RE: [squid-users] Squid proxy with white list and Apache Tomcat web server on same machine?

2011-04-15 Thread Joseph L. Casale
>The Ubuntu Server had an Apache Tomcat web server on it that we were not >using at the time. It seems the Squid has disabled it. Is it possible to >run both on the same server? >I have crawled the archives but do not see any >reference to this specific issue. Right now the Squid and the Apache Tom

RE: [squid-users] Gmail HTTPS Block

2011-04-15 Thread Joseph L. Casale
>Is there any way to block HTTPS for some web sites? > >I have to block access to Gmail accounts. > >It's done for http but I did not find any solution for https. > >This is part of my configuration: > >acl gmail1 dstdomain google.com >acl gmail2 dstdomain google.ca >http_access deny CONNECT gmail1 g

RE: [squid-users] Block Facebook message page

2011-04-14 Thread Joseph L. Casale
>Joseph, there's no point of matching https because when your browser >using SQUID as a proxy, > >it sends CONNECT request and then exchange SSL traffic which squid >can't/won't touch at all. so the acls, they can't be applied. Good point, I match on "facebook.com" as a whole here and it works fi

RE: [squid-users] Block Facebook message page

2011-04-14 Thread Joseph L. Casale
>You can't do it, since HTTPS traffic is tunneled through squid, can't >be filtered or cached. If you followed what he was doing, you would have seen his error and known you can very much do what "he" was trying to do but he failed as a result of the regex. Your match might change to just www.f

RE: [squid-users] Block Facebook message page

2011-04-14 Thread Joseph L. Casale
>acl fb1 url_regex -i >^http://www.facebook.com/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php >http_access deny fb1 > >but it does not work for HTTPS Did you match for https?

RE: [squid-users] Squid + NTLM Auth + MSN

2011-04-13 Thread Joseph L. Casale
>I found on the logs that msn is not sending the authentication >information so squid is denying the connection. How have you configured Windows to use a proxy? Does Live know about this?

RE: [squid-users] Squid as Proxy for Exchange 2010

2011-01-24 Thread Joseph L. Casale
>When i >setup the Exchange server I used a SSL certificate with the domain >mail.myco.com.  Now that I am considering using Squid I was wondering >how I would set that up since i have already used the domain and if I >could use a separate SSL Certificate with the same domain name on the >SQUI

RE: [squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread Joseph L. Casale
>As I >said: with AD 2003 was working well, now with AD2008 is not working That doesn’t help us, so you upgraded the domain? Regardless, you're not auth'ing to the "same" server so something changed. >auth_param basic >program usr/sbin/squid_ldap_auth -d -v "3" -s "sub" -b "dc=example, dc=o

RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread Joseph L. Casale
>On the cache.log of squid i can see a error message "could not bind to bindn" >server" "can´t contact ldap server. > >Could someone help me to let it work? Probably not without seeing your config and knowing your AD setup. If you upgraded, has your ldap topology remained exactly the same? Were

RE: [squid-users] Squid + LDAP + Active Directory

2010-09-10 Thread Joseph L. Casale
>Yes using -D and -w switches, with creds known to work on other devices >doing ldap (MFDs for one). Redact the sensitive parts, and post the actual cmd in your conf. Likely the domain/user syntax is wrong.

RE: [squid-users] Squid + LDAP + Active Directory

2010-09-10 Thread Joseph L. Casale
>I'm sure this has been asked before - working on a squid box that is to >Auth to AD. Unable to authenticate and getting error in squid cache log: >WARNING: could not bind to binddn 'Invalid credentials' By default, Windows doesn't allow anon binds, are you using a bind account and if so are the

RE: [squid-users] Kerberos / SASL for squid_ldap_group

2010-08-30 Thread Joseph L. Casale
>But then, in 2006, Henrik Nordstrom says[2] neither squid_ldap_group nor >squid_ldap_auth support Kerberos SSO. After the initial posting of the patch >in '04, I can't >find any more references to it on the mailinglists. See squid_kerb_ldap. http://squidkerbauth.sourceforge.net/ jlc

RE: [squid-users] ldap fallback not working

2010-08-18 Thread Joseph L. Casale
>Anything dumping to stderr from the helper appears in the squid cache.log. Amos, That confirms it, so any ideas if there is a workaround, even with squid_kerb_ldap have a default domain set (-D) it still didn’t like the unqualified name.

