Re: [squid-users] TLS passthrough
Thank you Amos and Rafael, Using the LinuxDnat approach worked great as well. On Sat, Sep 30, 2023 at 5:18 AM Amos Jeffries wrote: > On 30/09/23 11:06, Fernando Giorgetti wrote: > > If someone has already done that, with the client running in a different > > machine, I would love to know how. > > > There are several ways; > > 1) run Squid on the gateway router for your network, or > > 2) place Squid in a DMZ between the LAN gateway and WAN gateway. > > 3) setup a custom route+gateway for port 80 and 443 LAN traffic as the > Squid machine. Excluding traffic from that machine itself. > > > > > > In case Squid runs on the same machine used as a network gateway to the > > client machine, I suppose the config would be similar, but if it's not > > running on the same machine used as the gateway, then it would be nice > > to see how. > > > > That would be (1). See > <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat> for > how to configure the gateway router running Squid. > > The configuration difference between the at-source (aka, on client > machine) you are/were using is just some iptables rules. > > > HTH > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] TLS passthrough
If someone has already done that, with the client running in a different
machine, I would love to know how.
In case Squid runs on the same machine used as a network gateway to the
client machine, I suppose the config would be similar, but if it's not
running on the same machine used as the gateway, then it would be nice to
see how.
Thanks
Em sex., 29 de set. de 2023 18:13, Alex Rousskov <
rouss...@measurement-factory.com> escreveu:
> On 2023-09-29 13:55, Fernando Giorgetti wrote:
>
> > The "intercept" scenario demonstrated here
> > https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
> > makes sense to me, as we are just redirecting internal traffic into
> Squid,
> > so the original destination IP is preserved.
>
> > I was able to make it work and that TLS app worked just fine. The
> > only constraint is that it requires that both the client and Squid
> > ran on the same machine, but at least it worked perfectly.
>
> I am very glad you are making progress. FWIW, there are also ways to
> intercept traffic from applications that do not run on the same machine
> as Squid. This is not my area of expertise, but others on the list can
> guide you if you need that kind of setup.
>
>
> > Here is my squid.conf (just in case someone eventually has a similar
> > issue):
>
> Thank you!
>
> Alex.
>
>
>
> > acl CONNECT method CONNECT
> > acl mytlsserverip dst 10.0.0.10
> > http_access allow CONNECT mytlsserverip
> >
> > http_port 3128
> >
> > https_port 127.0.0.1:3129 intercept ssl-bump \
> >tls-cert=/tmp/certs/squid.pem \
> >tls-key=/tmp/certs/squid.key \
> >generate-host-certificates=off
> >
> > ssl_bump splice all
> >
> >
> > And here are the firewall rules I have used:
> >
> > iptables -t nat -I OUTPUT -p tcp -d 10.0.0.10 --dport 55671 -j DNAT
> > --to-destination 127.0.0.1:3129 <http://127.0.0.1:3129>
> > iptables -t nat -I OUTPUT --match owner --uid-owner squid -p tcp -d
> > 10.0.0.10 --dport 55671 -j ACCEPT
> >
> > I appreciate all the guidance and discussion Matus and Alex.
> >
> > Thank you,
> > Fernando
> >
> > On Fri, Sep 29, 2023 at 12:53 PM Alex Rousskov
> > > <mailto:rouss...@measurement-factory.com>> wrote:
> >
> > On 2023-09-29 10:55, Fernando Giorgetti wrote:
> > > Do you control the client application? If yes, then perhaps
> > it can be
> > > adjusted to support HTTP proxies? In other words, the client
> > will send a
> > > plain text HTTP CONNECT request to Squid and, upon receiving
> > a 200
> > > (Connection Established) response headers, will start using
> > TLS with the
> > > origin server. In this case, you do not need interception.
> >
> >
> > > Nope, the client application is also used to communicate with
> > other apps in
> > > other environments.
> >
> > FWIW, "used with other apps" does not imply or explain the "nope, we
> do
> > not control the application" answer IMHO.
> >
> >
> > > The SNI has to be used as the client/server apps perform
> > > mutual TLS authentication.
> >
> > To avoid a misunderstanding, nothing I have said precludes the use of
> > TLS SNI by the client application. Thus, I am not sure why you are
> > saying the above.
> >
> >
> > > In order to evaluate if we can use Squid for this purpose, I have
> > > also created a basic TLS client/server app to validate what is
> > > happening. Basically my TLS client tries to connect directly to
> Squid
> > > IP/Port and I am indicating the SNI so that the TLS handshake
> > > passes.
> >
> > FWIW, a scenario where the client application establishes a TLS
> > connection with Squid https_port (configured as a reverse HTTPS
> proxy)
> > will not work for your use case AFAICT. I am not sure why you are
> > testing this. It has not been suggested on this mailing list.
> >
> > BTW, you can use ("curl" or even "openssl s_client") and "openssl
> > s_server" for basic tests. I recommend using well-known test programs
> > (instead of custom apps) because doing so makes it easier for mailing
> > list readers to understand what your test clients and servers are
> doing
> > (and to reproduce your setup).
> >
> >
> > > When I tried to make it work usi
Re: [squid-users] TLS passthrough
Alex,
Sorry for my misconceptions in my previous email.
The "intercept" scenario demonstrated here
https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
makes sense to me, as we are just redirecting internal traffic into Squid,
so the original destination IP is preserved.
I was able to make it work and that TLS app (which I have no control at
all),
worked just fine. The only constraint is that it requires that both the
client and
Squid ran on the same machine, but at least it worked perfectly.
Here is my squid.conf (just in case someone eventually has a similar issue):
acl CONNECT method CONNECT
acl mytlsserverip dst 10.0.0.10
http_access allow CONNECT mytlsserverip
http_port 3128
https_port 127.0.0.1:3129 intercept ssl-bump \
tls-cert=/tmp/certs/squid.pem \
tls-key=/tmp/certs/squid.key \
generate-host-certificates=off
ssl_bump splice all
And here are the firewall rules I have used:
iptables -t nat -I OUTPUT -p tcp -d 10.0.0.10 --dport 55671 -j DNAT
--to-destination 127.0.0.1:3129
iptables -t nat -I OUTPUT --match owner --uid-owner squid -p tcp -d
10.0.0.10 --dport 55671 -j ACCEPT
I appreciate all the guidance and discussion Matus and Alex.
Thank you,
Fernando
On Fri, Sep 29, 2023 at 12:53 PM Alex Rousskov <
rouss...@measurement-factory.com> wrote:
> On 2023-09-29 10:55, Fernando Giorgetti wrote:
> > Do you control the client application? If yes, then perhaps it can be
> > adjusted to support HTTP proxies? In other words, the client will
> send a
> > plain text HTTP CONNECT request to Squid and, upon receiving a 200
> > (Connection Established) response headers, will start using TLS with
> the
> > origin server. In this case, you do not need interception.
>
>
> > Nope, the client application is also used to communicate with other apps
> in
> > other environments.
>
> FWIW, "used with other apps" does not imply or explain the "nope, we do
> not control the application" answer IMHO.
>
>
> > The SNI has to be used as the client/server apps perform
> > mutual TLS authentication.
>
> To avoid a misunderstanding, nothing I have said precludes the use of
> TLS SNI by the client application. Thus, I am not sure why you are
> saying the above.
>
>
> > In order to evaluate if we can use Squid for this purpose, I have
> > also created a basic TLS client/server app to validate what is
> > happening. Basically my TLS client tries to connect directly to Squid
> > IP/Port and I am indicating the SNI so that the TLS handshake
> > passes.
>
> FWIW, a scenario where the client application establishes a TLS
> connection with Squid https_port (configured as a reverse HTTPS proxy)
> will not work for your use case AFAICT. I am not sure why you are
> testing this. It has not been suggested on this mailing list.
>
> BTW, you can use ("curl" or even "openssl s_client") and "openssl
> s_server" for basic tests. I recommend using well-known test programs
> (instead of custom apps) because doing so makes it easier for mailing
> list readers to understand what your test clients and servers are doing
> (and to reproduce your setup).
>
>
> > When I tried to make it work using a forward proxy with intercept and
> > ssl_bump, I could not make Squid peek at the SNI and tunnel the
> > request to the correct destination.
>
> Please note that "forward proxy with intercept" is an oxymoron -- the
> two port modes (i.e. explicit "intercept" and default forward proxying)
> are mutually exclusive.
>
> If you do not want to or cannot modify/configure the client application
> to use Squid as a forward HTTP proxy (as I detailed earlier; see the
> paragraph still quoted at the beginning of this message), then your
> other choice is interception (as I detailed earlier; see the "Squid
> supports blind tunneling of intercepted TCP connections" discussion in
> the previous exchange).
>
> When Squid https_port gets an intercepted client TCP connection, Squid
> does not need SNI to know where to forward that TCP connection. Squid
> opens a TCP connection to the IP address where the client TCP connection
> was going (or trying to go) before it was intercepted. That intended
> destination IP address is delivered to Squid by the OS, as a part of
> interception mechanism/setup. TLS and SNI are not involved in this process.
>
> If you have not tested an interception scenario, please do. If you have,
> please share your interception configuration, Squid configuration, and
> any relevant error/problem information.
>
>
> HTH,
>
> Alex.
>
>
> > On Fri, Sep 29, 2023 at 11:35 AM Alex Rousskov wrote:
> >
> > On 2023-09-29
Re: [squid-users] TLS passthrough
> > Do you control the client application? If yes, then perhaps it can be > adjusted to support HTTP proxies? In other words, the client will send a > plain text HTTP CONNECT request to Squid and, upon receiving a 200 > (Connection Established) response headers, will start using TLS with the > origin server. In this case, you do not need interception. Nope, the client application is also used to communicate with other apps in other environments. The SNI has to be used as the client/server apps perform mutual TLS authentication. In other words, the client will send a > plain text HTTP CONNECT request to Squid and, upon receiving a 200 > (Connection Established) response headers, will start using TLS with the > origin server. In this case, you do not need interception. In order to evaluate if we can use Squid for this purpose, I have also created a basic TLS client/server app to validate what is happening. Basically my TLS client tries to connect directly to Squid IP/Port and I am indicating the SNI so that the TLS handshake passes. Using a reverse I was able to make it reach the TLS server after faking a CONNECT request. But without a fake CONNECT or a valid HTTP request it failed. When I tried to make it work using a forward proxy with intercept and ssl_bump, I could not make Squid peek at the SNI and tunnel the request to the correct destination. Fernando On Fri, Sep 29, 2023 at 11:35 AM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-29 09:17, Fernando Giorgetti wrote: > > > Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS > > data, as we have a restricted environment where Squid is currently the > > only way to get out to the internet. > > Yes, Squid can tunnel non-HTTP data, including TLS data. > > > > The idea is that the client application will open a connection to a given > > hostname and port (setting the SNI in the TLS options), considering that > > the given hostname/port is the actual backend they're trying to reach. > > Do you control the client application? If yes, then perhaps it can be > adjusted to support HTTP proxies? In other words, the client will send a > plain text HTTP CONNECT request to Squid and, upon receiving a 200 > (Connection Established) response headers, will start using TLS with the > origin server. In this case, you do not need interception. > > > > We can either try to use a fake hostname (defined in the /etc/hosts of > the > > tls client machine) which would actually point to Squid's IP > > AFAICT, faking the IP address will not work without Squid source code > modifications because a non-intercepting Squid https_port will want to > terminate TLS -- such a port does not support blindly tunneling traffic. > > > > or eventually > > redirect traffic to the real destination into Squid using a DNAT rule. > > I am not a DNAT expert, but this sounds like interception to me. Bugs > notwithstanding, Squid supports blind tunneling of intercepted TCP > connections (to their intended destination): > > https_port X intercept ssl-bump ... > ssl_bump splice all > > On a successful tunneling path, the above configuration does not care > whether the intercepted traffic is TLS and will not peek at TLS SNI, but > nothing in your requirements necessitates SNI knowledge AFAICT. > > If Squid fails to establish a TCP connection to the intended destination > of the intercepted connection, then the situation becomes more complex: > Squid (with the above configuration) assumes that the client is speaking > TLS. Squid will attempt to bump the TLS client connection and send a > Squid-generated HTTP error response to the client. AFAIK, this bumping > and error sending attempt cannot be prevented in this case without Squid > source code modifications: Squid used to be able to terminate a > client-Squid connection instead of sending a Squid-generated HTTP error > response (by replacing the corresponding Squid error page contents with > a word "reset"). However, that feature was accidentally(?) dropped in > 2002 commit 76cdc28 AFAICT. > > > HTH, > > Alex. > > > > But overall, it will be a 1:1 relationship, meaning, the https_port on > Squid > > would be used exclusively to this purpose of proxying from a given source > > to a given destination. > > > > That is why I was considering a reverse-proxy, but I had no luck with it > > (actually > > I was able to proxy HTTP/HTTPS, but not non-http). > > > > Thank you again, > > Fernando > > > > On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov > > > <mailto:rouss...@measurement-factory.com>> wrote: > > > > On 2023-09-28 20:35, Fernando G
Re: [squid-users] TLS passthrough
Hello Alex, First of all, thanks for your attention and time. Actually I am evaluating if Squid can be used to proxy Non-HTTP/TLS data, as we have a restricted environment where Squid is currently the only way to get out to the internet. The idea is that the client application will open a connection to a given hostname and port (setting the SNI in the TLS options), considering that the given hostname/port is the actual backend they're trying to reach. We can either try to use a fake hostname (defined in the /etc/hosts of the tls client machine) which would actually point to Squid's IP or eventually redirect traffic to the real destination into Squid using a DNAT rule. But overall, it will be a 1:1 relationship, meaning, the https_port on Squid would be used exclusively to this purpose of proxying from a given source to a given destination. That is why I was considering a reverse-proxy, but I had no luck with it (actually I was able to proxy HTTP/HTTPS, but not non-http). Thank you again, Fernando On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 20:35, Fernando Giorgetti wrote: > > > Do you have any recommendations on how I could have it done? > > I am unable to confirm whether Squid can do what you want or provide > configuration recommendations because I do not yet know how your Squid > will receive traffic (e.g., an intercepting proxy or an explicit forward > HTTP proxy), what traffic Squid will receive (e.g., TLS, plain HTTP, > something else), and what you want Squid to do with that traffic. > > To make progress, I recommend describing the above details (for one > typical use case?) and then answering any followup questions. > > > Cheers, > > Alex. > > > > When my tls client tries to reach the target through Squid, using > > a "ssl_bump splice", it seems like squid is trying to reach itself in a > > loop. > > > > I have also tried including a peek first, but no luck. > > > > Thanks again for all suggestions. > > > > On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov wrote: > > > > On 2023-09-28 15:23, Fernando Giorgetti wrote: > > > > > Actually with the suggested blind passthrough, Squid would not > > handle > > > the TLS termination. > > > > Correct. > > > > > > > how will Squid know what the target is? > > > > In many cases, Squid can learn SNI by peeking at TLS ClientHello, > > without terminating TLS. Bugs notwithstanding, none of the > > configuration > > sketches I shared previously will do that though. > > > > > > HTH, > > > > Alex. > > > > > > > > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote: > > > > > > On 2023-09-28 11:31, Fernando Giorgetti wrote: > > > > > > > And what should I do to let Squid use the SNI defined by > > the TLS > > > client? > > > > > > What do you want Squid to use that SNI for? > > > > > > Alex. > > > > > > > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: > > > > > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote: > > > > > Hi Matus, do you mean something like a DNAT > > (iptables) rule? > > > > > If so, I would say, it should work as well. > > > > > > > > > > But this is an environment I do not control, and I > have > > > been told > > > > to try > > > > > using an existing squid installation to proxy > > non-http/TLS > > > data > > > > through. > > > > > > > > > > I appreciate any guidance or recommendation. > > > > > > > > > > > > Bugs notwithstanding, Squid can blindly tunnel > intercepted > > > (at TCP port > > > > X) TCP traffic to its intended destination: > > > > > > > > https_port X intercept ssl-bump ... > > > > ssl_bump splice all > > > > > > > > > > > > Without interception, then Squid can only tunnel stuff > > inside > > > HTTP > >
