RE: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
> Hello Jatin,
> Unfortunately I cannot answer your question. But why would you like to bump the connection when admin *explicitly* specified it as *not to be bumped*? I think the eCAP adapter here acts as a passive beast, just scanning what admin tells it to, not what it thinks it needs to scan.

Raf,

I wanted to block a particular website based on the CONNECT request because I am not bumping (decrypting) the site. But now I have realised that if I do not bump the site then there is no way I can paint a custom message on the browser.

So, can somebody tell me if there is a way to pass a flag to Squid from the eCAP adapter to decrypt a site regardless of what the ACL says? For example, if I have an ACL as below which says do not decrypt www.888.com, could my eCAP adapter pass a message to Squid asking it to decrypt www.888.com (for that session only) and ignore the ACL below? Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all
Re: [squid-users] what AV products have ICAP support?
Hi Jason Haar,

Trend Micro (Stop inbound threats / Secure outbound data) InterScan Web Security Virtual Appliance is one of the best. Other AV vendors with ICAP offerings are also listed: Samba-vscan-ICAP, isilonicap, AV scan (EC2), etc.

Regards,
Visolve Squid

On 8/18/2014 3:00 PM, Jason Haar wrote:
> Hi there
> I've been testing out squidclamav as an ICAP service and it works well. I was wondering what other AV vendors have (linux) ICAP-capable offerings that could similarly be hooked into Squid?
> Thanks
Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
On 22/08/2014 7:14 p.m., Rafael Akchurin wrote:
> Hello Jatin,
> Unfortunately I cannot answer your question. But why would you like to bump the connection when admin *explicitly* specified it as *not to be bumped*? I think the eCAP adapter here acts as a passive beast, just scanning what admin tells it to, not what it thinks it needs to scan.

Indeed.

Jatin, I think you need to check exactly what response the eCAP adapter is producing for these CONNECT requests. The status code, Content-Type header and message body all need to be in agreement to have any chance at all of working. You may even have to use a 302/303 status to redirect to a different URL which has the content in it.

Keep in mind also that the mainstream popular browsers simply will not display anything except their own error pages in response to an unsuccessful CONNECT. Perhaps a bit on the extreme side, but that is how they have chosen to prevent security vulnerabilities which have been abused badly in the past.

Amos
[squid-users] negotiate_wrapper returns asterisk
Hello,

I hope someone can help me. I want to use Squid for authentication and send the username to DansGuardian. Here's the config of the authentication program:

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -d -s GSS_C_NO_NAME

I always get

negotiate_wrapper: Return 'AF = * username

where username is the currently logged in user. Where is this asterisk coming from? I can't map "* username" to DansGuardian filter groups.

Thanks
Re: [squid-users] negotiate_wrapper returns asterisk
On 22/08/2014 10:00 p.m., Melvin Williams wrote:
> Hello,
> I hope someone can help me. I want to use Squid for authentication and send the username to DansGuardian. Here's the config of the authentication program:
>
> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -d -s GSS_C_NO_NAME
>
> I always get
>
> negotiate_wrapper: Return 'AF = * username
>
> where username is the currently logged in user. Where is this asterisk coming from? I can't map "* username" to DansGuardian filter groups.

Hmm. Would this happen to be an AF response coming from the ntlm_auth helper by chance? Is it sending back "AF * username"?

Amos
[squid-users] Anybody using squid on openWRT ?
Just trying to use the official package for openWRT, which is based on squid 2.7 only. Having detected some DNS issues, does anybody use Squid on openWRT, and which Squid version?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Anybody-using-squid-on-openWRT-tp4667335.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Anybody using squid on openWRT ?
Unfortunately the openwrt squid package is very outdated and buggy. I've tried it, but I gave up. I'm not sure, but they do not include software which uses C++ as its language. 99% of its package repository is C source software; maybe this is one reason to keep an older squid version, which is not written in C++.

2014-08-22 7:48 GMT-03:00 babajaga augustus_me...@yahoo.de:
> Just trying to use the official package for openWRT, which is based on squid 2.7 only. Having detected some DNS issues, does anybody use Squid on openWRT, and which Squid version?
[squid-users] Re: Anybody using squid on openWRT ?
Sounds good. I also do not like C++ :-)

squid 2.7 from openWRT is running on my Open-Mesh; besides the DNS issues I have not found any problem. Only a bit slow. The DNS issues are related to advert sites only, which is a bit strange. Looks like some tricks regarding TTL/DNS-based load sharing, I guess. So I just block the well-known ad sites, and a few more, and it works (slowly) on an AR71xx CPU/64MB RAM. Maintaining the block list is a bit inconvenient, though.
Re: [squid-users] Anybody using squid on openWRT ?
I do use it a lot and despite the fact it's outdated, it works just fine for my cases. I have even made myself a patch to enable the compilation of the LDAP authenticators, so I could authenticate users through LDAP, usually to an AD server.

On 22/08/14 07:48, babajaga wrote:
> Just trying to use the official package for openWRT, which is based on squid 2.7 only. Having detected some DNS issues, does anybody use Squid on openWRT, and which Squid version?

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br
[squid-users] Re: Anybody using squid on openWRT ?
Interesting. Have you seen any DNS issues? For details, please refer here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Very-slow-site-via-squid-td4667243.html

Or, can you reproduce it here: www.spiegel.de
RE: [squid-users] Anybody using squid on openWRT ?
> Just trying to use the official package for openWRT, which is based on squid 2.7 only. Having detected some DNS issues, does anybody use Squid on openWRT, and which Squid version?

I am using squid on a Buffalo router on openwrt Attitude Adjustment (whatever squid version comes with that). I only authenticate by IP address and by time of day. Haven't seen any DNS issues. What sort of DNS issues are you seeing? And are you sure they are with squid?

I have configured squid on the router to not cache, but it always forwards to a server which does do caching (that server isn't on all the time though, in which case squid fails over to go direct).

James
[squid-users] RE: Anybody using squid on openWRT ?
@James: For details of my problems, please refer here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Very-slow-site-via-squid-td4667243.html

Not sure that it is really squid. The effect is slow loading of objects from ad servers. As I have an Open-Mesh AP, 64MB RAM, my squid 2.7 does memory-only caching, and some ACLs + forwarding some traffic to another upstream proxy on the web.

One very slow page is here: www.spiegel.de
It calls *.meetrics.de, which loads veeery slow.

So, in case you can confirm/deny slow response times to this site, I need to look somewhere else for the bug. Which would be great help, already.
Re: [squid-users] Re: squid_kerb_ldap issues
Hi Markus,

Thanks for your input. I ended up completely removing everything and recreating my keytab and it works great now.

One more question for you or the list: Is it possible to do machine-based AD auth to Squid? We have a use case here where we would want to allow a machine access to a resource but not necessarily specifically allow the users who are logged in to it.

Thanks again,
-Scott

Scott Finlon, CISSP GCIA GCIH
---
Information Security Engineer
The University of Scranton
email : scott.fin...@scranton.edu
phone : 570-941-6168
---

On 8/21/14, 3:20 PM, Markus Moeller hua...@moeller.plus.com wrote:
> Hi Scott,
> So from what I see in your first log you have a user MYSUER with a domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM. squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the keytab but does not find any entry for MYDOMAIN in the keytab. Then squid_kerb_ldap tries to find an entry in the keytab of a domain which trusts MYDOMAIN and fails. It seems there is no Kerberos trust between MYDOMAIN and SUBDOMAIN.DOMAIN.COM.
> The second log looks better, but the password stored in the keytab for SQUIDPROXY-K$ is incorrect (Preauthentication failed).
> Markus
>
> Scott Finlon wrote in message news:d01b8481.36d86%scott.fin...@scranton.edu...
>> Hi All,
>> I have squid_kerb_auth working and authenticating via my keytab file. However, when trying to lock it down to users that are in a group in AD, I'm seeing a weird issue. I put my sanitized output here: http://pastebin.com/wGc3RC0h
>> But basically if I use this
>>   ./squid_kerb_ldap -d -g proxy_allow -D "MYDOMAIN"
>> it is able to auth to AD and eventually attempts to use a bind path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it gives a referral error.
>> So seeing that, I tried to use my full domain as the default domain, like this
>>   ./squid_kerb_ldap -d -g proxy_allow -D "MYDOMAIN.MYDOMAIN.COM"
>> it gives a Preauthentication failed error and doesn't even make it in to AD, full output here: http://pastebin.com/Gk1ci0nt
>> That makes me think it's an issue with the keytab file, but it works appropriately with kerb auth, just not kerb ldap. Any ideas? I am going to try and make a keytab file with ktpass instead of msktutil and see if that has any effect.
>> Thanks,
>> -Scott
[squid-users] Re: squid_kerb_ldap issues
Hi Scott,

You mean authentication and authorisation? I think you can. I would expect you to see, instead of user@DOMAIN, a host/fqdn@DOMAIN, and if you add the computer account to the AD group it should authorise. I am very curious to see it :-)

Markus

Scott Finlon wrote in message news:d01cdf61.36eeb%scott.fin...@scranton.edu...
> Hi Markus,
> Thanks for your input. I ended up completely removing everything and recreating my keytab and it works great now.
> One more question for you or the list: Is it possible to do machine-based AD auth to Squid? We have a use case here where we would want to allow a machine access to a resource but not necessarily specifically allow the users who are logged in to it.
> Thanks again,
> -Scott
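Markus expects a machine that authenticates with its own credentials to show up as host/fqdn@REALM rather than user@REALM, and that the authorisation decision is then just a question of what that principal is a member of. The helper below is an added example written for this thread, not squid_kerb_ldap and not Markus's or Scott's code: it is an external ACL helper that Squid would feed the authenticated principal via %LOGIN, and it says OK only for machine principals on an allow-list. The realm, hostnames and the external_acl_type line in the comments are made up for the example; that a computer account may also appear as HOSTNAME$@REALM (and that the short name expands to hostname plus the lower-cased realm) is an assumption added here, not something the thread states.

```python
"""External ACL helper: authorise Kerberos machine principals only.

Added example for the squid_kerb_ldap thread; not Squid's own code.
Wire it up with something like (hypothetical paths):
  external_acl_type machine_ok ttl=300 %LOGIN /usr/local/bin/machine_acl.py
  acl machine_allowed external machine_ok
  http_access allow machine_allowed
Squid writes one request per line (the %LOGIN value, URL-encoded) and
expects one OK/ERR/BH answer line back for each.
"""
import sys
from urllib.parse import unquote

# Constructed values for the example; replace with your own.
REALM = "SUBDOMAIN.DOMAIN.COM"
ALLOWED_MACHINES = {
    "pc1.subdomain.domain.com",
    "kiosk7.subdomain.domain.com",
}


def parse_principal(login):
    """Return (kind, name, realm) for a principal string.

    kind is "machine" for host/fqdn@REALM (as Markus expects) or for
    NAME$@REALM (assumed AD computer-account form); "user" otherwise.
    """
    login = unquote(login)              # %LOGIN arrives URL-encoded
    name, sep, realm = login.rpartition("@")
    if not sep:
        name, realm = login, ""
    realm = realm.upper()
    if name.startswith("host/"):
        return "machine", name[len("host/"):].lower().rstrip("."), realm
    if name.endswith("$"):
        short = name[:-1].lower()
        # Assumption: a bare computer name lives in the realm's DNS domain.
        if "." not in short and realm:
            short = short + "." + realm.lower()
        return "machine", short, realm
    return "user", name, realm


def decide(line):
    """Answer one helper request line."""
    fields = line.strip().split()
    if not fields:
        return "BH message=empty%20request"
    kind, name, realm = parse_principal(fields[0])
    if kind != "machine":
        return "ERR"                    # users are handled by the group check, not here
    if realm != REALM:
        return "ERR"                    # foreign realm, even if the name matches
    return "OK" if name in ALLOWED_MACHINES else "ERR"


def main():
    # Squid blocks on each answer, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Keep the user-group check in squid_kerb_ldap as it is and add this helper as a second, independent allow rule; then a logged-in user on an unlisted machine is still judged by group membership, while a listed machine gets through on its own principal. If you set concurrency= on the external_acl_type line, Squid prefixes each request with a channel number that has to be echoed back, which this minimal helper does not do.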
RE: [squid-users] Anybody using squid on openWRT ?
Plus a wifi device is severely underpowered and lacks sufficient memory and storage for squid to provide any real benefit (IMHO).

-----Original Message-----
From: Cassiano Martin [mailto:cassi...@polaco.pro.br]
Sent: Friday, August 22, 2014 5:06 AM
To: babajaga
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Anybody using squid on openWRT ?

> Unfortunately the openwrt squid package is very outdated and buggy. I've tried it, but I gave up. I'm not sure, but they do not include software which uses C++ as its language. 99% of its package repository is C source software; maybe this is one reason to keep an older squid version, which is not written in C++.
>
> 2014-08-22 7:48 GMT-03:00 babajaga augustus_me...@yahoo.de:
>> Just trying to use the official package for openWRT, which is based on squid 2.7 only. Having detected some DNS issues, does anybody use Squid on openWRT, and which Squid version?
[squid-users] Nudity Images Filter for Squid
Hi Guys,

We just released a new free tool for Squid: Nudity Images Filter for Squid
https://sourceforge.net/projects/nudityimagesfilterforsquid/

You can specify the MaxResol and the MaxScore for the block. All details are in the readme.txt:
http://sourceforge.net/projects/nudityimagesfilterforsquid/files/readme.txt/download

Important:
- We provide the API for free; we cannot guarantee it will work with your Squid installation, which is why you must test on a separate Squid before going to production.
- We do not compile statistics based on your requests and we do not share data with marketing teams or external companies; we also do not use your data for our internal needs.
- If you are interested in a local implementation of our API in your network, just drop us an email at supp...@unveiltech.com

Your feedback is welcome...

Bye
Fred
Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
On 08/21/2014 07:06 PM, Jatin Bhasin wrote:
> So, can somebody tell me if there is a way to pass a flag to Squid from the eCAP adapter to decrypt a site regardless of what the ACL says? For example, if I have an ACL as below which says do not decrypt www.888.com, could my eCAP adapter pass a message to Squid asking it to decrypt www.888.com (for that session only) and ignore the ACL below? Is it possible?

Given a recent-enough Squid version, an adaptation service can control Squid behavior via the annotations mechanism and the note ACL associated with it. For example, your eCAP adapter can return an X-Bump:yes annotation(**) that Squid can then match using the note ACL. Something along these untested lines:

acl toBump note X-Bump yes
ssl_bump server-first toBump
ssl_bump server-first ...
ssl_bump none all

This mechanism should be supported for ssl_bump ACLs but I have not tested that claim myself.

HTH,
Alex.

(**) In eCAP terminology, an X-Bump:yes annotation is an adapter transaction option named X-Bump with a "yes" value. See libecap::Options, which is a parent of libecap::adapter::Xaction.
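The part of Alex's reply that is easy to miss is rule order: ssl_bump lines are tried top to bottom and the first line whose ACLs all match decides, so in Jatin's configuration the "ssl_bump none" exemption fires before any annotation could be looked at. The script below is an added example written for this thread, not code from Squid, from Jatin's adapter or from Alex: it parses a squid.conf-style fragment limited to the ACL types used here (dstdomain, note and the built-in all) and picks the action for a CONNECT request carrying the adapter's annotations. The annotation name X-Bump comes from Alex's message; the middle lines of the second configuration are filled in for the example, and that ssl_bump honours a note ACL at all is, as Alex says, untested.

```python
"""First-match model of Squid's ssl_bump rule selection (added example)."""
from dataclasses import dataclass, field


@dataclass
class ConnectRequest:
    host: str                                   # CONNECT target, e.g. www.888.com
    notes: dict = field(default_factory=dict)   # adapter annotations, name -> value


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is [(action, [acl names])]."""
    acls = {"all": ("all", [])}                 # Squid predefines "all"
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acl = acls.setdefault(parts[1], (parts[2], []))
            acl[1].extend(parts[3:])            # repeated acl lines accumulate values
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def dstdomain_match(host, patterns):
    """dstdomain semantics: ".example.com" matches example.com and every subdomain."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def acl_match(acl, req):
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type == "dstdomain":
        return dstdomain_match(req.host, values)
    if acl_type == "note":
        # "acl NAME note KEY [VALUE ...]": annotation must exist and, if values
        # are listed, carry one of them
        key, wanted = values[0], values[1:]
        if key not in req.notes:
            return False
        return not wanted or req.notes[key] in wanted
    raise ValueError("acl type not modelled: " + acl_type)


def ssl_bump_action(conf, req):
    """Action Squid would take for req under conf; "none" when no line matches."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        matched = True
        for name in names:                      # all ACLs on one line must match
            negate = name.startswith("!")
            hit = acl_match(acls[name.lstrip("!")], req)
            if hit == negate:                   # plain ACL missed, or !ACL hit
                matched = False
                break
        if matched:
            return action
    return "none"


# Jatin's lines from the thread: the exemption comes first, so an X-Bump
# annotation is never consulted for 888.com.
JATIN_CONF = """
acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all
"""

# Arranged after Alex's suggestion (middle lines filled in for this example):
# the note ACL is checked before the exemption, so the adapter can opt a
# single session in to bumping.
ALEX_CONF = """
acl no_ssl_interception dstdomain .888.com
acl toBump note X-Bump yes
ssl_bump server-first toBump
ssl_bump none no_ssl_interception
ssl_bump server-first all
"""

if __name__ == "__main__":
    flagged = ConnectRequest("www.888.com", {"X-Bump": "yes"})
    plain = ConnectRequest("www.888.com")
    for label, conf in (("Jatin", JATIN_CONF), ("Alex", ALEX_CONF)):
        print(label, "flagged:", ssl_bump_action(conf, flagged),
              "plain:", ssl_bump_action(conf, plain))
```

The model is deliberately small; real Squid also applies ssl_bump at several steps of the TLS handshake and has more ACL types, but the first-match rule it illustrates is the same one that makes Jatin's original order unable to honour the adapter's request.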
[squid-users] Filter squid cached files to multiple cache dirs
I am currently setting up a small home network. I've chosen to go with Squid proxy and I am wondering if it is possible to set up a single Squid instance with multiple cache_dirs so that different files (more precisely, files with different sizes) end up on different cache_dirs?

The reason for this is that I'll be running Squid as a VM on a machine with semi-cannibalized hardware. I have a small SSD (which I'm hoping to use for caching small, dynamic, very transient files such as web pages, small pics and such) and a large, slow HDD (which I'd like to use for caching larger, static content such as Windows updates, YouTube transfers, large pics and the like).

This is my first foray into Squid and it's only a small network, so I would like to avoid introducing complexities such as multiple Squid instances or hierarchical caches. Ideally, there would be a way to specify some simple set of criteria that would place the given file either in cache dir A or cache dir B. I have sifted through the Squid FAQ but I found nothing similar mentioned there, so I may have missed something really elemental.

How could this be done? Is there a pattern people use to cater for such cases? Is it even necessary/advisable?
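The size-based split asked about here is something the cache_dir directive supports directly through its min-size= and max-size= options (values in bytes); no second instance or cache hierarchy is needed. The fragment below is an added example, not part of the original post or of any reply on this page: the paths and sizes are made up, and it assumes Squid 3.x option syntax.

```conf
# SSD: objects up to 1 MB (pages, small images, other short-lived items)
cache_dir aufs /var/cache/squid-ssd 8000 16 256 max-size=1048576

# HDD: objects larger than 1 MB (updates, video, large images)
cache_dir aufs /var/cache/squid-hdd 200000 32 256 min-size=1048577

# The global ceiling defaults to 4 MB; without raising it the large
# downloads meant for the HDD are never cached at all.
maximum_object_size 2048 MB
```

Make the two ranges contiguous and non-overlapping as above so every cacheable object has exactly one eligible directory, and check the choice after a test download with squidclient mgr:storedir, which reports per-directory object counts.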