RE: [squid-users] ldap fallback not working

2010-08-17 Thread Joseph L. Casale
>I think its a matter of "username" (Basic) vs "dom...@username" >(Kerberos). > >You can test this by replacing the group lookup with a fake >external_acl_helper which logs the credentials passed to the group helper. >Doing a few requests through both auth mechanisms will show you what >difference

[squid-users] ldap fallback not working

2010-08-16 Thread Joseph L. Casale
I have a working setup with squid_kerb_auth and squid_kerb_ldap for authorization with group membership, I want to add squid_ldap_auth for a basic auth_param but when a client falls back to basic and uses squid_ldap_auth, squid_kerb_ldap errors out. I have set the default domain in squid_kerb_lda

[squid-users] Error loading pdf behind squid

2010-08-16 Thread Joseph L. Casale
Users are needing access to the pdf's in http://ccemc.ca/process/guidelines such as http://ccemc.ca/_uploads/CCEMC-166-Proposal-Guide6.pdf but in ie8 and ff 3.6.8 the pdfs fail to render, w/o the proxy they seem to always load. I have tried in squid-3.0.STABLE20 and squid-3.1.4 and the issue is t

RE: [squid-users] Squid and squidguard

2010-08-12 Thread Joseph L. Casale
>what mean redirect_children. First hit on Google explains it well:) It's in the config manual: Tag Name redirect_children Usage redirect_children number Description This tag is used to set the number of redirect processes to spawn Default redirect_children 5 Example redirect_ch

RE: [squid-users] Re: squid_kerb_ldap clarification

2010-08-05 Thread Joseph L. Casale
> Here is a short overview what squid_kerb_ldap does. > 1) A user authenticates with either NTLM (username will be NT-DOM\user) >or Kerberos (username will be u...@kerb-dom) > 2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM >authenticated users > 3) Uses DNS SRV rec

[squid-users] squid_kerb_ldap clarification

2010-08-04 Thread Joseph L. Casale
We have a mixed 2k -> 2k8r2 environment. Currently I am using ntlm_auth and Samba for the 2k machines, and squid_kerb_auth/squid_ldap_auth for the newer machines to manage access based on AD group membership. Do I understand correctly that if I use squid_kerb_ldap with the -N I can provide grou

RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

2010-06-18 Thread Joseph L. Casale
>> I updated the article for 5.5, why are you using 5.4? > >There is no special reason for I'm been using CentOS 5.4. It was the >newer version available when I set successfully my squid proxy and I >haven't updated it yet. By the way, there is no citation in your >article that it is for CentOS 5.5

RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

2010-06-18 Thread Joseph L. Casale
>Stop what? I've understood stop doing only step 4, right? Any way, I >was following >http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5 >article and I didn't find wbpriv group on my CentOS 5.4 box (Yeah, >authconfig, krb5-workstation and samba-common are installed!). I updated t

RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

2010-06-16 Thread Joseph L. Casale
> and set the server as a winbind server in >the wizard will automatically make the smb server a pdc which will be >your primary domain controller. So in his Windows 2003 Active Directory Forest, he should make a Samba server a PDC? Really?

RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

2010-06-16 Thread Joseph L. Casale
>I have followed these steps and I keep getting this error : > > >Password: >[2010/06/16 16:25:28, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(367) > Error in domain join verification (credential setup failed): >NT_STATUS_NOT_SUPPORTED > >Unable to jo

RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

2010-06-15 Thread Joseph L. Casale
>Did anyone make it works ? : > >http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5 Of course, it was written while being built, then retested immediately after. >authconfig --enableshadow --enablemd5 --passalgo=md5 >--krb5kdc=ads.example.local

RE: [squid-users] squid rewrite & squidguard

2010-05-31 Thread Joseph L. Casale
>2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335) >2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340) >2010-05-31 16:17:31 [2785] source not found >2010-05-31 16:17:31 [2785] no ACL matching source, using default >http://proxy.cp.mydomain.com/block.html 192.