Re: [squid-users] TLS passthrough
> > Bugs notwithstanding, none of the configuration > sketches I shared previously will do that though. Do you have any recommendations on how I could have it done? When my tls client tries to reach the target through Squid, using a "ssl_bump splice", it seems like squid is trying to reach itself in a loop. I have also tried including a peek first, but no luck. Thanks again for all suggestions. On Thu, Sep 28, 2023 at 7:23 PM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 15:23, Fernando Giorgetti wrote: > > > Actually with the suggested blind passthrough, Squid would not handle > > the TLS termination. > > Correct. > > > > how will Squid know what the target is? > > In many cases, Squid can learn SNI by peeking at TLS ClientHello, > without terminating TLS. Bugs notwithstanding, none of the configuration > sketches I shared previously will do that though. > > > HTH, > > Alex. > > > > > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote: > > > > On 2023-09-28 11:31, Fernando Giorgetti wrote: > > > > > And what should I do to let Squid use the SNI defined by the TLS > > client? > > > > What do you want Squid to use that SNI for? > > > > Alex. > > > > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: > > > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote: > > > > Hi Matus, do you mean something like a DNAT (iptables) > rule? > > > > If so, I would say, it should work as well. > > > > > > > > But this is an environment I do not control, and I have > > been told > > > to try > > > > using an existing squid installation to proxy non-http/TLS > > data > > > through. > > > > > > > > I appreciate any guidance or recommendation. > > > > > > > > > Bugs notwithstanding, Squid can blindly tunnel intercepted > > (at TCP port > > > X) TCP traffic to its intended destination: > > > > > > https_port X intercept ssl-bump ... > > > ssl_bump splice all > > > > > > > > > Without interception, then Squid can only tunnel stuff inside > > HTTP > > > CONNECT tunnels (for HTTP CONNECT requests received at TCP > > port Y): > > > > > > http_port Y ssl-bump ... > > > ssl_bump splice all > > > > > > > > > In both cases, Squid does not care about the protocols that > > tunneled > > > traffic is using. It could be HTTP, HTTPS, TLS, or anything > > else on top > > > of TCP. > > > > > > Your ACLs may differ from "all" in the above sketches, of > course, > > > but if > > > traffic is not TLS, then you want an "ssl_bump splice" rule > that > > > matches > > > during SslBump step1. A rule with an "all" ACLs is the > > simplest example > > > of that. > > > > > > > > > HTH, > > > > > > Alex. > > > P.S. I am getting an "Internal Server Error" when following > > the haproxy > > > link in the original question, so I cannot map what that page > > says to > > > the configurations above. > > > > > > > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas > wrote: > > > > > > > > On 27.09.23 16:48, Fernando Giorgetti wrote: > > > > >I would like to know if it is possible to set up > > Squid to > > > perform > > > > >TLS passthrough to a given backend, relaying TLS > > encrypted > > > > >traffic to the backend, similarly to what HAProxy > > does below? > > > > > > > > > > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > < > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough> > < > https://www.haproxy
Re: [squid-users] TLS passthrough
Actually with the suggested blind passthrough, Squid would not handle the TLS termination. So without a reverse proxy (accel mode), how will Squid know what the target is? On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 11:31, Fernando Giorgetti wrote: > > > And what should I do to let Squid use the SNI defined by the TLS client? > > What do you want Squid to use that SNI for? > > Alex. > > > > On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: > > > > On 2023-09-28 09:06, Fernando Giorgetti wrote: > > > Hi Matus, do you mean something like a DNAT (iptables) rule? > > > If so, I would say, it should work as well. > > > > > > But this is an environment I do not control, and I have been told > > to try > > > using an existing squid installation to proxy non-http/TLS data > > through. > > > > > > I appreciate any guidance or recommendation. > > > > > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP > port > > X) TCP traffic to its intended destination: > > > > https_port X intercept ssl-bump ... > > ssl_bump splice all > > > > > > Without interception, then Squid can only tunnel stuff inside HTTP > > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y): > > > > http_port Y ssl-bump ... > > ssl_bump splice all > > > > > > In both cases, Squid does not care about the protocols that tunneled > > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on > top > > of TCP. > > > > Your ACLs may differ from "all" in the above sketches, of course, > > but if > > traffic is not TLS, then you want an "ssl_bump splice" rule that > > matches > > during SslBump step1. A rule with an "all" ACLs is the simplest > example > > of that. > > > > > > HTH, > > > > Alex. > > P.S. I am getting an "Internal Server Error" when following the > haproxy > > link in the original question, so I cannot map what that page says to > > the configurations above. > > > > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote: > > > > > > On 27.09.23 16:48, Fernando Giorgetti wrote: > > > >I would like to know if it is possible to set up Squid to > > perform > > > >TLS passthrough to a given backend, relaying TLS encrypted > > > >traffic to the backend, similarly to what HAProxy does > below? > > > > > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > < > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough> > < > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > < > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > >> > > > > > > > >I have tried a few different configurations using reverse > > proxy, > > > >or peek and splice, but I could not make it work without > > providing > > > >a valid HTTP request or a CONNECT request. > > > > > > what's the difference between TCP redirect and this? > > > > > > -- > > > Matus UHLAR - fantomas, uh...@fantomas.sk > > <mailto:uh...@fantomas.sk> <mailto:uh...@fantomas.sk > > <mailto:uh...@fantomas.sk>> > > > ; http://www.fantomas.sk/ <http://www.fantomas.sk/> > > <http://www.fantomas.sk/ <http://www.fantomas.sk/>> > > > Warning: I wish NOT to receive e-mail advertising to this > > address. > > > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu > > postu. > > > Depression is merely anger without enthusiasm. > > > ___ > > > squid-users mailing list > > > squid-users@lists.squid-cache.org > > <mailto:squid-users@lists.squid-cache.org> > > > <mailto:squid-users@lists.squid-cache.org > > <mailto:squid-users@lis
Re: [squid-users] TLS passthrough
Hello Alex, thanks for your reply. And what should I do to let Squid use the SNI defined by the TLS client? Thanks again, Fernando On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 09:06, Fernando Giorgetti wrote: > > Hi Matus, do you mean something like a DNAT (iptables) rule? > > If so, I would say, it should work as well. > > > > But this is an environment I do not control, and I have been told to try > > using an existing squid installation to proxy non-http/TLS data through. > > > > I appreciate any guidance or recommendation. > > > Bugs notwithstanding, Squid can blindly tunnel intercepted (at TCP port > X) TCP traffic to its intended destination: > > https_port X intercept ssl-bump ... > ssl_bump splice all > > > Without interception, then Squid can only tunnel stuff inside HTTP > CONNECT tunnels (for HTTP CONNECT requests received at TCP port Y): > > http_port Y ssl-bump ... > ssl_bump splice all > > > In both cases, Squid does not care about the protocols that tunneled > traffic is using. It could be HTTP, HTTPS, TLS, or anything else on top > of TCP. > > Your ACLs may differ from "all" in the above sketches, of course, but if > traffic is not TLS, then you want an "ssl_bump splice" rule that matches > during SslBump step1. A rule with an "all" ACLs is the simplest example > of that. > > > HTH, > > Alex. > P.S. I am getting an "Internal Server Error" when following the haproxy > link in the original question, so I cannot map what that page says to > the configurations above. > > > > On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote: > > > > On 27.09.23 16:48, Fernando Giorgetti wrote: > > >I would like to know if it is possible to set up Squid to perform > > >TLS passthrough to a given backend, relaying TLS encrypted > > >traffic to the backend, similarly to what HAProxy does below? > > > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > < > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > > > > > > > >I have tried a few different configurations using reverse proxy, > > >or peek and splice, but I could not make it work without providing > > >a valid HTTP request or a CONNECT request. > > > > what's the difference between TCP redirect and this? > > > > -- > > Matus UHLAR - fantomas, uh...@fantomas.sk <mailto:uh...@fantomas.sk> > > ; http://www.fantomas.sk/ <http://www.fantomas.sk/> > > Warning: I wish NOT to receive e-mail advertising to this address. > > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > > Depression is merely anger without enthusiasm. > > ___ > > squid-users mailing list > > squid-users@lists.squid-cache.org > > <mailto:squid-users@lists.squid-cache.org> > > https://lists.squid-cache.org/listinfo/squid-users > > <https://lists.squid-cache.org/listinfo/squid-users> > > > > > > ___ > > squid-users mailing list > > squid-users@lists.squid-cache.org > > https://lists.squid-cache.org/listinfo/squid-users > > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] TLS passthrough
Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data through. I appreciate any guidance or recommendation. Thank you, Fernando On Thu, Sep 28, 2023 at 3:41 AM Matus UHLAR - fantomas wrote: > On 27.09.23 16:48, Fernando Giorgetti wrote: > >I would like to know if it is possible to set up Squid to perform > >TLS passthrough to a given backend, relaying TLS encrypted > >traffic to the backend, similarly to what HAProxy does below? > > > > > https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough > > > >I have tried a few different configurations using reverse proxy, > >or peek and splice, but I could not make it work without providing > >a valid HTTP request or a CONNECT request. > > what's the difference between TCP redirect and this? > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > Depression is merely anger without enthusiasm. > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users > ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
[squid-users] TLS passthrough
Hello, I would like to know if it is possible to set up Squid to perform TLS passthrough to a given backend, relaying TLS encrypted traffic to the backend, similarly to what HAProxy does below? https://www.haproxy.com/documentation/aloha/latest/security/tls/encryption-strategies/#tls-passthrough I have tried a few different configurations using reverse proxy, or peek and splice, but I could not make it work without providing a valid HTTP request or a CONNECT request. Thank you, Fernando ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid yum install
Hi, The latest release there is 3.4.5-2 built July []s, Fernando Lozano You can use the rpm as can be found in http://www1.ngtech.co.il/rpm/centos/6/x86_64/ How to install squid-3.4.7 using yum?
Re: [squid-users] squid yum install
Hi Eliezer, For my part I appreciate very much your effort building and hosting those packages and understand it takes some time. Thanks a lot! PS: Most of my proposed changes (like SELinux policy for SMP) are already in Fedora. Have to check if they have moved to RHEL6/7 and so to CentOS. []s, Fernando Lozano Hey There, Indeed there is not yet a 3.4.7 release due to the basic fact that it was released in the last 24 hours and it takes time to run a basic test and build the RPMS. I will probably build the 3.4.7 RPMS in the next week. The release will be for CentOS 6 and not yet 7. Indeed squid builds on CentOS 7 but from my point view it is not tested enough for production compared to ubuntu 14.04. I will release notes about it later. Eliezer On 08/28/2014 04:28 PM, Santosh Bhabal wrote: Hello Farooq, I am unable to find squid 3.4.7 rpm in the URL which you have given. Regards Santosh
Re: [squid-users] what Squid access.log analyzer are you using?
Hi Eliezer, Since squid has new outputs in the access log I was wondering what analyzer are you using? I want to write a simple scripting (for practice) tool that will do things in a similar way that calamaris do. What statistics would be needed from such a tool? I use SARG (that is, my customer uses), but it could be better. I've worked with Calamaris before, and it did one thing SARG does not: update reports without re-parsing past log entries. So I can run Calamaris every 5 minutes to have reports updated in near real-time, even for high traffic proxies. But my SARG takes almost half an hour to generate a daily report. Neither Calamaris nor SARG does one thing I want/need: upload bandwidth reports. Both of them (and all other ones I researched) do only download reports, but in today web, where too many apps upload data to servers, upload bandwith is not so low anymore. Currently I have to generate two sets of acces logs, the regular one for download reports, and another one where I replace downloaded bytes by uploaded bytes, to generate a second set of reports. Having one tool do both from the same logs, without wasting time processing what is essentially the same log twice, would be a big plus. PS: There's also the issue of squid not reporting upload bytes for CONNECT requests, that is, https requests. This would leave of the report all upload bandwidth consume by Google services and other APIs, which I suspect are the biggest consumers. :-( []s, Fernando Lozano
Re: [squid-users] assertion failed: cbdata.cc:464: c-locks 0
Hi Amos, On 30/07/2014 10:44 p.m., Labusch, Christian (regio iT) wrote: - OS: Linux debian 3.2.0-4-486 #1 Debian 3.2.60-1+deb7u1 i686 GNU/Linux - Squid Cache: Version 3.4.6. (configure options: '--enable-delay-pools') Squid.conf (Limitation 1 Mbit/s): client_delay_pools 1 client_delay_initial_bucket_level 100 client_delay_access 1 allow localnet client_delay_access 1 deny all client_delay_parameters 1 128000 128000 To start the squid-Daemon brings the following error: Cache.log: 2014/07/30 10:33:02 kid1| assertion failed: cbdata.cc:464: c-locks 0 http://bugs.squid-cache.org/show_bug.cgi?id=3696 Just for the record, I got the same error (same assert) when I tried to enable client_delay_pools. But using CentOS 6.4 ou a 64-bit Xeon Dell server and squid 3.4.6 installed from Eliezer RPMs. Very different machine and OS, so it's not something specific to Christian setup. I took a look at the bug and comments give the impression that people thought it was reladted to the older delay_pools (not client_delay) when they reported works fine for me. The bug state could be moved to something other than UNCONFIRMED. And I have to remember how to get debug symbols for the RPM and generate a stack trace. ;-) []s, Fernando Lozano
[squid-users] conditional configuration: are nested if's ok?
