[squid-users] Intermittent Cache DNS problem

2003-07-10 Thread Venieris Yiannos
Hi All,

I am using Squid from within Smoothwall. Lately, (2 to 3 times a day) I get the 
following error:

"The cache was not able to resolve the hostname presented in the URL"

I resolve it by restarting the firewall. Is there a better way?

Thanks in advance

Yiannos


[squid-users] acl aclname user ??? does this exist?

2003-07-10 Thread Greg Cunningham
The squid.conf doco list of acltypes has an acltype of "user".  There is no
explanation of this acltype & I got a parse error when trying to implement
it. Does it in fact exist?

I want to match an acl against the authenticated user cache.  Is it
possible? (I thought maybe that was what the "user" acltype was) or do I have
to do selective authentication before:
acl password proxy_auth REQUIRED

--
Greg Cunningham BAppComp, RHCE   ph +61 3 6440 7453
Systems Analyst  fx +61 3 6440 6455
Harris & Company Pty. Ltd.   mo0407 056 788
mailto:[EMAIL PROTECTED]

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 13:18, Adam Aube wrote:
> >Digest, per se, doesn't require clear text password storage.
> >Squid's supplied helper uses cleartext, but that is simply -a-
> >implementation. Squid itself never needs the cleartext password.
> 
> Technically, yes - digest auth does not require the password to be 
> stored in cleartext. However, as you pointed out, the Squid-supplied 
> helper does, and I know of no other digest helper for Squid.

Well, there's a little project then :}. In point of fact, in 3.0 squid
can read pre-digested passwords in the supplied helper.

> Furthermore, since knowledge of the clear text password is needed 
> to verify the digest sent, the password would need to be stored either 
> in clear text or reversible encryption - unless I completely misunderstand 
> how digest auth works (which is also quite possible).

You completely misunderstand how digest auth works. See RFC 2617 for the
spec.

> Digest could be improved upon by using a hash of the password instead 
> of the password itself. 

Digest -does- use a hash of the password. It uses the MD5 of the
password, to be precise. (That's Message Digest - thus the name)

Mozilla, IE, squid, apache, all use the MD5 - no cleartext passwords are
used for either verification or over the wire.

What is needed to verify the password is the HHA1 (see the spec), which
is MD5(user:realm:password) - possibly combined with one time nonces
from the client and the server (that's md5-sess, which we don't support
(yet)).

Once you have HHA1, then you can issue challenges and verify responses,
without knowledge of the password.

Rob
-- 
GPG key available at: .




RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>Digest, per se, doesn't require clear text password storage.
>Squid's supplied helper uses cleartext, but that is simply -a-
>implementation. Squid itself never needs the cleartext password.

Technically, yes - digest auth does not require the password to be 
stored in cleartext. However, as you pointed out, the Squid-supplied 
helper does, and I know of no other digest helper for Squid.

Furthermore, since knowledge of the clear text password is needed 
to verify the digest sent, the password would need to be stored either 
in clear text or reversible encryption - unless I completely misunderstand 
how digest auth works (which is also quite possible).

Digest could be improved upon by using a hash of the password instead 
of the password itself. Of course, there's something of a chicken-
and-egg problem here: proxy and web servers won't support it until 
browsers support it, and browsers won't support it until proxy and 
web servers support it. Additionally, since digest auth is an RFC,
someone would have to draft another RFC. So even if it is a great 
idea, it can't be implemented quickly (if at all).

Adam








RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 12:49, Adam Aube wrote:

> A good compromise would be for Mozilla to prompt for username, password,
> and domain, then use that info to do NTLM. Wouldn't have all the 
> benefits of Windows NTLM, but would be more secure than basic and 
> wouldn't require cleartext password storage like digest.

Digest, per se, doesn't require clear text password storage.

Squid's supplied helper uses cleartext, but that is simply -a-
implementation. Squid itself never needs the cleartext password.

Rob
-- 
GPG key available at: .




RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>>Mozilla 1.4 claims to support NTLM authentication.
>
>That would rock. I hope it happens.

Should have checked the Mozilla site before responding - 1.4 has 
been out for a week and a half.

Too bad it only works for Windows, but then it would probably be 
very difficult to implement under Linux.

A good compromise would be for Mozilla to prompt for username, password,
and domain, then use that info to do NTLM. Wouldn't have all the 
benefits of Windows NTLM, but would be more secure than basic and 
wouldn't require cleartext password storage like digest.

Adam









RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>Mozilla 1.4 claims to support NTLM authentication.

That would rock. I hope it happens.

Adam








RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread mwestern
hehe.  yep  i mean basic.  sorry.

ta for tcpdump.

interesting idea.  i might put basic first and see if IE takes the best
option, not the last option in the list (if it makes a difference that is)
and then see if adobe takes the basic option.  then i'll be set.

i'll follow it up with adobe anyway.  what's a pain is i probably have to go
and find the license numbers and reg info just to log a bug.  these
closed source companies, i ask you.

thanks 
Matt

-Original Message-
From: Robert Collins [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2003 11:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] ACL Regex Browser - for Adobe Web capture?


On Fri, 2003-07-11 at 12:03, [EMAIL PROTECTED] wrote:
> Hi Robert,
> 
> >you can simply allow adobe based on a browser regex before your auth
> >triggering http_access lines.
> 
> that's what i'm hoping to do to get around this problem.  have you managed
> to do this?  i've not experimented yet as i didn't know what adobe tells
> squid what browser it is.  i'm going to tcpdump eventually and see if i can
> figure it out.

Yup. tcpdump -s 1500 -X port 8080 host 

that should do it for you.

> >As far as the adobe tool working with plain, not when NTLM is enabled,
> >that smells like a bug - RFC 2617 specifies that user agents should
> >select the -best supported- auth scheme offered by the proxy - and as
> >you have plain enabled, adobe should select that and use it.
> 
> just plain works with adobe.  ntlm doesn't.  and ntlm first and plain second
> doesn't.  sad that.  

Uhm 'plain'? I presume you are referring to 'basic' - there is no such
scheme as plain.

> i'm guessing that adobe is selecting the best supported one which is ntlm
> and failing because it doesn't like it.  it's version 5 of pdf which isn't
> the latest (6 is out).

That's the point - if it doesn't like NTLM, it shouldn't select it
according to the RFC. This is grounds for a bug report to the vendor -
adobe- IMO. I was giving you the description, to help you make the case
to them :}.

Anecdotally MSIE has (perhaps had - I haven't tested for a while) a bug
that it always chooses the first offered scheme, even if it is less
secure than others in the list. 

Rob
-- 
GPG key available at: .


RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 12:03, [EMAIL PROTECTED] wrote:
> Hi Robert,
> 
> >you can simply allow adobe based on a browser regex before your auth
> >triggering http_access lines.
> 
> that's what i'm hoping to do to get around this problem.  have you managed
> to do this?  i've not experimented yet as i didn't know what adobe tells
> squid what browser it is.  i'm going to tcpdump eventually and see if i can
> figure it out.

Yup. tcpdump -s 1500 -X port 8080 host 

that should do it for you.

> >As far as the adobe tool working with plain, not when NTLM is enabled,
> >that smells like a bug - RFC 2617 specifies that user agents should
> >select the -best supported- auth scheme offered by the proxy - and as
> >you have plain enabled, adobe should select that and use it.
> 
> just plain works with adobe.  ntlm doesn't.  and ntlm first and plain second
> doesn't.  sad that.  

Uhm 'plain'? I presume you are referring to 'basic' - there is no such
scheme as plain.

> i'm guessing that adobe is selecting the best supported one which is ntlm
> and failing because it doesn't like it.  it's version 5 of pdf which isn't
> the latest (6 is out).

That's the point - if it doesn't like NTLM, it shouldn't select it
according to the RFC. This is grounds for a bug report to the vendor -
adobe- IMO. I was giving you the description, to help you make the case
to them :}.

Anecdotally MSIE has (perhaps had - I haven't tested for a while) a bug
that it always chooses the first offered scheme, even if it is less
secure than others in the list. 

Rob
-- 
GPG key available at: .




[squid-users] Re: Norton AntiVirus detected and quarantined a virus in a message you sent.

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 11:45, SEMELE NAV for Microsoft Exchange wrote:
> Recipient of the infected attachment:  Eider Silva de Oliveira\Inbox
> Subject of the message:  RE: [squid-users] ACL Regex Browser - for Adobe Web
> capture?
> One or more attachments were quarantined.
>   Attachment  was Quarantined for the following reasons:
> Virus UNAUTHORIZED FILE was found.

You know, this is really annoying. My emails to the squid-users list are
gpg-signed emails, according to a several year old RFC. There are -no-
files there at all.

I've disabled signing for this one email in the hopes that the admins
for oulinc.com, or Eider Silva De Oliveira will see this and get SEMELE
NAV fixed or reconfigured...

Rob

-- 
GPG key available at: .



RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Ken Thomson
Mozilla 1.4 claims to support NTLM authentication.

-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2003 11:41
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] Re: ntlm won't prompt



>Please excuse my ignorance. Would passwords be passed in clear text using
>basic auth? Is there an authentication scheme that works without clear text.

There are 3 types of auth supported in Squid:

1) Basic auth
  - Works with virtually any browser
  - Password is sent in clear text
  - Password can be stored any number of ways (depending on helper)
2) Digest auth
  - Works with most browsers
  - Password is not sent cleartext
  - Password must be stored in clear text
3) NTLM auth
  - Works only with IE; Does not prompt for username/password
  - Password is not sent cleartext
  - Password is not stored cleartext

Quite frankly, if you can use NTLM auth, do it. That is the one feature 
in IE that I wish other browsers would emulate.

Adam








RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread mwestern
i don't think the developers of squid would agree with you on that one.  :)


>Quite frankly, if you can use NTLM auth, do it. That is the one feature 
>in IE that I wish other browsers would emulate.

http://devel.squid-cache.org/ntlm/client_proxy_protocol.html  seems to think
that 'it couldn't get much dumber than this'.

from a programmers perspective it's probably a pain but from our point of
view it seems the best.

a big thanks to all the squid guys.  you rock.
M





RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread mwestern
Hi Robert,

>you can simply allow adobe based on a browser regex before your auth
>triggering http_access lines.

that's what i'm hoping to do to get around this problem.  have you managed
to do this?  i've not experimented yet as i didn't know what adobe tells
squid what browser it is.  i'm going to tcpdump eventually and see if i can
figure it out.

>As far as the adobe tool working with plain, not when NTLM is enabled,
>that smells like a bug - RFC 2617 specifies that user agents should
>select the -best supported- auth scheme offered by the proxy - and as
>you have plain enabled, adobe should select that and use it.

just plain works with adobe.  ntlm doesn't.  and ntlm first and plain second
doesn't.  sad that.  

i'm guessing that adobe is selecting the best supported one which is ntlm
and failing because it doesn't like it.  it's version 5 of pdf which isn't
the latest (6 is out).

thanks and regards
Matthew


Re: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube

>Please excuse my ignorance. Would passwords be passed in clear text using
>basic auth? Is there an authentication scheme that works without clear text.

There are 3 types of auth supported in Squid:

1) Basic auth
  - Works with virtually any browser
  - Password is sent in clear text
  - Password can be stored any number of ways (depending on helper)
2) Digest auth
  - Works with most browsers
  - Password is not sent cleartext
  - Password must be stored in clear text
3) NTLM auth
  - Works only with IE; Does not prompt for username/password
  - Password is not sent cleartext
  - Password is not stored cleartext

Quite frankly, if you can use NTLM auth, do it. That is the one feature 
in IE that I wish other browsers would emulate.

Adam








RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 11:27, [EMAIL PROTECTED] wrote:

> err.  adobe PDF web capture you basically start adobe and say capture a web
> page and paste in a url and say grab.  it's very very good at making A4 pdfs
> out of fairly bad web pages.  it doesn't go to 'capture servers' as
> such.  i may have misled you a little.

you can simply allow adobe based on a browser regex before your auth
triggering http_access lines.

As far as the adobe tool working with plain, not when NTLM is enabled,
that smells like a bug - RFC 2617 specifies that user agents should
select the -best supported- auth scheme offered by the proxy - and as
you have plain enabled, adobe should select that and use it.

Rob
-- 
GPG key available at: .




RE: [squid-users] ntlm won't prompt

2003-07-10 Thread mwestern
9pm?  isn't it time you stopped working?  :)  thanks for the advice.  i'll
post if i find the cure...
M

-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] ntlm won't prompt


>damn.  sorry.  aarrghhh.  It's a friday here and i'm looking forward to the
>w/end.  

Don't worry about it - I did the same thing myself, once (though 
not on this list).

Enjoy the upcoming weekend - it's only 9 PM Thursday here.

Adam







RE: [squid-users] ntlm won't prompt

2003-07-10 Thread Adam Aube
>damn.  sorry.  aarrghhh.  It's a friday here and i'm looking forward to the
>w/end.  

Don't worry about it - I did the same thing myself, once (though 
not on this list).

Enjoy the upcoming weekend - it's only 9 PM Thursday here.

Adam








[squid-users] Re: ntlm won't prompt

2003-07-10 Thread Norman Zhang
>> I am trying to get squid to prompt me for password before granting
>> access to the internet.
>
> The whole point of NTLM auth is not having to enter the password.
> If you want the password prompt, you need to use basic auth and
> the wb_auth helper.

Please excuse my ignorance. Would passwords be passed in clear text using
basic auth? Is there an authentication scheme that works without clear text.

Regards,
Norman





RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread mwestern
idiot me re: last message.


>The IP of the client doesn't matter. All that matters is that you 
>put in the IP addresses of the Adobe PDF capture servers. This will 
>allow anyone to access those server's without having to go through 
>authentication.

>It's a hack, but it works.


err.  adobe PDF web capture you basically start adobe and say capture a web
page and paste in a url and say grab.  it's very very good at making A4 pdfs
out of fairly bad web pages.  it doesn't go to 'capture servers' as
such.  i may have misled you a little.

basically it's like a browser in the same manner as IE, but converts to PDF.
there is a FAQ on adobe that says basically no you can't have auth on your
proxy for this to work.  sux badly that does, but basic auth still does
work.  quite baffling.

re:  capture of header?  excellent.  i'll try that.  i tried tcpdump and
just viewing the data with a -X but all the junk went past faster than the
eye could blink.  good call.

M





RE: [squid-users] Issues with Windows Update (transparent proxy + squid guard + seperate squid box)

2003-07-10 Thread Nick Pappas
For the record, in case there are other who may be / will be in the same
case as us; this solved the problem completely.  No more issues with Windows
Update, and a host of other ssl-based sites now function properly.

Thank you for your assistance.


Nick Pappas
The Keyes Company



-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 08, 2003 5:57 PM
To: Nick Pappas; [EMAIL PROTECTED] Org
Subject: Re: [squid-users] Issues with Windows Update (transparent proxy +
squid guard + seperate squid box)


On Tuesday 08 July 2003 23.03, Nick Pappas wrote:

> So the goal at the moment is to find a way to transparently make https 
> traffic go in and out of the squid box (from the NAT box).

See advanced routing.

Hint: You don't nat either of http or https on the "NAT" gateway, just 
route them.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or firewall
appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



RE: [squid-users] ntlm won't prompt

2003-07-10 Thread mwestern
damn.  sorry.  aarrghhh.  It's a friday here and i'm looking forward to the
w/end.  

-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] ntlm won't prompt


At Friday, 11 July 2003, [EMAIL PROTECTED] wrote:

>I don't want the password prompt, but i do want people with linux boxes that
>NTLM won't work to still use basic.  this also works if in the conf you have
>ntlm first and then basic.  very very nice.
>
>just the adobe thing is the pain.   that's why i was hoping for an acl that
>says this is adobe, use no auth (as most people won't be doing much
>'surfing' from adobe web capture.

I think you replied to the wrong message. See my reply under the 
"ACL Regex Browser - for Adobe Web capture?" subject for your answer.








RE: [squid-users] ntlm won't prompt

2003-07-10 Thread Adam Aube
At Friday, 11 July 2003, [EMAIL PROTECTED] wrote:

>I don't want the password prompt, but i do want people with linux boxes that
>NTLM won't work to still use basic.  this also works if in the conf you have
>ntlm first and then basic.  very very nice.
>
>just the adobe thing is the pain.   that's why i was hoping for an acl that
>says this is adobe, use no auth (as most people won't be doing much
>'surfing' from adobe web capture.

I think you replied to the wrong message. See my reply under the 
"ACL Regex Browser - for Adobe Web capture?" subject for your answer.









RE: [squid-users] ntlm won't prompt

2003-07-10 Thread mwestern
I don't want the password prompt, but i do want people with linux boxes that
NTLM won't work to still use basic.  this also works if in the conf you have
ntlm first and then basic.  very very nice.

just the adobe thing is the pain.   that's why i was hoping for an acl that
says this is adobe, use no auth (as most people won't be doing much
'surfing' from adobe web capture.

-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] ntlm won't prompt


>I am trying to get squid to prompt me for password before granting access
>to the internet.

The whole point of NTLM auth is not having to enter the password.
If you want the password prompt, you need to use basic auth and 
the wb_auth helper.

Adam







Re: [squid-users] ntlm won't prompt

2003-07-10 Thread Adam Aube
>I am trying to get squid to prompt me for password before granting access
>to the internet.

The whole point of NTLM auth is not having to enter the password.
If you want the password prompt, you need to use basic auth and 
the wb_auth helper.

Adam








RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread Adam Aube
>a bug to Adobe?  ok. sounds like a plan.

Yeah, I know. You might as well report it to a brick wall, but at least 
you're doing the right thing. Who knows, maybe if enough people do 
it, they may even list it as a known issue :).

>does anybody know how to use tcpdump to sniff what the browser is sending as
>its header?

Use tcpdump to capture the raw data, then read it in Ethereal. Ethereal 
will decode the readable portions of the data for you. Just make 
sure you grab the whole packet and not just the headers.

>thanks for that acl.  problem is i've got say 6 or 8 people using Adobe PDF
>capture.  they're all on DHCP.

The IP of the client doesn't matter. All that matters is that you 
put in the IP addresses of the Adobe PDF capture servers. This will 
allow anyone to access those servers without having to go through 
authentication.

It's a hack, but it works.

Adam








RE: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread mwestern
a bug to Adobe?  ok. sounds like a plan.

does anybody know how to use tcpdump to sniff what the browser is sending as
its header?

thanks for that acl.  problem is i've got say 6 or 8 people using Adobe PDF
capture.  they're all on DHCP.  i've got a similar acl for our servers which
obviously are on static numbers...



-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] ACL Regex Browser - for Adobe Web capture?


>I've got a beautifully working squid server with NTLM then BASIC auth so
>windows automatically authenticates and Linux can use basic auth.   

Sweet, isn't it?

>1.  We have a number of users that use Adobe Web Capture to PDF file.  with
>basic auth only turned on it prompts for a password like it should.  with
>NTLM and then basic turned on (which works for everything else), it says
>failed to authenticate.  i gather it's trying to use NTLM and failing.
>Linux machines work fine because they use the basic auth.

I've generally had the opposite problem (programs had problems with 
basic auth; work fine with NTLM). I've developed a workaround which 
may work for you, too. I'll integrate my example with your squid.conf:

acl noauth dst [IP Address]
acl lonsdaleall proxy_auth REQUIRED
http_access allow noauth
http_access allow lonsdaleall

The order of the acl lines doesn't matter, but the order of the http_access 
lines does. Substitute [IP Address] for the IP Addresses of the Adobe 
Web Capture servers.

Oh, and report a bug to Adobe, also.

As to your other question, I've never had that problem. But then,
we're all on IE 5.5, and XP uses 6.0.

Adam







[squid-users] ntlm won't prompt

2003-07-10 Thread Norman Zhang
Hi,

I am trying to get squid to prompt me for password before granting access to
the internet. But for every page I go to the password challenge is skipped.
winbind-auth-challenge is compiled in. I tried

wbinfo -a username%password

both a plaintext and challenge-response is successful. Sorry for attaching
my squid.conf below. Would someone please give me a few pointers? Thanks.

Regards,
Norman

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/spool/squid 200 16 256
ftp_user [EMAIL PROTECTED]
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

acl authusrs proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
acl localnet src 192.168.11.0/26 192.168.22.0/25

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authusrs localnet
http_access allow localhost
http_access deny all

icp_access allow all





Re: [squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread Adam Aube
>I've got a beautifully working squid server with NTLM then BASIC auth so
>windows automatically authenticates and Linux can use basic auth.   

Sweet, isn't it?

>1.  We have a number of users that use Adobe Web Capture to PDF file.  with
>basic auth only turned on it prompts for a password like it should.  with
>NTLM and then basic turned on (which works for everything else), it says
>failed to authenticate.  i gather it's trying to use NTLM and failing.
>Linux machines work fine because they use the basic auth.

I've generally had the opposite problem (programs had problems with 
basic auth; work fine with NTLM). I've developed a workaround which 
may work for you, too. I'll integrate my example with your squid.conf:

acl noauth dst [IP Address]
acl lonsdaleall proxy_auth REQUIRED
http_access allow noauth
http_access allow lonsdaleall

The order of the acl lines doesn't matter, but the order of the http_access 
lines does. Substitute [IP Address] for the IP Addresses of the Adobe 
Web Capture servers.

Oh, and report a bug to Adobe, also.

As to your other question, I've never had that problem. But then,
we're all on IE 5.5, and XP uses 6.0.

Adam








[squid-users] ACL Regex Browser - for Adobe Web capture?

2003-07-10 Thread mwestern
Hi All,
I've got a beautifully working squid server with NTLM then BASIC auth so
windows automatically authenticates and Linux can use basic auth.   

basically it's  compiled with ntlm,basic support.

2 questions:

1.  We have a number of users that use Adobe Web Capture to PDF file.  with
basic auth only turned on it prompts for a password like it should.  with
NTLM and then basic turned on (which works for everything else), it says
failed to authenticate.  i gather it's trying to use NTLM and failing.
Linux machines work fine because they use the basic auth.

According to http://www.squid-cache.org/Doc/FAQ/FAQ-10.html i can use a
regex for what the browser sends in the header or something.  IE sends
'Mozilla' but i've no idea what Adobe sends or if it even sends something
different.  (here's hoping it does).   can someone help out with that one?

2.  has anybody noticed with the latest build with NTLM that some browsers
just go to sleep for a while and after about 2 mins squid comes back and
says dest server not available or something.  client i noticed it on was XP
with all the latest updates.  

here's my conf file:

auth_param
#CHANGING TO THIS TESTING   disabling for a tick
#auth_param ntlm program /usr/lib/squid/ntlm_auth lonsdale/sun
lonsdale/electra$
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 5
#auth_param ntlm credentialsttl 2 hours


#THIS IS WORKING AT THE MOMENT
auth_param basic program /usr/lib/squid/smb_auth -W LONSDALE -S
/netlogon/proxy$
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

---acl
acl lonsdaleall proxy_auth REQUIRED
http_access allow lonsdaleall






RE: [squid-users] ACL's and blocking URL's

2003-07-10 Thread Greg Darby
Thanks for your response.

I have worked it out with your help.

I just created 2 groups of users and 2 url_regex lines, popped them in the
config file in order and it works perfectly.

Thanks again..

Regards,

Greg

-Original Message-
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] ACL's and blocking URL's


>I currently have an ACL setup (using regex -i) to block certain files from
>being viewed or downloaded (eg EXE, ZIP etc) which affects everyone using
>the cache. I now have the requirement to allow certain users from accessing
>some websites which require the unblocking of ZIP attachments so i would
>like to ask if anyone can advise how to setup 2 completely separate regex -i
>statements in the config file. All our users have static ip's so i think
>that will make it easier.

Easy enough:

acl programs url_regex -i \.exe$ \.zip$
acl program_users src 192.168.0.1 192.168.0.2

http_access allow programs program_users
http_access deny programs

Adam







Disclaimer : 
This email and it's attachments are confidential. If you are not the intended 
recipient you must not disclose, distribute or re-produce any of it's contents as it 
may be a breach of confidentiality.  If you have received this message in error, 
please advise us immediatley by return email and delete the entire document. Ramelec 
Pty Ltd cannot guarantee the security of any information electronically transmitted 
across the Internet. Ramelec Pty Ltd does not accept responsibility for improper or 
incomplete information within this message, any delay in it's receipt and that this 
message is free of any known Virus. The address from which this email has been sent is 
strictly intended for business email only and Ramelec Pty Ltd reserves the right to 
monitor / alter it's contents at it's discretion.

This message has been scanned for the prescence of known Virus's by Gordano's GMS 
Virus Protection Package.


Re: [squid-users] ACL's and blocking URL's

2003-07-10 Thread Adam Aube
>I currently have an ACL setup (using regex -i) to block certain files from
>being viewed or downloaded (eg EXE, ZIP etc) which affects everyone using
>the cache. I now have the requirement to allow certain users from accessing
>some websites which require the unblocking of ZIP attachments so i would
>like to ask if anyone can advise how to setup 2 completely separate regex -i
>statements in the config file. All our users have static ip's so i think
>that will make it easier.

Easy enough:

acl programs url_regex -i \.exe$ \.zip$
acl program_users src 192.168.0.1 192.168.0.2

http_access allow programs program_users
http_access deny programs

Adam
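
The ordering rule this answer depends on, as an added example rather than anything posted to the list: a simplified Python model of how Squid walks `http_access` lines (ACLs on one line are ANDed, the first fully matching line decides, and with no match the result is the opposite of the last line). It also covers the `noauth` workaround from the Adobe Web capture thread; the function names, the request fields and the 192.0.2.10 / example.test values are constructed for illustration.

```python
import ipaddress
import re


def parse_conf(text):
    """Parse the small acl / http_access subset used in these threads."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            name, kind, values = tok[1], tok[2], tok[3:]
            if kind == "url_regex":
                flags = re.IGNORECASE if values[:1] == ["-i"] else 0
                values = [re.compile(v, flags) for v in values if v != "-i"]
            elif kind in ("src", "dst"):
                values = [ipaddress.ip_network(v, strict=False) for v in values]
            acls.setdefault(name, {"kind": kind, "values": []})["values"] += values
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def acl_matches(acl, req):
    """True if any value of the ACL matches the request (values are ORed)."""
    kind, values = acl["kind"], acl["values"]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in net for net in values)
    if kind == "url_regex":
        return any(rx.search(req["url"]) for rx in values)
    if kind == "proxy_auth":  # REQUIRED: any authenticated user
        return req["user"] is not None
    raise ValueError(f"acl type {kind!r} is not modelled")


def decide(conf_text, req):
    """Return 'allow', 'deny' or 'challenge' (407) for one request."""
    acls, rules = parse_conf(conf_text)
    if not rules:
        raise ValueError("no http_access lines to evaluate")
    for action, names in rules:
        for name in names:  # left to right, stop at the first failure
            acl = acls[name.lstrip("!")]
            if acl["kind"] == "proxy_auth" and req["user"] is None:
                return "challenge"  # credentials are needed to go on
            if acl_matches(acl, req) == name.startswith("!"):
                break  # this ACL failed, so the line does not match
        else:
            return action  # every ACL on the line matched
    # No line matched: the opposite of the last line's action applies.
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, url, dst="203.0.113.5", user=None):
    """Constructed request record; dst stands in for the resolved server IP."""
    return {"src": src, "dst": dst, "url": url, "user": user}


# The rules from the answer above, then the same rules with the lines swapped.
BLOCK_RULES = r"""
acl programs url_regex -i \.exe$ \.zip$
acl program_users src 192.168.0.1 192.168.0.2
http_access allow programs program_users
http_access deny programs
"""
BLOCK_SWAPPED = r"""
acl programs url_regex -i \.exe$ \.zip$
acl program_users src 192.168.0.1 192.168.0.2
http_access deny programs
http_access allow programs program_users
"""
# The noauth workaround; 192.0.2.10 is a constructed placeholder address.
NOAUTH_RULES = """
acl noauth dst 192.0.2.10
acl lonsdaleall proxy_auth REQUIRED
http_access allow noauth
http_access allow lonsdaleall
"""
NOAUTH_SWAPPED = """
acl noauth dst 192.0.2.10
acl lonsdaleall proxy_auth REQUIRED
http_access allow lonsdaleall
http_access allow noauth
"""

if __name__ == "__main__":
    zip_url = "http://example.test/tool.ZIP"
    print(decide(BLOCK_RULES, request("192.168.0.1", zip_url)))
    print(decide(BLOCK_RULES, request("192.168.0.9", zip_url)))
    print(decide(BLOCK_SWAPPED, request("192.168.0.1", zip_url)))
    print(decide(NOAUTH_RULES, request("192.168.0.9", "http://example.test/")))
```

With the lines swapped, the exempted hosts are denied like everyone else, and the `noauth` destination gets an authentication challenge instead of a pass, which is the behaviour the ordering advice is guarding against.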








[squid-users] ACL's and blocking URL's

2003-07-10 Thread Greg Darby
Hi,

I currently have an ACL setup (using regex -i) to block certain files from
being viewed or downloaded (eg EXE, ZIP etc) which affects everyone using
the cache. I now have the requirement to allow certain users from accessing
some websites which require the unblocking of ZIP attachments so I would
like to ask if anyone can advise how to setup 2 completely separate regex -i
statements in the config file. All our users have static ip's so I think
that will make it easier.

Thanking you in advance.

Greg





RE: [squid-users] Wb_ntlmauth breaks persistant_request_timeout?

2003-07-10 Thread Adam Aube
>The work-around seemed to work when persistent connections are required
>for forms. However, it only solved half of the pages that die. The other
>pages, as stated before are .jsp and .asp.

>Right now I am on Support.Nokia.com and cruising around in their Secure
>Knowledge database. It is over an SSL connection. There is no time
>associated with these connections. They will just die randomly.

I assume this just occurs in the knowledgebase? I was just on the 
secure site you gave a link to and had no problems, but I couldn't 
access the secure knowledgebase to check that. Are there any other 
sites you have this problem with that are publicly accessible?

My setup is similar to yours: Squid 2.5STABLE3 on RedHat 7.3, IE 
5.5SP2, wb_ntlmauth and wb_group auth.

If you could give me some other sites with this problem I can try 
it also.

Adam








Re: [squid-users] Re: Squid with IE 6 SP1

2003-07-10 Thread Jean Marcel Vosch
Very Very Thanks

Works...
[]´s
- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Jean Marcel Vosch" <[EMAIL PROTECTED]>; "Ola"
<[EMAIL PROTECTED]>; "Adam Aube" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 10, 2003 6:18 PM
Subject: [squid-users] Re: Squid with IE 6 SP1


> On Thursday 10 July 2003 21.59, Jean Marcel Vosch wrote:
> > I have a Linux server with Red Hat 7.3 and Squid 2.4.
> > In IE 6 SP1 the authentication show the message: "The Server Not
> > Found", but, I reloaded the page then functions.
>
> This is an IE6SP1 bug. See the Squid FAQ.
>
> Regards
> Henrik
>




PEREIRA GIONÉDIS - ADVOCACIA
Rua David Carneiro, 270 - Alto São Francisco
CEP 80530-070  -  Curitiba/PR
Phone: (41) 3028-4022
Fax:  (41) 3028-3434 / 3028-3435
_
Antivirus - installed on the e-mail server of the domain @pereiragionedis.com.br
Help: [EMAIL PROTECTED]


RE: [squid-users] Wb_ntlmauth breaks persistant_request_timeout?

2003-07-10 Thread Mark Pelkoski
Henrik,
The work-around seemed to work when persistent connections are required for forms. 
However, it only solved half of the pages that die. The other pages, as stated before 
are .jsp and .asp. Right now I am on Support.Nokia.com and cruising around in their 
Secure Knowledge database. It is over an SSL connection. There is no time associated 
with these connections. They will just die randomly. I have run tcpdump and watched 
the communication between my pc and squid and squid to the site. I have also run 
winbindd -I -d 5 and watched the wb_ntlmauth authenticate. When the page dies, this is 
what I see:
1. No traffic between squid and the www server

2. A GET from my pc to squid, then a bunch of resets from squid
15:46:10.237360 172.30.40.9.4837 > 172.30.40.129.webcache: P 26148:26696(548) ack 392302 win 63914 (DF)
15:46:10.237400 172.30.40.129.webcache > 172.30.40.9.4837: R 3142048205:3142048205(0) win 0 (DF)
15:46:10.240155 172.30.40.9.4881 > 172.30.40.129.webcache: P 7478:8026(548) ack 97709 win 63140 (DF)
15:46:10.240168 172.30.40.129.webcache > 172.30.40.9.4881: R 3246741445:3246741445(0) win 0 (DF)
15:46:10.242944 172.30.40.9.4884 > 172.30.40.129.webcache: P 4283:4831(548) ack 39913 win 63896 (DF)
15:46:10.242955 172.30.40.129.webcache > 172.30.40.9.4884: R 3274480944:3274480944(0) win 0 (DF)
15:46:10.322882 172.30.40.9.4888 > 172.30.40.129.webcache: P 2130:2682(552) ack 2949 win 63051 (DF)
15:46:10.322927 172.30.40.129.webcache > 172.30.40.9.4888: R 3278875919:3278875919(0) win 0 (DF)
15:46:10.330602 172.30.40.9.4889 > 172.30.40.129.webcache: P 2129:2681(552) ack 3075 win 62925 (DF)
15:46:10.330613 172.30.40.129.webcache > 172.30.40.9.4889: R 3283117104:3283117104(0) win 0 (DF)
15:46:10.338955 172.30.40.9.4857 > 172.30.40.129.webcache: P 19720:20272(552) ack 123192 win 62913 (DF)
15:46:10.338968 172.30.40.129.webcache > 172.30.40.9.4857: R 3165722545:3165722545(0) win 0 (DF)
15:46:17.518763 172.30.40.9.4891 > 172.30.40.129.webcache: P 1279:1754(475) ack 2279 win 63721 (DF)
15:46:17.518811 172.30.40.129.webcache > 172.30.40.9.4891: R 3287382486:3287382486(0) win 0 (DF)

3. No winbindd activity (probably because it's still reusing the last auth)

4. access.log shows the following for that get:
1057873610.209  30424 172.30.40.9 TCP_MISS/200 529 CONNECT support.nokia.com:443 DOMAIN\USER DIRECT/192.100.104.50 -
1057873610.219  30406 172.30.40.9 TCP_MISS/200 511 CONNECT support.nokia.com:443 DOMAIN\USER DIRECT/192.100.104.50 -
1057873610.420  30309 172.30.40.9 TCP_MISS/200 567 CONNECT support.nokia.com:443 DOMAIN\USER DIRECT/192.100.104.50 -
1057873610.429  30291 172.30.40.9 TCP_MISS/200 537 CONNECT support.nokia.com:443 DOMAIN\USER DIRECT/192.100.104.50 -

I don't know how else to T-shoot this. Is there any other way to put squid in a 
detailed debug and interactive mode?

Just to refresh your memory:
Client: IE6.0 SP-1
Server: RH9.0
Squid: 2.5.3
Auth: wb_group and wb_ntlmauth

Thanks for your help.

-Mark

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 10:02 AM
To: Mark Pelkoski
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Wb_ntlmauth breaks persistant_request_timeout?



Mon 2003-07-07 at 16.55, Mark Pelkoski wrote:
> This appears to be a bug to me. I have 800 users and many of them are 
> complaining about this. I am trying to get rid of our M$ proxy servers 
> for other reasons mentioned in past postings. Please help with this. I 
> can provide .conf files and ethereal dumps if requested. I have 
> duplicated this on two different servers. TIA.

From your description it sounds like you are bitten by

  Bug #267 Form POSTing troubles with NTLM authentication
  http://www.squid-cache.org/bugs/show_bug.cgi?id=267

If this is your problem then as a workaround you can try allowing POST requests 
without requiring authentication.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful. 
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before asking Squid 
questions, and use the squid-users mailing-list when no answer can be found. Private 
support questions is only answered for a fee or as part of a commercial Squid support 
contract.

If you need commercial Squid support or cost effective Squid and firewall appliances 
please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]





[squid-users] Re: Squid with IE 6 SP1

2003-07-10 Thread Henrik Nordstrom
On Thursday 10 July 2003 21.59, Jean Marcel Vosch wrote:
> I have a Linux server with Red Hat 7.3 and Squid 2.4.
> In IE 6 SP1 the authentication show the message: "The Server Not
> Found", but, I reloaded the page then functions.

This is an IE6SP1 bug. See the Squid FAQ.

Regards
Henrik



[squid-users] help extracting the contents of the cache

2003-07-10 Thread shane . thorson

  I have a requirement to dump the contents of a webcache into viewable files. 
My question:  Is there any software that will strip the headers off the cached
files and rename them to their original filenames?

  Thanks in advance

  S


[Re: [squid-users] Trouble connecting to site]

2003-07-10 Thread Stephen J. McCracken
On Wed, 2003-07-09 at 18:07, Adam wrote:
> Stephen wrote:
> > We can't seem to get Squid to connect to
> >
> > http://wxd.slu.edu:8900/SCRIPT/NR_N50020/scripts/serve_home
> 
Found it.  It wasn't the acls or the organizational firewall, but the
iptables firewall on the proxy box.  Thanks for the hints!



[squid-users] Squid with IE 6 SP1

2003-07-10 Thread Jean Marcel Vosch
I have a Linux server with Red Hat 7.3 and Squid 2.4.
In IE 6 SP1 the authentication show the message: "The Server Not Found",
but, I reloaded the page then functions.

In Squid 2.5 STABLE3 this function fully works?

Thanks






RE: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Ola
curiously, if i login as domainname\username on both
machines, it works perfectly i.e i can only login as a
username from one machine, the other is denied but by
default, Windows shows the username as
machine\username and on supplying same password, squid
allows a login (i.e domainname\username and
machinename\password with same password succeed.
Can squid be configured to enforce the domain-name or
can the domain controller be configured to allow only
domainname\username and not machinename\username?
thanks for the help,
ola


 --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> Thu 2003-07-10 at 16.02, Adam Aube wrote:
> 
> > This makes your squid.conf easier to read and a 
> > little more efficient. However, I do not see any 
> > reason why you are having the problem you report.
> 
> I am of the opposite opinion. I find it easier to
> read rules where acl lines only relevant to one rule
> are next to that rule.
> 
> One thing to note about the configuration. Both ntlm
> and basic are used. The IP addresses are only counted
> within each scheme, meaning that with max_user_ip 1,
> the user can use two stations by using different
> authentication schemes on the two stations (i.e. run
> Explorer on one, Netscape/Mozilla on the other).
> 
> Regards
> Henrik


Re: [squid-users] Question

2003-07-10 Thread Henrik Nordstrom
On Thursday 10 July 2003 18.02, Zand, Nooshin wrote:
> Hi,
>
> Some clients are using proxy servers in DMZ for Intranet access.
> In other words they hardcode proxy in browser in use.
> Is it anyway I notify, transparently, client's browser/application
> to go directly to web server rather than hitting proxy server.

Why would you want to do that?

Manual proxy configuration is highly preferred in favor of transparent 
interception.

> I am looking for solution better than deny, blocking, or
> even fetch the page.

If the browser insist on using a proxy then the proxy has to react to 
the connection. It can either

a) Not respond to the connection, which will cause browsers using 
autoconfig scripts to move on to the next priority proxy server

b) Accept the connection and return a error message to the user 
(preferably including instructions on what the user should do to get 
rid of the error)

c) Accept the request and fetch the requested object for the user, 
which would be the normal action for a proxy.


Regards
Henrik




[squid-users] Question

2003-07-10 Thread Zand, Nooshin
Hi,

Some clients are using proxy servers in DMZ for Intranet access.
In other words they hardcode proxy in browser in use.
Is it anyway I notify, transparently, client's browser/application to go directly to 
web server rather than hitting proxy server.
I am looking for solution better than deny, blocking, or even fetch the page.

Thanks,
Nooshin 


Re: [squid-users] Squid overloading when RAID drive cache in use?

2003-07-10 Thread Henrik Nordstrom
On Thursday 10 July 2003 16.17, Peter Smith wrote:

> I am wondering if having cache_dir drives on a RAID controller that
> has Read/Write cache turned on might cause problems?

Depends on the RAID level and the load you plan on putting on the 
RAID.

> I'm fairly sure that Squid manages the latency, etc of its
> cache_dir drives. 

Nope, but if a lot of requests get queued for the drive then Squid 
backs off (applies to aufs and diskd drivers only, not ufs).

> The drives that my Squids use are all on RAID controllers as single
> volumes.  However I recently found that if I enable Read/Write
> cache on the cache_dir drives that load on the processor goes off
> the scale.

Does this RAID controller have an embedded CPU for the buffer management 
etc, or does it use the main CPU?

> Could it be that Squid gets such a quick response from
> the drive that it thinks the drive is super fast and thus slams it,
> causing it to run out of Read/Write cache and then gets overloaded
> as the requests backlog?

Not very likely.

But on the other hand, if your Squid previously was throttled by the 
disk I/O due to the lack of buffers then enabling the cache may speed 
things up, allowing Squid to catch up on the traffic and thus use 
more CPU.



Re: [squid-users] No Last-Modified?

2003-07-10 Thread Henrik Nordstrom
On Thursday 10 July 2003 17.10, Leeann BENT wrote:

> I have a quick question about how Squid handles objects with no
> Last-Modified timestamp. The options (as I see them) are (1) cache
> the object, but always refresh it with an If-Modified-Since or (2)
> never cache the item. Can anyone tell me what policy Squid uses?

By the min age of the refresh pattern which applies to the requested 
URL.



Re: [squid-users] Problems accessing certain webmail sites with 2.5 STABLE1

2003-07-10 Thread Henrik Nordstrom
On Thursday 10 July 2003 16.58, Simon Rae wrote:

> Thanks for your reply, Henrik. I've tried that and it now works OK
> if I run as a normal proxy without using the firewall interception.
>
> Out of interest, do you know why this was happening? Is it a common
> fault?

There can be many reasons. Interception is a big hack to start with 
and not meant to be there.

First thing to check is what you got in access.log when seeing the 
error. This will provide valuable hints as to where to look next.

Second is to look at how your interception is set up. If you are 
running NAT on another box than the proxy, or have not configured the 
proxy with support for the NAT method used locally on the same server 
to intercept the traffic then the error is most likely here, maybe in 
combination with buggy browsers not always sending a correct HTTP 
request (such bugs are usually triggered by javascripts) making it 
impossible for the proxy to reconstruct the intercepted request 
properly.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
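
The reconstruction step Henrik refers to, as an added example (not Squid's code; the function names and the host mail.example.com are constructed for illustration): a browser that is not configured for a proxy sends only the path in its request line, so an intercepting proxy has to rebuild the absolute URL from the Host header and fails when that header is missing or malformed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test that s starts with prefix. */
static int has_prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Simplified host check: letters, digits, '-' and '.', plus an optional ":port". */
static int host_ok(const char *h)
{
    size_t n = 0;

    while (isalnum((unsigned char)h[n]) || h[n] == '-' || h[n] == '.')
        n++;
    if (n == 0)
        return 0;
    if (h[n] == ':') {
        size_t digits = 0;
        for (n++; isdigit((unsigned char)h[n]); n++)
            digits++;
        if (digits == 0)
            return 0;
    }
    return h[n] == '\0';                /* underscores, spaces etc. end up here */
}

/* Copy the Host header value of a raw request into host; -1 if absent or too long. */
static int find_host(const char *raw, char *host, size_t hostlen)
{
    const char *p;

    for (p = strchr(raw, '\n'); p != NULL; p = strchr(p + 1, '\n')) {
        const char *line = p + 1;
        if (*line == '\0' || *line == '\r' || *line == '\n')
            break;                      /* end of the header block */
        if (has_prefix_nocase(line, "Host:")) {
            const char *v = line + 5;
            size_t n;
            while (*v == ' ' || *v == '\t')
                v++;
            n = strcspn(v, "\r\n");
            if (n >= hostlen)
                return -1;
            memcpy(host, v, n);
            host[n] = '\0';
            return 0;
        }
    }
    return -1;
}

/*
 * Work out the absolute URL for one raw HTTP request.
 * Returns 0 and fills out, or -1 when the URL cannot be reconstructed.
 */
int url_from_request(const char *raw, char *out, size_t outlen)
{
    char target[1024], host[256];
    int n;

    if (sscanf(raw, "%*s %1023s", target) != 1)
        return -1;
    if (has_prefix_nocase(target, "http://")) {
        /* Browser configured to use the proxy: the full URL is already there. */
        n = snprintf(out, outlen, "%s", target);
    } else if (target[0] == '/' && find_host(raw, host, sizeof host) == 0
               && host_ok(host)) {
        /* Intercepted request: only a path was sent, Host supplies the rest. */
        n = snprintf(out, outlen, "http://%s%s", host, target);
    } else {
        return -1;                      /* nothing to rebuild from: "Invalid URL" */
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```
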


[squid-users] No Last-Modified?

2003-07-10 Thread Leeann BENT


Hi All -

I have a quick question about how Squid handles objects with no
Last-Modified timestamp. The options (as I see them) are (1) cache the
object, but always refresh it with an If-Modified-Since or (2) never cache
the item. Can anyone tell me what policy Squid uses? I've peeked at the
code and it looks to me like Squid does not cache these objects?

Thanks,
Leeann




RE: [squid-users] Problems accessing certain webmail sites with 2.5 STABLE1

2003-07-10 Thread Simon Rae
> Are you running Squid as a transparent proxy? If so, try using it as a
> normal proxy and disable the interception rules in your firewall.
>
> Regards
> Henrik

Thanks for your reply, Henrik. I've tried that and it now works OK if I run
as a normal proxy without using the firewall interception.

Out of interest, do you know why this was happening? Is it a common fault?

Regards,

Simon



Re: [squid-users] --> Redirecting URLs

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 16.05, Alex Carlos Braga Antão wrote:
> Hello,
>  
> I have some users here that cannot access some pages, and I'd like to
> redirect the page (e.g. when he type www.download.com, goto http://intranet
> ). Squid does it just with a redirector installed 

This does not even require a redirector if you use Squid-2.5.STABLE3 +
the bugfix for deny_info (bugfix only needed if you need more than one
deny_info line).

As you have some access controls involved in who should get this I would
recommend using SquidGuard if you are using the redirector approach, but
personally I would use the deny_info directive of Squid-2.5.STABLE3.

Regards
Henrik




RE: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 16.02, Adam Aube wrote:

> This makes your squid.conf easier to read and a 
> little more efficient. However, I do not see any 
> reason why you are having the problem you report.

I am of the opposite opinion. I find it easier to read rules where acl
lines only relevant to one rule are next to that rule.

One thing to note about the configuration. Both ntlm and basic are used.
The IP addresses are only counted within each scheme, meaning that with
max_user_ip 1, the user can use two stations by using different
authentication schemes on the two stations (i.e. run Explorer on one,
Netscape/Mozilla on the other).

Regards
Henrik




Re: [squid-users] Problems accessing certain webmail sites with 2.5 STABLE1

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 15.39, Simon Rae wrote:
> Hi all,
> 
> We currently use Squid 2.5 STABLE1 running on Red Hat Linux 7 with a pretty much
> default squid.conf. A number of our users access their Yahoo and Hotmail
> accounts from the office and since we started using Squid, they receive
> errors like the following once they are logged into the site:
>
> >While trying to retrieve the URL: /ym/ShowFolder?rb=Inbox&reset=1&YY=72315
> >
> >The following error was encountered:


Are you running Squid as a transparent proxy? If so, try using it as a
normal proxy and disable the interception rules in your firewall.

Regards
Henrik




[squid-users] Squid overloading when RAID drive cache in use?

2003-07-10 Thread Peter Smith
I am wondering if having cache_dir drives on a RAID controller that has 
Read/Write cache turned on might cause problems?  I'm fairly sure that 
Squid manages the latency, etc of its cache_dir drives.  The drives that 
my Squids use are all on RAID controllers as single volumes.  However I 
recently found that if I enable Read/Write cache on the cache_dir drives 
that load on the processor goes off the scale.  Could it be that Squid 
gets such a quick response from the drive that it thinks the drive is 
super fast and thus slams it, causing it to run out of Read/Write cache 
and then gets overloaded as the requests backlog?  I'm hoping that this 
would explain a number of my Squid servers that can be very unstable.  
The cache I'm talking about is in the order of only about 128MB worth, 
and from 3-4 cache_dir drives.

Peter Smith





Re: [squid-users] Problems accessing certain webmail sites with 2.5 STABLE1

2003-07-10 Thread Marc Elsen


Simon Rae wrote:
> 
> Hi all,
> 
> We currently use Squid 2.5 STABLE1 running on Red Hat Linux 7 with a pretty much
> default squid.conf. A number of our users access their Yahoo and Hotmail
> accounts from the office and since we started using Squid, they receive
> errors like the following once they are logged into the site:
> 
> >ERROR
> >The requested URL could not be retrieved
> >
> >----
> >
> >While trying to retrieve the URL: /ym/ShowFolder?rb=Inbox&reset=1&YY=72315
> >
> >The following error was encountered:
> >
> >Invalid URL
> >Some aspect of the requested URL is incorrect. Possible problems:
> >
> >Missing or incorrect access protocol (should be `http://'' or similar)
> >Missing hostname
> >Illegal double-escape in the URL-Path
> >Illegal character in hostname; underscores are not allowed
> 
> Squid appears to be chopping off the start of the URL
> 
> I've added the following lines to the squid.conf as suggested elsewhere but
> to no avail.
> 
> >hierarchy_stoplist hotmail.com
> >hierarchy_stoplist yahoo.com
> >hierarchy_stoplist msn.com
> 
> as well as:
> 
> >acl hotmail dstdomain .hotmail.com
> >always_direct allow hotmail
> >acl yahoo dstdomain .yahoo.com
> >always_direct allow yahoo
> >acl msn dstdomain .msn.com
> >always_direct allow msn
> 
> The strange thing is that very occasionally, it works OK. Any ideas??
> 
> Many thanks,

  - We have no problems using hotmail, for years, now using squid 2.5S3
    (curr) on Redhat 6.2.

  Some issues perhaps:

  + The directives mentioned are unrelated to your problem, unless
    you are using parent caches and/or siblings.

  + Are you using transp. proxying?

  + Is this problem related to a particular browser type and/or version
    or not, or does the problem occur in several browser types
    (netscape, ie, mozilla, ...)?


> 
> Si

-- 

 'Love is truth without any future.
 (M.E. 1997)


[squid-users] --> Redirecting URLs

2003-07-10 Thread Alex Carlos Braga Antão
Hello,
 
I have some users here that cannot access some pages, and I'd like to
redirect the page (e.g. when he type www.download.com, goto http://intranet
). Squid does it just with a redirector installed 
Which one do you recommend ? Which one is more stable and more easy to
configure ?

Thanks...
Alex C. B. Antão
Systems and Support Analyst
ICQ: 5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de
 
 
A "good" landing is one you can walk away from. A "great" landing is one after 
which you can use the airplane again.


RE: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Adam Aube
I would recommend you rewrite this section:

acl me src 192.168.0.0/24
http_access deny !me
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
acl onlyonce max_user_ip 1
http_access deny onlyonce
http_access allow authenticated
http_access deny all

to this:

[other acl lines]
acl onlyonce max_user_ip -s 1
acl me src 192.168.0.0/24
acl authenticated proxy_auth REQUIRED

[other http_access lines]
http_access deny onlyonce
http_access allow me authenticated
http_access deny all

This makes your squid.conf easier to read and a 
little more efficient. However, I do not see any 
reason why you are having the problem you report.

Is there any kind of NAT device between the clients 
and Squid? That would mess up the user/IP mapping.

Adam



[squid-users] Re: password problem with squid-2.4Stable7 and 2.5STABLE3

2003-07-10 Thread Henrik Nordstrom
Squid-2.5 URL encodes the login and password to be able to deal with
complex passwords. Because of this any auth helpers used with Squid-2.5
or later should be designed for use with Squid-2.5 and later (needs to
URL-decode the login and password fields).
http://www.squid-cache.org/Versions/v2/2.5/RELEASENOTES.html

Squid-2.4 sends them as is, which causes troubles between Squid and the
helper on certain complex login names or passwords.

Regards
Henrik


Thu 2003-07-10 at 14.52, Hartmann.Josef Fa. secunet wrote:
> Dear Henrik,
> 
> I just found a new issue with squid 2.4Stable7 and 2.5Stable3.
> 
> Users are authenticated by squid_rad_auth module. If a user has a rather "complex" 
> passwords e.g. beginning with # character squid encodes those characters (as far as 
> I can tell off by using strace). As I'm not a real programmer but would like to 
> change that conversion back to a "real" character within squid_rad_auth could you 
> tell me how to do that?
> 
> 
> Regards,
> 
> Josef
-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
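
The decoding step Henrik describes, as an added example (not code from squid_rad_auth or Squid): a basic-scheme helper loop that splits each "login password" line from Squid and URL-decodes both fields before checking them. It assumes the helper protocol of one request line in and "OK" or "ERR" out; the function names, the in-memory verify() stand-in and the sample credentials are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode %XX escapes in place. Returns 0 on success, -1 when an escape is
 * truncated or not hex, or when it decodes to a NUL byte (which would
 * silently shorten the credential in later C string handling).
 */
int url_decode(char *s)
{
    char *out = s;

    while (*s != '\0') {
        if (*s == '%') {
            int hi = hex_val((unsigned char)s[1]);
            int lo = (hi < 0) ? -1 : hex_val((unsigned char)s[2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
                return -1;
            *out++ = (char)(hi * 16 + lo);
            s += 3;
        } else {
            *out++ = *s++;
        }
    }
    *out = '\0';
    return 0;
}

/*
 * Split one request line "login password" and decode both fields.
 * The split is done BEFORE decoding, so a %20 inside the password is not
 * mistaken for the field separator. *user and *pass point into line.
 */
int parse_request(char *line, char **user, char **pass)
{
    char *sep;

    line[strcspn(line, "\r\n")] = '\0';
    sep = strchr(line, ' ');
    if (sep == NULL || sep == line || sep[1] == '\0')
        return -1;                      /* missing login or password */
    *sep = '\0';
    *user = line;
    *pass = sep + 1;
    if (url_decode(*user) != 0 || url_decode(*pass) != 0)
        return -1;
    return 0;
}

/* Constructed stand-in for the real back end (a RADIUS query in squid_rad_auth). */
static int verify(const char *user, const char *pass)
{
    return strcmp(user, "josef") == 0 && strcmp(pass, "#s3cret pass") == 0;
}

/* Reply for one request line, as the helper would print it. */
const char *answer(char *line)
{
    char *user, *pass;

    if (parse_request(line, &user, &pass) != 0)
        return "ERR";
    return verify(user, pass) ? "OK" : "ERR";
}

int main(void)
{
    char line[8192];
    int c;

    setvbuf(stdout, NULL, _IOLBF, 0);   /* Squid waits for each reply line */
    while (fgets(line, sizeof line, stdin) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(stdin)) {
            /* Over-long request: drain the rest of the line and refuse it. */
            while ((c = getchar()) != EOF && c != '\n')
                ;
            puts("ERR");
            continue;
        }
        puts(answer(line));
    }
    return 0;
}
```
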



RE: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Ola
here is my squid configuration - 

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /usr/cache 100 16 256
debug_options ALL,1 33,2
auth_param ntlm program /etc/squid3/libexec/ntlm_auth hq/dc01
auth_param ntlm children 3
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 1 minutes
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
authenticate_ttl 3 minutes
authenticate_ip_ttl 180 seconds
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl me src 192.168.0.0/24
http_access deny !me
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
acl onlyonce max_user_ip 1
http_access deny onlyonce
http_access allow authenticated
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname me.com
coredump_dir /etc/squid3/var/cache

thanks



 --- Adam Aube <[EMAIL PROTECTED]> wrote:
> > i am using authenticate_ip_ttl 20 minutes
> > and max_user_ip -s 1 but the problem persists.
> > what could be wrong?
> 
> The items you include from your squid.conf look good
> (though a little over-complex). Could you post your 
> entire squid.conf (minus comments, of course)?
> 
> Adam


[squid-users] Problems accessing certain webmail sites with 2.5 STABLE1

2003-07-10 Thread Simon Rae
Hi all,

We currently use Squid 2.5 STABLE1 running on Red Hat Linux 7 with a pretty much
default squid.conf. A number of our users access their Yahoo and Hotmail
accounts from the office and since we started using Squid, they receive
errors like the following once they are logged into the site:

>ERROR
>The requested URL could not be retrieved
>
>---
>
>While trying to retrieve the URL: /ym/ShowFolder?rb=Inbox&reset=1&YY=72315
>
>The following error was encountered:
>
>Invalid URL
>Some aspect of the requested URL is incorrect. Possible problems:
>
>Missing or incorrect access protocol (should be `http://'' or similar)
>Missing hostname
>Illegal double-escape in the URL-Path
>Illegal character in hostname; underscores are not allowed

Squid appears to be chopping off the start of the URL

I've added the following lines to the squid.conf as suggested elsewhere but
to no avail.

>hierarchy_stoplist hotmail.com
>hierarchy_stoplist yahoo.com
>hierarchy_stoplist msn.com

as well as:

>acl hotmail dstdomain .hotmail.com
>always_direct allow hotmail
>acl yahoo dstdomain .yahoo.com
>always_direct allow yahoo
>acl msn dstdomain .msn.com
>always_direct allow msn

The strange thing is that very occasionally, it works OK. Any ideas??

Many thanks,

Si



Re: [squid-users] filtering java applets

2003-07-10 Thread Neil A. Hillard
Bernie,

> I'd like to use Squid for filtering java applets.
> 
> Any idea how to realise it?
> 
> Yes, Squid is a proxy cache, not a police man, but maybe someone knows
> an add-on or an http proxy specialized for java applet filtering could
> be contacted upwards.

One way of achieving this is to use Trusted Information Systems' Firewall
Toolkit (FWTK) - it's rather old but does the job !!!

For information on downloading the toolkit, etc. see:

http://www.fwtk.org/fwtk/download/downloading.html#1.1


You will need to ensure that you check through the list of patches and
definitely install this one (otherwise you WILL encounter the javascript
quoting bug):

http://www.fwtk.org/fwtk/patches/patches.html#1.1


You will then need to set the http-gw as squid's parent and tell the
http-gw what to filter - javascript / java / activeX.

You will have to add something similar to the following to the
netperm-table file:

http-gw:permit-hosts 127.0.0.1 -nojava -noactivex


We are successfully using this to block both activeX and java applets.
Any sites that we trust go into squid's always_direct allow list.


Hope this helps.


Neil.

-- 
Neil Hillard                [EMAIL PROTECTED]
Westland Helicopters Ltd.   http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
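
The Squid side of the chain described above, as an added example that is not part of the original post: http-gw is the only parent and trusted sites bypass it. The port 8081 and the domain .example.com are assumptions; the thread gives neither.

```conf
# Added example, not from the thread.
# Assumption: http-gw listens on 127.0.0.1:8081 (port not given in the post).
# 127.0.0.1 matches the permit-hosts entry in the netperm-table line above.
cache_peer 127.0.0.1 parent 8081 0 no-query default

# Trusted sites skip the filtering parent and are fetched directly.
# .example.com is a placeholder for the sites you trust.
acl trusted_sites dstdomain .example.com
always_direct allow trusted_sites

# Everything else must go through http-gw. Without this, Squid may fetch
# directly when it considers the parent unavailable, and the applet
# filter is silently bypassed.
never_direct allow all
```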



[squid-users] filtering java applets

2003-07-10 Thread Bernhard Erdmann
Hi,

I'd like to use Squid for filtering java applets.

Any idea how to realise it?

Yes, Squid is a proxy cache, not a police man, but maybe someone knows
an add-on or an http proxy specialized for java applet filtering could
be contacted upwards.

Regards
Bernie



RE: [squid-users] AdZapper with Win NT

2003-07-10 Thread Rick Matthews
Try the wrapzap script that is mentioned on the Ad Zapper 
page: 

Rick



> -----Original Message-----
> From: Carolyn Longfoot [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 3:26 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] AdZapper with Win NT
> 
> 
> I know I know I know that technically this is not a Squid question but if 
> anybody has managed to get AdZapper to work with Windoze then please post 
> the details here. I use the installer package from here 
> http://albaweb.albacom.net/acmeconsulting.it/download/squid.htm and use PERL 
> from ActiveState. Testing the AdZapper script manually works ok (without any 
> changes to the script) but I can't seem to be able to properly add it to 
> squid.conf. I called the script squid_redirect.pl and added this line to 
> squid.conf:
> redirect_program C:/Squid/etc/squid_redirect.pl
> 
> After restarting the service Squid does not find any page anymore, so I 
> suspect somehow everything gets stuck in the redirector. I have seen an 
> error that Squid exited because the redirector queue was full.
> 
> Anybody?
> 
> 
> Cheers,
> Caro
> 


RE: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Adam Aube
> i am using authenticate_ip_ttl 20 minutes
> and max_user_ip -s 1 but the problem persists.
> what could be wrong?

The items you include from your squid.conf look good 
(though a little over-complex). Could you post your 
entire squid.conf (minus comments, of course)?

Adam



Re: [squid-users] AdZapper with Win NT

2003-07-10 Thread Carolyn Longfoot
Ah so good you're there. Using the suggested line below worked like 
a charm.

Thanks a lot,
Caro

> I think you need to make a cmd file wrapper for starting the helper
> alternatively tell Squid to run perl with the helper as argument.
> redirect_program C:/path/to/perl.exe C:/Squid/etc/squid_redirect.pl
> 
> Regards
> Henrik



Re: [squid-users] AdZapper with Win NT

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 10.26, Carolyn Longfoot wrote:
> I know I know I know that technically this is not a Squid question but if 
> anybody has managed to get AdZapper to work with Windoze then please post 
> the details here. I use the installer package from here 
> http://albaweb.albacom.net/acmeconsulting.it/download/squid.htm and use PERL 
> from ActiveState. Testing the AdZapper script manually works ok (without any 
> changes to the script) but I can't seem to be able to properly add it to 
> squid.conf. I called the script squid_redirect.pl and added this line to 
> squid.conf:
> redirect_program C:/Squid/etc/squid_redirect.pl

I think you need to make a cmd file wrapper for starting the helper
alternatively tell Squid to run perl with the helper as argument.

redirect_program C:/path/to/perl.exe C:/Squid/etc/squid_redirect.pl

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users] let squid read a file

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 12.39, rem mek wrote:
> please help me how to let squid read a certain file
> say:
> 
> acl myaclname ??? /usr/local/squid/etc/myfile.txt

acl myaclname ??? "/usr/local/squid/etc/myfile.txt"

Regards
Henrik


-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users] Squid Forwarding to an other Cache

2003-07-10 Thread Henrik Nordstrom
Thu 2003-07-10 at 10.23, patrick deroudilhe wrote:
> Hi guys 
> 
> Do you know how to configure Squid in order to forward
> incoming traffic (with TCP port 8080 defined in the
> clients browsers) to an other Cache. The traffic has
> to be forwarded on port 8080

Squid FAQ 4.9 How do I configure Squid forward all requests to another
proxy?

Regards
Henrik




[squid-users] let squid read a file

2003-07-10 Thread rem mek
please help me how to let squid read a certain file
say:

acl myaclname ??? /usr/local/squid/etc/myfile.txt

what i want to do is to put all userid in myfile.txt
and allow them to access the net only on mondays. the
others will have no restrictions.

i am using NCSA authentication

thanks for the help

rem
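
One way to express the goal in this post with the quoted-file syntax from Henrik's reply, as an added example that is not from the thread. The `proxy_auth` and `time` ACL types are assumed in place of the `???`, and the ACL names are hypothetical.

```conf
# Added example, not from the thread. ACL names are hypothetical.
# myfile.txt holds one user id per line; the double quotes make Squid
# read the values from the file instead of treating the path as a value.
acl monday_only proxy_auth "/usr/local/squid/etc/myfile.txt"
acl authenticated proxy_auth REQUIRED

# "M" is the time ACL day code for Monday.
acl monday time M

# Users listed in the file are refused on every day except Monday.
# The time ACL is kept last on the line so a refused user gets an
# access-denied page rather than a repeated login prompt.
http_access deny monday_only !monday

# Everyone else, and listed users on Mondays, only need valid credentials.
http_access allow authenticated
http_access deny all
```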




Re: [squid-users] Squid Forwarding to an other Cache

2003-07-10 Thread Marc Elsen


patrick deroudilhe wrote:
> 
> Hi guys
> 
> Do you know how to configure Squid in order to forward
> incoming traffic (with TCP port 8080 defined in the
> clients browsers) to an other Cache. The traffic has
> to be forwarded on port 8080
> 
> I know the following commands
> . edit the /etc/squid/squid.conf file with the
> following lines :
> cache_peer 1.2.3.4 parent 8080 0 no-query
> prefer_direct off
> 
> But this seems to work only for incoming traffic with
> port 80 (not 8080)
> 
 8080 on the cache_peer line, is the port where the parent
 is supposed to listen on when accepting forwarded requests,
 by your local squid.

 If the browsers use 8080 as the proxy port, then you must set this
 value as http_port in your squid.
 
 M.


[squid-users] AdZapper with Win NT

2003-07-10 Thread Carolyn Longfoot
I know I know I know that technically this is not a Squid question but if 
anybody has managed to get AdZapper to work with Windoze then please post 
the details here. I use the installer package from here 
http://albaweb.albacom.net/acmeconsulting.it/download/squid.htm and use PERL 
from ActiveState. Testing the AdZapper script manually works ok (without any 
changes to the script) but I can't seem to be able to properly add it to 
squid.conf. I called the script squid_redirect.pl and added this line to 
squid.conf:
redirect_program C:/Squid/etc/squid_redirect.pl

After restarting the service Squid does not find any page anymore, so I 
suspect somehow everything gets stuck in the redirector. I have seen an 
error that Squid exited because the redirector queue was full.

Anybody?

Cheers,
Caro



[squid-users] Squid Forwarding to an other Cache

2003-07-10 Thread patrick deroudilhe
Hi guys 

Do you know how to configure Squid in order to forward
incoming traffic (with TCP port 8080 defined in the
clients browsers) to an other Cache. The traffic has
to be forwarded on port 8080

I know the following commands 
. edit the /etc/squid/squid.conf file with the
following lines :
cache_peer 1.2.3.4 parent 8080 0 no-query
prefer_direct off

But this seems to work only for incoming traffic with
port 80 (not 8080)

Thanks for your help

Regards

Patrick




Re: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3

2003-07-10 Thread Ola
i am using authenticate_ip_ttl 20 minutes
and max_user_ip -s 1 but the problem persists.
what could be wrong?

 --- Li Wei <[EMAIL PROTECTED]> wrote:
> you seem to miss the "authenticate_ip_ttl" setting
> 
> And, for max_user_ip, you'd better add -s option.
> 
> ----- Original Message ----- 
> From: "Ola" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 10, 2003 7:14 AM
> Subject: [squid-users] Problems with ACL max_user_ip on squid2.5 stable3
> 
> 
> > good day. I want to discourage users from sharing
> > their passwords (or logging in from more than one
> > PC) so I use the "max_user_ip -s" ACL; and
> > in this configuration on squid-2.5-stable3-
> > 
> > acl me src 192.168.0.0/24
> > http_access deny !me
> > 
> > acl authenticated proxy_auth REQUIRED
> > http_access deny !authenticated
> > 
> > acl onlyonce max_user_ip 1
> > http_access deny onlyonce
> > 
> > http_access allow authenticated
> > 
> > # And finally deny all other access to this proxy
> > http_access deny all
> > 
> > 
> > however, this isn't working. same user still
> > authenticates from more than one machine at same time,
> > i am using ntlm authentication against a windows 2000
> > domain controller.
> > 
> > what can be wrong?
> > thanks, ola