[squid-users] sarg and Squid 3 Stable20

2010-03-24 Thread Joseph L. Casale
Using the redhat package on CentOS 5x64, sarg faults and can't generate all of the files needed for the view. This worked on the older version in the main repo, is there something known to change to allow sarg to work or is the issue unexpected? Thanks! jlc

[squid-users] RE: Kerberos Authentication and LDAP Authorization

2010-02-05 Thread Joseph L. Casale
>I´ve added the following to squid.conf: > >external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b >"CN=Users,DC=heidelberg,DC=bw-online,DC=de" -f >"(&(cn=%g)(memberUid=%u)(objectClass=ebay))" -B "CN=Users" -F "(CN=%s)" -D >>"CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "

[squid-users] Supporting ie6/win2k clients

2010-02-03 Thread Joseph L. Casale
Is there an alternative to ntlm_auth supporting these browsers in active directory to facilitate access w/o asking for creds (such as if used with LDAP auth) with out joining the server to active directory and using Samba? We have Kerberos auth functioning and the few win2k/ie6 clients obviously

RE: [squid-users] squid_ldap_group trouble

2010-02-01 Thread Joseph L. Casale
>> Is there a way to show what the helper is doing in the log file? > >http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group > >Looks like the -d debug option. Amos, Can't believe I missed that, it needed the '-K'. Where you get the patience to deal with such careless malarkey escape

RE: [squid-users] squid_ldap_group trouble

2010-02-01 Thread Joseph L. Casale
>Perhaps the fact that Kerberos works with anonymous binary blobs? no >username in sight. You have to pardon me, I am not familiar enough with the inner workings of Kerberos to understand what a binary blob is wrt to Kerberos:) >Or if not that, something in the elided section "<...>". I omitte

[squid-users] squid_ldap_group trouble

2010-01-31 Thread Joseph L. Casale
I am trying to supplement squid_kerb_auth with squid_ldap_group, from the cli, my external_acl_type string works fine, username and group pairs return expected results. Disregarding the ldap group check, the following authenticates correctly: acl auth proxy_auth REQUIRED http_access deny !auth h

RE: [squid-users] kerberos authentication and ldap

2010-01-31 Thread Joseph L. Casale
>The patch is already included since the following STABLE versions: > >2.7 STABLE1 >3.0 STABLE2 Guido, Thanks, I should have read all the comments in the post:) Do you know if it's possible to facilitate the following scenario where access is auth'ed by Kerberos, and an ldap external_acl_type chec

[squid-users] kerberos authentication and ldap

2010-01-30 Thread Joseph L. Casale
We are getting some Win7 machines so I am migrating our ntlm setup to Kerberos. Looking at Markus Moeller's kerb guide, I see that it doesn't state how to control access after successful auth. Looking online, http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authoriza

RE: [squid-users] ntlm_auth issue

2009-11-01 Thread Joseph L. Casale
>After configuring everything according to this : >http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory >I got this error : > >[2009/11/01 15:36:11, 0] libads/sasl.c:ads_sasl_spnego_bind(330) >kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid >c

RE: [squid-users] Re: Win7/ie8 and moving from ntlm to kerb auth

2009-10-07 Thread Joseph L. Casale
>What do you mean with maintain a windows account ? You usually create it >once. If you run squid on Windows you don't need a keytab. Markus, The account must be created, then maintained in ad which is a burden I am hoping to avoid:) With pw aging and policies, I have to watch when it gets locke

[squid-users] Win7/ie8 and moving from ntlm to kerb auth

2009-10-07 Thread Joseph L. Casale
To get kerb auth in Squid functioning, is the only procedure that is available make use of a keytab, or are there alternatives which don't require a windows account for a keytab to be maintained? Thanks! jlc

RE: [squid-users] yes or no question

2009-08-24 Thread Joseph L. Casale
>Good day. >I've checked Russian FAQ and did not find the answer to my question. >I have a net with 20 computers. I want to block access to certain sites >forbid to download of certain types of files (*.mp3, *.avi e.t.c.). >Is it possible with Squid? For now I just want "yes" or "no" because the >r

[squid-users] RE: proxyauth for certain active directory users

2009-07-29 Thread Joseph L. Casale
>My separator is + Ok, then you simply separate domain and group with a plus. It doesn't need to be escaped. >I've tried all kinds of things: > >auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic >--require-membership-of=domain\\"Domain Users" >auth_param basic program

[squid-users] RE: proxyauth for certain active directory users

2009-07-29 Thread Joseph L. Casale
>I have everything setup as documented but its not working. The >proxy is joined to the domain, wbinfo -g/-u gives results. Without >the --require-membership-of switch If I supply a valid domain users >credentials it works. This is running latest build of 2.7. >NTLM Authentiation >auth_param ntlm