Hi,
from squid.conf.documented, regarding conditional configuration:
NOTE: An else-if condition is not supported.
This mean we cannot have nested if's, like:
workers 2
cache_dir rock /cache/shared 2000 min-size=1 max-size=31000
max-swap-rate=250 swap-timeout=350
if ${process_number} = 4
# no aufs for coordinator
else
if ${process_number} = 3
# no aufs for disker
else
cache_dir aufs /cache/worker${process_number} 2000 16 256
min-size=31001 max-size=346030080
endif
endif
[]s, Fernando Lozano
Re: [squid-users] Monitoring bandwidth usage: good and bad news
Hi Eliezer, What would expect from this monitoring tool to do? Per-user and per-host bandwidth monitoring for both upload and download. When using access log parsers like sarg and calamaris we get only download bandwidth. It's easy to configure them to generate a parallel set of upload reports from a parallel access.log that switches %st to %st but it looks like squid wont log upload sizes for CONNECT requests, so the big badwidth eaters like google drive won't show any upload traffic. From squidclient mgr:utilization I could get only agregate upload and download bandwidth. Not per user or per host. And of course I'd like to find something ready to use instead of hacking my own scripts to query squid, generate logs and plot graphics. ;-) []s, Fernando Lozano Eliezer On 07/15/2014 11:11 PM, ferna...@lozano.eti.brwrote: Hi there, As stated in another thread, using the access log format st seems ineffective to measure upload bandwidth to things like Google Drive. Amos stated that this could be related to a CONNECT issue. Is anyone aware of this issue? Is there a bug report? Now the good news: I'm collecting data from squidclient mgr:usage, and all attributes client.*kbytes_in/out and the server ones seems to be correct, and accounting for HTTPS downloads and uploads. Is anyone aware of a ready-to-use monitoring tool that uses squidlcient for those metrics? []s, Fernando Lozano
[squid-users] Monitoring bandwidth usage: good and bad news
Hi there, As stated in another thread, using the access log format st seems ineffective to measure upload bandwidth to things like Google Drive. Amos stated that this could be related to a CONNECT issue. Is anyone aware of this issue? Is there a bug report? Now the good news: I'm collecting data from squidclient mgr:usage, and all attributes client.*kbytes_in/out and the server ones seems to be correct, and accounting for HTTPS downloads and uploads. Is anyone aware of a ready-to-use monitoring tool that uses squidlcient for those metrics? []s, Fernando Lozano
Re: [squid-users] access log request size x google drive
Hi Amos, I configured my squid.conf to generate a second access log but using the client request size (%st) in place of the response size (%st): My goal was to use sarg to generate a report for upload sizes alongside the standard report wich contains only download sizes. after I uploaded some big files to google drive the reports still doesn't show a significant increase in upload sizes. I also run darkstat on the server and it shows the expected increase for Out traffic. Is that out to the client? or out to the server? or both (when out means servicing clients over the same NIC)? Both, only one NIC. So, why aren't my upload.log showing uploads to google drive? Is this supposed to work at all, or do I need some trick for squid? What type of requests are being logged? All of them. No ACLs for logging. IIRC there is an issue with CONNECT traffic only logging one direction. So I may be experiencing this. All google properties use https all the time, so all requests for Google Drive are CONNECT ones. Can you point to a bug ticket or something I can to do confirm this is the problem? I', running squid 3.4.3 (from Eliezer rpm). Is this issue also on 3.4.6 (which is the latest rpm released by Eliezer)? []s, Fernando Lozano
Re: [squid-users] access log request size x google drive
Hi, Is that out to the client? or out to the server? or both (when out means servicing clients over the same NIC)? Both, only one NIC. Then you are not able to distinguish outbound to client and outboud to server. That's right. You would be better off using %st for logging the sizes. That accumulates the total for each transaction and more correctly matches the NIC RX+TX total throughput. Nice idea. But doesn't solve my problem of not having the upload (from squid to internet) to google on the access logs. :-( I'll check if measuring from squidclient mgr:usage, which separates server from client, provides values consistent with my google drive tests. []s, Fernando Lozano
[squid-users] access log request size x google drive
Hi there, I configured my squid.conf to generate a second access log but using the client request size (%st) in place of the response size (%st): logformat upload %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %[un %Sh/%a %mt access_log stdio:/var/log/squid/upload.log logformat=upload access_log stdio:/var/log/squid/access.log My goal was to use sarg to generate a report for upload sizes alongside the standard report wich contains only download sizes. The reports looks ok for regular web browsing (download sizes much larger than upload sizes) but after I uploaded some big files to google drive the reports still doesn't show a significant increase in upload sizes. I also run darkstat on the server and it shows the expected increase for Out traffic. So, why aren't my upload.log showing uploads to google drive? Is this supposed to work at all, or do I need some trick for squid? []s, Fernando Lozano
Re: [squid-users] problem with filedescriptors after reboot
Hi, Probably the low limit on file descriptors came from /etc/security/limits.conf. But you can edit /etc/sysconfig/squid and add there the command ulimit -n 16384 So squid gets a higher number no matter what's in limits.conf []s, Fernando Lozano There is an issue with that not related directly to squid. You can try to add into the sysvinit script a strict declaration using ulimit that will force a limit on the script at runtime. It can be caused due to malfunction or mis-configuration in RH and that the FD limit at the time when squid starts up at boot is not yet set. Regards, Eliezer On 06/20/2014 04:05 PM, ama...@tin.it wrote: Hello we are testing squid-3.4.5-20140616-r13146 on - rh es 6 64 with kernel version 2.6.32-431.20.3.el6.x86_64 squid it's compiled with -- with-filedescriptors=16384 and we have found this strange behavior If I reboot the linux box we have this situation(wrong): squidclient mgr: info |grep file Sending HTTP request ... done. Maximum number of file descriptors: 1024 Largest file desc currently in use: 14 Number of file desc currently in use:7 Available number of file descriptors: 1017 Reserved number of file descriptors: 100 Store Disk files open: 0 After this I restart the squid service and the situation(correct): squidclient mgr:info |grep file Sending HTTP request ... done. Maximum number of file descriptors: 16384 Largest file desc currently in use: 14 Number of file desc currently in use:7 Available number of file descriptors: 16377 Reserved number of file descriptors: 100 Store Disk files open: 0 Regards, Maurizio
Re: [squid-users] problem with filedescriptors after reboot
Hi James, On 2014-06-20 09:10, ama...@tin.it wrote: I had configured /etc/security/limits.conf squid softnofile 16384 squid hardnofile 16384 rootsoftnofile 16384 roothardnofile 16384 but to resolve the problem I have to add into /et/init.d/squid #set fildedescriptor set -e ulimit -n 16384 thank Eliezer I've found that adding: * - nofile 16384 To limits.conf works as well. That's expected: /etc/init.d/squid doesn't honors limits.conf. But you changed the limit for all users, root will get then and so will squid when started. That's why I told you to put an ulimit command on /etc/sysconfig/squid, so you can increase the limit just for squid and not for the whole system. []s, Fernando Lozano
Re: [squid-users] squid smp fails -k reconfigure
Hi Alex,
First of all, thanks for the feedback.
I find very strange that workers 6 and 5 try to get aufs cache stores.
They are supposed to be the rock store disker and the coordinator! My
squid.conf has:
workers 4
cache_dir aufs /cache/worker${process_number} 25000 16 256 min-size=31001
max-size=346030080
AUFS store is not SMP-aware. You should not be using it in SMP
configurations IMO.
Squid configuration examples and the wiki page about SMP tells to use
${process_number} to setup exclusive aufs caches for each worker.
See, for example,
http://wiki.squid-cache.org/ConfigExamples/SmpCarpCluster
Which was the inspiration for my setup.
If we should not use anything except rock store for SMP this should be
explicit in the docs/wiki/faq.
Is squid -k reconfigure working well for everyone else with SMP?
Reconfigure does not work well without SMP. It works even worse with
SMP. Log file rotation is an example of a problematic area specific to SMP.
That's also news to me. I could not find anything on squid-cache.org
stating reconfigure is problematic and should be avoided.
Just to make sure I understand correctly: I shoud restart squid, instead
of reconfiguring, when changing acls, and cope with the downtime?
Should I try to hide those directives from them?
In general, no. It is best to let your squid.conf reflect the entire
Squid instance configuration rather than sprinkle it with SMP
conditionals. Besides, many options have defaults so hiding them will
not produce the intended results. Squid will eventually learn to ignore
irrelevant settings on its own.
However, if hiding some directive works around a significant SMP
problem, hiding it may be better than waiting for others to fix the
actual problem.
So I'll try to hide the cache_dir aufs from the processes that doesn't
need them, as the default would be having no disk cache. I'll tell you
if this helped or not.
[]s, Fernando Lozano
[squid-users] squid smp fails -k reconfigure
Hi there,
Since I enabled SMP mode on my squid 3.4.3 server, reconfiguring is not
working consitently. Here's the relevant log entries:
--
2014/06/02 11:35:37| Set Current Directory to /cache
2014/06/02 11:35:37 kid6| Reconfiguring Squid Cache (version 3.4.3)...
2014/06/02 11:35:37 kid6| Logfile: closing log
stdio:/var/log/squid/access.log
2014/06/02 11:35:37 kid5| Reconfiguring Squid Cache (version 3.4.3)...
...
2014/06/02 11:35:37 kid6| ERROR opening swap log
/cache/worker6/swap.state: (2) No such file or directory
2014/06/02 11:35:37 kid5| ERROR opening swap log
/cache/worker5/swap.state: (2) No such file or directory
2014/06/02 11:35:37 kid5| storeDirWriteCleanLogs: Starting...
2014/06/02 11:35:37 kid5| log.clean.start() failed for dir #1
2014/06/02 11:35:37 kid5| Finished. Wrote 0 entries.
2014/06/02 11:35:37 kid5| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: UFSSwapDir::openLog: Failed to open swap log.
Squid Cache (Version 3.4.3): Terminated abnormally.
FATAL: UFSSwapDir::openLog: Failed to open swap log.
Squid Cache (Version 3.4.3): Terminated abnormally.
--
I find very strange that workers 6 and 5 try to get aufs cache stores.
They are supposed to be the rock store disker and the coordinator! My
squid.conf has:
workers 4
cache_mem 6144 MB
cache_dir rock /cache/shared 3 min-size=1 max-size=31000
max-swap-rate=250 swap-timeout=350
cache_dir aufs /cache/worker${process_number} 25000 16 256
min-size=31001 max-size=346030080
logfile_rotate 4
Would squid be having troubles with my cache_mem and cache_dir big sizes?
Is squid -k reconfigure working well for everyone else with SMP?
Other strange entries, from earlier in the cache.log:
-
2014/06/01 03:13:05 kid5| Set Current Directory to /cache
2014/06/01 03:13:05 kid5| Starting Squid Cache version 3.4.3 for
x86_64-redhat-linux-gnu...
2014/06/01 03:13:05 kid5| Process ID 23990
2014/06/01 03:13:05 kid5| Process Roles: disker
2014/06/01 03:13:05 kid5| With 65536 file descriptors available
2014/06/01 03:13:05 kid5| Initializing IP Cache...
2014/06/01 03:13:05 kid5| DNS Socket created at 0.0.0.0, FD 7
2014/06/01 03:13:05 kid5| Adding nameserver 200.20.212.75 from
/etc/resolv.conf
2014/06/01 03:13:05 kid5| Adding nameserver 200.20.212.99 from
/etc/resolv.conf
2014/06/01 03:13:05 kid5| Adding domain inmetro.gov.br from /etc/resolv.conf
2014/06/01 03:13:05 kid5| Adding domain inmetro.gov.br from /etc/resolv.conf
2014/06/01 03:13:05 kid5| helperOpenServers: Starting 10/100
'basic_ldap_auth' processes
-
If kid5 is a disker, why does it setups up dns resolver and ldap auth
helpers? It looks like disker and coordinator try to process all
squid.conf directives, even when they are supposed not to do any
network-related stuff.
Should I try to hide those directives from them?
I also got something strange on shutdown:
2014/06/02 14:36:47| Set Current Directory to /cache
2014/06/02 14:36:47 kid6| Preparing for shutdown after 0 requests
2014/06/02 14:36:47 kid6| Waiting 5 seconds for active connections to finish
...
2014/06/02 14:36:53 kid6| Shutting down...
2014/06/02 14:36:53 kid6| Not currently OK to rewrite swap log.
2014/06/02 14:36:53 kid6| storeDirWriteCleanLogs: Operation aborted.
-
What means not OK to rewrite swap log? kid6 is the coordinator, it
shoud not mess with cache dirs!
[]s, Fernando Lozano
RE: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi Lawrence, Write permissions for user/group squid. Instead of just trying what worked for me, we should find what's happening with you: - what happens when you try to start squid in smp mode? - How are your squid.conf? - Are there erros on squid's cache.log? []s, Fernando Lozano What permissions are needed? Best regards, The Geek Guy Lawrence Pingree
RE: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi Lawrence,
Here's the error I am getting and my squid.conf
FATAL: Ipc::Mem::Segment::create failed to
ftruncate(/squid-squid-page-pool.shm): (22) Invalid argument
If squid can't create the shm file, you should check your OS
configuration. It's not squid fault, the server Os has to be configured
to provide enough shared memory to squid.
Most of the time, it's enough to mount tmpfs mounted as /dev/shm, but
I'm not familiar with SuSE installation defaults.
cache_dir aufs /ssd/squid/cache0 45000 64 1024
cache_dir aufs /ssd/squid/cache1 45000 64 1024
This won't work in smp mode. Each worker needs a dedicated cache_dir,
except for rock store. But your squid never reached that point.
The way you did all workers will try to use both cache_dirs. I guess
you want one for each worker. So replace those two lines by:
cache_dir aufs /ssd/squid/cache${process_number} 45000 64 1024
That way each worker will use only it's own, exclusive, cache dir.
workers 2
Ok, you are trying to use 2 workers.
