Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 11:05 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 07:20:14PM -0600, James Lay wrote:
> > 
> > 
> > Well last word on this...squid starts but dies with:
> > /squid: symbol lookup error: ./squid: undefined symbol:
> > SSL_set_alpn_protos
> > So at this point I'll just go back to linking to libressl.  Thanks
> > all.
> > 
> 
> What does a "ldd squid" output?  You have built your openssl
> libraries
> to a non-standard place so perhaps squid cannot find them at run
> time?
> If this was the case then you either need to use LD_LIBRARY_PATH at
> run
> time or set LDFLAGS="-L/opt/openssl/lib -Wl,-R/opt/openssl/lib" at
> squid
> configure time.
> 
> 
Woo hoo!  Success!  Looks like this works with openssl-1.0.1.  Thanks
much all!
James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread LYMN
On Mon, Sep 19, 2016 at 07:20:14PM -0600, James Lay wrote:
>
> Well last word on this...squid starts but dies with:
> /squid: symbol lookup error: ./squid: undefined symbol:
> SSL_set_alpn_protos
> So at this point I'll just go back to linking to libressl.  Thanks all.
>


What does a "ldd squid" output?  You have built your openssl libraries
to a non-standard place so perhaps squid cannot find them at run time?
If this was the case then you either need to use LD_LIBRARY_PATH at run
time or set LDFLAGS="-L/opt/openssl/lib -Wl,-R/opt/openssl/lib" at squid
configure time.


-- 
Brett Lymn
This email has been sent on behalf of one of the following companies within the 
BAE Systems Australia group of companies:

BAE Systems Australia Limited - Australian Company Number 008 423 005
BAE Systems Australia Defence Pty Limited - Australian Company Number 006 
870 846
BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 
228 864

Our registered office is Evans Building, Taranaki Road, Edinburgh Parks,
Edinburgh, South Australia, 5111. If the identity of the sending company is
not clear from the content of this email please contact the sender.

This email and any attachments may contain confidential and legally
privileged information.  If you are not the intended recipient, do not copy or
disclose its content, but please reply to this email immediately and highlight
the error to the sender and then immediately delete the message.

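The check Brett suggests, as an added example that is not part of the thread: a small POSIX shell script that parses `ldd` output for libraries that are either not found or resolved from a directory other than the OpenSSL prefix the binary was built against. The `ldd` text below is constructed for illustration (library names, paths and load addresses are made up), and `check_binary` runs the same checks against a real executable; it assumes `ldd` and `readelf` are installed. The `readelf -d` line shows whether the binary carries the RPATH that the `-Wl,-R/opt/openssl/lib` link flag records, which is what lets the run-time loader find the same libraries the build used instead of the distribution's copies.

```shell
#!/bin/sh
# Added example, not from the thread: inspect what "ldd" resolves for a binary
# and flag libraries that are missing or come from the wrong directory.
# The symptom quoted above (undefined symbol SSL_set_alpn_protos at run time
# after a clean link) is what you get when the build linked against one
# OpenSSL and the dynamic loader picked an older one at run time.

# Constructed sample of "ldd squid" output for a binary built against
# /opt/openssl but started without LD_LIBRARY_PATH or an RPATH: libssl and
# libcrypto resolve to the distribution copies instead of /opt/openssl/lib,
# and one (made-up) library is not found at all.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007ffd1c5f0000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1d2a000000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1d29c00000)
libexample.so.1 => not found
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1d29a00000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1d29600000)'

# missing_libs LDD_TEXT
# Print, one per line, the libraries ldd reported as "not found".
missing_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# wrong_prefix_libs LDD_TEXT NAME_REGEX PREFIX
# Print "name -> path" for every library whose name matches NAME_REGEX (an awk
# extended regex) but whose resolved path does not start with PREFIX.
wrong_prefix_libs() {
    printf '%s\n' "$1" | awk -v pat="$2" -v prefix="$3" '
        $2 == "=>" && $3 ~ /^\// && $1 ~ pat && index($3, prefix) != 1 {
            print $1 " -> " $3
        }'
}

# check_binary BINARY PREFIX
# Run both checks against a real executable. Exit status 1 if anything is
# missing or an OpenSSL library resolved outside PREFIX, so the function can
# gate an install step.
check_binary() {
    out=$(ldd "$1") || return 1
    bad=0
    m=$(missing_libs "$out")
    if [ -n "$m" ]; then printf 'missing:\n%s\n' "$m"; bad=1; fi
    w=$(wrong_prefix_libs "$out" '^lib(ssl|crypto)[.]' "$2")
    if [ -n "$w" ]; then printf 'resolved outside %s:\n%s\n' "$2" "$w"; bad=1; fi
    # Show whether the binary carries its own search path; the thread's
    # LDFLAGS="-L/opt/openssl/lib -Wl,-R/opt/openssl/lib" puts one here.
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" | grep -E 'RPATH|RUNPATH' || echo "no RPATH/RUNPATH recorded"
    fi
    return $bad
}

# Demonstration on the constructed sample (nothing is read from disk).
missing_libs "$SAMPLE_LDD"
wrong_prefix_libs "$SAMPLE_LDD" '^lib(ssl|crypto)[.]' /opt/openssl/lib
```

Run `check_binary /opt/sbin/squid /opt/openssl/lib` after installing; an empty "resolved outside" list together with an RPATH line naming `/opt/openssl/lib` means the binary will keep using the OpenSSL it was linked against regardless of the caller's environment.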


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Mon, 2016-09-19 at 18:44 -0600, James Lay wrote:
> On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote:
> > On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> > > 
> > > On 09/19/2016 06:22 PM, James Lay wrote:
> > > > 
> > > > Ok so this is with the 1.0.2 branch of openssl:
> > > > 
> > > > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > > > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > > > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> > > You can probably force your way through this by linking with more
> > > system
> > > libraries, but I do not know exactly which ones you need. This
> > > smells
> > > like an environment or build configuration problem to me -- the
> > > linker
> > > does not know that your OpenSSL library depends on another system
> > > library that provides those [dynamic linking] functions.
> > > 
> > At a guess add this to the libraries list after openssl: -ldl
> > 
> Thank you...where would I add that to?  My config line?  Here it is:
> 
> ./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl --
> enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-
> for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-
> acl-helpers=none
> 
> James
Well last word on this...squid starts but dies with:
/squid: symbol lookup error: ./squid: undefined symbol:
SSL_set_alpn_protos
So at this point I'll just go back to linking to libressl.  Thanks all.
James


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 10:26 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 06:44:38PM -0600, James Lay wrote:
> > 
> > > 
> > > > 
> > > > 
> > > At a guess add this to the libraries list after openssl: -ldl
> > > 
> > Thank you...where would I add that to?  My config line?  Here it
> > is:
> > ./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl
> > --
> > enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-
> > forwarded-
> > for --with-large-files --sysconfdir=/opt/etc/squid --enable-
> > external-
> > acl-helpers=none
> > 
> try setting LIBS="-ldl" in the environment before you do the
> configure.
> 
> 
Thanks again Brett.  Turns out you have to add the "shared" option:
./Configure enable-chacha enable-poly1305 --prefix=/opt/openssl shared linux-x86_64
which you know...kind of makes sense because it's like...a SHARED
library 8-|  Yugh..I hate being dumb.
James


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> > 
> > On 09/19/2016 06:22 PM, James Lay wrote:
> > > 
> > > Ok so this is with the 1.0.2 branch of openssl:
> > > 
> > > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> > You can probably force your way through this by linking with more
> > system
> > libraries, but I do not know exactly which ones you need. This
> > smells
> > like an environment or build configuration problem to me -- the
> > linker
> > does not know that your OpenSSL library depends on another system
> > library that provides those [dynamic linking] functions.
> > 
> At a guess add this to the libraries list after openssl: -ldl
> 
Thank you...where would I add that to?  My config line?  Here it is:
./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
James


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread LYMN
On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> On 09/19/2016 06:22 PM, James Lay wrote:
> > Ok so this is with the 1.0.2 branch of openssl:
> > 
> > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> 
> You can probably force your way through this by linking with more system
> libraries, but I do not know exactly which ones you need. This smells
> like an environment or build configuration problem to me -- the linker
> does not know that your OpenSSL library depends on another system
> library that provides those [dynamic linking] functions.
> 

At a guess add this to the libraries list after openssl: -ldl

-- 
Brett Lymn


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
Thanks...off to git cloning the 1.0.1 branch...all this work for chacha
and poly...yugh 8-|
James
On Mon, 2016-09-19 at 18:37 -0600, Alex Rousskov wrote:
> On 09/19/2016 06:22 PM, James Lay wrote:
> > 
> > Ok so this is with the 1.0.2 branch of openssl:
> > 
> > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> You can probably force your way through this by linking with more
> system
> libraries, but I do not know exactly which ones you need. This smells
> like an environment or build configuration problem to me -- the
> linker
> does not know that your OpenSSL library depends on another system
> library that provides those [dynamic linking] functions.
> 
> 
> > 
> > Should I just try something different?  1.0.1?  1.0?
> I know that both v1.0 and v1.0.1 work in many environments. YMMV.
> 
> Alex.


Re: [squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread Alex Rousskov
On 09/19/2016 06:22 PM, James Lay wrote:
> Ok so this is with the 1.0.2 branch of openssl:
> 
> dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'

You can probably force your way through this by linking with more system
libraries, but I do not know exactly which ones you need. This smells
like an environment or build configuration problem to me -- the linker
does not know that your OpenSSL library depends on another system
library that provides those [dynamic linking] functions.


> Should I just try something different?  1.0.1?  1.0?

I know that both v1.0 and v1.0.1 work in many environments. YMMV.

Alex.



[squid-users] Squid 3.5.20 compile issue

2016-09-19 Thread James Lay
Ok so this is with the 1.0.2 branch of openssl:

make[3]: Entering directory `/home//nobackup/build/squid-3.5.20/src/ssl'
/bin/bash ../../libtool  --tag=CXX   --mode=link g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64   -g -O2 -march=native -std=c++11  -m64 -g -o ssl_crtd ssl_crtd.o certificate_db.o libsslutil.la -L/opt/openssl/lib -lssl -lcrypto ../../compat/libcompat-squid.la
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -m64 -g -o ssl_crtd ssl_crtd.o certificate_db.o  ./.libs/libsslutil.a -L/opt/openssl/lib -lssl -lcrypto ../../compat/.libs/libcompat-squid.a
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.c:(.text+0x334): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x3db): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.c:(.text+0x454): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x4fb): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.c:(.text+0x569): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x5cb): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x603): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x68f): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0x6f1): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.c:(.text+0x742): undefined reference to `dlclose'
collect2: error: ld returned 1 exit status
make[3]: *** [ssl_crtd] Error 1
make[3]: Leaving directory `/home/nobackup/build/squid-3.5.20/src/ssl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make: *** [all-recursive] Error 1

Should I just try something different?  1.0.1?  1.0?  Thank you.

James


Re: [squid-users] Squid 3.5.20 fails to compile with openssl

2016-09-19 Thread James Lay

On 2016-09-19 16:05, Alex Rousskov wrote:

> On 09/19/2016 04:01 PM, James Lay wrote:
>
> > Openssl git latest commit version commit
> > e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.
>
> Please see http://bugs.squid-cache.org/show_bug.cgi?id=4599
>
> Thank you,
>
> Alex.

And there you go...thanks Alex.

James


Re: [squid-users] Squid 3.5.20 fails to compile with openssl

2016-09-19 Thread Alex Rousskov
On 09/19/2016 04:01 PM, James Lay wrote:

> Openssl git latest commit version commit
> e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.

Please see http://bugs.squid-cache.org/show_bug.cgi?id=4599


Thank you,

Alex.



[squid-users] Squid 3.5.20 fails to compile with openssl

2016-09-19 Thread James Lay
So I know I posted this a while ago...thought I'd give it a shot today, 
but still no luck:


make[3]: Entering directory `/home/nobackup/build/squid-3.5.20/src/anyp'
depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/bash ../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H   -I../.. -I../../include -I../../lib -I../../src -I../../include -I/opt/openssl/include  -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64   -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF $depbase.Tpo -c -o PortCfg.lo PortCfg.cc &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I/opt/openssl/include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF .deps/PortCfg.Tpo -c PortCfg.cc  -fPIC -DPIC -o .libs/PortCfg.o

In file included from ../../src/anyp/PortCfg.h:18:0,
                 from PortCfg.cc:10:
../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
 typedef LockingPointer X509_Pointer;
../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
../../src/ssl/gadgets.h:83:75: error: invalid type in declaration before ‘;’ token
../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
 typedef LockingPointer EVP_PKEY_Pointer;
../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
../../src/ssl/gadgets.h:89:91: error: invalid type in declaration before ‘;’ token
../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
 typedef LockingPointer SSL_Pointer;
../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
../../src/ssl/gadgets.h:116:71: error: invalid type in declaration before ‘;’ token
make[3]: *** [PortCfg.lo] Error 1
make[3]: Leaving directory `/home/nobackup/build/squid-3.5.20/src/anyp'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make: *** [all-recursive] Error 1

Openssl git latest commit version commit 
e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.  thank you.


James


Re: [squid-users] What's the algorithm to achieve AclRandom

2016-09-19 Thread Alex Rousskov
On 09/19/2016 06:29 AM, ysu yang wrote:
>> A. Define "session" in HTTP or Squid terms that Squid understands. Write
>> ACLs (likely including an external ACL or an eCAP adapter) that will 
>> define a "session" for any given transaction and annotate same-session 
>> transactions accordingly. Load balance based on sessions instead of 
>> random events. The same external ACL or eCAP adapter can define load 
>> balancing by annotating the transaction according to the ICAP service it 
>> should be directed to. 

> I see your point, but I didn't find what I wanted in ACLs.  I would like to
> achieve load balancing based on IP (maybe implemented by a source IP hash
> algorithm). Do you have an idea?

Consider using an external ACL (i.e., Squid calling your custom script
when deciding whether the ACL matched). Your script gets the client IP
from Squid and, as a side effect, returns a transaction annotation to
Squid. Squid uses that annotation (via the "note" ACL) in the
adaptation_access rules to route the traffic to the right ICAP service
(or service set).


> And, if one ICAP server goes down, can Squid check that it is down and not
> send messages to it?

See http://www.squid-cache.org/Doc/config/adaptation_service_set/

Alex.

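One concrete shape of what Alex describes, as an added example that is neither from the thread nor the Squid project's own code: an external ACL helper in POSIX shell that hashes the client address into a fixed number of buckets and returns the bucket as an annotation, together with the squid.conf lines that would consume it. The annotation key `icap_pool`, the service names, the helper path and the `note`-ACL wiring are assumptions to be checked against the external_acl_type and adaptation_access documentation for your Squid version; the helper protocol used (one lookup line in, one `OK`/`ERR`/`BH` line out) is the default non-concurrent one.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: a minimal external
# ACL helper implementing source-IP-hash routing to ICAP services. Squid
# hands the helper one line per lookup (here only the client IP, from a %SRC
# format); the helper answers "OK" plus a key=value annotation, and "note"
# ACLs select the ICAP service from that annotation.
#
# Assumed squid.conf wiring (placeholders, not from the thread):
#   external_acl_type icap_router ttl=300 %SRC /usr/local/bin/icap_router.sh 3
#   acl routed external icap_router
#   acl pool0 note icap_pool 0
#   acl pool1 note icap_pool 1
#   acl pool2 note icap_pool 2
#   adaptation_access svc_icap0 allow routed pool0
#   adaptation_access svc_icap1 allow routed pool1
#   adaptation_access svc_icap2 allow routed pool2

# icap_bucket IP NBUCKETS -> a stable integer in [0, NBUCKETS)
# cksum is POSIX-standard (CRC-32 over the bytes), so every helper instance,
# and every restart, maps the same client to the same bucket.
icap_bucket() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % $2 ))
}

# helper_reply LINE NBUCKETS -> the line to send back to Squid for one lookup.
# The %SRC field is a bare address, so the first word of the line is used.
# Empty or malformed input gets "BH" (helper failure) with a message, so Squid
# logs the problem instead of silently routing on garbage.
helper_reply() {
    ip=${1%% *}
    case "$ip" in
        '' ) echo "BH message=empty_request"; return ;;
        *[!0-9a-fA-F:.]* ) echo "BH message=bad_address"; return ;;
    esac
    echo "OK icap_pool=$(icap_bucket "$ip" "$2")"
}

# Main loop: read lookups from Squid on stdin, one per line, answer on stdout.
# Argument 1 is the number of ICAP services to spread clients over.
main() {
    n=${1:-2}
    while IFS= read -r line; do
        helper_reply "$line" "$n"
    done
}

# Only enter the loop when executed with an argument, so the file can be
# sourced for testing without blocking on stdin.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the bucket is derived only from the client address, all of one client's transactions land on the same ICAP service for as long as that service list is unchanged; taking a service out of rotation re-maps every client, which is the usual trade-off of plain modulo hashing.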


Re: [squid-users] Web Whatsapp, Dropbox... problem

2016-09-19 Thread Jok Thuau
On Mon, Sep 19, 2016 at 10:39 AM, erdosain9  wrote:

> mm
> so...
> i think this is working for non take the certificate
>
> acl step1 at_step SslBump1
> acl excludeSSL ssl::server_name_regex web/.whatsapp/.com
>

wrong slashes... you want "\"


>
> ssl_bump peek step1
> ssl_bump splice excludeSSL
> ssl_bump bump all
>
> but, anyway something more is happening because well... dosent work.
> another point of view??
>

Yes, you still had something wrong. Also, I'm not sure if you need to
anchor the RE to prevent it matching something like
"web.whatsapp.com.malware.tld" in the server name. Maybe someone closer to
the code can answer that question...

Jok
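To see what the patterns in this exchange actually match, here is an added example (not from the thread) that runs them through `grep -E`. Squid's regex ACLs are POSIX extended regular expressions, and `grep -E` uses the same syntax, so the results carry over; the list of server names is constructed for illustration. It also shows the anchoring question Jok raises: unanchored `web\.whatsapp\.com` also splices `web.whatsapp.com.malware.example`, `^web\.whatsapp\.com$` does not, and `(^|\.)whatsapp\.com$` covers the domain and its subdomains without that over-match.

```shell
#!/bin/sh
# Added example, not from the thread: exercise ssl::server_name_regex-style
# patterns with grep -E (POSIX ERE, the dialect Squid's regex ACLs use).

# matches PATTERN NAME -> exit 0 if NAME matches PATTERN, unanchored unless
# the pattern anchors itself, exactly as the ACL would.
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Constructed list of TLS server names a peek at step1 might reveal.
NAMES='web.whatsapp.com
www.whatsapp.com
web.whatsapp.com.malware.example
webXwhatsappXcom
dropbox.com'

# splice_candidates PATTERN -> the names from NAMES the pattern would splice
splice_candidates() {
    printf '%s\n' "$NAMES" | grep -E -- "$1" || true
}

# splice_count PATTERN -> how many of NAMES the pattern matches
splice_count() {
    splice_candidates "$1" | grep -c . || true
}

# Demonstration:
# 1. The original pattern uses "/" where "\" was meant. "/" is a literal
#    character, and no hostname contains one, so nothing is ever spliced.
echo "web/.whatsapp/.com : $(splice_count 'web/.whatsapp/.com') match(es)"
# 2. Unescaped dots match any character, so webXwhatsappXcom also splices.
echo "web.whatsapp.com   : $(splice_count 'web.whatsapp.com') match(es)"
# 3. Escaped but unanchored: the malware.example name still splices.
echo "web\\.whatsapp\\.com : $(splice_count 'web\.whatsapp\.com') match(es)"
# 4. Anchored at both ends: exactly one name.
echo "^web\\.whatsapp\\.com\$ : $(splice_count '^web\.whatsapp\.com$') match(es)"
# 5. Domain plus any subdomain, still rejecting the look-alike suffix.
echo "(^|\\.)whatsapp\\.com\$ : $(splice_count '(^|\.)whatsapp\.com$') match(es)"
```

Squid's regex ACLs are also case-sensitive unless the `-i` flag is given, so a server name sent with upper-case letters would not match any of these patterns as written.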


Re: [squid-users] Web Whatsapp, Dropbox... problem

2016-09-19 Thread erdosain9
mm
so...
I think this is working for not taking the certificate

acl step1 at_step SslBump1 
acl excludeSSL ssl::server_name_regex web/.whatsapp/.com 

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 

but, anyway, something more is happening because, well... it doesn't work.
Another point of view??





Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread L . P . H . van Belle
Yes,

You can fix that by setting the SPN HTTP/host.you.domain.tld in the UPN.
I had that too, changed it and it is working perfectly now.

See subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2
minor bugs maybe )

Greetz,

Louis




> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
> Silamael Darkomen
> Sent: Monday 19 September 2016 14:20
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> 
> On 19.09.2016 14:08, L.P.H. van Belle wrote:
> > Well, that's strange.
> > No, I can't speak about OpenBSD, but below is pretty general.
> >
> > When you test, did you set this before the test?
> > KRB5_KTNAME=/etc/squid/proxy.keytab
> > And does that keytab contain the HTTP/SPN?
> > And test/check if you see http/SPN in the UPN; if not, try that also.
> > After that change the
> > I just tested again to make my groups more flexible.
> >
> > /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
> > -D YOUR.REALM.TLD \
> > -N ntdom...@your.realm.tld \
> > -S dc1.your.dnsdomain@your.realm.tld \
> > -i -d
> > This one is without the -g so we can use more group names,
> > but test with -g first.
> >
> > From this example. But I changed the ldap group to kerberos group here.
> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> That's all there, environment is correctly set up. Keytab looks good.
> As said before, the negotiate_kerberos_auth part works like a charm.
> All I get is a bunch of messages complaining about not being able to
> reach any KDC in realm while initializing the credentials of the keytab...
> Thought that it might be a DNS issue but even configuring DNS so that
> the AD server does all the DNS stuff did not change a bit :(
> 
> -- Matthias


Re: [squid-users] What's the algorithm to achieve AclRandom

2016-09-19 Thread ysu yang
First of all, thanks for your advice.

> B. Adjust the ICAP service to store information about "sessions" in
> such 
> a way that different service instances can share it. For example, if
> all 
> ICAP services run on the same machine, they can use shared memory 
> segments to exchange information among each other. 

I have no way to make different ICAP servers share the same memory.

> A. Define "session" in HTTP or Squid terms that Squid understands.
> Write
> ACLs (likely including an external ACL or an eCAP adapter) that will 
> define a "session" for any given transaction and annotate same-session 
> transactions accordingly. Load balance based on sessions instead of 
> random events. The same external ACL or eCAP adapter can define load 
> balancing by annotating the transaction according to the ICAP service
> it 
> should be directed to. 

I see your point, but I didn't find what I wanted in ACLs.  I would like to
achieve load balancing based on IP (maybe implemented by a source IP hash
algorithm). Do you have an idea?

And, if one ICAP server goes down, can Squid check that it is down and not
send messages to it?

Thanks in advance






Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread Silamael Darkomen

On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well, that's strange.
> No, I can't speak about OpenBSD, but below is pretty general.
> 
> When you test, did you set this before the test?
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN?
> And test/check if you see http/SPN in the UPN; if not, try that also.
> After that change the
> I just tested again to make my groups more flexible.
> 
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
> -D YOUR.REALM.TLD \
> -N ntdom...@your.realm.tld \
> -S dc1.your.dnsdomain@your.realm.tld \
> -i -d
> This one is without the -g so we can use more group names,
> but test with -g first.
> 
> From this example. But I changed the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

That's all there, environment is correctly set up. Keytab looks good.
As said before, the negotiate_kerberos_auth part works like a charm.
All I get is a bunch of messages complaining about not being able to
reach any KDC in realm while initializing the credentials of the keytab...
Thought that it might be a DNS issue but even configuring DNS so that
the AD server does all the DNS stuff did not change a bit :(

-- Matthias


Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread L . P . H . van Belle
Well, that's strange.
No, I can't speak about OpenBSD, but below is pretty general.

When you test, did you set this before the test?
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN?
And test/check if you see http/SPN in the UPN; if not, try that also.
After that change the
I just tested again to make my groups more flexible.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
-D YOUR.REALM.TLD \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain@your.realm.tld \
-i -d
This one is without the -g so we can use more group names,
but test with -g first.

From this example. But I changed the ldap group to kerberos group here.
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy


When I now put in "username groupname" after starting with the line above to
test it out, I'm getting:

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: 
INFO: User username is member of group@domain groupn...@your.realm.tld
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| 
kerberos_ldap_group: DEBUG: OK

this is all i have in krb5.conf
[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true

And the AD DC lookup works if you set the SPN in the UPN; at least it works for
me.
I have my system's keytab as the default keytab, and
KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME

TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

is set in /etc/default/squid3.

So I'm thinking: review the keytab setup and the variable.

And:
>The AD is reachable from the proxy machine but DNS is not done by the AD
>but on the proxy machine itself.

Same here, but I do have a forward zone in the DNS for my AD domain.


Hope this helps a bit. 

Greetz, 

Louis


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
> Silamael Darkomen
> Sent: Monday 19 September 2016 13:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test, that you may need to modify the default
> > kerberos ticket used.
> >
> >
> >
> >
> >
> > I suggest you change you config a bit to something like
> >
> >
> >
> > external_acl_type internet-win-allowed %LOGIN
> > /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> >
> > -D YOUR.REALM.TLD \
> >
> > -g allowed-inter...@your.realm.tld \
> >
> > -N ntdom...@your.realm.tld \
> >
> > -S
> >
> dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld
> 
> Hello,
> 
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
> 
> -- Matthias
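The keytab check Louis asks about, as an added example that is not part of the thread: a POSIX shell script that reads `klist -k` output and verifies that an `HTTP/<fqdn>@REALM` entry is present, plus a wrapper that runs the same check on the keytab named by `KRB5_KTNAME`, the variable exported from /etc/default/squid3 above. The `klist` text below is constructed, using the thread's placeholder host and realm; `check_live` assumes MIT-style `klist -k` output (Heimdal's `ktutil list` has a different column layout and would need its own parser).

```shell
#!/bin/sh
# Added example, not from the thread: verify the two things the helper needs
# before you run ext_kerberos_ldap_group_acl by hand: KRB5_KTNAME points at a
# keytab the Squid user can read, and that keytab holds an HTTP/<fqdn>@REALM
# principal. Host, realm and paths are the thread's placeholders.

# Constructed sample of what MIT "klist -k" prints for a proxy keytab holding
# the host principal and the HTTP service principal the helper needs.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy.your.dnsdomain@YOUR.REALM.TLD
   3 HTTP/proxy.your.dnsdomain@YOUR.REALM.TLD'

# keytab_principals KLIST_TEXT SERVICE -> the principals whose service part is
# SERVICE (e.g. HTTP), one per line, taken only from the "KVNO principal" rows.
keytab_principals() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        NF == 2 && $1 ~ /^[0-9]+$/ && index($2, svc "/") == 1 { print $2 }'
}

# keytab_has_http_spn KLIST_TEXT FQDN REALM -> 0 if HTTP/FQDN@REALM is present.
# The comparison is exact and case-sensitive, as the Kerberos libraries'
# keytab lookup is: an entry for http/... does not serve a client that asks
# for HTTP/..., and the realm must be in the upper-case form the KDC issues.
keytab_has_http_spn() {
    keytab_principals "$1" HTTP | grep -Fqx -- "HTTP/$2@$3"
}

# check_live FQDN REALM -> run the same check on the real keytab named by
# KRB5_KTNAME (falling back to the MIT default), as the helper would see it
# when started from the same environment.
check_live() {
    kt=${KRB5_KTNAME:-/etc/krb5.keytab}
    kt=${kt#FILE:}
    if [ ! -r "$kt" ]; then
        echo "keytab $kt is not readable by $(id -un)"
        return 1
    fi
    out=$(klist -k "$kt") || return 1
    if keytab_has_http_spn "$out" "$1" "$2"; then
        echo "HTTP/$1@$2 present in $kt"
    else
        echo "HTTP/$1@$2 missing from $kt; service principals found:"
        keytab_principals "$out" HTTP
        keytab_principals "$out" host
        return 1
    fi
}

# Demonstration on the constructed sample (nothing is read from disk).
keytab_principals "$SAMPLE_KLIST" HTTP
```

Run it as the Squid user, for example `su -s /bin/sh proxy -c '. ./keytab_check.sh; check_live proxy.your.dnsdomain YOUR.REALM.TLD'`, so that the readability test reflects the account the helper actually runs under rather than root.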


Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread Silamael Darkomen


On 16.09.2016 22:11, Markus Moeller wrote:
> Hi Silamael,
> 
> Can you perform a kinit u...@example.com ?   Does the squid user
> have read access to  krb5.conf ?
> 
> Markus

Hello Markus,

Yes, the permissions are correctly set up so that Squid and its
processes can read every file needed.
It seems that the Heimdal library ignores the dns_lookup_kdc and
dns_lookup_realm options in the krb5.conf...
As written in my other response, the helper also crashes at the end.
I'll take a look at the stack trace...

-- Matthias


Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-19 Thread Silamael Darkomen
On 16.09.2016 10:52, L.P.H. van Belle wrote:
> I think you forgot in your test, that you may need to modify the default
> kerberos ticket used.
> 
>  
> 
>  
> 
> I suggest you change you config a bit to something like
> 
>  
> 
> external_acl_type internet-win-allowed %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> 
> -D YOUR.REALM.TLD \
> 
> -g allowed-inter...@your.realm.tld \
> 
> -N ntdom...@your.realm.tld \
> 
> -S
> dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld

Hello,

Tried your suggestions but that doesn't change anything.
Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
iterating over all the entries for the keytab...
Any further ideas?

-- Matthias