[squid-users] RE: proxyauth for certain active directory users

2009-07-28 Thread Joseph L. Casale
>Sorry for the silly question, I've been using squid to allow access to users >on a domain, but how can I limit access to users only in a certain security >group on the domain. Check the wiki out. Once they are in a group, you specify group access in the ntlm_auth helper something like this: auth

[squid-users] Website not working through squid

2009-05-12 Thread Joseph L. Casale
We have users trying to use www.aircanada.com and the site loads but then gives a message about being unavailable after its clearly rendered and then shows an "Operation Aborted" error and displays a Website Unavailable page? There is nothing in the log that looks suspicious, any ideas where to lo

RE: [squid-users] AD intergration

2009-04-03 Thread Joseph L. Casale
>Hi, >Can anybody provide me with a good tutorial on how to integrate windows >2003 AD to authenticate >Squid using NTLM. My environment is CenOS5 running Squid 2.6 and Windows >2003 R2 Standard (LDAP v3). >Thanks in advance >A. Khan Check the wiki :) http://wiki.squid-cache.org/ConfigExamples/A

RE: [squid-users] Squid 3.0 and Active Directory

2009-02-25 Thread Joseph L. Casale
>any other ideas? Well your problem should be the simplest to diagnose. Does User1's pc have direct access to the internet? Is his proxy setting configured correctly? Is his ip in the 10.100.30.0/255.255.255.0 network? I still think your acl's aren't right, you deny localhost then allow *after*?

RE: [squid-users] Squid 3.0 and Active Directory

2009-02-24 Thread Joseph L. Casale
>I have 3 users for my test: > >Admin (who is member of InternetAccess) >User1 (who is a domain account but not member of InternetAccess) >User2 (who is a local account of my pc-client) /snip >The problem appear with user1 who is supposed to don’t have an access to >internet, but after logon on w

RE: [squid-users] Latest greatest Active Directory Auth solution?

2009-01-22 Thread Joseph L. Casale
>Thanks Joseph, I found the AD group can not be a domain local group. >Set to global it works but that's only good if you only have one >domain. Set to universal it will enumerate users in trusted domains. I >have a user in a trusted domain belonging to a global group in that >domain called interne

RE: [squid-users] Latest greatest Active Directory Auth solution?

2009-01-21 Thread Joseph L. Casale
>Thank you for your howto. Because of your howto I've had a test system >logging access by DOMAIN\Username for a while now. After through >review I can't see where the --require-membership-of switch is added. You add the switch to the ntlm_auth command: $ /usr/bin/ntlm_auth --help So mine looks l

RE: [squid-users] Latest greatest Active Directory Auth solution?

2009-01-21 Thread Joseph L. Casale
>Is someone keeping track of all the Active Directory Authentication >solutions available in the Squid distribution? >In /usr/lib/squid3 I have all these and no idea which is the latest best. >pam_auth >smb_auth >smb_auth.sh >smb_auth.pl >ntlm_auth >msnt_auth >squid_ldap_auth >squid_ldap_group >wbi

RE: [squid-users] SquidGuard Replacement

2009-01-07 Thread Joseph L. Casale
>I wasn't able to access the systems with the SG-config today. >So let's solve your problem with SG tomorrow instead of hunting for >a "suboptimal" solution. >Did you try to post your prob to Shalla / Christine Kronberg ? >She is usually a great help. Philipp, It turned out to be the in-addr that

RE: [squid-users] SquidGuard Replacement

2009-01-07 Thread Joseph L. Casale
>Joseph, >I wasn't able to access the systems with the SG-config today. >So let's solve your problem with SG tomorrow instead of hunting for >a "suboptimal" solution. >Did you try to post your prob to Shalla / Christine Kronberg ? >She is usually a great help. Philipp, I did post just now, for som

RE: [squid-users] SquidGuard Replacement

2009-01-07 Thread Joseph L. Casale
>I switched to ufdbguard and have been real pleased with it's performance >and support. Thomas, Do I understand this right, the software is free but the db is not? Can one use shalla lists with this software? Thanks! jlc

RE: [squid-users] Re" Defining BL's via acls

2009-01-07 Thread Joseph L. Casale
>I think it's pretty clear he meant using the files downloaded from shalla on >his server. I know of no system that queries "remote files". BLs mean DNS >based lookups, which shalla does not have. Yeah, that's exactly what I meant. I don't think over the fastest pipe one could remotely access thes

