Re: [squid-users] No auth, only log?
2008/6/17, Henrik Nordstrom [EMAIL PROTECTED]:
> Other applications are abusing the CONNECT method to do the same thing.
> meant to be used for SSL, but is in reality being used a lot more for
> other traffic such as FTP, IRC, Peer-To-Peer and god knows what..
>
> Regards
> Henrik

YES!!!

Using a lot of traffic is one thing. Abuse is another thing.

Some download software (and sites) legally mutually break a big file into millions of 100-200 byte files and try to send all those million chunks through the proxy in parallel. My squid has been moaning NO FILE DESCRIPTORS for over a month, even though it's the only app running on the Linux box, with no limit.

I know we have MaxConn. But it seems that intelligent (?!!?) s/w is still able to slip past. They force squid to open/close/open/close thousands of connections per sec ... As each file size is less than 200 bytes .. squid doesn't catch it. Delay_pool lets it pass through too.

Heh, could anyone tell me whether we can limit a client's TCP connection rate?

--
... Lyrics of the Forest ...
Re: [squid-users] No auth, only log?
Nope. Squid is THE Proxy.

In my site, except mail, almost all other traffic has to go through squid :-D.

Others = Public web database (high, non-standard, ports) + ftp + Real Audio + MSN + blahblahblah

The Squid team had made something better than they knew :-)

2008/6/17, Henrik Nordstrom [EMAIL PROTECTED]:
> On mån, 2008-06-16 at 15:56 +0200, Falk wrote:
> > Ah, so if we want to log only web traffic we can do that with acl's i guess?
> > So that only http 80 / 443 is authed, and all other just flows through?
>
> What other? Squid is an HTTP proxy.
>
> Regards
> Henrik

--
... Lyrics of the Forest ...
[squid-users] How can I turn off TCP_DENIED/403 and 407 logging?
I have used squid since 1.1. Now it's 2.6s17, on linux, of course!

Since 1.1, squid has always run in Proxy_Authen mode. Now the 2.6s17 serves about 1,200 clients. There are new clients, around 100 every month (the old ones just fade away). All clients (and software) have to log in to Squid Proxy before being able to surf (via basic auth: ncsa).

The problem is this: while most ppl read the documents, follow instructions, etc, etc, some do NOT. Some are even careless ... they install software they don't use, or let rogue software install itself! So, both the people and the software try to access the new without login.

Result? My access.log size is 400-1,200 MB every day (yes, I rotate it every day at 23:55pm). Worse, 3/4 of access.log is just TCP_DENIED/403 and TCP_DENIED/407. I have to pipe it to grep -v after every rotation. But ... writing 3/4 gigabyte of useless information slows down squid somewhat.

QUESTION: How can I turn off these two messages? It's useless ..

BTW, I had tried my best to search through _that_ dreadful /src/*.c and tried making some changes. Useless. (In fact, I'm just a half-noob in VB). Tried searching/reading 4 years of usenet. No answer. Google ignores me completely ...

Thanks in advance.

--
... Lyrics of the Forest ...
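The post-rotation `grep -v` step described in the message above, as an added example that is not part of the original post: it drops the same two result codes from a rotated log but keeps a per-client count of them, so clients that keep hitting the proxy without logging in can still be identified. The log lines are constructed samples in Squid's native access.log format, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample lines (native format: time elapsed client code/status bytes ...)
SAMPLE_LOG = """\
1213689600.101      3 10.0.0.21 TCP_DENIED/407 1789 GET http://example.com/ - NONE/- text/html
1213689600.140      2 10.0.0.21 TCP_DENIED/407 1789 GET http://example.com/a.gif - NONE/- text/html
1213689601.002    210 10.0.0.35 TCP_MISS/200 5120 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
1213689601.530      1 10.0.0.44 TCP_DENIED/403 1402 CONNECT example.net:6667 bob NONE/- text/html
1213689602.011     95 10.0.0.35 TCP_HIT/200 830 GET http://example.org/logo.png alice NONE/- image/png
1213689602.400      2 10.0.0.21 TCP_DENIED/407 1789 GET http://example.com/b.gif - NONE/- text/html
truncated line
"""

# The two result codes the post filters out with grep -v
NOISE = {"TCP_DENIED/403", "TCP_DENIED/407"}


def split_denied(lines):
    """Separate TCP_DENIED/403 and /407 entries from the rest of the log.

    Returns (kept, denied): kept is the list of remaining lines, denied is a
    Counter keyed by (client address, result code). Lines that cannot be
    parsed are kept rather than dropped, so nothing is lost silently.
    """
    kept = []
    denied = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[3] in NOISE:
            denied[(fields[2], fields[3])] += 1
        else:
            kept.append(line)
    return kept, denied


def summary(denied):
    """One line per (client, code), busiest first, ties ordered by client."""
    ordered = sorted(denied.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{client} {code} {count}" for (client, code), count in ordered]


if __name__ == "__main__":
    kept, denied = split_denied(SAMPLE_LOG.splitlines())
    print("\n".join(kept))
    print("--- denied requests per client ---")
    print("\n".join(summary(denied)))
```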
Re: [squid-users] Remote access acls
I use simple NCSA. Then add a small password file to the NCSA directory. This password file is changed EVERY day, at 08:00am and 17:00pm. Users have to call in to get the username/password of that day before they're able to use this office's squid (another way to audit who's working or not :-D)

# heh! this line is extracted from the very old 2.0 conf
authenticate_program /usr/local/squid/bin/ncsa /usr/local/squid/etc/registered

# these two lines never change even though it's now 2.6
acl MEMBER proxy_auth REQUIRED
http_access deny !MEMBER

2008/6/13, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> -- Original message --
> From: Amos Jeffries [EMAIL PROTECTED]
> > [EMAIL PROTECTED] wrote:
> > > I'm trying to provide an externally available proxy to our employees.
> > > This way they can have the same basic protection when traveling that
> > > they get when they're inside our corporate walls. What acls or rules
> > > do I need to be looking at? I'm a newbie and just trying to keep my job.
> > > Thank you in advance.
> >
> > Safest ones are auth IMO. They can use any net connection, and link in
> > through the proxy to get anywhere. After the local accepts and before
> > the global external denial.
> >
> > Amos
> > --
> > Please use Squid 2.7.STABLE2 or 3.0.STABLE6
>
> Thank you for your quick reply. What auth would you recommend? The powers
> above decided it shouldn't be Active Directory. What other auth is
> recommended? is there any based on a cert installed on the laptops? Or
> could it be cookie based? (I know it sounds like a dumb question but I
> know I'll be asked) Anything to avoid login and password would be great.
> Thank you again.

--
... Lyrics of the Forest ...