[]s, Fernando Lozano
Re: [squid-users] Error restarting squid from RPM
Hi Cinaed, The problem as I see it is there needs to be timeout (or a wait) between stop and start in restart. The stop branch returns immediately and then executes the start branch which sees the pid file (since the controlling squid is waiting for the children to complete their processes) and claims squid already running and exits. No, stop won't return immediately. It waits for the control process to stop, but it waits for a limited amount of time. So when stop returns to restart, squid may still be alive. That's why I propose using the stop function own return code on restart: if stop says it returned by timeout, restart shouldn't start. So when the controlling squid finally stops and removes the pid file the start branch has already exited and the server doesn't restart. I'm not an expert on squid but I would not recommend removing the pid file before squid controller has exited. I guess the script removes the pid file because squid may have been killed without a change to clean after himself. Other CentOS init scripts do the same. []s, Fernando Lozano
[squid-users] Another bug on Eliezer RPM packages - squid SMP needs /var/run/squid
Hi there, To make squid run in SMP mode using Eliezer packages for CentOS 6.x it is not enough to add SELinux policies as I already presented in another thread. You have to create /var/run/squid with appropriate permissions. I did: # mkdir /var/run/squid # chgrp squid /var/run/squid # chmod g+w /var/run/squid Squid creates the socket files (coordinator.ipc, kid-1.ipc, etc) for SMP mode in /var/run/squid, but this directory does not exists on a standard CentOS install and it's not created by Eliezer RPM packages. I guess this directory should be part of the squid RPM package. I'm also trying to submit my fixes for squid SMP on Fedora project, as their packages eventually become the official CentOS/RHEL packages. If someone is interested, you can follow: - Fedora packages SElinux policies in a single package, instead of inside each service package: https://bugzilla.redhat.com/show_bug.cgi?id=1099543 - About /var/run/squid https://bugzilla.redhat.com/show_bug.cgi?id=1099970 - About my proposed change to /etc/init.d/squid https://bugzilla.redhat.com/show_bug.cgi?id=1099577 []s, Fernando Lozano
[squid-users] Error restarting squid from RPM
Hi,
I don't know if this affects only the RPM packaging or squid sources.
I'm
using Eliezer packages for CentOS 6, namely 3.4.3-1.el6.x86)64.
The issue is that sometimes service squid restart leaves old squid
processes running alongside newer ones. I have to killall squid and
start
again to have a working proxy.
I see squid -k shutdown does not wait for all squid kids to stop, and
this makes init.d/squid to leave such broken restart.
I coud just increate SQUID_SHUTDOWN_TIMEOUT at /etc/sysconfig/squid so
the
init.d/squid script wait a little longer, but i think the restart
command
should be more robust. So I propose the following simple change to the
init.d/squid script:
---
restart() {
stop
RETVAL=$?
if [ $RETVAL -eq 0 ] ; then
rm -rf $SQUID_PIDFILE_DIR/*
start
else
echo Failure stopping squid or stopping squid took too long. Please
check
before restarting.
return 1
fi
}
---
Instead of blindly calling start after stop, check if the stop function
returned ok or an error status code.
I think it's better having restart fail sometimes than having broken
squid
processes after restart.
[]s, Fernando Lozano
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi Lawrence, Personally I use RPM's on Opensuse and I'm running 3.4.4.2 which is pretty recent to be honest. (..) However, the down side is that I cannot run SMP mode (for some reason I think the RPM is not compiled with it) as well as I am stuck running this version until someone builds a new RPM. This thread started when I offered a contribution for allowing SMP mode from the rpm packages. :-) Are your issues related to SELinux or APParmour? If post them on the list someone may help you with them and the fix may be incorporated to a later rpm package. []s, Fernando Lozano
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi, On Sun, May 18, 2014 at 4:32 AM, Marcus Kool marcus.k...@urlfilterdb.com wrote: The statement that RPMs add an unnecessary component that may need debugging is utter nonsense. In fact, it's technically factual. Some may find it useful in other ways, but the following facts remain: It's only your version of the facts, that is, your own *opinion*. But when you state it in such absolute terms, you do a disservice to the community, because many newbies will take your opinion as a real fact and loose the oportunity to have something that could be way better for their particular setup. So I'm sorry Amos Jeffries, but I have to continue this thread a little longer. ;-) 1. It's unnecessary - Squid does not need RPMs to install, or run. If package management is so unnecessary, why all major linux distros were built around this concept? Why aren't more people using Linux from scratch to build their production servers? Why don't you build your own kernel, gcc, bash, openssl, etc? 2. It may not work the way you expect, so you have to debug the unnecessary component. RPM and DEB infrastructure provides a really nice debugging infrastructure. Just learn how to use it. :-) Besides, your own build also may not work as you expect, and for most sysadmins, who are not system-level programmers, finding the cause may be harder than with rpm or deb packages. If you install something from a properly built RPM or DEB package, you get configuration management, something no sysadmin should ever live without. The package manager knows your binary files checksums and can check they were tampered with. The package manager knows your binaries depends on system shared libraries, and won't let you install without them -- most will even download all your system is missing -- and won't let you remove something other packages depends upon. Without package management, you'll have do do yourself this management. You may end up with lots of software (libraries and binaries) which the system does not know where they came from, nor how they are related. In the long run, it gets much easier to break something than with package management. Not only your squid binaries need security updates, but all libs and other binaries it depends on need those updates. One big cause of vulnerabilities are outdated libs embebbed in some software installation. Your distro will provide you timely updates, easy to apply, but only if you do use package management. If you don't, it gets much easier to end up with a vulnerable squid installation. Squid is not a special case. All reasons to use package management apply as well to squid as to any other server software. Of course you can do the right thing with build-your-own, but you'll have more work to do, more changes do forget about something, more room for mistakes. Most sysadmins won't live on the edge. I belive for most of them rpm/deb packages will be way better. If compiling your self works for you, and you do know all the implications of this, you do all your homework to keep your server stable and secure, fine. But it is my opinion that it's a little irresponsible to advice this as the better choice for everyone. PS: If you do want to build youself (say to try latest development code) take the time to use your distro -devel packages. Try to build the mininum set of software yourself and relay on the biggest set of distro-packaged software you can. Better yet, build your own squid from SRPM packages, so you can have your custom binaries and yet have all package management features. Those are not exclusive choices. :-) []s, Fernando Lozano
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi, I don't quite agree with you. Let me expose my views so each member of the list can weight pros and cons: Not answering this thread, but would like to ask some related points for anyone who may be listening in: 1. RPMs. For practically everything else, I use RPMs for installation. For Squid, I've moved away from this approach. Standard RPMs still provide only 3.1.10. Non-standard RPMs, you have no idea where the next one is coming from, or whether it suits your needs. If you compile-your-own, you get the version you want, anytime you want In my experience using unofficial rpms from the community is way better than compile-your-own. More people try, test and fix unofficial rpms than your own build. When you get someone providing those RPMs for many releases, lie Eliezer, you can trust it almost like the official community packages from your distro. Besides, in the rare occasions you really need a custom build you can start from the SRPM and still get dependency management, integrity verification and other RPM/yum features that you loose then you compile-your-own. Better to help improve the RPM packages for the benefit of all the community than selfishly wasting your time on a build only for yourself. 2. SELinux With Squid, normally you don't let end-users on the same server. In you don't have end-users on the same server, from a technical point of view, SELinux doesn't add value. If you have end-users on the same box, you probably have other issues to deal with first. SELinux is very usefull even if no other user has shell access to the machine. Turning off SELinux is like turning off your firewall. JUST DON'T. Any process that listens for network packets can/wiil sometimes be vulnerable to a buffer overflow or some other kind of remote exploit. SELinux prevents those -- not only the known ones, but also those yet unkown -- from doing more damage. If a cracker finds some squid vulnerability but SELinux is enabled and properly configured, he can only mess with the cache files, the things squid normally has to have write access. But it there's no SELinux, we can find a privilege escalation bug (though rare, those exists) and become root. Even without privilege escalation, we can use the squid proces to open network connections do do damage to other internal servers, as your firewall will normally protect only the network edge, and not internal servers from one another. There are many other possibilities for a succesfull attach to squid (or any other network server). But SELinux liimts even those running as root. if you turn off SELinux, this means you simply don't understand how it improves security. Some time ago you found you should learn how to configure network firewalls. Just accept you now should learn how to configure SElinux. []s, Fernando Lozano
Re: [squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi Eliezer,
I have an updated version of my policy file. It prevents an AVC when
stopping or reloading squid.
Hope you noticed the wrong name for the original file: it was supposed
to be squid-*smp*.te, not squid-*snmp*.te. :-)
Here's the new file:
--- squid-smp.te ---
module squid-smp 1.1;
# for ipc channels between kids/workers
require {
type var_run_t;
type squid_t;
class sock_file { create write unlink };
}
allow squid_t var_run_t:sock_file { create write unlink };
allow squid_t var_run_t:sock_file create;
# for shm used by cache_mem and rock store(?)
require {
type squid_t;
type tmpfs_t;
class dir { remove_name add_name write };
class file { unlink create };
}
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- end of squid-snmp.te ---
I have not tested it with squid development releases (3.5) only with
your 3.4.x rpms. But please write me if you need any help with SELinux
in the future. I'm not an expert, but as I do have to use it in
enforcing mode, I'll probably get the same issues.
[]s, Fernando Lozano
Hey Fernandno,
First thanks!
It indeed helps a lot since there were issues I didn't knew how to
look at.
I am hoping to release the RPM next week but I will include the
selinux rules only on the next release due to the overhead of packing
it.
I might be able to package it in another external package not related
directly to squid package and which seems reasonable for me.
About the ulimit related issue:
It's an option to use sysconfig for this option and I will consider
it in the next releases.
Eliezer
Re: [squid-users] Advise about cache store in SMP mode, single disk
Hi Amos, (or do you prefer Jeffries?) On 9/05/2014 6:29 a.m., fernando wrote: I have a server configured to run in SMP mode with two cache stores: a shared rock store and a dedicated aufs store for each worker. But I have only one physical disk (actually a hardware raid). RAID ? ... pretty much dont. I know... but right now I can't change that. :-( So I'm trying to do the best with what I have, and later try to build a new server more closely following best practices. This does not change with SMP. I fact it gets worse as each worker will be adding I/O contention at much higher overall rate than a single Squid process could. The problem is: we have lots and lots of acls, and cpu use is already at 100% during regular user load. Response time is good, but we can't add more acls (and other requested features, such as delay pools) because of the cpu bottleneck. Yes, we do have some weird internet access rules. ;-) [rock + aufs or rock + diskd?] diskd is roughly equivalent to AUFS with one I/O thread. It will remove the contention by removing cache_dir throughput capacity, and thus limiting Squid traffic speed. So no diskd is not likely to be useful if your aim is high performance. Right now I need to use more cpu. I know disk access will be worse, but so far everything tells it'll be acceptable. I'm running CentOS 6.5 x86_64. None of the UFS storage types are using SMP-aware code at present so each SMP worker requires a unique cache_dir location for ufs, diskd, and aufs caches. So I understand diskd with SMP will spawn one diskd process for each worker, and so It won't be better than aufs, given that I do have a single (raid) disk. :-( I was hoping that I'd get a single diskd process for all workers, and in my particular scenario this could be better than many aufs threads sharing the same physical disk. Yes, in your situation CARP would the be somewhat equivelant to AUFS is disk behaviour. Just using whole Squid processes instead of lightweight threads. I can't anymore. I need more cpu (more cores). I would take a good look over that hardware RAID controller and see if there is either a way to expose the underlying HDD as mounts for Squid use (effectively disabling the RAID), or pin a particular Squid worker process to a physical spindle (random guess at that even being possible). The single raid set has the OS and cache_dir. I can't change that without reinstalling anew. And I can't reinstall right now. :-( I wan't the guy who installed this firsttime. I'm just expect to do miracles with minimum change to the hw/os setup. ;-) You dont mention a Squid version, so another thing to look at might be the upcoming large file support for rock caches in 3.HEAD packages. That should (in theory a least) let you replace the AUFS dirs with rock dirs. I'm following that. I'm using the latest 3.4.3 RPMs for CentOS by Eliezer. Policy here won't allow me to try development releases, so I'd have to wait for a stable 3.5.x release. []s, Fernando Lozano
[squid-users] configuring Eliezer RPMs for CentOS 6 for SMP
Hi there,
First of all, thanks Elizer for providing the packages!
The package installed and run fine with the default, single process
config. I'm trying to follow best-practices like keeping SELinux enabled
(enfocing) and I was happy to see the packages follow the standard
targete policies included on CentOS 6.5.
But, when I tried a SMP setup, I got some SELinux AVCs.
Those were related to the socket files used for IPC betweeb workers and
coordinator, and shm files for shared cache_mem and (i guess) rock
store.
Here are the revelant settings from my squid.conf (this is my test
machine, the production one has more RAM, cores and disk):
--- SNIP ---
workers 2
cache_mem 1024 MB
cache_dir rock /cache/shared 2000 min-size=1 max-size=31000
max-swap-rate=250 swap-timeout=350
cache_dir aufs /cache/worker${process_number} 2000 16 256
min-size=31001
max-size=346030080
--- SNIP ---
I followed standard advice and run audit2allow to build aditional
SELinux
policy modules. After everything was working fine, I took the time to
build and test a consolidated policy module. Here it is:
--- squid-snmp.te ---
module squid-smp 1.0;
# for ipc channels between kids/workers
require {
type var_run_t;
type squid_t;
class sock_file { create write };
}
allow squid_t var_run_t:sock_file { create write };
allow squid_t var_run_t:sock_file create;
# for shm used by cache_mem and rock store(?)
require {
type squid_t;
type tmpfs_t;
class dir { remove_name add_name write };
class file { unlink create };
}
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- squid-snmp.te ---
To compile and install this policy module, please run:
# checkmodule -M -m -o squid-smp.mod squid-smp.te
# semodule_package -o squid-smp.pp -m squid-smp.mod
# semodule -i squid-smp.pp
I hope Eliezer can add this to the next update to his packages, so
others can try SMP without fighting with SELinux.
But, as I'm not so experienced with SELinux, I'd be glad to receive
advice on how to make this policy more strict, more secure.
For example, I guess I could use squid_var_run_t instead of using
var_run_t, to have a more specific fcontext for squid IPC files. I know
how to do this manually:
# semanage fcontext -a -t squid_var_run_t /var/run/squid(/.*)?
# restorecon -Fv /var/run/squid/
But I don't know hot to add this to the policy file.
I also guess I could be more strict about the shm files (tmpfs_t) but I
don't know how to do this.
Another hurdle I had with the RPM packages was about setting ulimit
nofile. I'm used to add them to /etc/security/limits.conf and this work
fo r CentOS init.d scripts, but not for the squid script.
My solution was to a line to /etc/sysconfig/squid:
ulimit -n 32768
But maybe I should edit the init.d/squid script to use function
daemon() from /etc/init.d/functions or runuser like other CentOS init.d
scripts do.
