Re: [squid-users] Reverse DNS Lookup for client IPs

Thanks Alex, Now it makes more sense and I will try to follow there. Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: Alex Rousskov [mailto:rouss...@measurement-factory.com] Sent: Tuesday, June 27,

Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

I appreciate the input.  Do you (or anyone else) know if keytab is required in a windows only environment for kerberos authentication? From: Amos Jeffries To: Todd Pearson ; "squid-users@lists.squid-cache.org"

Re: [squid-users] Reverse DNS Lookup for client IPs

On 06/27/2017 08:19 AM, Eliezer Croitoru wrote: > Can you put a link to the thread here? The best relevant link is probably bug #4575: http://bugs.squid-cache.org/show_bug.cgi?id=4575 Alex. > Are you talking about this thread: >

Re: [squid-users] HIER_NONE on TCP_MISS?

Hmm. I don't have ICAP/eCAP or collapsed forwarding configured. Are there any situations where something similar to collapsed forwarding can happen by default? On Tue, Jun 27, 2017 at 11:55 AM Amos Jeffries wrote: > On 27/06/17 15:28, bump skier wrote: > > Hi, > > > > I'm

Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

On 28/06/17 05:12, Todd Pearson wrote: Thank you for the information. Is there any place to download the helper binaries for NTLM? Or do I need to build them myself? Since you were using the SSPI helper for NTLM you should have the Negotiate/Kerberos equivalent already. It is mswin_sspi

Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

Thank you for the information.  Is there any place to download the helper binaries for NTLM?  Or do I need to build them myself? Is there additional information on kerberos configuration in a windows environment.  Trying to wrap my head around the keytab and creation of it in a windows only

Re: [squid-users] Squid Version 3.5.20

On 28/06/17 03:46, Cherukuri, Naresh wrote: Hi, Thank You for quick turnover, as per your request I changed squid config like below, still I going to www.google.com acl CONNECT method CONNECT acl sslconnect dstdomain -i https://www.google.com acl GoogleRecaptcha url_regex

Re: [squid-users] Squid caching bad objects

On Tue, Jun 27, 2017 at 11:34 AM, Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 06/27/2017 10:11 AM, Razor Cross wrote: > > On Mon, Jun 26, 2017 at 12:06 PM, Alex Rousskov wrote: > > > >I suspect that the COMPLETE_NONPERSISTENT_MSG case in > >

Re: [squid-users] Block doc documents

On 27/06/17 23:53, Daniel Rieken wrote: Hello, I would like to block my users from downloading doc- and docm-files, but not docx. So this works fine for me: /etc/squid3/blockExtensions.acl: \.doc(\?.*)?$ \.docm(\?.*)?$ acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"

Re: [squid-users] ACLs allow/deny logic

On 06/27/2017 12:31 AM, Vieri wrote: > http_access deny denied_restricted1_mimetypes_req > !allowed_restricted1_domains !allowed_restricted1_ips > http_reply_access deny denied_restricted1_mimetypes_rep > !allowed_restricted1_domains !allowed_restricted1_ips > http_access deny intercepted

Re: [squid-users] Squid caching bad objects

On Mon, Jun 26, 2017 at 12:06 PM, Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 06/26/2017 10:11 AM, Razor Cross wrote: > > > We are using squid 3.5. for our server. Recently we have noticed that > > squid is caching incomplete objects in case of chunked response. > > > > We have

Re: [squid-users] HIER_NONE on TCP_MISS?

On 27/06/17 15:28, bump skier wrote: Hi, I'm trying to understand the following behavior I'm seeing with Squid running in accelerator mode. In short, I'm seeing some TCP_MISS for requests to a static javascript file which is initially cached and returned as a cache hit. I suspect the missed

Re: [squid-users] Squid Version 3.5.20

Hi, Thank You for quick turnover, as per your request I changed squid config like below, still I going to www.google.com acl CONNECT method CONNECT acl sslconnect dstdomain -i https://www.google.com acl GoogleRecaptcha url_regex ^https://www.google.com/recaptcha/$

Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

On 27/06/17 12:06, Todd Pearson wrote: I am hosting the squid proxy on Windows 2K12 server. Squid 2.7.STABLE8 Squid Web Proxy version worked well for authentication until recent Windows 10 update killed Sha1. Now I am upgrading to squid proxy version 3.5.x.x to restore authentication.

Re: [squid-users] Squid Version 3.5.20

Well, I know that issue very good and google is the issue since they should put their captcha on a own subdomain. Then we could effectivley allow only the access to the captcha. Until that there is no good way to achive this. But there is a non reliable way of blocking google.com First allow

Re: [squid-users] Squid Version 3.5.20

Hi Eliezer, We successfully blocked gmail, google images, google drive and rest all google related. Now we allowing www.google.com and www. google/Recaptcha. We still need to block www.google.com and just allow www.google/recaptcha. Is there a way to do that? Appreciate your quick turnover!

Re: [squid-users] Header order in squid proxy

The sites I was talking about don't just target the header order. That's just one of the things they check. Of course, they have their own system to protect themselves again ddos attacks or use services like akamai or cloudflare. The header order is just one of the common bot-detection techniques

Re: [squid-users] Header order in squid proxy

If I may add a word or two: If sites are securing their systems based on headers order then I believe they are aiming at the wrong target. It's a "nice to have" but not actual deep application level defense.(based on my low level in the subject) One example I have seen of a DOS\DDOS issue is:

Re: [squid-users] Reverse DNS Lookup for client IPs

Hey, Can you put a link to the thread here? Are you talking about this thread: http://lists.squid-cache.org/pipermail/squid-users/2016-February/008999.html http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-DNS-Lookup-for-client-IPs-td4675872.html Thanks, Eliezer Eliezer Croitoru

Re: [squid-users] Squid Version 3.5.20

Hey, I can try to help you but I do not have enough logs for it. Also it's not so simple. Basically you will need to block gmail and google drive themselves in one rule that will not include other google services. All The Bests, Eliezer http://ngtech.co.il/lmgtfy/ Linux System

Re: [squid-users] Block doc documents

You need an ICAP server intelligent enough to differentiate between the file types. Squid is a proxy and can only deal with the protocol. An ICAP server can deal with the content. C-icap and ecap are a couple options that seem to be available. I havr no experience with either. On Jun 27, 2017

[squid-users] Block doc documents

Hello, I would like to block my users from downloading doc- and docm-files, but not docx. So this works fine for me: /etc/squid3/blockExtensions.acl: \.doc(\?.*)?$ \.docm(\?.*)?$ acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl" http_access deny blockExtensions But in

Re: [squid-users] ACLs allow/deny logic

Please bear with me because I still don't quite grasp the AND logic with ACLs. Let's consider the logic "http_access deny (if) X (and) Y (and) Z" and the following squid configuration section: [squid.conf - start] acl denied_restricted1_mimetypes_req req_mime_type -i