Amos, thanks for the answer,
We will be waiting for full support of the TLS key logging.
Kind regards,
Ankor
Sat, 27 Apr 2024 at 10:52, Amos Jeffries :
> On 25/04/24 19:57, Andrey K wrote:
> > Hello,
> >
> > Does squid 6.9 allow you to log TLS 1.3
Hello,
Does squid 6.9 allow you to log TLS 1.3 keys so that you can then decrypt
traffic using Wireshark?
I found that there was an issue earlier with using tls_key_log to decrypt
TLS 1.3:
https://lists.squid-cache.org/pipermail/squid-users/2022-January/024424.html
I tried using tls_key_log on
vid Touzeau :
> Anyway to remove these entries from the log ?
>
> On 31/01/2024 at 10:01, Andrey K wrote:
>
> Hello, David,
>
> group values in your logs are BASE64-encoded binary AD-groups SIDs.
> You can try to decode them by a simple perl script sid-reader
Hello, David,
group values in your logs are BASE64-encoded binary AD-groups SIDs.
You can try to decode them by a simple perl script sid-reader.pl (see
below):
echo AQUAAAUVCkdDGG1JBGW2KqEShhgBAA== | base64 -d | perl sid-reader.pl
And finally convert SID to a group name:
wbinfo -s
, 7 Dec 2023 at 18:40, Andrey K :
> Hello, Amos,
>
> Thank you for your comments.
> I must have described the scenario incorrectly, I'll try again in more
> detail.
>
>
> Let's say we have a system that collects information that a user logged in
> to a computer (it c
rocess is definitely not authorization, it is rather user
identification.
I hope I've cleared things up a bit.
Kind regards,
Ankor.
Thu, 7 Dec 2023 at 13:39, Amos Jeffries :
> On 7/12/23 15:34, Andrey K wrote:
> > Hello,
> >
> > I was interested if I can configure some custo
Hello,
I was interested if I can configure some custom external helper that will
be called before any authentication helpers and can perform user
identification/authentication based on the client src-IP address.
It can look up in the external system information about the user logged in
to the IP
Hello, Norman,
I faced the problem too.
For myself, I modified the authorisation script (ext_wbinfo_group_acl - it
is a simple Perl code) and cache some user groups membership in a Memcache.
The script tries first of all to get the information from the cache, and if
it is not there, then get it
023-11-16 07:48, Andrey K wrote:
>
> > I have slightly patched the negotiate_kerberos_pac.cc to
> > implement ResourceGropIds-block parsing.
>
> Please consider posting tested changes as a GitHub Pull Request:
> https://wiki.squid-cache.org/MergeProcedure#pull-request
>
>
Hello,
I found that negotiate_kerberos_auth helper does not see domain local AD
groups.
As it turned out, helper parses only GroupIds and ExtraSids pac-blocks,
while the information about domain local groups is placed in the
ResourceGropIds pac-block.
I have slightly patched the
Hello, Flashdown,
As you can see in your access.log, your client tried to connect not to a
DNS hostname but directly to IPv6 address:
1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407 4129 CONNECT *[ff00::]:443* - HIER_NONE/- text/html
So, I suppose that your DNS
Hello,
I had the same crashes. A network dump showed me that crashes occurred when
clients tried to access IPv6 http-resources.
I blocked these requests at the beginning of the proxy policy.
The following configuration seems to be a workaround for me:
acl urldst_ipv6 url_regex ^http://\[
Hello, Alex,
The suggested workaround works correctly.
Thank you very much!
Kind regards
Ankor.
Mon, 26 Jun 2023 at 17:11, Andrey K :
> Hello, Alex,
>
> Thank you very much!
>
> I will try the suggested workaround and share results.
>
> Kind regards,
> Ank
Hello, Alex,
Thank you very much!
I will try the suggested workaround and share results.
Kind regards,
Ankor.
Mon, 26 Jun 2023 at 16:49, Alex Rousskov :
> On 6/23/23 08:05, Andrey K wrote:
>
> > A link to the uploaded ALL,9 log is: ...
>
> Your Squid is suffering
ime to take a
look at ALL,9 log.
Kind regards,
Ankor.