Well, I hope my findins and ideas can be useful to ther CentOS/RHEL
admins, and someone there can help me making the squid RPM more Red
Hat-ish.
[]s, Fernando Lozano
[squid-users] Advise about cache store in SMP mode, single disk
Hi there, I have a server configured to run in SMP mode with two cache stores: a shared rock store and a dedicated aufs store for each worker. But I have only one physical disk (actually a hardware raid). My preliminary tests show that having the shared rock store brings better response times than having only the aufs stores. But, as I still have some disk contention between workers, I wonder if I should replace the aufs stores by a diskd one. Squid docs are not clear about how diskd is supposed to work in a SMP setup: will I get only one diskd process, and so eliminate the disk contention from aufs stores? Or will squid start a diskd daemon for each worker? I also guess building a CARP setup wound not be so benefical because there would be still many workers competing for the same physical disk. []s, Fernando Lozano
[squid-users] Configuring Squid for windows to fight DDoS attacks
Hello, We have a server (for an online game) an we are receiving Ddos attacks. We don't know anything about Squid, but we would like that someone explains us how to configure the Windows version of squid to fight DDos attacks. Thanks, Fernando
[squid-users] Squid 2.6 with Active Directory Authentication
Hi List I'm from Brazil and this is my first post here... I'm trying do authentication in my Active Directory with Winbind and = Samba, I'm using FreBSD 6.3 Release, Squid 2.6.STABLE16 and Samba = 3.0.28. I am having problems with authentication I used to Squid 2.5 and I obtained sucess in my authentication... But = with Squid 2.6 I didn't obtain. Follow the error in my cache.log: Could not convert sid S-1-5-21-992990153-3527494177-59510-3105 to = gid Could not get groups for user 0 2008/02/26 10:49:56| helperHandleRead: unexpected reply on channel -1 = from nt_group #1 'OK' I found this correct, but the error continue: = http://wiki.squid-cache.org/KnowledgeBase/NoNTLMGroupAuth Follow my squid.conf, the authenticatio step #NTLM auth_param ntlm program /usr/local/bin/ntlm_auth = --helper-protocol=3Dsquid-2.5-ntlmssp -d 2 auth_param ntlm children 60 auth_param ntlm keep_alive on #B=E1sico auth_param basic program /usr/local/bin/ntlm_auth = --helper-protocol=3Dsquid-2.5-basic auth_param basic children 10 auth_param basic realm Internet Monitorada auth_param basic credentialsttl 2 hours #ACL External para Grupos external_acl_type nt_group ttl=3D0 concurrency=3D5 %LOGIN = /usr/local/libexec/squid/wbinfo_group.pl Follow some tests that I realized: srv-gw01-sve# wbinfo -u | grep fernando.lima fernando.lima srv-gw01-sve# wbinfo -g | grep g-netliberada-sve g-netliberada-sve srv-gw01-sve# wbinfo -t checking the trust secret via RPC calls succeeded srv-gw01-sve# wbinfo -n g-netliberada-sve S-1-5-21-992990153-3527494177-59510-4298 Domain Group (2) Please, can somebody help-me ??? Thanks !! Fernando de Lima Network Administrator
RE: [squid-users] access.log
Instead of moving only the file you can change the name using the same cron so the name of the file will be access.log-day-month-year-hour-minute --- Fernando Rodriguez -Mensaje original- De: Firas A. Mubarak [mailto:[EMAIL PROTECTED] Enviado el: miércoles, 20 de junio de 2007 01:19 p.m. Para: Fernando Rodriguez; squid-users@squid-cache.org Asunto: Re: [squid-users] access.log this is a very good idea i likd it thank you very much, but once it rotate it just overwrite the previous log file. i want to keep all the access.log files stored for 6 momths . any ideas ? thnx - Original Message - From: Fernando Rodriguez [EMAIL PROTECTED] To: 'Firas A. Mubarak' [EMAIL PROTECTED]; squid-users@squid-cache.org Sent: Wednesday, June 20, 2007 5:29 PM Subject: RE: [squid-users] access.log I made a litle shell script that does that but instead of ftp y rsync to another server whare the file is processed I use centos 4 so I created an entry in crontab where I run this every 8 minutes #!/bin/bash rsync /var/log/squid/access.log -e ssh [EMAIL PROTECTED]:webcache1.log cat /dev/null /var/log/squid/access.log squid -k rotate Hope this helps --- Fernando Rodriguez -Mensaje original- De: Firas A. Mubarak [mailto:[EMAIL PROTECTED] Enviado el: miércoles, 20 de junio de 2007 09:24 a.m. Para: squid-users@squid-cache.org Asunto: [squid-users] access.log Dear All, I have to store my access.log files for 6 months. i need to log rotate the file every 6 hours and then get it uploaded to a local FTP server automatically. any ideas ? Thanks Firas
[squid-users] Squid compression
Hello, Is there any way to compress the traffic on the fly for squid ?? Can someone point on the right direction. --- Fernando Rodriguez -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: [squid-users] Squid compression
Hello, I didnt undestand your reply what does original server mean?? --- Fernando Rodriguez -Mensaje original- De: Snow Wolf [mailto:[EMAIL PROTECTED] Enviado el: jueves, 14 de junio de 2007 11:12 a.m. Para: Fernando Rodriguez CC: squid-users@squid-cache.org Asunto: Re: [squid-users] Squid compression Instead you could do compress on original servers.If you were using Apache,then can use deflate module.Also notice when using deflate you may need to open this directive in squid.conf: cache_vary on Good luck. 2007/6/14, Fernando Rodriguez [EMAIL PROTECTED]: Hello, Is there any way to compress the traffic on the fly for squid ?? Can someone point on the right direction. --- Fernando Rodriguez -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: [squid-users] Intercepting cache, CISCO + SQUID = WCCP
I just finished the set up CISCO + SQUID = WCCP and its working great I didnt use tproxy, I am using ufdb for content filtering. Im running centos 4 squid 2.6.STABLE12 (created the rpms) ip_gre module If you need any help I could send you the files Cisco 3845 Using wccpv2 whith access list --- Fernando Rodriguez -Mensaje original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de Alexandre Correa Enviado el: miércoles, 09 de mayo de 2007 11:17 p.m. Para: squid-users@squid-cache.org Asunto: [squid-users] Intercepting cache, CISCO + SQUID = WCCP Hello again :) i´m planing to move my new squid box to act with cisco using wccp v2 !! today my network topology: (internet) - cisco -- switch -- (eth0) gateway+squid (eth1) -- clients squid is running on gateway.. the new topology is: (internet) - cisco - switch - (eth0) gateway (eth1) - clients _|(eth0) squid box Questions: 1- with wccp, squid are transparent like TPROXY ? 2- wich is best, turn my gateway into a bridge and squid box receiving the link (eth0) and on eth1 linked to gateway (eth0) OR put squid like the 'new topology' ? Thanks !! Best Regards !! -- Sds. Alexandre J. Correa Onda Internet / OPinguim.net http://www.ondainternet.com.br http://www.opinguim.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: [squid-users] Router Bridge or wccp
What version of squid would you reccomend for this task --- Fernando Rodriguez -Mensaje original- De: Adrian Chadd [mailto:[EMAIL PROTECTED] Enviado el: lunes, 07 de mayo de 2007 10:13 p.m. Para: Fernando Rodriguez CC: squid-users@squid-cache.org Asunto: Re: [squid-users] Router Bridge or wccp On Mon, May 07, 2007, Fernando Rodriguez wrote: Hello, I run a big network with more than 8000 computers y am planning on setting up a squid cache proxy I have done this in different ways as a transparent bridge proxy and as wccp but not with that many clients. I'd set it up using WCCP from the right spot in your network. It makes adding more proxy servers easier; it makes handling failover easier. You can tune the WCCP configuration to distribute traffic based on client IP or on destination IP (and including source/destination port too.) Adrioan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
[squid-users] User Authentication
Can anyone tell me how to use User Authentication in SQUID??? I want to create 2 users, one is Student other one is Teacher, If it is Student he will be restrice Prono sites,movie downlods...etc Pl help me..I am a newbie to Linux. Sandun.
[squid-users] Delay Pools Order
Hello, I have squid Version 2.5 STABLE6, running on a SME 7 server. I enabled delay pools for 3 groups of users as follows: acl all src 0.0.0.0/0.0.0.0 acl localsrc src 127.0.0.1 175.1.1.0/255.255.255.0 192.168.37.14 acl itguys src /etc/squid/itguys acl filesno url_regex -i /etc/squid/filesno acl trustedsites url_regex -i /etc/squid/trustedsites acl catastmap src /etc/squid/catastromap delay_pools 3 delay_class 1 1 delay_class 2 1 delay_class 3 1 delay_parameters 1 16000/16000 delay_parameters 2 32000/32000 delay_parameters 3 64000/64000 delay_access 1 allow catastmapa delay_access 1 deny all delay_access 3 allow sistemas delay_access 3 deny all delay_access 2 allow localsrc delay_access 2 deny all AND then, I have the following acl rules: http_access allow trustedsites http_access allow itguys http_access deny filesno http_access allow catastmapa http_access deny all Now, the problem is that when testing internet speeds (My PC is part of the itguys group), it never shows bandwith superior to 160kbps. The question then is: Is there anything wrong with the order of the pools, or for that matter with the distribution of groups in the way I did it? Thank you all so much in advance for any help you might give me. Mario F. Rodríguez IT Director Municipality of Quetzaltenango, Guatemala.
Re: [squid-users] Squid and NTLM passthrough
Steffan, I use Squid and NTLM passthrough auth. The credentials used during login are automatically passed to Squid to allow/block user access to this or that ACL. It works just fine. The only problem I had is that I hat to manually insert users on Squid lists (on the domain\username format). I had to that because I don´t like Winbind - during the Active Directory replication intervals, user information obtained with winbind - such as group membership, account status and other important stuff - may not be the up to date. I solved that building a script that uses openldap clients to import the list of users allowed to access the Internet from the Active Diretory Domain Controller - if the user is in this OU, he/she has access; if he/she´s not, he doesn´t have. The configuration is quite simple: === squid.conf === # DOMAIN is your AD domain ; server1 and server2 are the Netbios names # of your domain controllers (you can specify more servers, if you want) auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/server1 DOMAIN/server2 auth_param ntlm children 40 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off # Making the authentication a requirement acl password proxy_auth REQUIRED # Example of user ACLs acl common_users proxy_auth /etc/squid/lists/common_users.auth acl vip_users proxy_auth /etc/squid/lists/vip_users.auth # Blocked keyworks in URLs (Regular Expressions) acl trash url_regex -i /etc/squid/lists/trash.url # Webmail sites acl webmail url_regex -i /etc/squid/lists/webmail.url # Blocked file extensions - for everyone´s safety acl bad_extensions url_regex -i /etc/squid/lists/bad_extensions.url # http_access rules - # Blocking unsafe files for everyone http_access deny bad_extensions all # Allowing vip users to access everything http_access allow vip_users all # Disallowing common users to access trash and webmail http_access deny common_users trash http_access deny common_users webmail # Allowing common users to access other sites http_access allow common_users password # Denying everything to everyone http_access deny all = == Sample common_users.auth file === # Everyone that have access to the Internet mydomain\leeoswald mydomain\pmacartney mydomain\fmulder mydomain\peppin mydomain\fbaggins mydomain\joliva = == Sample common_users.auth file === mydomain\sauron # The President/CEO mydomain\nazgul # Mr. Sauron´s secretary (almost doesn´t work, but complains a lot) mydomain\cmanson # HR Manager - Better not to bother him :) = == Sample webmail.url file === # List of regular expressions that mean that user is # trying to access some webmail service webmail ^http\://mail\.yahoo hotmail zipmail myrealbox .*/(web)?mail # Insert your own expressions = == Sample trash.url file === # List of regular expressions that mean that user is # trying to access some blocked websites porn xxx pornography chat orkut mp3 = == Sample bad_extensions.url file === # List of regular expressions that mean that user is # trying to access some blocked files .*\.exe$($|\?) .*\.bat($|\?) # Or, making it more simple: .*\.(exe|bat|com|scr|cmd|pif|reg|vbs)($|\?) = Hope it helps! Regards, Luis Talora Steffan Corley escreveu: I understand from Henrik Nordstrom's message on 1st September 2006 that Squid 2.6 supports NTLM passthrough. I need to implement a Squid cache in front of an upstream proxy running ISA server (which is at the enterprise level). The ISA server authenticates using NTLM and then uses WebSense to filter web results. Crucially, while one user may be filtered for a particular site, another user may have access to that site. Unfortuately, I have no control over the ISA server set up and no way to bypass it. Is this possible? I see two possible problems: 1. Is NTLM passthrough actually implemented? I can find nothing in the Squid documentation. Does it do what I would need for this to actually work (i.e. maintain a 1-1 mapping between client connections and connections to the upstream proxy)? 2. Will the cached pages get served to different users without checking whether the upstream ISA server would have blocked them for this user? I.e. if user A visits www.dodgy.com and is not blocked by ISA server, will www.dodgy.com be served from the cache to user B regardless of whether the ISA server would have blocked them or not. Thanks for any help. Steffan
Re: [squid-users] disable ntlm_auth for java
Hello! I had the same problem and I did the same thing you are thinking about. I bypassed authentication for java stuff. I've read many things including the sun knowledge base and there are many issues regarding authentication with the jvm, especially with ntlm! You can solve this by creating an acl like this: acl java_jvm browser Java/1.4 Java/1.5 http_access allow java_jvm Remember to keep it in front of any http_access lines regarding authentication, otherwise it won't work. I haven't worked out the windows update issue since I only do it in my servers and when I do I make a NAT rule in my firewall, but I think it has something to do with 443 port (ssl). Cheers, André Hitzler, Siegfried (Exchange) wrote: Hello, We authenticate our users over ntlm_auth. The problem is if the load a Java-Applet which is implemented on a Secure Site (www.netbanking.at), Java pops up a Windows and force the users to enter their username, password and domain to load the Applet. Is there a way to disable authentication for Java-Applets or for some sites? Same shit on Windows Update Site. Site is searching for needing updates when suddenly an error apears. authentication lines in squid.conf looks something like this: auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/PDC auth_param ntlm children 10 auth_param ntlm max_challenge_lifetime 2 minutes Would be realy greate if somebody can help me out of this problem! Thanks and best regards Siegfried
Re: [squid-users] Howto for Squid in Active Directory (on Debian)
Hi! I´ve tried to use squid with winbind and couldn´t put it working. Then I realized that it is not worth (at least in my case): it too boring to add a user to some group and wait Active Diretory to replicate the changes to ensure squid gets them. I use ntlm_auth and files containing domain\username to build my access lists. It works really nice! And you don´t need samba installed (at least I didn´t, running on Fedora 4 and installing squid from the RPM package). If you need any help, just let me know. Regards, Luis Talora Odhiambo WASHINGTON escreveu: * On 10/08/06 14:37 +0200, Mario Iseli wrote: | Hello, | | on the Internet i find tousands of Howtos how to install Squid, | windbind, etc. Noone of them is working! Can anyone give my some hints | where I find a good tutorial obout how to install a Squid with | authentication (to Active Directory) and how to handle with Windows | group-privileges? Is it necessary to execute winbindd --set-auth-user | bla%blabla? What happens if the password of bla changes? http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +==+ |\ _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED] Zzz /,`.-'`'-. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +==+ Never eat more than you can lift. -- Miss Piggy
[squid-users] Virtual drives
Fellows, I´m having some trouble writing a very basic ACL, but I can´t realize were´s the catch. The idea is to block virtual drivers (which peolple use to store all sorts of files). For some sites (such as http://www.idrive.com; or http://www.freedrive.com;), the blocking occurs ok; for Yahoo! Briefcase (http://briefcase.yahoo.com;), the blocking does not occur. Configuration used follow: --- squid.conf --- acl virtualdrv url_regex -i /etc/squid/lists/virtualdrv.url (...) # BLOCKING VIRTUAL DRIVES http_access deny all virtualdrv - virtualdrv.url yousendit\.com briefcase discovirtual idrive freedrive xdrive imacfloppy mydocsonline myspace driveway mywebos all-free-info - Could anybody please give me a clue? Thanks a lot! Luís Talora