RE: [squid-users] Defining BL's via acls

2009-01-06 Thread Joseph L. Casale
>Depends on your chosen ACL type and the number of patterns. >Many regex may be slower than DG, many dstdomain or dst may improve >response time. It looks like the lists are far too large for any regex type acls but the acl dstdomain "file" is causing me issues with the way the shalla lists are

[squid-users] Defining BL's via acls

2009-01-06 Thread Joseph L. Casale
What kind of performance issues should I expect if I remove squidGuard and simply make a series of acl's pointing to shalla bl files directly then denying them with http_access deny statements? Given the size of the shalla lists, what would any seasoned squid admins expect as a scalability thresho

RE: [squid-users] SquidGuard Replacement

2009-01-06 Thread Joseph L. Casale
>I'm using Squid3STABLE9 and SquidGuard 1.3 on three openSUSE10.3 boxes >and tested the URL you gave us above >without hanving any problems to access the TechNet site. So this must be >something with your specific setup. >What's the version of SG are you using ? Maybe you can post your problem >

[squid-users] SquidGuard Replacement

2009-01-06 Thread Joseph L. Casale
When logging in to MS Technet, I get this: ERROR The requested URL could not be retrieved The following error was encountered while trying to retrieve the URL: http:443 Unable to determine IP address from host name T

[squid-users] Configuration Change

2009-01-05 Thread Joseph L. Casale
When editing squid.conf is not sufficient to restart the squid service to enact changes, or does one need to execute squid -k reconfigure always as well? Thanks! jlc

RE: [squid-users] Handling websites that switch between http & https

2009-01-05 Thread Joseph L. Casale
>Amos, >Still no luck, if it matters I am on the upstream packaged 2.6 stable 5 >from RH. If I moved that up to a more recent version do you think this >issue might be handled better? Before I even started this thread, I had removed the url_rewrite_program reference to squidguard as I assumed that

RE: [squid-users] Handling websites that switch between http & https

2009-01-05 Thread Joseph L. Casale
>You've just reminded me of the hotmail problems... > >Joseph: > see if it disappears when you turn "balance_on_multiple_ip off". It >still defaults to on in most Squid installs. Amos, Still no luck, if it matters I am on the upstream packaged 2.6 stable 5 from RH. If I moved that up to a more

RE: [squid-users] Handling websites that switch between http & https

2008-12-27 Thread Joseph L. Casale
>You've just reminded me of the hotmail problems... > >Joseph: > see if it disappears when you turn "balance_on_multiple_ip off". It >still defaults to on in most Squid installs. Amos, I am on holidays w/o access to this system atm, but wouldn't this only matter if there was more than one public

RE: [squid-users] Handling websites that switch between http & https

2008-12-23 Thread Joseph L. Casale
>Define 'connection'. I suspect what you think of as a connection is not >related to HTTP connections. Amos, Appreciate your help here, why I theorize connection was because what happens when an SSL session is started versus a simple HTTP session. This is all related to our users getting yahoo ma

[squid-users] Handling websites that switch between http & https

2008-12-23 Thread Joseph L. Casale
How does one deal with this scenario? It seems that when we encounter websites that toggle between http/s the connection is broken. I can see why this logically happens, but I am unable to work a solution for it? Anyone have experience with a scenario such as this? Thanks! jlc

[squid-users] Accessing attatchments in yahoo mail

2008-12-20 Thread Joseph L. Casale
I had a transparent squid proxy setup and was having issues where yahoo attachments after scanning and enabling the interface to download them would logout a user when clicking the link. Thinking this had something to do with the switching back and forth from http/https and being transparent, I

RE: [squid-users] SSL EDI Site issues

2008-12-17 Thread Joseph L. Casale
>Add this before the line that requires auth: > >acl covisint dstdomain messaging.covisint.com >http_access allow CONNECT localnet covisint > >Assuming that you have the localnet (local network ranges) and CONNECT >acls defined already. Much appreciated Amos, this worked perfectly! jlc

[squid-users] SSL EDI Site issues

2008-12-16 Thread Joseph L. Casale
I am running squid-2.6.STABLE6-5.el5_1.3 on CentOS 5 with ntlm auth and all our mail and banking ssl sites are functioning except one site, messaging.covisint.com:443 that we do EDI with. I am getting: 192.168.0.146 TCP_DENIED/407 1859 CONNECT messaging.covisint.com:443 - NONE/- text/html in the a