Thu, 22 Jun 2023 at 20:11, Alex Rousskov :
> On 6/22/23 04:59, Andrey K wrote:
>
> > I reproduced the issue in the test environment.
> > I configured my squid with the debug_options: ALL,1 28,9
> > and ran th
Hello, Alex,
Thank you very much!
Kind regards,
Ankor
Thu, 22 Jun 2023 at 05:23, Alex Rousskov :
> On 4/5/23 09:27, Alex Rousskov wrote:
> > On 4/5/23 06:07, Andrey K wrote:
> >
> >> Previously, caching was disabled on our proxy servers. Now we need to
> >
er caching mechanisms squid is so simple to configure and
> it really leaves dust
> behind to all many other cache mechanisms.
>
> Thanks,
> Eliezer
>
>
> From: squid-users On Behalf
> Of Andrey K
> Sent: Tuesday, June 6, 2023 16:08
> To: Alex Rousskov
> Cc: squid
the
> scenario.
>
> Eliezer
>
> From: squid-users On Behalf
> Of Andrey K
> Sent: Friday, June 9, 2023 10:03
> To: Squid Users ; Amos Jeffries <
> squ...@treenet.co.nz>
> Subject: [squid-users] Using tcp_outgoing_address with ACL
>
> Hello,
>
> We use
Hello,
We use the tcp_outgoing_address feature to access some hosts using a
dedicated source IP address.
acl domdst_SIProxy dstdomain "/data/squid.user/etc/squid/categories/domdst_SIProxy"
tcp_outgoing_address 10.72.235.129 domdst_SIProxy
It works fine, but logs are flooded with warnings
of RAM, I can configure a sufficient amount of
cache_mem, say 2 MB to provide caching of video broadcasts.
Kind regards,
Ankor.
>
> Mon, 5 Jun 2023 at 17:31, Alex Rousskov <
> rouss...@measurement-factory.com>:
>
>> On 6/2/23 03:29, Andrey K wrote:
>>
>
rds,
Ankor.
Thu, 1 Jun 2023 at 19:15, Alex Rousskov :
> On 6/1/23 05:20, Andrey K wrote:
>
> > > The next step I would recommend is to study the very first cache miss
> > > _after_ the 500 or 200 concurrent threads test. Doing so may shed
> ligh
cache_dir file /data/squid.user/cache/rock. I suppose that
file /data/squid.user/cache_map is a virtual entity.
Kind regards,
Ankor
Wed, 31 May 2023 at 16:43, Alex Rousskov :
> On 5/31/23 02:56, Andrey K wrote:
>
> > > Do you get close to 100% hit ratio if clients acce
_file_certgen -s
/data/squid.user/var/lib/squid/ssl_db -M 20MB
sslcrtd_children 21
logformat extended-squid %{%Y-%m-%d %H:%M:%S}tl| %6tr %>a %Ss/%03>Hs/%:
> On 5/29/23 10:43, Andrey K wrote:
>
> > We need to configure a dedicated proxy server to provide caching of
> > onlin
Hello,
We need to configure a dedicated proxy server to provide caching of online
video broadcasts in order to reduce the load on the uplink proxy.
Hundreds of users will access the same video-chunks simultaneously.
I developed a simple configuration for the test purposes (it is shown
below).
ld rephrase my question: is it possible to configure squid so that it
caches files with the extension ".ts" despite the caching control headers
passed by OCS and serves user requests from the cache?
Kind regards,
Ankor.
Tue, 25 Apr 2023 at 17:53, Amos Jeffries :
> On 25/04/2023 9:45
Hello,
We are trying to cache some resources, but they respond in the header with
the attributes that prevent caching:
Content-Type: video/MP2T
*Expires: Thu, 01 Jan 1970 00:00:01 GMT*
*Cache-Control: no-cache*
Cache: HIT
X-Cached-Since: 2023-04-25T07:43:41+00:00
Thus, we see TCP_MISS in the
> $lastref, expires =>
$expires, lastmod => $lastmod, swap_file_sz => $swap_file_sz, refcount =>
$refcount, flags => "0x".$flags};
}
And maybe you will add it to new squid releases.
Kind regards,
Ankor.