Re: [squid-users] Virtual drives
Hello, From my experience, you can achieve better results if you use dstdomain type acl for blocking an entire domain. The use of regex acls is much slower and is only effective for matching things after the domain name (eg: domain.com/blah). In this case, you have to change your acl to something like: acl virtualdrv dstdomain /etc/squid/lists/virtualdrv.url And inside the virtualdrv.url file, add your entries to something like: .idrive.com .xdrive.com ... and so on regards, André Luís Fernando C. Talora wrote: Fellows, I´m having some trouble writing a very basic ACL, but I can´t realize were´s the catch. The idea is to block virtual drivers (which peolple use to store all sorts of files). For some sites (such as http://www.idrive.com; or http://www.freedrive.com;), the blocking occurs ok; for Yahoo! Briefcase (http://briefcase.yahoo.com;), the blocking does not occur. Configuration used follow: --- squid.conf --- acl virtualdrv url_regex -i /etc/squid/lists/virtualdrv.url (...) # BLOCKING VIRTUAL DRIVES http_access deny all virtualdrv - virtualdrv.url yousendit\.com briefcase discovirtual idrive freedrive xdrive imacfloppy mydocsonline myspace driveway mywebos all-free-info - Could anybody please give me a clue? Thanks a lot! Luís Talora
Re: [squid-users] Virtual drives
I didn´t want to do that, because I´d like to block every URL with matching words on it (such as briefcase for example.briefcase.com, briefcase.example.com and www.example.com/briefcase). The ACL is OK in that case, right? What could be causing the behavior I´m experiencing here? Thanks again! Regards, Luis Talora Andre Fernando Goldacker escreveu: Hello, From my experience, you can achieve better results if you use dstdomain type acl for blocking an entire domain. The use of regex acls is much slower and is only effective for matching things after the domain name (eg: domain.com/blah). In this case, you have to change your acl to something like: acl virtualdrv dstdomain /etc/squid/lists/virtualdrv.url And inside the virtualdrv.url file, add your entries to something like: .idrive.com .xdrive.com ... and so on regards, André Luís Fernando C. Talora wrote: Fellows, I´m having some trouble writing a very basic ACL, but I can´t realize were´s the catch. The idea is to block virtual drivers (which peolple use to store all sorts of files). For some sites (such as http://www.idrive.com; or http://www.freedrive.com;), the blocking occurs ok; for Yahoo! Briefcase (http://briefcase.yahoo.com;), the blocking does not occur. Configuration used follow: --- squid.conf --- acl virtualdrv url_regex -i /etc/squid/lists/virtualdrv.url (...) # BLOCKING VIRTUAL DRIVES http_access deny all virtualdrv - virtualdrv.url yousendit\.com briefcase discovirtual idrive freedrive xdrive imacfloppy mydocsonline myspace driveway mywebos all-free-info - Could anybody please give me a clue? Thanks a lot! Luís Talora
Re: [squid-users] Group ACLs
I´ve tried that, but it didn´t work as expected. I´ve replaced lines as follow: http_access allow usr_site1 password http_access allow usr_site2 password http_access allow usr_site3 password with this line: http_access allow usr_site1 usr_site2 usr_site3 password It didn´t work. Is this behavior correct? Did I do anything wrong? Thanks a lot! Regards, Luis Talora Henrik Nordstrom escreveu: fre 2006-06-23 klockan 08:59 -0300 skrev Luís Fernando C. Talora: So, is it possible to create an ACL to group the other ACLs? Something line an all_users ACL containing the site1_users, site2_users ... and siteN_users ACLs, is it possible? It would make a lot easier to add new sites/ACLs when necessary... You can list multiple groups in the same acl.. Regards Henrik
Re: [squid-users] Group ACLs
Hum, I see now... And how would the acl line to group those ACLs into one be like? Thanks again (specially for your patience)! Regards, Luis Talora Henrik Nordstrom escreveu: mån 2006-06-26 klockan 10:54 -0300 skrev Luís Fernando C. Talora: I´ve tried that, but it didn´t work as expected. I´ve replaced lines as follow: http_access allow usr_site1 password http_access allow usr_site2 password http_access allow usr_site3 password0 with this line: http_access allow usr_site1 usr_site2 usr_site3 password This is not what I meant and won't work... (acl's in a http_access is logically AND:ed, so for the above to work the requested site must be in all three ACLs at the same time...) What I meant was joining the three into a single usr_sites acl. http_access allow usr_sites password Regards Henrik
[squid-users] Group ACLs
Fellows, I use Squid with ntlm_auth against an Active Directory server. A few days ago, I´ve replaced the ACL file witch contained the users allowed to use the proxy with 5 new ACLs, one for each site of the company. I did it to organize and turn administration easier. The only problem is that, for it line on squid.conf pointing the old ACL, I had to use 5 lines instead. So, is it possible to create an ACL to group the other ACLs? Something line an all_users ACL containing the site1_users, site2_users ... and siteN_users ACLs, is it possible? It would make a lot easier to add new sites/ACLs when necessary... Thanks a lot! Regards, Luis Talora
Re: [squid-users] DNSBL Redirector
Instead of using redirectores, I use deny_info on squid.conf (much easier), as follows: - # Declaration of the ACL for Pornography acl porn url_regex -i /etc/squid/lists/porn.url # Redirection to 10.0.0.10 deny_info http://10.0.0.10/proxy/?cat=pornurl=%s porn # Blocking access to porn (user will be redirected to the link above) http_access deny all porn - It rocks! Regards, Luis Talora Luiz Henrique Ozaki escreveu: Hi, Im using a DNSBL redirector that denies some sites redirecting to a warning page. How can I make denied sites from the redirector to get logged in the access.log as denied ?? Im using dnsbl on redirect_program ( http://www.frws.com/squid_block/). Is it possible to use external_acl_type with this redirector with a little modification making this 'redirector' like the squid ACLs ? Like when got a denied, gets a squid denied message and get logged in access.log.
Re: [squid-users] Squid + NTLM auth + Windows 2003 AD
We´ve put Squid 2.5.STABLE13 to work on a Fedora 4 box, authenticating users against a Windows Server 2003 domain controller using NTLM and it worked just fine! I did´t need to install samba on the Linux box nor use any other auth helpers than Squid ones. Part of my squid.conf follows: auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/dc_server_1 DOMAIN/dc_server_2 DOMAIN/dc_server_N auth_param ntlm children 40 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off Hope it helps! Regards, Luis Talora VAIBHAV NALDURGKAR escreveu: Hi ALL, I am using squid Version 2.5.STABLE5 and samba 3.0.4 with NTLM authentication previously the NTLM authentication was working fine with my windows 2000 AD server but we have upgraded this windows AD to 2003 and also increased the security for this new AD like we have blocked the anonymous query to the new 2003 AD as a result of this my squid is not able to fetch the users and groups from the AD using the NTLM authentication. I tried upgrading my Linux OS from RHL 8 to AS 3 as well as squid version also but no luck but when I tried this with centos it is working. Can some one help me to set up squid + NTLM + Samba with windows 2003 AD on RedHat linux AS 3. Thanks in advance Vaibhav
[squid-users] Automatic updates
Friends, Based on Mr.Odhiambo Washington´s tip about automatic downloading a malware blacklist from http://www.malware.com.br (thanks a lot, it worked pretty nicelly!), I´ve started wondering: couldn´t we download other lists automaticaly from the Internet? So, I´d like to ask you guys who know some sites where we can download some lists for Squid, to post it here (or send it to me). I could create some kind of repository for blacklists for Squid, to help all of us... A good start would be a blacklist for open proxies, which are a terrible problem! Thanks a lot! Regards, Luis Talora
[squid-users] File extension blocking rules
Fellows, To protect dummy users against themselves, I´ve put a few rules on my Squid server to prevent them on downloading some potentially dangerous files by its extensions, such as .exe, .zip, .bat, .scr, and so on. Part of the regex files for those rules follow: \.com$ \.scr$ \.bat$ \.pif$ (...) However, an user recieved a mail message with a link to some virtual card (witch was, indeed, some kind of trojan) and I´ve noticed that Squid allowed the user to download the file. The link follows: http://www.mikes.educv.ro/albums/cartao.scr?4d325356ae47122a6e7b8f1f07cae26d It is quite impressive how the bad guys create ways to bypass the proxy... If the URL do not end with the .xxx, the rule is easily bypassed. So I´ve tried the following: \.scr[\?\]?.* It worked, but too many pages were blocked by mistake. Then I´ve thought on this: \.scr$ \.scr[\?\] It probably works, but I didn´t try it, but I doesn´t seem to be the best way to do it (I would need to create to lines for each blocked extension). My question is: is there an easier way to do that? I mean, a single rule that work in both cases (the file extension followed by the ? - ou the - in the meedle of the URL or in the end of URL). Thanks a lot! LUIS FERNANDO C. TALORA
[squid-users] Using Squid and NTLM form a workstation running Windows Server 2003
Friends, I´m having trouble trying to enable a Windows Server 2003 box to access the Internet through our Squid server, which is configured to use ntlm_auth. Analizing access.log, I´ve realized that no username seems to be sent from the Windows Server machine to the proxy. The most strange thing is that previouslly, with a ISA Server proxy, this machine used to access the Internet OK. I´ve already tried running proxycfg -u, on the server, without success. Any suggestions? Thanks a lot! Best regards, Luis Talora
Re: [squid-users] Using Squid and NTLM form a workstation running Windows Server 2003
My scenario follows: Squid server: Fedora Core 4 running squid-2.5.STABLE11-3.FC4 and samba-3.0.14a-2 Client: Windows Server 2003 (no service pack) I´ve configured samba for security=ADS and made the Linux box join the domain, but it still doesn´t work. Anithing else that I should try? Thanks again! Regards, Luis Talora Mark Elsen wrote: Friends, I´m having trouble trying to enable a Windows Server 2003 box to access the Internet through our Squid server, which is configured to use ntlm_auth. Analizing access.log, I´ve realized that no username seems to be sent from the Windows Server machine to the proxy. The most strange thing is that previouslly, with a ISA Server proxy, this machine used to access the Internet OK. I´ve already tried running proxycfg -u, on the server, without success. Please note that if your running SP3, you may need an uptodate SAMBA release and or simply stated; use the latest SAMBA available. M.
[squid-users] Redirecting users to a login screen
How can i redirect users to a login screen ? Fernando Rodriguez V. [EMAIL PROTECTED]
[squid-users] Question.
Lets say you are using squid with a redirector that matches users and ip adresses You have your acl where you match the request of a client based on its ip address then squid-cache sends the request to a redirector for authorization it will ether return a new webpage or a \n in the case of a succesfull authorization. But in the case of returning a webpage it will be good to match the result via an acl so it can be requested a login and password. Is this possible ?? Fernando Rodriguez V. [EMAIL PROTECTED] AITelecom S.A. de C.V. http://www.aitelecom.net
[squid-users] Redirector Capture
Is there any way to capture the return url of a redirector program so i can reprosses the resulting url for password authentication?? Thanks Fernando Rodriguez V. [EMAIL PROTECTED]
[squid-users] Redirect
Hello, How can i catch a url that matches a pattern and redirect that pattern to a login screen Thanks Fernando Rodriguez V. [EMAIL PROTECTED] AITelecom S.A. de C.V. http://www.aitelecom.net
[squid-users] Redirect
Can some one point me on the right direction for doing this ?? or thell me where I can find information regarding my requirements.. Hello, How can i catch a url that matches a pattern and redirect that pattern to a login screen so it can be reprocesed. Thanks Fernando Rodriguez V. m.net
RE: [squid-users] Redirect
After the redirect process returns either nothing or a new url, if its a new url can squid process an acl regarding the result of its a resulting url ? or its sent directly for processing. thanks -Mensaje original- De: Gregori Parker [mailto:[EMAIL PROTECTED] Enviado el: Miércoles, 15 de Febrero de 2006 06:27 p.m. Para: squid-users@squid-cache.org Asunto: RE: [squid-users] Redirect 1) Use a redirector. The Squid FAQ has an entire section on it. http://www.squid-cache.org/Doc/FAQ/FAQ-15.html ..I recommend Squirm: http://squirm.foote.com.au/ 2) configure a pattern (this is squirm format) regexi .*/whatever/pattern/ https://whatever.com/login.jsp 3) be more patient, people will help you if they can...but may choose not to if you reply to your own messages or sound too demanding. -Original Message- From: Fernando Rodriguez [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 15, 2006 4:14 PM To: squid-users@squid-cache.org Subject: [squid-users] Redirect Can some one point me on the right direction for doing this ?? or thell me where I can find information regarding my requirements.. Hello, How can i catch a url that matches a pattern and redirect that pattern to a login screen so it can be reprocesed. Thanks Fernando Rodriguez V. m.net
[squid-users] regexp after redirect
Hello, Is there a way to match a regexp after redirect returns?? Im using Squid Squidguard, I have done some tests regarding userlists and ip lists Since both of the matches are done via the same network it usually works but since the firs ACL to match is regarding ip if your ip is on the list you will have no problems, but if is not then you will be redirected to http://jdkalsjd.jjj http://jdkalsjd.jjj/ that obiously dosnt exist but I wan to catch that url to ask the user for its login and password using PAM so the next time is redirected it will also have a username and password to see if this matches a user from squidguard and then contunie with the process. Thanks Fernando Rodriguez V. [EMAIL PROTECTED] AITelecom S.A. de C.V. http://www.aitelecom.net
[squid-users] Acl blocking .exe files + unblocking some sites that require .exe files to work
Hi, I'm having some trouble with ACLs when I try to block .exe files. Actually the acl works very well, but some sites use .exe files do display html content. I have a few webmail sites and some bank sites that do this. The problem is that I can't figure out how to unblock them. From what I know, squid reads acl rules from top to botton so if I have specified a site to be allowed first, even if there is a blocking rule below it should ignore it. Below are the related acl rules. The first 4 lines are ntlm group based rules. The goodextensions acl is the one that should allow sites with webmail.exe. Instead of letting it go, squid returns me, for ex. that access to the site http://email.terra.com.br/cgi-bin/webmail.exe? is denied. Does anyone know what I'm doing wrong? I'm using squid version 2.5.STABLE9. Any help will be much appreciated. Andre external_acl_type grupo ttl=900 concurrency=150 %LOGIN /usr/sbin/wbinfo_group.pl acl acesso external grupo internet acl CONNECT method CONNECT acl rede proxy_auth REQUIRED src x.x.x.x/x acl badsites dstdomain /etc/squid/lists/badsites.conf acl badwords url_regex -i /etc/squid/lists/badwords.conf acl badextensions urlpath_regex -i \.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?) acl malware url_regex -i /etc/squid/malware/lista.txt acl goodsites dstdomain /etc/squid/lists/goodsites.conf acl goodwords url_regex -i /etc/squid/lists/goodwords.conf acl goodextensions urlpath_regex -i webmail.exe($|\?) acl java_jvm browser Java/1.4 Java/1.5 http_access allow manager localhost http_access deny manager http_access deny !portaspadrao http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow java_jvm http_access allow rede acesso goodsites goodwords goodextensions http_access allow rede acesso !badsites !badwords !badextensions !malware http_access deny all http_reply_access allow all icp_access allow all
[squid-users] 2 auth mechanisms
Friends, I´m using squid with auth_ntlm against Microsoft AD, and it s working pretty fine (with IE, at least). It does not work with Firefox, though. I´ve tried using auth_msnt, wich worked fine, but I need IE user to use pass-through authenticantion. Is there anyway to use two auth mechanisms in one running copy of Squid? I´ve tried a few combinations, whitout success. Could anybody give some help? Thank you all! Talora -- Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo.
