Re: [squid-users] Attached file on OWA with Squid

2016-04-25 Thread Amos Jeffries
On 26/04/2016 3:16 a.m., Sebastien.Boulianne wrote:
> Hi all,
> 
> I changed the status from 302 to 308.
> 
> I can now upload small txt files but if I try to attach a file bigger than 
> 1meg, I got the same issue as the beginning... The browser freezes and 
> nothing happens.
> 

Hmm. That sounds familiar but my mind is too fuzzy with other things
right now. You might have some luck searching this list's archives for
earlier posts about OWA.


> What else can I try ?

Telling us the output of squid -v ?

"latest Squid" could be any one of the 4 tarballs we publish, or several
dozen downstream binary versions which vendors publish.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid SSL Bump

2016-04-25 Thread Amos Jeffries
On 25/04/2016 2:34 p.m., skeetz9r wrote:
> UPDATE **
> 
> On more digging it seems like the SSL server is using SHA 1 and that may be
> the issue here. Any way around that?
> 

Check out the options your OpenSSL library supports. It may or may not
support SHA1 being added to the allowed hashes list. You will need to do
that as well as adding the broken cert to the set loaded by
sslproxy_cafiles directive.

Amos



Re: [squid-users] NTLM_AUTH authentification send BH SPNEGO request invalid prefix

2016-04-25 Thread Amos Jeffries
On 25/04/2016 2:11 a.m., Hack Ensolo wrote:
> Hi,
> I try to log a user who is in active directory group "webusers" with
> ntlm_auth
> but I have some problems.
> 

The first being that "SPNEGO ..." is a Kerberos authentication error
output by Negotiate authentication.

Amos



Re: [squid-users] Logging ACL that triggered denied access with http_access

2016-04-25 Thread Amos Jeffries
On 26/04/2016 3:51 a.m., Stephen Borrill wrote:
> Is there a way to log which ACL caused a block with http_access? This
> information is present for deny_info to use, but I cannot see an entry I
> can add to logformat to present such a thing in a custom log format (if
> using an external acl helper, you can spoof something up with the et and
> ea formats).
> 

There is no single ACL which does so. Even if you configure only one ACL
name per access control line in all access controls of squid.conf it is
sequences of ACLs both matching and non-matching (across multiple access
control types) which lead to a particular denial *line* happening.

The deny_info is not logging any single one ACL that did blocking. It is
logging the ACL name to which the deny_info action is attached. Same for
the external_acl_type %ACL parameter displaying the ACL it has been
called on.

Amos



Re: [squid-users] change between squid 3.1 and 3.3.8

2016-04-25 Thread Amos Jeffries
On 26/04/2016 4:41 a.m., TRIFILETTI Frank (Adjoint au chef du DO Sud-Est
/ Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET wrote:
> Hello Amos,
> 
> thanks for your answer
> 
> my answer in the body of the message below
> 
> Frank
> 
> On 23/04/2016 05:29, "> Amos Jeffries (via Internet, sent by
> squid-users-boun...@lists.squid-cache.org)" wrote:
>> On 23/04/2016 2:40 a.m., FTRIF wrote:
>>> Hello,
>>> i have a problem using /usr/lib/squid3/ext_ldap_group_acl which
>>> appears in
>>> 3.3.8
>>>
>>> i have a ldap attribute called InternetAccess which contains the value
>>> "ACCESSINTER"
>>>
>>> i want to make an ACL to authorize such people to surf on the net by
>>> using a
>>> ldap_group, built with the people who had the value ACCESSINTER in
>>> the ldap
>>> attribute called InternetAccess
>>>
>>> in command line it works both with squid 3.1 and 3.3.8, the answer is
>>> OK:
>>>
>>> /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f
>>> "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>>
>>> fk.tf ACCESSINTER
>>> ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
>>> ext_ldap_group_acl.cc(726): pid=25599 :group filter
>>> '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))',
>>> searchbase
>>> 'dc=eq,dc=fr'
>>> OK
>>
>> Use '%g' macro for group. It will not collide with URL-encoding of
>> the parameters.
>>
> 
> in the squid.conf i forgot to indicate that i have a line
> acl profil_ACCESSINTERNET external ldap_group ACCESSINTER
> 
> in command line i replace %a by '%g' in command line but it doesn't work
> only if i put %g
> 
> but in squid.conf i put '%g' instead of %a and i have the same result
> with in the cache.log
> 
> 2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches:
> ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
> 2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal:
> acl="ldap_group"
> 2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No
> helper entry available
> 2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal:
> ldap_group check user authenticated.
> 2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal:
> ldap_group user is authenticated.
> 2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal:
> ldap_group("fk.tf ACCESSINTER") = lookup needed
> 2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf
> ACCESSINTER": entry=@0, age=0
> 2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf
> ACCESSINTER": queueing a call.
> 2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf
> ACCESSINTER": return -1.
> 2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches:
> ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1

These lines are important:

> 2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET
> needs async lookup
> 2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET
> result is false
> 2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0
> matched=0 async=1 finished=0
> 2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0
> answer DUNNO for async required but prohibited
> 2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0
> DUNNO because cannot async
> 2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist:
> ACLFilledChecklist destroyed 0x7ffdc7f66fb0
> 2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
> 2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0
> checking fast rules
> 2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast:
> list: 0x56353080b548
> 
> is it these last lines indicate the followup where the helper responds
> you asked for ?

Better. Those lines are saying you are using the group lookup in an
access control list which cannot do group lookups or any other kind of
delayed (async) data lookup.

The answer is needed immediately by the access control and all Squid has
to work with is DUNNO / "insufficient data".

See 

> 
> if not which type of text i have to search ?
> 
> my debug_options 28,9 82,9 84,9
> section 82 External AC
> section 84 Helper process maintenance
> section 28 Access Control
> 

Okay.

The -d parameter on the helper command line for Squid helpers produces
their internal debug.


Amos



Re: [squid-users] Squid 3.4.8 helpers doesn't work how I want !

2016-04-25 Thread Amos Jeffries
On 26/04/2016 3:28 a.m., Jok Thuau wrote:
> On Mon, Apr 25, 2016 at 7:33 AM, Hack Ensolo wrote:
> 
>> ### http_access rules
>> http_access allow manager localhost
>> http_access allow auth
>> http_access deny !auth
>> http_access allow kerbusers
>> http_access allow localnet
>> http_access deny manager
>> http_access deny all
>>
>>
> Since the rules are "first match", once you have "allow auth", squid is
> done. it will not look at the group membership (under "kerbusers").
> 
> you should look at the acl type "all-of" and "any-of" to build your logic:
> acl authn_authz all-of auth kerbusers
> 
> might be helpful and would make your config slightly easier to read...

In this simple case it will just make it a bit more confusing. Especially
since the admin is clearly not understanding the basics properly yet.

It also slows down Squid with additional authentication checks compared
to the config he does need.

> 
> With that in mind, reconsider how you organize the rules...
> 

Seconded. 

Amos



Re: [squid-users] change between squid 3.1 and 3.3.8

2016-04-25 Thread TRIFILETTI Frank (Adjoint au chef du DO Sud-Est / Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET

Hello Amos,

thanks for your answer

my answer in the body of the message below

Frank

On 23/04/2016 05:29, "> Amos Jeffries (via Internet, sent by
squid-users-boun...@lists.squid-cache.org)" wrote:
> On 23/04/2016 2:40 a.m., FTRIF wrote:
>> Hello,
>> i have a problem using /usr/lib/squid3/ext_ldap_group_acl which appears in
>> 3.3.8
>>
>> i have a ldap attribute called InternetAccess which contains the value
>> "ACCESSINTER"
>>
>> i want to make an ACL to authorize such people to surf on the net by using a
>> ldap_group, built with the people who had the value ACCESSINTER in the ldap
>> attribute called InternetAccess
>>
>> in command line it works both with squid 3.1 and 3.3.8, the answer is OK:
>>
>> /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f
>> "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>
>> fk.tf ACCESSINTER
>> ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
>> ext_ldap_group_acl.cc(726): pid=25599 :group filter
>> '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))', searchbase
>> 'dc=eq,dc=fr'
>> OK
>
> Use '%g' macro for group. It will not collide with URL-encoding of
> the parameters.


in the squid.conf i forgot to indicate that i have a line
acl profil_ACCESSINTERNET external ldap_group ACCESSINTER

in command line i replace %a by '%g' in command line but it doesn't work only if 
i put %g


but in squid.conf i put '%g' instead of %a and i have the same result with in 
the cache.log


2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches: ACL::checklistMatches: 
checking 'profil_ACCESSINTERNET'

2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No helper entry 
available
2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal: ldap_group check 
user authenticated.
2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal: ldap_group user 
is authenticated.
2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal: 
ldap_group("fk.tf ACCESSINTER") = lookup needed
2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf 
ACCESSINTER": entry=@0, age=0
2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf 
ACCESSINTER": queueing a call.
2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf 
ACCESSINTER": return -1.
2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: 
result for 'profil_ACCESSINTERNET' is -1
2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET needs async 
lookup

2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET result is 
false
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0 matched=0 
async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0 answer 
DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0 DUNNO 
because cannot async
2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0 checking 
fast rules
2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast: list: 
0x56353080b548


is it these last lines indicate the followup where the helper responds you asked 
for ?


if not which type of text i have to search ?

my debug_options 28,9 82,9 84,9
section 82 External AC
section 84 Helper process maintenance
section 28 Access Control





>> but in the squid.conf v3.3.8, i put the line below  :
>>
>> external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>
>> it don't work and in my cache.log i found :
>>
>> 779298:2016/04/22 15:56:40.335| external_acl.cc(861) aclMatchExternal:
>> "fk.tf ACCESSINTER": queueing a call.
>> 779299:2016/04/22 15:56:40.335| external_acl.cc(863) aclMatchExternal:
>> "fk.tf ACCESSINTER": return -1.
>
> That is sending the lookup. Now Squid awaits the helper response.
>
>> It's work in squid 3.1 with the external acl called "squid_ldap_group"
>> instead of "ext_ldap_group_acl"
>>
>> perhaps i used something in 3.1 which was a bug corrected in 3.3 ?
>
> There is no sign of any problem in that log snippet. Can you find the
> followup where the helper responds?
>
> Amos



Re: [squid-users] Logging ACL that triggered denied access with http_access

2016-04-25 Thread Yuri Voinov

Usually this task uses an external URL rewriter which has its own block
log. For example, ufdbguard/squidguard/dansguardian etc.

Also you can use DB-based ACLs for this task, which is better than
manually maintained huge plain-text inclusions in squid.conf.


25.04.16 21:51, Stephen Borrill wrote:
> Is there a way to log which ACL caused a block with http_access? This
> information is present for deny_info to use, but I cannot see an entry I
> can add to logformat to present such a thing in a custom log format (if
> using an external acl helper, you can spoof something up with the et and
> ea formats).
>



[squid-users] Logging ACL that triggered denied access with http_access

2016-04-25 Thread Stephen Borrill
Is there a way to log which ACL caused a block with http_access? This
information is present for deny_info to use, but I cannot see an entry I
can add to logformat to present such a thing in a custom log format (if
using an external acl helper, you can spoof something up with the et and
ea formats).

-- 
Stephen


Re: [squid-users] Squid 3.4.8 helpers doesn't work how I want !

2016-04-25 Thread Jok Thuau
On Mon, Apr 25, 2016 at 7:33 AM, Hack Ensolo  wrote:

> ### http_access rules
> http_access allow manager localhost
> http_access allow auth
> http_access deny !auth
> http_access allow kerbusers
> http_access allow localnet
> http_access deny manager
> http_access deny all
>
>
Since the rules are "first match", once you have "allow auth", squid is
done. it will not look at the group membership (under "kerbusers").

you should look at the acl type "all-of" and "any-of" to build your logic:
acl authn_authz all-of auth kerbusers

might be helpful and would make your config slightly easier to read...

With that in mind, reconsider how you organize the rules...

Jok
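
The first-match behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of http_access evaluation, run over the rule order quoted above and over one possible reordering. The request fields, the sample clients and the reordered rule set are assumptions made for illustration; the authentication challenge and helper lookups that real Squid performs are left out.

```python
import ipaddress

# Rule order as posted in the thread ("### http_access rules" section).
POSTED = """
http_access allow manager localhost
http_access allow auth
http_access deny !auth
http_access allow kerbusers
http_access allow localnet
http_access deny manager
http_access deny all
"""

# One possible reordering (an assumption, not taken from the thread):
# reject unauthenticated clients first, then allow only group members.
REORDERED = """
http_access allow manager localhost
http_access deny manager
http_access deny !auth
http_access allow kerbusers
http_access deny all
"""

LOCALNET = ipaddress.ip_network("172.17.0.0/16")

# Simplified ACL predicates over a constructed request dict.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["manager"],
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "auth": lambda r: r["user"] is not None,
    "kerbusers": lambda r: r["user"] is not None and "webusers" in r["groups"],
}


def parse_rules(text):
    """Turn http_access lines into [(action, [(negated, acl_name), ...]), ...]."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, acls = parts[1], parts[2:]
        rules.append((action, [(a.startswith("!"), a.lstrip("!")) for a in acls]))
    return rules


def evaluate(rules, req):
    """Return (action, rule_number) for the first rule whose ACLs all match."""
    for number, (action, acls) in enumerate(rules, 1):
        # Every ACL on the line must match (logical AND); "!" inverts one ACL.
        if all(ACLS[name](req) != negated for negated, name in acls):
            return action, number
    # No rule matched: Squid applies the opposite of the last rule's action.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def make_request(user=None, groups=(), src="172.17.1.10", manager=False):
    """Build a constructed request; field names are hypothetical."""
    return {"user": user, "groups": set(groups), "src": src, "manager": manager}


# Constructed sample clients.
ALICE = make_request(user="alice", groups={"staff"})   # authenticated, not in webusers
BOB = make_request(user="bob", groups={"webusers"})    # authenticated group member
ANON = make_request()                                  # no credentials

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("reordered", REORDERED)):
        rules = parse_rules(text)
        for name, req in (("alice", ALICE), ("bob", BOB), ("anon", ANON)):
            print(label, name, evaluate(rules, req))
```

With the posted order, the non-member is allowed by rule 2 before the group check is ever reached; with the reordering, the same client falls through to the final deny.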


Re: [squid-users] Attached file on OWA with Squid

2016-04-25 Thread Sebastien.Boulianne
Hi all,

I changed the status from 302 to 308.

I can now upload small txt files but if I try to attach a file bigger than 
1meg, I got the same issue as the beginning... The browser freezes and nothing 
happens.

What else can I try ?

Thanks.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
sebastien.boulia...@cpu.ca
Sent: 19 April 2016 09:05
To: squ...@treenet.co.nz; squid-users@lists.squid-cache.org
Cc: Marc-Andre Bouchard 
Subject: Re: [squid-users] Attached file on OWA with Squid

Hi Amos, Eliezer and all ;),
As I wrote, if I connect to our VPN then I try to attach a file with the OWA, 
it works.
If I forward all owa requests directly to the mail server, I can attach a file 
without any issues.

I isolated the issue and we can see the problem happens when owa requests pass 
thru the Squid.

Is it a server issue or a Squid issue ?
I'm running MS Exchange 2007 SP3 x64.

I'm using the very latest version of Squid.

I will try to change the 302 status to 308.

Thank you very much for your help guys.

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: 9 April 2016 00:16
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Attached file on OWA with Squid

On 7/04/2016 5:24 a.m., Sebastien.Boulianne wrote:
> I configured my OWA to pass thru the Squid.
> Auth work perfectly.
> Browsing is working perfectly.
> All is working perfectly except when I try to attach files or documents to an 
> email.
> 
> [cid:image002.png@01D19007.A7E26D20]
> 
> 
> And It stops here. Nothing else happens.
> 
> I did some tests and I noticed that happens when I am connecting from 
> external to OWA.
> If I connect to the VPN then I try to send an attached file with the OWA, it 
> works.

If you mean that you are using Squid through the VPN, then that probably means 
it's not a Squid problem.


> 
> Here is my config for my OWA.
> 
> ### OWA
> cache_peer owa.domain.qc.ca parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/pki/tls/certs/domain.qc.ca.cert.pem sslkey=/etc/pki/tls/private/domain.qc.ca.key.pem options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE dhparams=/etc/pki/tls/private/dhparams.pem cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS name=owa
> acl owahttps url_regex ^https://owa\.domain\.qc\.ca
> cache_peer_access owa allow owahttps
> http_access allow www443 owahttps
> acl owahttp url_regex ^http://owa\.domain\.qc\.ca
> http_access deny owahttp
> deny_info 302:https://%H%R owahttp

You probably need to use 308 status here. 302 tells the client to try again 
using the *GET* method. Sending of things is not a GET action.


> 
> Thank you very much for your advice.
> 

What version of Squid (squid -v) ?

Amos



Re: [squid-users] Squid 3.4.8 helpers doesn't work how I want !

2016-04-25 Thread Yuri Voinov

Logs from AD, man.


25.04.16 20:33, Hack Ensolo wrote:
> Hi,
> I try to authenticate a user in AD (windows server 2008 R2).
> When he is in a group Webusers he must be authenticated and when I remove
> the user of this group, he must not be authenticated.
> And this process doesn't work because he is always authenticated.
>
> Sorry for my english.
>
> I post the squid configuration...
> I don't post the logs because I 'm not errors.
>
> cache_mgr service.informatique@example.com
>
> ### Negotiate kerberos authentification
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/rex.example@example.com
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> ### ldap authorisation
> external_acl_type kerbgroup ttl=60 children-max=15 children-startup=10 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -b ou=students,dc=server,dc=example,dc=com -D sq...@example.com -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=students,dc=server,dc=example,dc=com))" -h dc1.server.example.com
>
> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> acl kerbusers external kerbgroup webusers
>
> ### squid defaults
> acl localnet src 172.17.0.0/16 
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
>
> ### http_access rules
> http_access allow manager localhost
> http_access allow auth
> http_access deny !auth
> http_access allow kerbusers
> http_access allow localnet
> http_access deny manager
> http_access deny all
>
> ### logging
> access_log stdio:/var/log/squid3/access.log
> cache_store_log stdio:/var/log/squid3/store.log
>
> ### squid Debian defaults
> http_port 3128
> cache_effective_user proxy
> cache_effective_group proxy
> cache_dir ufs /cache1 2 16 256
> cache_dir ufs /cache2 2 16 256
> coredump_dir /var/spool/squid3
>
> ### default squid rules
> refresh_pattern ^ftp:   1440    20% 10080
> refresh_pattern ^gopher:    1440    0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
>



[squid-users] Squid 3.4.8 helpers doesn't work how I want !

2016-04-25 Thread Hack Ensolo
Hi,
I try to authenticate a user in AD (windows server 2008 R2).
When he is in a group Webusers he must be authenticated and when I remove the
user of this group, he must not be authenticated.
And this process doesn't work because he is always authenticated.

Sorry for my english.

I post the squid configuration...
I don't post the logs because I 'm not errors.

cache_mgr service.informatique@example.com

### Negotiate kerberos authentification
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/rex.example@example.com
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

### ldap authorisation
external_acl_type kerbgroup ttl=60 children-max=15 children-startup=10 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -b ou=students,dc=server,dc=example,dc=com -D sq...@example.com -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=students,dc=server,dc=example,dc=com))" -h dc1.server.example.com

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
acl kerbusers external kerbgroup webusers

### squid defaults
acl localnet src 172.17.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

### http_access rules
http_access allow manager localhost
http_access allow auth
http_access deny !auth
http_access allow kerbusers
http_access allow localnet
http_access deny manager
http_access deny all

### logging
access_log stdio:/var/log/squid3/access.log
cache_store_log stdio:/var/log/squid3/store.log

### squid Debian defaults
http_port 3128
cache_effective_user proxy
cache_effective_group proxy
cache_dir ufs /cache1 2 16 256
cache_dir ufs /cache2 2 16 256
coredump_dir /var/spool/squid3

### default squid rules
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320


Re: [squid-users] Never expire any object Squid configuration

2016-04-25 Thread Veiko Kukk

On 20/04/16 13:07, Amos Jeffries wrote:
> On 20/04/2016 7:24 p.m., Veiko Kukk wrote:
>> Hi,
>>
>> We have a Squid between our server application and openstack swift
>> backend in accel/reverse mode with store-id configuration (to strip
>> temporary authentication URL-s). We want that any object that has been
>> stored in squid cache is never again fetched from source and never again
>> checked if it is fresh. Well, never in this case could be one year.
>
> The usual response to this is "Squid is a cache, not an archive".

It turned out, what we needed was offline_mode on.
http://www.squid-cache.org/Versions/v3/3.5/cfgman/offline_mode.html

Best regards,
Veiko