Thu, 6 Apr 2023 at 20:35, Alex Rousskov :
> On 4/6/23
/Features/LargeRockStore
Maybe there is a more detailed description of the internal rock data
structures?
I could try to write a script that reads the necessary information from the
cache_dir file.
Kind regards,
Ankor.
Wed, 5 Apr 2023 at 16:27, Alex Rousskov :
> On 4/5/23 06:07, Andrey K wr
Hello,
Previously, caching was disabled on our proxy servers. Now we need to cache
some content (files about 10 MB in size).
So we changed the squid.conf:
#Disable caching
#cache deny all
#no_cache deny all
#cache_mem 0
cache_dir ufs /data/squid/cache 32000 16 256 max-size=1200
We have 24
Hello,
I would like to disable logging of 407-errors, except when the username is
known.
Is it possible to configure?
I have now the log configured:
acl http-407 http_status 407
access_log daemon:/var/log/squid/access.log logformat=extended-squid on-error=drop !http-407
But I would also like to
Hello Amos,
You helped me very much.
Kind regards
Ankor
Tue, 31 Jan 2023 at 12:37, Amos Jeffries :
> On 31/01/2023 9:16 pm, Andrey K wrote:
> > Hello Amos,
> >
> > Thank you for the idea to write a wrapper script.
> >
> > As NTLM-helper returns "
ibute and copying it to the username:
auth_user_request->user()->username(userLabel) in the case of returned
Helper::Error;
By the way, what are these acronyms for (YR, KK, TT, AF, BH, NA, LD)?
Kind regards,
Ankor.
Tue, 31 Jan 2023 at 08:54, Amos Jeffries :
> On 31/01/2023 6:13 pm, A
.
Is there any other possibility to log username and source IP address in
such NTLM-failed authentication attempts?
Kind regards,
Ankor.
Tue, 31 Jan 2023 at 07:56, Andrey K :
> Hello Amos,
>
> Thank you for the information.
>
> I turned on squid debug_options 84,9 and see i
. 2023 at 07:09, Amos Jeffries :
> On 31/01/2023 4:55 pm, Andrey K wrote:
> > Hello,
> >
> > I need to log failed Proxy-authentication attempts. The log
> > information should contain timestamp, username and client IP address.
> > 407-records in the access
Hello,
I need to log failed Proxy-authentication attempts. The log information
should contain timestamp, username and client IP address.
407-records in the access.log file do not contain username if
NTLM-authentication is used.
I was wondering if it is possible to set up such a configuration?
Yes, it works.
Thank you very much!
Tue, 13 Dec 2022 at 15:11, Francesco Chemolli :
>
>
> On Tue, Dec 13, 2022 at 12:57 PM Andrey K wrote:
>
>> Hello,
>>
>> I wonder if there is a way to show SQUID running config.
>> The configuration in the squid
Hello,
I wonder if there is a way to show SQUID running config.
The configuration in the squid.conf may be outdated because it can already
have been changed without SQUID reconfiguration at the time of viewing.
I saw this feature in squidclient -p 3128 mgr:menu, but this item is marked as
hidden:
Hello ludovit,
We experienced the similar problems of crashing squid with "signal 6 and
status 0" symptoms in the /var/log/messages. There were hundreds of crashes
per hour during the working hours. There were also many crashes during
night hours. And I had no idea what the cause of the problem
URL I get always get:
*TCP_REFRESH_UNMODIFIED_ABORTED/200*
and I get the empty object, I've tried to play with *refresh_pattern *params
but still no luck.
Thanks for your help
Andrey
___
squid-users mailing list
squid-users@lists.squid-cache.or
Hi guys! I do not want to offend anyone, but the email lists was not
terribly comfortable. Probably, this issue has been debated, but it can
be to have a Forum?
I may be mistaken, but I think that is fat trolling. Or a person made a
mistake with the choice of profession.
Yuri Voinov wrote 2016-07-18 15:00:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> I suggest be better you start from here:
>
> https://en.wikipedia.org/wiki/Text_editor
>
>
Hi
Which version of squid do you use?
Which os do you use for squid?
Which version of AD do you use?
Is it a ssl ldap?