[squid-users] Best Way to use Proxy Authentication
Hi all, I'm trying to find the best solution to authenticate Samba + Squid. I successfully configured winbindd and ntlm_auth. But I need to create acl's using group authentication. Which is the best solution? openLdap appears to be very difficult. :( Thanks in advance. Fernando Lujan
Re: [squid-users] Facing problems with NTLM authentication
Try this: auth_param ntlm program /usr/local/libexec/squid/ntlm_auth DOMAIN\dcserver where DOMAIN is your NT/AD domain name and dcserver is the name of you Domain Controller that runs as PDC. Note that your Linux box that runs Squid *must* be able to resolve the PDC address. To ensure that, try pinging your PDC domain controller by name: ping dcserver If that doesn´t work, add server name and its IP address to /etc/hosts and try again. Regards, Luis Talora Manish Jain wrote: Hi, I am trying to configure Squid to use NTLM authentication on FreeBSD 6.0. This is what I put into my squid.conf : auth_param ntlm program /usr/local/libexec/squid/ntlm_auth auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off Now when I try to access the web from a Windows client, I simply get an error message The page could not be found in IE. If I remove the 5 lines above and restart squid, everything works fine. /usr/local/libexec/squid/ntlm_auth exists and is executable. The FreeBSD box is also the SMB domain controller and it facilitates domain logons for our organisation. What mistake am I making ? If anyone can help get the squid configuration right, I shall be grateful. Thank you. Manish Jain [EMAIL PROTECTED] __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- Esta mensagem foi verificada pelo sistema de antivírus e acredita-se estar livre de perigo.
[squid-users] Authentication.
Hi all, I'm researching a way to authenticate users using Samba or Ldap. There problem is that I need to authenticate the users using group policies. Which is the best alternative to implement this behavior? Thanks and regards. Fernando Lujan
Re: [squid-users] Authentication.
Kinkie wrote: On Tue, 2006-01-24 at 14:23 -0200, Fernando Lujan wrote: Hi all, I'm researching a way to authenticate users using Samba or Ldap. There problem is that I need to authenticate the users using group policies. Which is the best alternative to implement this behavior? Authenticate or authorize? As in: yes, I the server trust that you are really user foo\bar or yes, given that you are foo\bar you can access url http://gazonk.com/;? The former cannot be done via group policy, the latter can be. Not in the Group policy sense, but rather in the check group membership sense. This is relevant because squid splits authentication from authorization. The former can be done via samba's winbind or (if you're running on windows using the LSA) or again via ldap against a domain controller, the latter is better done via ldap. For the details on how please do a search on this mailing-list - it's almost a FAQ. Thanks Kinkie. I'm serarching for the authorization behavior. :) I found a howto here http://workaround.org/moin/SquidLdap , and I'm going to use it. Fernando Lujan
[squid-users] ntlm_auth again... :(
Hi all, I'm trying to make squid works with my Samba PDC. The command: [EMAIL PROTECTED] ntlm_auth --helper-protocol=squid-2.5-basic xxx+root # OK But The squid always pop-up for a username password, no matter how many different users/passwords I try. Here is: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours Thanks in advance. Fernando Lujan
RES: [squid-users] MSNT_auth - Group Requests
I´ve heard it´s possible to use MS NT/AD Groups if you use wb_ntlmauth. I´ve found this auth mechanism too hard to configure, though (it requires you to configure winbind - and maybe kerberos, also). I know nothing about msnt_auth. Here we use ntlm_auth. We´ve chosen not to use groups because our old proxy (MS ISA Server) showed itself very ineficient with that configuration: every single change made on group membership to give or revoke user´s access to some site, required us to wait for AD replication and the user to logoff and logon his machine again. If we had made some mistake (put the user in the wrong group, for example), we had to it all over again. It was terrible! Text files with Squid showed themselves much more reliable and faster to solve problems ando to put things working. If you think that it can help, I can send you na example of a working squid.conf with wb_ntlmauth, from a company where some friend work. If you don´t mind, could you please send me your auth_param lines for msnt_auth? I´m curious to try that authentication mechanism... Thanks a lot! And hope I´ve helped... Best regards, Luis Talora -Mensagem original- De: Brian Bepristis [mailto:[EMAIL PROTECTED] Enviada em: quarta-feira, 18 de janeiro de 2006 18:21 Para: squid-users@squid-cache.org Assunto: [squid-users] MSNT_auth - Group Requests Okay I have squid running V. 2.5.STABLE9 using msnt_auth works great however I want to know if there is a way I can use NT Groups to lock down users access I have groups for every department and some of them dont need access to the internet I am having problems with wb_ntlmauth and ntlm_auth that I cant seem to get around so If there is a way to do it with msnt_auth I would like to please advise Brian
[squid-users] NTLM_authentication
Hi all, I'm trying to make my squid authenticate with the samba server, without success. I'm following the steps described in the following link: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind I hope that all information which I provide is enough, if not, please tell me. Thanks in advance. I compiled squid (2.5STABLE10) with the following options: ./configure --prefix=/usr \ --sysconfdir=/etc/squid \ --enable-delay-pools \ --enable-snmp \ --enable-htcp \ --enable-ssl \ --enable-default-err-language=Portuguese \ --enable-linux-netfilter \ --enable-underscores \ --with-samba-sources=/root/samba-3.0.10 \ --enable-auth=ntlm,basic \ --enable-external-acl-helpers=wbinfo_group Erros: [EMAIL PROTECTED]:~# net join -W xxx -U root Password: Joined domain XXX. [EMAIL PROTECTED]:~# wbinfo -t checking the trust secret via RPC calls succeeded [EMAIL PROTECTED] ntlm_auth --helper-protocol=squid-2.5-basic xxx+root # ERR This is my smb.conf from the PDC Machine( Samba 3.0.20). 1. [global http://www.php.net/global] 2. netbios name = Arquivos 3. workgroup = teste.com.br 4. server string = Servidor de Arquivos 5. security = user 6. load printers = yes 7. log http://www.php.net/log file http://www.php.net/file = /var/log http://www.php.net/log/samba.%m 8. max http://www.php.net/max log http://www.php.net/log size = 50 9. socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 10. local master = yes 11. os level = 33 12. domain master = yes 13. preferred master = yes 14. domain logons = yes 15. wins support = yes 16. dns proxy = no 17. 18. [homes] 19. path=/home/%S 20. browseable = no 21. writable = yes 22. 23. [netlogon] 24. path = /home/netlogon 25. guest ok = yes 26. writable = no 27. share modes = no And from the Squid machine: [global] workgroup = xxx server string = Squid Server netbios name = squid security = domain log file = /var/log/samba.%m max log size = 50 password server = 192.168.1.5 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 encrypt passwords = yes winbind uid = 1-2 winbind gid = 1-2 winbind use default domain = yes dns proxy = no Fernando Lujan
[squid-users] Squid + ntlm authentication with not trusted domains
Hi, My squid is running with ntlm authentication against MS AD 2k. Is there a way to configure squid using ntlm to authenticate users that aren't members of my current domain and neither members of a trusted domain? I have a mixed MS AD/NT4 environment with some NT4 domains on a WAN. Also, sometimes I have users that come with notebooks and I don't want them to join my domain or change their workgroup, but they need to go through the proxy. My goal is to get rid of MS Proxy 2.0 which I'm currently using and does this job, and squid always asks for username and password for that kind of users which have to inform my domain\username and pass to go through, I want to know if squid can also like MS Proxy forget the domain part and authenticate them as if they were part of the domain. Any help will be very much appreciated, André
RES: [squid-users] Squid + ntlm authentication with not trusted domains
Hi, My squid is running with ntlm authentication against MS AD 2k. Is there a way to configure squid using ntlm to authenticate users that aren't members of my current domain and neither members of a trusted domain? I have a mixed MS AD/NT4 environment with some NT4 domains on a WAN. Also, sometimes I have users that come with notebooks and I don't want them to join my domain or change their workgroup, but they need to go through the proxy. My goal is to get rid of MS Proxy 2.0 which I'm currently using and does this job, and squid always asks for username and password for that kind of users which have to inform my domain\username and pass to go through, I want to know if squid can also like MS Proxy forget the domain part and authenticate them as if they were part of the domain. Any help will be very much appreciated, Put them in a reserved ip address range; and let these addresses use the proxy without authentication. M. Thanks for the tip Mark I think it can do the job for the notebooks, but I can't leave the domains I mentioned without authentication because each of them is a whole factory with an average of 300 users accessing the internet for each one (there are 3 of them). Do you (or anyone else) have anything else in mind that may help? Thanks in advance,
[squid-users] Show auth dialog if automatic auth fails
Fellows, I´m running squid 2.5.STABLE9 on a Fedora 4 server, with ntlm auth against Microsoft Active Directory, using pass-through authemtication. The problem is that, if we have some visitor (i.e., someone who did not logon on the Active Directory domain and/or whose machine is not a domain member) on my network who tries to access the Internet, Squid simply shows the message Access denied., giving no oportunity to the user to inform his username/password. I´d like, in that case, the user to be asked for a valid username and password. In other words, if the pass-through auth fails, the browser would show an logon dialog asking for user credencials. The auth config portion of my squid.conf follows: auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/domain_controller auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off Could anyone give me some advice on that? Thanks a lot! Best regards, Luis Talora
Re: [squid-users] Proxied JSP pages load in Firefox/Safari but not IE?
Hi, Can this work with ASP pages too ?? because I have a very similar problem but with ASPx. Thank you in advance !! Mario F. Rodríguez Highland Systems Quetzaltenango - Original Message - From: Christian Bell [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Thursday, August 11, 2005 7:36 PM Subject: Re: [squid-users] Proxied JSP pages load in Firefox/Safari but not IE? When the page is accessed through the proxy with Internet Explorer (Win32), a blank page is rendered (and a subsequent View Source reveals only skeletal HTML, no content). When the page is accessed WITHOUT the proxy in Internet Explorer, the page is rendered correctly. When the page is accessed through the proxy with either Firefox (Win32 or Mac) or a different browser like Safari, the page is rendered correctly. I wrote the above to the list back on 9 June 2005. (Archived: http://tinyurl.com/bda97) Here was the fix: On the Internet Explorer systems that were not rendering the page, the 'Use HTTP 1.1 through proxy' option in Internet Options - Advanced was disabled. (This option should probably be enabled on most/all systems by default.) Enabling this option let Internet Explorer render the pages fine. The other web browsers mentioned already use HTTP 1.1 through a proxy connection, which is why they did not exhibit the symptoms. Hopefully this will be helpful to someone else. -- Christian Bell :: [EMAIL PROTECTED]
Re: [squid-users] Squid running in a gateway machine.
On 7/26/05, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote: You should probably put www.mydomain.com with IP 192.168.0.12 to squid hosts table (or /etc/hosts on the server) Thanks, it really solved the problem. :) -- Fernando Lujan
[squid-users] Squid running in a gateway machine.
My iptables is running as both a gateway and a http-proxy. I route every incoming connection from the INTERNET to the 192.168.0.12:8080, wich is my web server. From my internal network when I try to access the address www.mydomain.com, wich represents my domain in the internet, the squid answers with (111) Connection refused message. I've already tried to use the no_cache option, like: acl DOMAIN url_reges .*mydomain.* no_cache DENY DOMAIN Can I use this configuration? -- Fernando Lujan
[squid-users] Squid as both a proxy server and a transparent proxy.
