56:55| clientReadRequest: FD 140 Invalid Request
2008/02/02 09:56:55| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 09:56:55| clientReadRequest: FD 140 Invalid Request
2008/02/02 10:00:28| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 10:00:28| clientReadRequest: FD 101 Invalid Request
2008/02/02 10:00:28| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 10:00:28| clientReadRequest: FD 101 Invalid Request
2008/02/02 10:05:46| sslReadServer: FD 95: read failure: (104) Connection reset by peer
2008/02/02 10:22:56| sslReadServer: FD 72: read failure: (104) Connection reset by peer
2008/02/02 10:23:27| sslReadServer: FD 117: read failure: (104) Connection reset by peer
2008/02/02 10:23:33| sslReadServer: FD 71: read failure: (104) Connection reset by peer
2008/02/02 10:26:42| sslReadServer: FD 77: read failure: (104) Connection reset by peer
2008/02/02 10:31:59| sslReadServer: FD 31: read failure: (104) Connection reset by peer
2008/02/02 10:37:05| sslReadServer: FD 44: read failure: (104) Connection reset by peer
2008/02/02 10:38:33| sslReadServer: FD 46: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 27: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 81: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 49: read failure: (104) Connection reset by peer
2008/02/02 11:03:57| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 11:03:57| clientReadRequest: FD 69 Invalid Request
2008/02/02 11:03:57| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 11:03:57| clientReadRequest: FD 69 Invalid Request

thanks


[squid-users] sslReadServer: FD 95: read failure: (104) Connection reset by peer]

2008-02-03 Thread Yong Bong Fong

Hi Amos,
   That https_port doesn't work.
As for the squid version, I am using squid-2.5.STABLE14-1.RHEL4. That 
seems the only version compatible with Red Hat Enterprise 4. I tried the 
squid 3.0 tarball; it gave me too many errors during make install.
Anyway, I would prefer to pinpoint the error sslReadServer: FD 95: read 
failure: (104) Connection reset by peer. I have read in a previous post that 
someone suggested it could be an internet connection or firewall problem, 
but I have tested a direct connection to the internet without the proxy and 
it works, so the internet line is good. As for the firewall, I have switched 
it off too and the problem still persists, so I can narrow it down to 
something within squid.

thanks Amos

yong bong fong wrote:

Dear friends,

I have these errors frequently in my squid log; every time I 
encounter this error my squid server starts to serve requests super slowly.
On Google search I can find advice that changing http_port to 
http_port my_lan_ip:3128 could solve the problem, but I have tried 
it and it doesn't solve the problem. Does anyone have any idea what the problem is?


That would work if it was httpS_port accepting SSL traffic...maybe.


Below is the error in log:
2008/02/02 09:06:58| sslReadServer: FD 95: read failure: (104) Connection reset by peer
2008/02/02 09:56:55| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 09:56:55| clientReadRequest: FD 140 Invalid Request
2008/02/02 09:56:55| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 09:56:55| clientReadRequest: FD 140 Invalid Request
2008/02/02 10:00:28| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 10:00:28| clientReadRequest: FD 101 Invalid Request
2008/02/02 10:00:28| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 10:00:28| clientReadRequest: FD 101 Invalid Request
2008/02/02 10:05:46| sslReadServer: FD 95: read failure: (104) Connection reset by peer
2008/02/02 10:22:56| sslReadServer: FD 72: read failure: (104) Connection reset by peer
2008/02/02 10:23:27| sslReadServer: FD 117: read failure: (104) Connection reset by peer
2008/02/02 10:23:33| sslReadServer: FD 71: read failure: (104) Connection reset by peer
2008/02/02 10:26:42| sslReadServer: FD 77: read failure: (104) Connection reset by peer
2008/02/02 10:31:59| sslReadServer: FD 31: read failure: (104) Connection reset by peer
2008/02/02 10:37:05| sslReadServer: FD 44: read failure: (104) Connection reset by peer
2008/02/02 10:38:33| sslReadServer: FD 46: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 27: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 81: read failure: (104) Connection reset by peer
2008/02/02 10:57:01| sslReadServer: FD 49: read failure: (104) Connection reset by peer
2008/02/02 11:03:57| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 11:03:57| clientReadRequest: FD 69 Invalid Request
2008/02/02 11:03:57| parseHttpRequest: Requestheader contains NULL characters
2008/02/02 11:03:57| clientReadRequest: FD 69 Invalid Request

thanks


You neglect to say which squid version and release you are running. Have 
you tried a recent one?


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.




[squid-users] Download always get disconnected through proxy

2006-07-16 Thread Yong Bong Fong

Dear friends,

  Wondering if anyone else faces a similar issue to mine with downloading 
problems through a proxy. Many users complained to me that when they 
download through the proxy, they often get a corrupted file or the download 
is disconnected halfway. Only when using a download manager can the download 
be more reliable. I have come to the conclusion that it is my proxy's 
problem because, on the same download link, if I use other direct 
internet connections the download is perfect, but when going through the proxy 
there is the problem with the download disconnecting...

Any idea what went wrong?
Thanks for taking the time to read my mail...

Regards
Yong

--
Yong Bong Fong 
System Engineer
MIS (Made in Sarawak) Department 
Shin Yang Group of Companies
Email: [EMAIL PROTECTED] 
Tel: (60)085-656699 Ext 376
Bekerja rajin untuk kemajuan negara kita 



[squid-users] Can't do ftp://xxx.xx.com.my/xxxx

2006-07-05 Thread Yong Bong Fong

Dear friends,

   One of my users tried to do ftp by typing 
ftp://xxx.xx.com.my/ in the browser, but after typing that it says:
An FTP authentication failure occured while trying to retrieve the URL: 
ftp://xxx.xx.com.my/


Squid sent the following command:
PASS yourpassword

and then received this reply
Login incorrect

I am using ldap authentication for internet surfing. Is there something 
I need to change in squid.conf before it can start doing this ftp thingy?

Thanks for taking the time to read my mail, hope I can get help.

Thanks
Regards
Yong


[squid-users] Possible to set password expiry for ldap authentication?

2006-04-27 Thread Yong Bong Fong

Dear friends,

 I have a long-running squid + ldap authentication for internet access. 
Now I wish to set it up so that the user password expires after a certain 
period and the aged password can no longer be used to access the 
internet. Is it possible?

thanks for taking time reading my message,

Regards
Y

--
Yong Bong Fong 
System Engineer

MIS Department
Shin Yang Group of Companies
Email: [EMAIL PROTECTED] 
Tel: (60)085-656699 Ext 376
Bekerja rajin untuk kemajuan negara kita 



[squid-users] Is it possible to redirect blocked urls to another url?

2005-09-15 Thread Yong Bong Fong

Dear friends,

  I am implementing acls. Thankfully, with the help of the squid mailing 
lists, I have successfully made it work in restricting certain users to 
certain urls only. However, I just need one more step to make it 
complete. My boss wants all blocked urls to be redirected to another 
url. Can I do it with squid itself?

thanks for helping

--
Yong Bong Fong (Ah Fong)
Rookie System Engineer
MIS Department
Shin Yang Group of Companies
Email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Tel: (60)085-656699 Ext 375
Bekerja Rajin Untuk Kemajuan Negara Kita



Re: [squid-users] Restricting certain users to certain urls

2005-09-14 Thread Yong Bong Fong

 Dear friends,

   I have successfully created the acls to restrict users to certain 
urls. But there seems to be a problem whenever the urls contain a / 
symbol in them. All the sites that have a / in them are denied even though I 
had listed them as allowed sites. Some of the examples are as follows:

https://metoc.npmoc.navy.mil/jtwc.html
http://www.wline.co.jp/
http://www.coi.gov.cn/

Other sites such as google.com, yahoo.com work well. Before, when I 
tried with squidguard, the same problem occurred. Does anyone know what 
the problem is and if it can be resolved? Also, is it possible to redirect all 
the blocked sites to a certain url?


Really thankful for helping, thanks a lot.

Yong






-Original Message-

From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 5:02 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Restricting certain users to certain urls


Hi Christoph,

I got a problem again. The Squidguard acl was problematic; it didn't work 
quite well. Now I am trying the Squid acl to restrict certain users to 
certain urls. I also have ldap authentication for my squid. Following 
are my acls:


acl abc ident andy
acl blocksites dstdomain .google.com

http_access deny abc blocksites
http_access allow ldap_group-www
 



Change these lines to...

acl abc proxy_auth andy
acl allowsites dstdomain .google.com

http_access allow abc allowsites  # Allow andy to surf google
http_access deny abc  # Prevent andy from surfing elsewhere
http_access allow ldap_group-www  # Allow ldap_group-www to surf

 



What I am trying to achieve is to only allow Andy (who is grouped in abc 
above) to access google.com only. Other sites are blocked for him. I 
tried it but it didn't work quite well; it does block google.com, but not 
just for andy, it blocks all other users too.
Apparently the problem must be something to do with the acl abc ident 
andy. When I restarted squid the first time after changing the 
configuration, it was fine. But the second time the following message came out:


# service squid restart
Stopping squid: 2005/09/14 08:48:49| squid.conf line 1791: 
acl abc ident 
bfyong

2005/09/14 08:48:49| aclParseAclLine: Invalid ACL type 'ident'
2005/09/14 08:48:49| squid.conf line 1821: http_access allow 
abc blocksites

2005/09/14 08:48:49| aclParseAccessLine: ACL name 'abc' not found.

Any idea what is wrong? seems like it is not checking the username 
thingi to do the acl.
please help me to identify my problem..thanks a lot for 
taking time helping.

thanks a lot...


   



You are not using ident to gather usernames (instead it looks like you are 
using a basic authenticator) so you need to use proxy_auth acls.

Chris

 



Re: [squid-users] Restricting certain users to certain urls

2005-09-13 Thread Yong Bong Fong

Hi Christoph,

   I got a problem again. The Squidguard acl was problematic; it didn't work 
quite well. Now I am trying the Squid acl to restrict certain users to 
certain urls. I also have ldap authentication for my squid. Following 
are my acls:


acl abc ident andy
acl blocksites dstdomain .google.com

http_access deny abc blocksites
http_access allow ldap_group-www

What I am trying to achieve is to only allow Andy (who is grouped in abc 
above) to access google.com only. Other sites are blocked for him. I 
tried it but it didn't work quite well; it does block google.com, but not 
just for andy, it blocks all other users too.
Apparently the problem must be something to do with the acl abc ident 
andy. When I restarted squid the first time after changing the 
configuration, it was fine. But the second time the following message came out:


# service squid restart
Stopping squid: 2005/09/14 08:48:49| squid.conf line 1791: acl abc ident 
bfyong

2005/09/14 08:48:49| aclParseAclLine: Invalid ACL type 'ident'
2005/09/14 08:48:49| squid.conf line 1821: http_access allow abc blocksites
2005/09/14 08:48:49| aclParseAccessLine: ACL name 'abc' not found.

Any idea what is wrong? seems like it is not checking the username 
thingi to do the acl.

please help me to identify my problem..thanks a lot for taking time helping.
thanks a lot...
















On Mon, Sep 12, 2005 at 09:53:45AM +0800, Yong Bong Fong wrote:
   How to restrict certain users to certain urls only based on their 
authenticated usernames? I did it with squidguard ages ago but it 
doesn't work now. It didn't work out properly 100% too.
I am trying to figure out how with squid acl itself instead of 
squidguard


That's easily possible. Where did you get stuck?

Literature:
http://squid.visolve.com/squid/squid24s1/access_controls.htm
http://workaround.org/moin/HowSquidAclsWork

Christoph
--






--
Yong Bong Fong (Ah Fong)
Rookie System Engineer
MIS Department
Shin Yang Group of Companies
Email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Tel: (60)085-656699 Ext 375
Bekerja Rajin Untuk Kemajuan Negara Kita



[squid-users] Restricting certain users to certain urls

2005-09-11 Thread Yong Bong Fong

Dear friends,

   How to restrict certain users to certain urls only based on their 
authenticated usernames? I did it with squidguard ages ago but it 
doesn't work now. It didn't work out properly 100% too.
I am trying to figure out how with squid acl itself instead of 
squidguard

thanks for taking time helping,

--
Yong Bong Fong (Ah Fong)
Rookie System Engineer
MIS Department
Shin Yang Group of Companies
Email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Tel: (60)085-656699 Ext 375
Bekerja Rajin Untuk Kemajuan Negara Kita



[squid-users] How to by pass proxy for intranet/local address?

2005-06-24 Thread Yong Bong Fong

Dear friends,

  Just wondering if it is possible to skip proxy for all intranet 
addresses? And only allow proxy if clients are accessing external 
addresses?

Thanks for taking time reading my mail,

--
Yong Bong Fong (Ah Fong)
Rookie System Engineer
MIS Department
Shin Yang Group of Companies
Email: [EMAIL PROTECTED]
Tel: (60)085-656699 Ext 375
Bekerja Rajin Untuk Kemajuan Negara Kita



[squid-users] WARNING: All redirector processes are busy.; WARNING: Reply from unknown nameserver

2005-03-25 Thread Yong Bong Fong
Dear all,
  I have a new squid box that is serving around 80+ users. The squid is 
2.5 version. In my cache.log I have the following log messages:

WARNING: All redirector processes are busy.
2005/03/26 10:39:22| WARNING: up to 10 pending requests queued
2005/03/26 10:39:48| WARNING: Reply from unknown nameserver
2005/03/26 10:40:49| WARNING: Reply from unknown nameserver 
[xxx.xxx.xxx.xxx]
2005/03/26 10:45:34| WARNING: Reply from unknown nameserver 
[xxx.xxx.xxx.xxx]
2005/03/26 10:46:49| WARNING: Reply from unknown nameserver 
[xxx.xxx.xxx.xxx]
2005/03/26 10:48:11| WARNING: Reply from unknown nameserver 
[xxx.xxx.xxx.xxx]
2005/03/26 10:48:36| comm_udp_sendto: FD 4, xxx.xxx.xxx.xxx, port xx: 
Network is unreachable
2005/03/26 10:48:36| idnsSendQuery: FD 4: sendto: (101) Network is 
unreachable
2005/03/26 10:48:36| comm_udp_sendto: FD 4, xxx.xxx.xxx.xxx, port xx: 
Network is unreachable
2005/03/26 10:48:36| idnsSendQuery: FD 4: sendto: (101) Network is 
unreachable
2005/03/26 10:49:28| WARNING: Reply from unknown nameserver 
[xxx.xxx.xxx.xxx]

What is the problem? Is it something to do with the number of redirectors 
to spawn?
Thanks a lot for helping me!



[squid-users] Unable to increase file descriptor

2005-03-16 Thread Yong Bong Fong
Dear all,
  I have a squid that always starts with 1024 file descriptors. But I 
intend to increase the value because my new proxy will serve around 
70-80 users. My squid version is squid-2.5.STABLE5-2, kernel is 
2.6.5-1.358. My squid comes with the distribution therefore I did not do 
any compiling.

According to the mailing list, I read that:
you may try to allocate more file descriptors before
start Squid server. This can be done using max_open_disk_fds TAG. In
addition to that you can allocate more file descriptors at the shell
level by using following command.
ulimit -HSn 2048
I have set in my squid.conf, max_open_disk_fds 2048 but when I restart 
squid and check the cache.log it still says With 1024 file descriptors 
available. I thought after alteration, it should have 2048 file 
descriptors available instead of 1024?

please help me with this, I am worried because of the large number of 
users, 1024 file descriptors might not be enough. Thanks for any help!




Re: [squid-users] Unable to increase file descriptor

2005-03-16 Thread Yong Bong Fong
Dear Yang,

I know the site that you sent to me, but I don't quite understand. First,
because my squid comes with my FC2 distribution, I did not compile or
build it. Meaning the following steps don't apply to my case?

* Before configuring Squid run /ulimit -HSn / (where  is
  the number of filedescriptors you need to support). Be sure to run
  make clean before configure if you have already run configure as
  the script might otherwise have cached the prior result.
* Configure, build and install Squid as usual
* Make sure your script for starting Squid contains the above
  /ulimit/ command to raise the filedescriptor limit. You may also
  need to allow a larger port span for outgoing connections (set in
  /proc/sys/net/ipv4/, like in /echo 1024 32768 
  /proc/sys/net/ipv4/ip_local_port_range/)

Thanks for your advice anyway!



 wrote:

Yong Bong Fong,

the kernel of the OS limits the max fd of an application.

   'ulimit' updates this argument.

   Perhaps you need to rebuild squid if you want to support more clients 
 (more than 1000 clients).
   You need not update 'max_open_disk_fds'.
   
   more detail :   http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.4

=== 2005-03-17 ===

  

Dear all,

  I have a squid that always starts with 1024 file descriptors. But I 
intend to increase the value because my new proxy will serve around 
70-80 users. My squid version is squid-2.5.STABLE5-2, kernel is 
2.6.5-1.358. My squid comes with the distribution therefore I did not do 
any compiling.

According to the mailing list, I read that:



you may try to allocate more file descriptors before
start Squid server. This can be done using max_open_disk_fds TAG. In
addition to that you can allocate more file descriptors at the shell
level by using following command.

ulimit -HSn 2048

  

I have set in my squid.conf, max_open_disk_fds 2048 but when I restart 
squid and check the cache.log it still says With 1024 file descriptors 
available. I thought after alteration, it should have 2048 file 
descriptors available instead of 1024?

please help me with this, I am worried because of the large number of 
users, 1024 file descriptors might not be enough. Thanks for any help!






[squid-users] Squid ACL [url_regex] bypass vulnerability

2005-02-15 Thread Yong Bong Fong
Dear all,
 I read at http://esikker.dk/vul_14462.php, which says that:

A bug in Squid allows users to bypass certain access controls by passing a
URL containing %00 which exploits the Squid decoding function.
This may insert a NUL character into decoded URLs, which may allow users to
bypass url_regex access control lists that are enforced upon them.
In such a scenario, Squid will insert a NUL character after
the %00 and it will make a comparison between the URL to the end
of the NUL character rather than the contents after it: the comparison does
not result in a match, and the user's request is not denied.

Does it mean that any url containing the symbol % will not work with 
url_regex?
I ask this because whenever I configure my url_regex to detect %, it 
never does so.

And then I read about the above from some website.
I am not sure if I am right in my understanding of the above article.
please help me with that,
thanks a million for helping
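
The truncation the quoted advisory describes, shown as an added example that is not Squid's code and not part of the original post: a generic percent-decoder feeding a POSIX regex match, first in the weak form and then in a form that refuses a decoded NUL. The function names, the rule and the example.test URLs are constructed for illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_MAX 512

/* Decode %XX escapes from url into out (at least strlen(url)+1 bytes).
 * Returns the number of decoded bytes, which can include NUL bytes. */
static size_t pct_decode(const char *url, char *out)
{
    size_t n = 0;
    while (*url) {
        if (url[0] == '%' && isxdigit((unsigned char)url[1])
                          && isxdigit((unsigned char)url[2])) {
            char hex[3] = { url[1], url[2], '\0' };
            out[n++] = (char)strtol(hex, NULL, 16);
            url += 3;
        } else {
            out[n++] = *url++;
        }
    }
    out[n] = '\0';
    return n;
}

/* 1 if the C string s matches the POSIX extended regex, else 0.
 * regexec() reads s only up to its first NUL byte. */
static int regex_hit(const char *s, const char *pattern)
{
    regex_t re;
    int hit;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return 1;                         /* unusable rule: fail closed */
    hit = (regexec(&re, s, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Weak form: decode, then match the decoded buffer as a C string.
 * Returns 1 when the deny rule fires, 0 when the request passes. */
int deny_naive(const char *url, const char *pattern)
{
    char buf[URL_MAX];
    if (strlen(url) >= sizeof buf)
        return 1;
    pct_decode(url, buf);
    return regex_hit(buf, pattern);
}

/* Hardened form: a decoded NUL is never valid in a URL, so refuse the
 * request outright instead of matching a truncated string. */
int deny_strict(const char *url, const char *pattern)
{
    char buf[URL_MAX];
    size_t len;
    if (strlen(url) >= sizeof buf)
        return 1;
    len = pct_decode(url, buf);
    if (memchr(buf, '\0', len) != NULL)
        return 1;
    return regex_hit(buf, pattern);
}

int main(void)
{
    /* Constructed sample URLs and rule; example.test is a reserved name. */
    const char *rule = "forbidden";
    const char *urls[] = {
        "http://example.test/forbidden/page",
        "http://example.test/a%00/forbidden/page",
        "http://example.test/allowed%20page",
    };
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-42s naive=%d strict=%d\n", urls[i],
               deny_naive(urls[i], rule), deny_strict(urls[i], rule));
    return 0;
}
```
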




[squid-users] How to configure squid to abort redirection for for URL that contain , ? or =

2005-02-07 Thread Yong Bong Fong
Dear all,
  I read from somewhere
since I have added a abort redirection in squid conf file for URL that
contain , ? or =, viralator seems to work much better. 

I wish to know how to configure squid conf file to abort redirection for 
URL that contain  ? or =.

Please teach me how to do that, because I want my viralator to work with 
Squid.
Thanks a lot for any assistance!

Regards
Yong


[squid-users] where can I find help for sarg?

2005-02-02 Thread Yong Bong Fong
Dear all,
  I am currently using sarg to check on usage. Wondering where I can 
find help for sarg-specific configuration?

I just need to configure the sarg report to provide a monthly report for 
all users' usage details etc.
Currently my report is in daily format, but my boss wants 
it in monthly format. My colleague however has his as one report for 4 
days.

But we just couldn't find the configuration to change that report 
to display in other formats.

Hope anyone can direct me to the appropriate help site.
Thanks a lot,
Regards
Yong


[squid-users] error: Ignoring squid.rpmsave, because of .rpmsave ending

2005-01-20 Thread Yong Bong Fong
Dear all,
 I tried to setup a logrotate in cron. Below is when I force a logrotate:
# /usr/sbin/logrotate -f -s /var/lib/logrotate.status /etc/logrotate.conf
error: Ignoring squid.rpmsave, because of .rpmsave ending
The command does rotate the log files, however the above error message 
always comes out.

How do I remove that error?
Hope someone can help me, thanks a lot..



[squid-users] service squid restart not good? must use service squid stop and start?

2005-01-19 Thread Yong Bong Fong
Dear all,
  I read from somewhere that says do not use service squid restart, 
rather do the following:
#service squid stop
long wait 30s to 1 minute
#service squid start
Very long wait - half and hour or so if you have about a million urls in 
the squidguard block lists.

It says the reason is  Do not do 'service squid restart'. Doing so will 
result in multiple copies of squidguard running, the server will slow to 
a crawl and the paint on the wall will crack and peel off before the 
system is working again

Does it mean my squid will one day stop running if I continuously use 
restart squid? I didn't know restart is bad, and it has become my habit 
to use restart rather than service start and stop because it is much 
faster.



[squid-users] Ask about what neccessary configuration needed to server 200++ clients

2005-01-18 Thread Yong Bong Fong
Dear all,
  I have got a squid working with LDAP authentication, squidguard + 
viralator. The box is complete and runs well. However, so far I have 
only used it on my own machine; I have never tested it serving a huge 
number of clients. I wish to know what other configurations 
I need to set in order to make my squid proxy capable of serving 
200++ clients.

I have only got the very basic configurations working, and it's not in 
production yet. I expect there will be other configuration that I need 
to be careful with in order for my squid to run well when it is in 
production.
Hope to get advice about this,
My machine is FC2.

thanks in advance.
Regards
Yong


[squid-users] segmentation fault when I did ldapsearch for squid _ldap_group

2004-12-19 Thread Yong Bong Fong
Dear all,
  I tried to implement squid_ldap_group.
Problem is when I tried ldapsearch such as this:
/usr/lib/squid/squid_ldap_group -b cn=apple,dc=orange,dc=com -f 
((member=%v)(uid=%a)(objectClass=qmailGroup)) -B 
cn=apple,dc=orange,dc=com -F uid=%s -D 
cn=toby,ou=users,cn=apple,dc=orange,dc=com -w x -h 123.456.789.10

it says no such command for -B
then I removed the -B part for the above command to
/usr/lib/squid/squid_ldap_group -b cn=apple,dc=orange,dc=com -f 
((member=%v)(uid=%a)(objectClass=qmailGroup))

-D cn=toby,ou=users,cn=apple,dc=orange,dc=com -w x -h 
123.456.789.10 
then entered my username and password, it replied segmentation fault
I did a man squid_ldap_group showed that the it does not have the -B -F 
options for that version of squid_ldap_group.

Without the -B and -F options, how should I go about implementing the 
group authentication?

anyone ..pls help..
thanks in advance,
Regards
Yong




Re: [squid-users] deny access

2004-12-15 Thread Yong Bong Fong
Hi,
 without password request prompt?
Just remove your authentication scheme in squid.conf

Regards
Yong

lharissa wrote:

Hi,
Does anybody know how to deny access without password request prompt?
Thank you
Lharissa
 




[squid-users] squid_ldap_group: no login prompt but able to authenticate group from command line

2004-12-09 Thread Yong Bong Fong
Dear all,
  I am trying to set up squid_ldap_group. It successfully authenticated 
from the command line, but when I used a browser no login prompt 
came up for the group authentication.

Below is my configuration that worked from the command line:
/usr/lib/squid/squid_ldap_group -b ou=chicken, 
cn=apple,dc=xinxin,dc=com,dc=my -f 
((dnmember=%u)(cn=%g)(objectclass=qmailGroup)) -B ou=chicken, 
cn=apple,dc=xinxin,dc=com,dc=my -F uid=%s -D 
cn=ali,ou=chicken,cn=apple,dc=xinxin,dc=com,dc=my -w x -h 
191.111.111.111

This worked, and gave me OK after I typed in my username and group.
Below is the squid.conf:
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
auth_param basic program /usr/lib/squid/squid_ldap_auth -b 
cn=apple,dc=xinxin,dc=com,dc=my -D 
cn=ali,ou=chicken,cn=apple,dc=xinxin,dc=com,dc=my -w x -f uid=%s 
-h 190.111.111.111

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b 
cn=apple,dc=xinxin,dc=com,dc=my -f 
((dnmember=%v)(uid=%a)(objectClass=qmailGroup)) -B 
cn=apple,dc=xinxin,dc=com,dc=my -F uid=%s -D 
cn=ali,ou=chicken,cn=apple,dc=xinxin,dc=com,dc=my -w x -h 
190.111.111.111

acl authenticated proxy_auth REQUIRED
acl ldap_group-internet external ldap_group internet
acl phoenixtv dstdomain phoenixtv.com
http_access allow authenticated
http_access deny phoenixtv  !ldap_group-mis

When I tried to access phoenixtv.com no login prompt came up to 
authenticate my username and group. I read that Henrik mentioned before that 
acl authenticated proxy_auth REQUIRED and http_access allow 
authenticated are not necessary, but upon removing those lines there 
is no longer any authentication login prompt to access normal sites.

Anyone had similar problem? pls help
Thanks in advance
Regards
Yong


[squid-users] Is there a squid_ldap_auth FAQ or trouble shoot help?

2004-12-06 Thread Yong Bong Fong
Hi All,
 Does anyone know if there is a FAQ or troubleshooting site specially 
dedicated to the implementation of squid_ldap_auth?
Something similar to the squid faq.

I searched through the web but couldn't find much help for squid_ldap_auth.
thanks all,
Regards
Yong


[squid-users] my login kept replying with ERR, is it something to do with squid_ldap_auth.c?

2004-12-06 Thread Yong Bong Fong
Hello,
  I am having trouble getting past a login prompt. It just keeps giving 
me ERR.
Somewhere in the archive, I read that Henrik mentioned that we need to 
modify the squid_ldap_auth.c file. However I searched through the 
internet and read the instructions about setting up squid_ldap_auth, and 
hardly anyone mentioned squid_ldap_auth.c. I am wondering if my 
login failure is because I missed that part to deal with 
squid_ldap_auth.c?
Where exactly in the directory is squid_ldap_auth.c stored? I cannot find 
the file with the locate or find command.

I read from the archive someone called Shahin Hacikuliev faced similar 
problem too with his login keep producing ERR. But the replies he got 
was not quite related to his question.

I can bind and search users with ldapsearch without problem, just cannot 
get past the login prompt after typing in login name and password.

Where are the possible errors of my work?
Thanks all,
regards
yong


[squid-users] ERR is all I got when I use squid_ldap_auth from command line and browser reprompt for login

2004-12-06 Thread Yong Bong Fong
Hello ,
   Anyone knows what are the general cause of a reply of ERR when 
login from terminal?
Even when I tried to login from browser when authenticated It always 
failed and reprompt for login.

I read through 1000 of archives mails but couldn't seek an answer.
my squid configuration for:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
auth_param basic program /usr/lib/squid/squid_ldap_auth -b 
cn=root,dc=shinyang,dc=com,dc=my -D 
cn=bfyong,ou=qmail_users,cn=root,dc=shinyang,dc=com,dc=my -w xx  
-f  ((objectclass=person)(cn=%s))  -h 172.16.0.11

when I typed:

/usr/lib/squid/squid_ldap_auth -b cn=root,dc=shinyang,dc=com,dc=my 
-D cn=bfyong,ou=qmail_users,cn=root,dc=shinyang,dc=com,dc=my -w 
xx  -f  ((objectclass=person)(cn=%s))  -h 172.16.0.11

username password (enter my login info)
ERR

When I used ldapsearch:

# ldapsearch -x -b 
cn=bfyong,ou=qmail_users,cn=root,dc=shinyang,dc=com,dc=my -h 172.16.0.11

results:
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#
# bfyong, qmail_users, root, shinyang, com, my
dn: cn=bfyong,ou=qmail_users,cn=root,dc=shinyang,dc=com,dc=my
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: shinyangUser
mailHost: symail.shinyang.com.my
mailQuotaCount: 0
accountStatus: active
mail: [EMAIL PROTECTED]
sn: Yong Bong Fong
uid: bfyong
mailMessageStore: bfyong
deliveryMode: normal
cn: Yong Bong Fong
ou: Shin Shin
mailQuotaSize: 2000
mailClass: full
userPassword:: e2NyeXB0fWpwUlNtMWRHN2RlR0U=
mailSenderScope: full
mailAlternateAddress: [EMAIL PROTECTED]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
When I login from browser it also kept prompting for login.
I couldn't track down the cause of the problem, anyone have similar 
problem before can help me with this, I think this is a very general 
problem but not sure
why I tried this and that still cannot get it work.

Please help
million thanks...
regards
Yong







[squid-users] ./squid_ldap_auth command says bash: ./squid_ldap_auth: No such file or directory

2004-12-05 Thread Yong Bong Fong
Dear all,
  I was trying to test my squid_ldap_auth from the terminal as shown 
below but the outcome was bad:

./squid_ldap_auth -P -R -b 'dc=shinyang,dc=com dc=my' -D 
'cn=admin,dc=shinyang,dc=com dc=my' -w password -f 'cn=%s' -h 172.16.0.21
bash: ./squid_ldap_auth: No such file or directory

As seen above, it responded with bash: ./squid_ldap_auth: No such file 
or directory

I read from somewhere that if I type ./squid_ldap_auth at least there should 
be something proper or some prompt coming out, but this just says bash..
Anyone knows why?

I do have squid_ldap_auth comes with the RH distribution in 
/usr/lib/squid/sauid_ldap_auth

Please help...thanks in advance...



[squid-users] squid_ldap_auth from command line do nothing ...and display no further prompt from terminal

2004-12-05 Thread Yong Bong Fong
Hello All,
  When I typed my squid_ldap_auth command as shown below, it always does 
nothing. Other people seem to get a follow-up response of a prompt for 
username and password from the machine, and then a further prompt of an 
error or ok message back to the user.
But my command seems to just get stuck there without further progress, see 
below:

[EMAIL PROTECTED] root]# /usr/lib/squid/squid_ldap_auth -b dc=shinyang, dc=com, 
dc=my -D cn=root,dc=shinyang,dc=com,dc=my -w -f 
'((objectclass=person)(cn=%s))' -h 172.16.0.21
(it just stops there and does nothing)

Where should I track down the problem for this?
Thanks in advance
Regards
Yong









[squid-users] How does squid_ldap_auth knows which flag in the ldap server to be used to authenticate users?

2004-12-03 Thread Yong Bong Fong
Dear all,
   I read from the squid_ldap_auth(8) document that, if I have a single 
domain, all I need to specify is usually the base DN under where your 
users are located and the server name, such as:

squid_ldap_auth -b ou=people,dc=your,dc=domain ldapserver

But from the above command, how is it able to know which flag in the 
ldapserver to use to authenticate the user?

eg, in the ldap server there are many flags used to identify the user 
such as uid, cn etc.

Thanks in advance




[squid-users] basic program authentication setting for squid_ldap_auth, am I right in my configuration?

2004-12-02 Thread Yong Bong Fong
Dear all,
   I am confused about the configuration of squid_ldap_auth in squid.conf.
Below is the format of the ldap built by my system administrator, he 
wants me to set up ldap authentication through squid.

DN:cn=root, dc=shinyang, dc=com, dc=my
|
|DN:ou=qmail_users, cn=root, dc=shinyang, dc=com, dc=my
|
|DN:cn=bfyong, ou=qmail_users,cn=root, dc=shinyang,dc=com,dc=my


I understand most steps about setting up ldap for squid, except the 
section that I have about :
auth_param basic program in squid.conf.

In my squid.conf I set:
auth_param basic program  /usr/lib/squid/squid_ldap_auth -b dc=shinyang, 
dc=com, dc=my -D cn=root,dc=shinyang,dc=com,dc=my -w 
-f((objectclass=person)(cn=%s)) -h 172.16.0.21

Does it look right based on the LDAP tree I supplied above?
or is it as
/usr/lib/squid/squid_ldap_auth -b -h 172.16.0.21 -D 
cn=root,dc=shinyang,dc=com,dc=my -f ((objectclass=person)(cn=%s)

or is it
/usr/lib/squid/squid_ldap_auth -b o=root -h 172.16.0.21 -D 
cn=bfyong,ou=qmail_users,o=root -w bfyongpassword -f 
((objectclass=person)(cn=%s))

Is any one of the above right? If not...can you please show me how to get 
the right configuration
thanks all...





[squid-users] cache.log says 2004/12/01 15:53:46| User-Agent logging is disabled.

2004-12-01 Thread Yong Bong Fong

Dear all,

I have the following output from my cache.log:


2004/12/01 15:53:45| Starting Squid Cache version 2.5.STABLE3 for 
i386-redhat-linux-gnu...
2004/12/01 15:53:45| Process ID 6550
2004/12/01 15:53:45| With 1024 file descriptors available
2004/12/01 15:53:45| DNS Socket created at 0.0.0.0, port 32777, FD 4
2004/12/01 15:53:45| Adding nameserver 172.16.1.253 from /etc/resolv.conf
*2004/12/01 15:53:45| helperOpenServers: Starting 5 'squidguard' processes
2004/12/01 15:53:45| helperOpenServers: Starting 5 'squid_ldap_auth' 
processes
2004/12/01 15:53:46| User-Agent logging is disabled.
2004/12/01 15:53:46| Referer logging is disabled.*
2004/12/01 15:53:46| Unlinkd pipe opened on FD 19
2004/12/01 15:53:46| Swap maxSize 102400 KB, estimated 7876 objects
2004/12/01 15:53:46| Target number of buckets: 393
2004/12/01 15:53:46| Using 8192 Store buckets
2004/12/01 15:53:46| Max Mem  size: 8192 KB
2004/12/01 15:53:46| Max Swap size: 102400 KB
2004/12/01 15:53:46| Rebuilding storage in /var/spool/squid (CLEAN)
2004/12/01 15:53:46| Using Least Load store dir selection
2004/12/01 15:53:46| Set Current Directory to /var/spool/squid
2004/12/01 15:53:46| Loaded Icons.
2004/12/01 15:53:47| Accepting HTTP connections at 0.0.0.0, port 3128, 
FD 20.
2004/12/01 15:53:47| Accepting ICP messages at 0.0.0.0, port 3130, FD 21.
2004/12/01 15:53:47| WCCP Disabled.
2004/12/01 15:53:47| Ready to serve requests.
2004/12/01 15:53:50| Done scanning /var/spool/squid swaplog (0 entries)
2004/12/01 15:53:50| Finished rebuilding storage from disk.
2004/12/01 15:53:50| 0 Entries scanned
2004/12/01 15:53:50| 0 Invalid entries.
2004/12/01 15:53:50| 0 With invalid flags.
2004/12/01 15:53:50| 0 Objects loaded.
2004/12/01 15:53:50| 0 Objects expired.
2004/12/01 15:53:50| 0 Objects cancelled.
2004/12/01 15:53:50| 0 Duplicate URLs purged.
2004/12/01 15:53:50| 0 Swapfile clashes avoided.
2004/12/01 15:53:50|   Took 3.8 seconds (   0.0 objects/sec).
2004/12/01 15:53:50| Beginning Validation Procedure
2004/12/01 15:53:50|   Completed Validation Procedure
2004/12/01 15:53:50|   Validated 0 Entries
2004/12/01 15:53:50|   store_swap_size = 0k
2004/12/01 15:53:51| storeLateRelease: released 0 objects

The bolded highlighted section stated
2004/12/01 15:53:46| User-Agent logging is disabled.
2004/12/01 15:53:46| Referer logging is disabled.
It's right after the authentication program part, wondering if it means 
something is wrong?

has anyone got a properly running squid cache.log file output? I am just 
not sure if the things displayed on cache.log means if I am on the right 
track.

Thanks all!

regards
Yong






[squid-users] How to test if my squidguard and LDAP authentication works from the command line

2004-12-01 Thread Yong Bong Fong
Dear all,
 I have configured squidguard and squid_ldap_auth on my squid. From the 
cache and webmin there seems to be no error message. But I just 
want to find out if there is any way I can test the squidguard and 
squid_ldap_auth from the command line without connecting to the internet.

Or is it the only way to test if my squid, squidguard, squid_ldap_auth 
work, is to connect the computer (with squid) to the internet and check 
it from the client computers that it serves?

Thanks all!
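
Added example (not part of the original post, and not code from the Squid project): a basic-auth helper such as squid_ldap_auth reads one "username password" line per request on standard input and answers OK or ERR, so it can be driven offline from a shell. The `mock_helper` function, the `alice`/`s3cret` account and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed stand-in for a basic-auth helper such as squid_ldap_auth:
# one "username password" line in, one "OK" or "ERR" line out, until EOF.
# Assumption: alice/s3cret is a made-up account for this example.
mock_helper() {
    while read -r user pass; do
        if [ "$user" = "alice" ] && [ "$pass" = "s3cret" ]; then
            echo OK
        else
            echo ERR
        fi
    done
}

# check_login USER PASS HELPER [ARGS...]
# Sends one credentials line to the helper and classifies the first reply:
#   OK / ERR  the helper answered
#   MISSING   the helper command cannot be found (wrong path or name)
#   NOREPLY   the helper ran but printed no verdict (crashed, wrong options)
# Squid URL-escapes special characters in both fields before sending them;
# the constructed credentials used here need no escaping.
check_login() {
    login_user=$1; login_pass=$2; shift 2
    command -v "$1" >/dev/null 2>&1 || { echo MISSING; return 0; }
    reply=$(printf '%s %s\n' "$login_user" "$login_pass" \
            | "$@" 2>/dev/null | head -n 1)
    case $reply in
        OK*)  echo OK ;;
        ERR*) echo ERR ;;
        *)    echo NOREPLY ;;
    esac
}

# count_ok HELPER [ARGS...]
# Feeds every credentials line on stdin to ONE helper process, the way Squid
# reuses each child for many requests, and prints how many were accepted.
count_ok() {
    "$@" 2>/dev/null | grep -c '^OK' || true
}

echo "good password: $(check_login alice s3cret mock_helper)"
echo "bad password:  $(check_login alice wrong mock_helper)"
echo "wrong path:    $(check_login alice s3cret ./no_such_helper)"
```

To test a real helper, pass its path and options in place of `mock_helper`, for example the `/usr/lib/squid/squid_ldap_auth` command line from squid.conf. A helper that appears to sit idle after starting is waiting for a credentials line on standard input.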



[squid-users] ClamAV information needed, any recommendation?

2004-12-01 Thread Yong Bong Fong
Dear all,
  I am trying to find a good step by step or How-to guide about 
installation and everything about ClamAV, does anyone know where can I 
get it? I found the official site of ClamAV but seems like the 
information in there is quite limited.

Thanks all



[squid-users] Squidguard seems not start when squid started

2004-11-30 Thread Yong Bong Fong
Dear all,
  I am trying to figure out whether my squidguard starts when my squid 
starts. Someone told me once I attached squidguard as redirect_program 
in my squid.conf, then whenever squid starts it automatically start 
squidguard.

However when restart my computer, and then check in the squidguard.log 
file, it shows blank.
After I typed /usr/bin/squidguard on the command line and then checked 
the squidguard.log the following sentences were in the squidguard.log:

2004-12-01 08:30:00 [4195] init domainlist /var/db/blacklists/ads/domains
2004-12-01 08:30:00 [4195] init urllist /var/db/blacklists/ads/urls
2004-12-01 08:30:00 [4195] init domainlist 
/var/db/blacklists/aggressive/domains
2004-12-01 08:30:00 [4195] init domainlist 
/var/db/blacklists/audio-video/domains
2004-12-01 08:30:00 [4195] init urllist 
/var/db/blacklists/audio-video/urls
2004-12-01 08:30:00 [4195] init domainlist 
/var/db/blacklists/drugs/domains
2004-12-01 08:30:00 [4195] init domainlist 
/var/db/blacklists/gambling/domains
2004-12-01 08:30:00 [4195] init domainlist 
/var/db/blacklists/hacking/domains
2004-12-01 08:30:00 [4195] init urllist /var/db/blacklists/hacking/urls
2004-12-01 08:30:00 [4195] init domainlist /var/db/blacklists/porn/domains
2004-12-01 08:30:06 [4195] init urllist /var/db/blacklists/porn/urls
2004-12-01 08:30:06 [4195] init domainlist 
/var/db/blacklists/violence/domains
2004-12-01 08:30:06 [4195] init domainlist 
/var/db/blacklists/warez/domains
2004-12-01 08:30:06 [4195] squidGuard 1.2.0 started (1101861000.926)
2004-12-01 08:30:06 [4195] squidGuard ready for requests (1101861006.684)
Anyone know how do I make squidguard starts whenever my squid starts?
Thanks all,



[squid-users] can't find the tag authenticate_options in squid.conf

2004-11-30 Thread Yong Bong Fong
Dear all,
  I tried to set up LDAP authentication for my squid, found a useful 
example from a site that stated:

authenticate_program /usr/local/squid/bin/ldap_auth
authenticate_options ldap.yourdomain.com 389 dc=yourdomain,dc=com uid
authenticate_children 2

I have found the tag authenticate_program in my webmin and squid.conf; 
it's called auth_param in my squid.conf. 
But I can't find the second tag authenticate_options from webmin and squid.conf.

My system administrator gave me the cn and dc of the LDAP server he set up.
I have configured by webmin 
Basic authentication program /usr/lib/squid/squid_ldap_auth
and also have configured the ACLs.

If I am not mistaken, the only left part is the cn, dc , where should I place 
those information?
Thanks for helping!








[squid-users] log file squid.out not exist in my log folder

2004-11-29 Thread Yong Bong Fong
Dear all,
  I used the squid from distribution. For some reason, there is no 
squid.out in the log folder.
I remembered the last time I installed squid in another distribution 
there are 4 logs files namely cache.log, access.log, store.log and 
squid.out , however I couldn't find the squid.out file in this new 
installation.

Anyone has any idea,
Thanks all,



[squid-users] do we need to create the user squid by ourselves?

2004-11-25 Thread Yong Bong Fong
Dear all,
  Recently I ran into problem with permission on squid and squidguard. 
I am aware that squid change to user squid (or nobody in some case) as 
effective user when it runs, my question is do we need to create the 
user account squid manually or is it automatically created upon 
installation. What I mean is do we need to use the command useradd to 
add the user squid to my system?

I am confused about this because I wanted to check if I have access to 
certain files as squid user, so I tried to su into squid user as follows:
[EMAIL PROTECTED] log]# su squid
This account is currently not available.

as shown above, says the account is not available but when I tried to 
create this account, by the command useradd the following came out:
[EMAIL PROTECTED] /]# useradd squid
useradd: user squid exists

So, do we actually need to create that account ourselves or has it been 
created during installation? If it has been created during installation 
how do we know the password of the account then?

thanks for helping all..
Regards Fong





[squid-users] I have a cache directory, I am not sure if that is squid's cache directory

2004-11-25 Thread Yong Bong Fong
Dear all,
  I am wondering if the cache directory I have belongs to squid. the 
reason is because that cache directory is at the path /var/spool/cache 
i.e not under the squid directory. I read from other people that most 
have a cache directory under the squid directory path such as 
/var/squid/cache.

also, because after I uninstalled my squid, that cache directory 
/var/spool cache is still there. That makes me wonder if that is a cache 
directory that existed when I first installed FC3 or if it belongs to squid. 
Maybe this could help clarify: the content of the cache directory is as 
follows:

[EMAIL PROTECTED] cache]# ls
00  01  02  03  04  05  06  07  08  09  0A  0B  0C  0D  0E  0F  log  
log-last-clean  netdb_state

Does anyone of your squid cache has this content too?
thanks all.




[squid-users] FATAL: redirect_program /usr/bin/squidguard: (13) Permission denied

2004-11-23 Thread Yong Bong Fong
Hi all,
 I have a problem with squid that hasn't been able to get a solution in 
FAQ or other Linux forums. Hope you can help me with this.

I am trying to use squidguard with squid. Everything seems to be fine so 
far till I realised that when I try to insert a redirect_program 
/usr/bin/squidguard in the squid.conf, the whole squid cannot work.

Below is what I did:
I inserted the line redirect_program /usr/bin/squidguard in the 
squid.conf file.

then I typed squid -k reconfigure
and the outcome came out as: Aborted
when I tried to service squid restart the following output came out:
[EMAIL PROTECTED] squid]# service squid restart
Stopping squid: /etc/init.d/squid: line 82: 4924 Aborted $SQUID -k check 
/var/log/squid/squid.out 21
[FAILED]
Starting squid: /etc/init.d/squid: line 53: 4925 Aborted $SQUID 
$SQUID_OPTS /var/log/squid/squid.out 21
[FAILED]

and inside the log file squid.out in /var/log/squid the following output 
came out:
FATAL: redirect_program /usr/bin/squidguard: (13) Permission denied
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.015 seconds = 0.009 user + 0.006 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

I really hope you can help me to track down the problem, because I have 
searched through google yet find nothing related to this matter.

thanks in advance
Regards
Fong