Thanks.
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-get-basic-ldap-auth-to-work-with-AD-tp4663282p4663404.html
Sent from the
Ok so you have Windows Server 2003 R2.
Do you have all updates installed on windows server?
what shows netstat -aon in cmd?
is there port 389 open?
3.3.10 should work... Did you build it by yourself?
Ok hmm...
One more thing, did you follow this one:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap#Windows_2003_Active_Directory_adjustments
Because I use now the U13.10 version with Ubuntu's Squid 3.3.8 from
repository, and Windows 2008 R2 AD. It is working good. However, as far as
Did you try default squid?
apt-get install squid3
Maybe something else uses ldap port?
Try with (if I am not wrong):
debug_options 82,0 84,9
Do you have wireshark? Can you capture ldap requests on windows server from
Ubuntu?
Do you have firewall from Windows Server on?
From my practice it
Hi Brig,
Did you try something like this:
/usr/lib/squid3/basic_ldap_auth -P -R -u cn -b cn=Users,dc=mydomain,dc=com -h ldap.mydomain.com
Please pay attention, that in practical way I defined that helper does not
provide support to such names:
john.doe
Better to use like this:
johndoe
Or
According
http://wiki.squid-cache.org/KnowledgeBase/DebugSections
Try to generate new logs (cache.log) E.g.:
debug_options 83,9 70,9
Play with it. And share logs here.
I am curious too...
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Ubuntu-Server-13-10-Squid-3-3-8-WARNING-external-ACL-memberof-queue-overload-tp4663243p4663314.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Hi Elizer,
I didn't try your script yet... I am busy now with setting up the following
set of packages:
Squid+dansguardian+calmav+suricata+openswan.
I am trying to create something that replace the Forefront TMG (Proxy,
Web-cache, antivirus, ids/ips, IPsec s2s VPN)
Squid already working with
) GetFirstAvailable:
GetFirstAvailable: Running servers 1
-Original message-
From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 12:15 PM
To: Andrey ; squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof
/external-acl-td4662446.html~
http://squid-web-proxy-cache.1019090.n4.nabble.com/Starting-helpers-with-ipv6-disabled-td4660978.html
-Original message-
From: Andrey
Sent: Wednesday, November 13, 2013 3:34 PM
To: Eliezer Croitoru ; squid-users@squid-cache.org
Subject: Re: [squid-users
, November 13, 2013 7:15 PM
To: Andrey ; squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof' queue overload
Thanks Andrey,
On 11/13/2013 07:54 PM, Andrey wrote:
I found a solution!
Problem was with IPv6.
When squid tries
, November 13, 2013 9:43 PM
To: squid-users@squid-cache.org
Cc: Andrey
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof' queue overload
OK got it.
The basic issue is that the helper is trying to use ip?
I am trying to understand something about
I try to answer your questions, because we move in the way of writing the
huge discussion book in a post:)
Why would it get stuck on IPV4 or IPV6?
It is my assumption, call it intuition. And the flag IPv4 resolved the main
problem, isn't it?
Also a FD :: should not be related to any of squid
Hi Amos
The *right* solution is to configure IPv6 properly on the
machine as working with correct firewall rules to make it obey the local
traffic policies (even if that policy is no IPv6 packets to leave the
machine).
Can you provide some configs or tutorials please, it would be nice to
Hi everyone
During configuration of LDAP basic and group authentication methods by
Squid, I came across this error (/var/log/squid3/cache.log):
Code:
WARNING: external ACL 'memberof' queue overload. Request rejected
'administrator InternetAccess'. For basic authentication I use following
inside squid and from the
external_acl to squid.
are you using the basic auth from ubuntu or self compiled?
Also if you can get the output of squid -v.
Thanks,
Eliezer
On 11/12/2013 06:33 PM, Andrey wrote:
Hi everyone
During configuration of LDAP basic and group authentication methods by
Squid
) ~UserRequest: freeing request
0x7f655bf97520
But it is far from understanding for me. I see many HEX based addresses,
what they mean is not clear.
Thank you.