Is this possible? Whether I configure the proxy server in my browser it works as a proxy following the ACL... I tried without sucess. :( -- Fernando Lujan
[squid-users] Problems Visualizing ASP Pages behind squid proxy
Hello, I have a SmoothWall server between the internet my network. I can't visualize the contents for CERTAIN aspx pages when using Iexplore 6.0. However, when I connect the Pcs directly to the ISP line, I have no problem visualizing the pages. Also, when squid is not active, I can view the pages without complication. Any thoughts ? Thanks in advance. _ Consigue aquí las mejores y mas recientes ofertas de trabajo en América Latina y USA: http://latam.msn.com/empleos/
[squid-users] Squid 2.5 STABLE 9 restarts continuously
Dear all, after upgrading to 2.5STABLE 9 for resolve a problem with bug #852 (DNS queries), my Squid is restarting with the following error: ... 2005/04/28 12:58:03| assertion failed: stmem.c:93: current_offset == target_offset 2005/04/28 12:58:06| Starting Squid Cache version 2.5.STABLE9 for i386-redhat-linux-gnu... ... ... What does this mean? How can I fix this? I read that is an issue with diskd, but i´m not sure. Any suggestion, will be appreciated. Regards! Fernando Sclavo.-
[squid-users] Re: Squid 2.5 STABLE 9 restarts continuously
Looking for a solution to my problem, I found that using aufs storage type instead of diskd resolve the fail, but the memory usage of squid is about three times bigger than using diskd, is it normal? On 4/28/05, Fernando Sclavo [EMAIL PROTECTED] wrote: Dear all, after upgrading to 2.5STABLE 9 for resolve a problem with bug #852 (DNS queries), my Squid is restarting with the following error: ... 2005/04/28 12:58:03| assertion failed: stmem.c:93: current_offset == target_offset 2005/04/28 12:58:06| Starting Squid Cache version 2.5.STABLE9 for i386-redhat-linux-gnu... ... ... What does this mean? How can I fix this? I read that is an issue with diskd, but i´m not sure. Any suggestion, will be appreciated. Regards! Fernando Sclavo.-
[squid-users] Help! FATAL: xstrdup: tried to dup a NULL pointer!
Dear all, I´m running Squid on a FC3 SMP, and the server is a Proliant 5500 multiprocessor. Recently, my squid is terminating abnormally with the following error: FATAL: xstrdup: tried to dup a NULL pointer! Squid Cache (Version 2.5.STABLE6): Terminated abnormally. CPU Usage: 55.150 seconds = 27.885 user + 27.265 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 0 Memory usage for squid via mallinfo(): total space in arena: 76864 KB Ordinary blocks:75991 KB391 blks Small blocks: 0 KB 1 blks Holding blocks: 4324 KB 3 blks Free Small blocks: 0 KB Free Ordinary blocks: 872 KB Total in use: 80315 KB 104% Total free: 873 KB 1% I read in the mail list that maybe is a bug, but don´t know if the bug was fixed on the STABLE 9 version or if is another way to fix it. Why until these last days Squid doesn´t fail? It is running on a production enviroment since 3 months ago. Thanks to all and sorry about my english! Regards. Fernando Sclavo.-
[squid-users] Squid + WMP.
Hi all, I have the following problem... I can´t listen radio or watch tv with windows media player through squid. Anybody know if I need some squid special configuration to do this? In access.log I can see this log: 1112710231.466187 207.169.88.182 TCP_NEGATIVE_HIT/404 4246 GET http://www.tn.com.ar/subtitles/popup_metafile.srt avupdate NONE/- text/html Squid version 2.5 stable 7. Regards, Fernando. Fernando Ampugnani EDS Argentina - Software, Storage Network Information Technology Outsourcing Tel: 5411 4704 3428 Mail: [EMAIL PROTECTED]
[squid-users] Refresh Pattern question.
Hi all, I want know if my configuration refresh_pattern TAG it´s correct, because I can see in squid logs analyzer tools the same values: TCP_MISS 92% TCP_REFRESH_MISS 1,2% TCP_CLIENT_REFRESH_MISS 5,9% My configuration value in refresh_pattern TAG is default: refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 The major percent shouldn´t be in TCP_HIT? refresh_pattern . 0 20% 4320 include all remaining things? Ex. HTTP, files, movies, songs Thanks in Advance. Fernando Ampugnani EDS Argentina - Software, Storage Network Information Technology Outsourcing Tel: 5411 4704 3428 Mail: [EMAIL PROTECTED]
RE: [squid-users] Refresh Pattern question.
Henrik: The cache size is 2gb, and traffic is 20gb per week and 79gb a month. Regards. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 10, 2004 6:55 PM To: Ampugnani, Fernando Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] Refresh Pattern question. On Wed, 10 Nov 2004, Ampugnani, Fernando wrote: I want know if my configuration refresh_pattern TAG it´s correct, because I can see in squid logs analyzer tools the same values: TCP_MISS 92% TCP_REFRESH_MISS 1,2% TCP_CLIENT_REFRESH_MISS 5,9% How large is your cache, and how much traffic do you have per week? The major percent shouldn´t be in TCP_HIT? How good your hit ratio is depends on very many factors. Regards Henrik
RE: [squid-users] Squid Management
Yes. www.webmin.com Regards. -Original Message- From: Boris Macías [mailto:[EMAIL PROTECTED] Sent: Friday, October 15, 2004 4:41 PM To: [EMAIL PROTECTED] Subject: [squid-users] Squid Management Hello. I'm a student of an University in Ecuador, I'm interesting in learn more about Squid, my principal question is: Exist a Grafical Interface (as a Web Management tool) for Setting Or/and Managing the Squid Proxy Server ? Please helpme with links to look for more information. Boris Macías
[squid-users] External Acl problem.
Hi all, It is possible when I define about 5 external acl to deny about 2 porn domains squid process take all cpu (90%) every time?. Are this decrease the squid performance? Are there some suggestions for this? Thanks in advance. Fernando Ampugnani EDS Argentina - Software, Storage Network Information Technology Outsourcing Tel: 5411 4704 3428 Mail: [EMAIL PROTECTED]
RE: [squid-users] External Acl problem.
Henrik: I send that you request. acl porn url_regex /usr/local/squid/etc/porn_domains acl aggresive url_regex /usr/local/squid/etc/aggrsive_domains acl violence url_regex /usr/local/squid/etc/violence_domains acl audiovideo url_regex /usr/local/squid/etc/audiovideo_domains acl drugs url_regex /usr/local/squid/etc/drugs_domains acl warez url_regex /usr/local/squid/etc/warez_domains acl denydownload url_regex /usr/local/squid/etc/downloaddeny http_access deny prohibitedsites http_access deny porn http_access deny aggresive http_access deny violence http_access deny audiovideo http_access deny drugs http_access deny warez http_access deny denydownload Regards. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Thursday, September 30, 2004 10:25 AM To: Ampugnani, Fernando Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] External Acl problem. On Thu, 30 Sep 2004, Ampugnani, Fernando wrote: It is possible when I define about 5 external acl to deny about 2 porn domains squid process take all cpu (90%) every time?. How have you defined the acls? Regards Henrik
RE: [squid-users] Squid-3.x
Henrik, what is the advantage rewrite squid in C++? Regards. Fernando. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 21, 2004 8:55 AM To: Ralf Hildebrandt Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] Squid-3.x On Tue, 21 Sep 2004, Ralf Hildebrandt wrote: I imagine that I read someplace that squid-3.x is supposed to make use of multiple processors. True or dream? Dream. Squid-3.x is supposed to be feature wise close to Squid-2.5 but rewritten to C++, and with a few new features thrown in. Regards Henrik
RE: [squid-users] SSL question.
Why, because browser will reject the SSL connection if thouched by any host now knowing the private encryption key of the server.? There is an other way to support this schema.? Regards. -Original Message- From: Elsen Marc [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 12:26 PM To: Ampugnani, Fernando; [EMAIL PROTECTED] Subject: RE: [squid-users] SSL question. Hi all, Can squid support SSL in both way inbound and outbound traffic, with the same certificate.? Client---squid--local-webserver (SSL) (SSL) Yep , but the problem is that there ain't any browsers that support the first step in your graph. M.
[squid-users] SSL question.
Hi all, Can squid support SSL in both way inbound and outbound traffic, with the same certificate.? Client---squid--local-webserver (SSL) (SSL) Thanks in advance. Fernando Ampugnani EDS Argentina - Software, Storage Network Information Technology Outsourcing Tel: 5411 4704 3428 Mail: [EMAIL PROTECTED]
RE: [squid-users] Squid + MSAD.
In below mail I want say squid_ldap_auth. Did you see the strace that I send yesterday?, if yes... there are any wrong? Thanks. Fernando. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Monday, March 08, 2004 20:38 To: Ampugnani, Fernando Cc: Henrik Nordstrom; [EMAIL PROTECTED] Subject: RE: [squid-users] Squid + MSAD. On Mon, 8 Mar 2004, Ampugnani, Fernando wrote: Hi henrik, I have been doing several test with ldpa_auth and don?t work. By ldap_auth do you really mean ldap_auth or do you mean squid_ldap_auth? Do I need my local dns in resolv.conf? Normally not, but if referrals is enabled and your directory make use of them then squid_ldap_auth may need to know the DNS-IP lookup for your LDAP servers. Regards Henrik
RE: [squid-users] Squid + MSAD.
Hi henrik,
I have been doing several test with ldpa_auth and don?t
work.
I send you an strace, because I saw that in one moment the ldap_auth query
to public dns.
Do I need my local dns in resolv.conf?
Do you see same wrong in strace that I not perceive?
Regards-
Fernando.
-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 22, 2004 11:48
To: Ampugnani, Fernando
Cc: Henrik Nordstrom
Subject: RE: [squid-users] Squid + MSAD.
On Fri, 20 Feb 2004, Ampugnani, Fernando wrote:
Does squid_ldap_auth works with blank spaces in DN.
Yes.
Regards
Henrik
execve(./squid_ldap_auth, [./squid_ldap_auth, -b, cn=internet
users,ou=grupos,ou=comunes,ou=usuariosygrupos,ou=arcos dorados,dc=ar,dc=mcdcorp,
-D, cn=test user,ou=varios,ou=eds,ou=usuariosygrupos,ou=arcos
dorados,dc=ar,dc=mcdcorp, -w, password, -f,
((userPrincipalName=%s)(object-Class=user)), 207.169.88.202, -d], [/* 25 vars
*/]) = 0
uname({sys=Linux, node=EDSADSAPRXY, ...}) = 0
brk(0) = 0x804fa80
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40017000
open(/etc/ld.so.preload, O_RDONLY)= -1 ENOENT (No such file or directory)
open(/etc/ld.so.cache, O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=42294, ...}) = 0
old_mmap(NULL, 42294, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
close(3)= 0
open(/usr/lib/libldap.so.2, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`x\0\000..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=193691, ...}) = 0
old_mmap(NULL, 163140, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40023000
mprotect(0x4004a000, 3396, PROT_NONE) = 0
old_mmap(0x4004a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x27000) =
0x4004a000
close(3)= 0
open(/usr/lib/liblber.so.2, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\\36\0..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=44792, ...}) = 0
old_mmap(NULL, 40340, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4004b000
mprotect(0x40054000, 3476, PROT_NONE) = 0
old_mmap(0x40054000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x8000) =
0x40054000
close(3)= 0
open(/lib/i686/libm.so.6, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320H\0..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=626562, ...}) = 0
old_mmap(NULL, 142708, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40055000
mprotect(0x40077000, 3444, PROT_NONE) = 0
old_mmap(0x40077000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x21000) =
0x40077000
close(3)= 0
open(/lib/libresolv.so.2, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\'\0\000..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=262879, ...}) = 0
old_mmap(NULL, 72768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40078000
mprotect(0x40086000, 15424, PROT_NONE) = 0
old_mmap(0x40086000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xd000) =
0x40086000
old_mmap(0x40088000, 7232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x40088000
close(3)= 0
open(/lib/libnsl.so.1, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=436448, ...}) = 0
old_mmap(NULL, 89532, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4008a000
mprotect(0x4009d000, 11708, PROT_NONE) = 0
old_mmap(0x4009d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12000) =
0x4009d000
old_mmap(0x4009e000, 7612, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x4009e000
close(3)= 0
open(/lib/i686/libc.so.6, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\307\1..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=5792713, ...}) = 0
old_mmap(NULL, 1293384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x400a
mprotect(0x401d3000, 35912, PROT_NONE) = 0
old_mmap(0x401d3000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x132000)
= 0x401d3000
old_mmap(0x401d8000, 15432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x401d8000
close(3)= 0
open(/usr/lib/libsasl.so.7, O_RDONLY) = 3
read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320!\0..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=48571, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x401dc000
old_mmap(NULL, 42336, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x401dd000
mprotect(0x401e6000, 5472, PROT_NONE) = 0
old_mmap(0x401e6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x8000) =
0x401e6000
close(3)= 0
open(/lib/libssl.so.2, O_RDONLY
RE: [squid-users] Squid + MSAD.
Hi Henrik, In squid_ldap_auth the filter as I configure looks like... -f ((sAMAccountName=%u)(object-Class=user)) is ok? How many way of configure it there are? In man page I didn?t find many variants of this. Thanks Regards, Fernando. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Thursday, February 19, 2004 11:49 To: Ampugnani, Fernando Cc: Henrik Nordstrom Subject: RE: [squid-users] Squid + MSAD. On Thu, 19 Feb 2004, Ampugnani, Fernando wrote: OK Henrik, thanks now I understand how work squid_ldap_auth + squid_ldap_group, so I don?t test it from cmd line isnt?t it? There is no problem tesing squid_ldap_group from the command line. It expects username space groupname as input. It then uses the optional user search filter (-F) to locate the users DN like the -f flag for squid_ldap_auth, and finally looks via the group search filter (-f) if there is a group where this user is member. Regards Henrik
RE: [squid-users] Squid + MSAD.
Hi Henrik, I have been same test with squid_ldap_auth and squid_ldap_group. And I see that same part of squid_ldap_group line work properly (part that connect to LDAP and do the search), but I belive that when squid_ldap_group must send user and password there is same wrong, because take password as group. Is the filter syntax correct? ...if not ... How can I do to send correct user and password? [localhost]#./squid_ldap_group -b dc=ar,dc=McDcorp -D cn=test user,ou=Varios,ou=EDS,ou=UsuariosyGrupos,ou=Arcos Dorados,dc=ar,dc=McDcorp -w password -f ((cn=%g)(member=cn=%u,cn=Squid,ou=Grupos,ou=Comunes,ou=UsuariosyGrupos,ou= Arcos Dorados,dc=ar,dc=McDcorp)) -h 207.169.88.202 -p 389 -d ar-username password Connected OK filter ((cn=password)(member=cn=ar-username,cn=Squid,ou=Grupos,ou=Comunes,ou=Usuar iosyGrupos,ou=Arcos Dorados,dc=ar,dc=McDcorp)) ERR Thanks in Advance. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 17, 2004 19:31 To: Ampugnani, Fernando Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] Squid + MSAD. On Tue, 17 Feb 2004, Ampugnani, Fernando wrote: I want validate squid via squid_ldap_auth but don´t work. See the MSAD examples in the squid_ldap_auth manual for some information as to what is required to set up the connection. Regards Henrik