-Original message-
From: Eliezer Croitoru
Sent: Tuesday, November 12, 2013 9:55 PM
To: Andrey ; squid-users@squid
I did. All LDAP related logs info is in previous message. However I do not
understand what all these codes mean.
-Original message-
From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 1:04 AM
To: Andrey ; squid-users@squid-cache.org
Subject: Re: [squid-users] Ubuntu
Hi list.
What is the best way to calculate the delay pools parameter? I have a 6
MB bandwidth, and I don't wanna only one machine use all the link a time
(1500 PCs on lan)
I also would like to have a complete example, using delay pools, delay
class, etc
[]s;
Andrey
to some files (EXE, GIF,
JPG...), as it would supposed to do.
- How to set squid as FQDN?
Thanks in advance;
Andrey
- Interesting things on squid.conf
cache_swap_low 80
cache_swap_high 85
ipcache_size 2048
fqdncache_size 5000
httpd_accel_host virtual
httpd_accel_port 80
this
behavior of the site affected on cachability of squid? In the thread
mentioned you named such site broken. As i understand, squid convert
http 1.1 to http 1.0.
Andrey Oreshnikov.
On 11/13/06, Mark Elsen [EMAIL PROTECTED] wrote:
Verify whether the particular object(s) can be cached
the above error..
Outlook Express doesn't use proxy for POP3/IMAP/SMTP. Only for
external images/whatever inside e-mails.
Check your DNS firewall settings on client computer(s):
nslookup xxx.com
telnet xxx.com 25
telnet xxx.com 110
--
Best regards,
Andrey Shorin
,
Andrey Shorin
their
workstation when they leave. Enable screensaver with password thru
group policy.
--
Best regards,
Andrey Shorin
...
None of my Network PC's can access Net..its running on default port 3128
What does 'telnet ip-of-squid-NT 3128' give you?
What does it say in the logs? access.log and cache.log
--
Best regards,
Andrey Shorin
which can access your proxy.
Another alternative is to possibly look at the snmp extension for squid.
and yet another one is to use squidclient utility:
squidclient mgr:
--
Best regards,
Andrey Shorin
?
As for connections speeds, read about delay pools.
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8
--
Best regards,
Andrey Shorin
...
regards
Daniel Bonnici
Looks like pop up goes from ActiveX control, but not because http
authorization required. So it's look into your browser
ActiveX/security settings.
And yes, I tried this behind a squid 2.5.10.
--
Best regards,
Andrey Shorin
Hello Shin,
Thursday, June 16, 2005, 11:48:00, Shin Imai wrote:
hosts file looks fine on squid server.
not the hosts file, but hosts_file directive in squid.conf file
--
Best regards,
Andrey Shorin
squid.conf
--
Best regards,
Andrey Shorin
Hello kdv,
Tuesday, June 14, 2005, 18:21:18, kdv wrote:
One more question! :(
Which TAG in squid.conf is responsible for displaying ERR_ pages in, for
example, russian language?
error_directory
--
Best regards,
Andrey Shorin
calamaris.cache' option.
--
Best regards,
Andrey Shorin
of dnsserver.exe?
Have I totally missed the point here?
Most likely it's compiled with internal DNS resolver. Does it complain
on DNS tests performed on startup? See dns_testnames setting in
squid.conf
--
Best regards,
Andrey Shorin
don't want.
How does the dollar make a difference?
Dollar sign stands for end of string (URL)
--
Best regards,
Andrey Shorin
to use Chinese Character URLS?
Thanks very much
Through a redirector, I guess.
Best regards,
Andrey Shorin
System/Web Administration Consultant
this file and try to
launch SquidNT once more.
Best regards,
Andrey Shorin
System/Web Administration Consultant
SECTION:
mail.domain.ph. 14400 IN A 203.167.64.22
(which means mail.domain.ph exists)
Can you ping it? Maybe, there is a problem with your name
server(s).
Best regards,
Andrey Shorin
System/Web Administration Consultant
know, how to configure Squid to redirect all queries to
ISVW to obtain a chain
(user)---(Squid)---(ISVW)---(Inet)?
The problem is that afaik ISVW doesn't support ICP queries.
Can you give me a piece of advice?
Thanks a lot.
--
WBR,
Andrey Voitenko
79 matches