[squid-users] using MSN over two subnets
Hi, masters,

I was going to make others log on to MSN through my Squid server. The Squid server is installed at my side, and the others' PCs are located within a different subnet. The routing between the two subnets is via a router, and accessible. However, in this case, they can access the Internet via Squid, except MSN.

I got the following logs from the access.log:

095832661.396 8 192.167.49.86 TCP_DENIED/407 2207 POST http://gateway.messl
1095832664.77612 192.167.49.86 TCP_DENIED/407 2207 POST http://gateway.messl
1095832770.269 4 192.167.49.86 TCP_DENIED/407 396 HEAD http://toolbar.msn.cl
1095832770.443 5 192.167.49.86 TCP_DENIED/407 396 HEAD http://toolbar.msn.cl
1095832774.865 4 192.167.49.86 TCP_DENIED/407 2106 GET http://g.msn.com/8SEl

Can you tell me why?

***
Li Wei
^_^ Have A Good Day ^_^
JFTT
Contact: 86-512-68250097
COINS: 7991-322
E-mail: [EMAIL PROTECTED]
***
Re: [squid-users] Authenticating against NT4 domain using squid-proxy
On Wed, 22 Sep 2004, Jürgen Fischer wrote:

Or you can use the NTLM authentication proxy to make the proxy authenticate using NTLM to the web server and Client

That means, the User is not authenticated with his Windows-Client User, but the Proxy uses one User and Password for all connections to the WebServer ?

- NTLM authentication proxy using Basic authentication. The client provides the user and password via Basic authentication to the NTLM authentication proxy, which turns it into NTLM authentication to the web server.

Client (basic) - Squid (forwards basic) - NTLM authentication proxy (translates to NTLM) - Web server

Regards
Henrik
RE: AW: [squid-users] Is it possible to add cookies to requests going thru Squid?
On Wed, 22 Sep 2004, Hannes Schmidt wrote:

> Unfortunately it's not. If it were static, I could simply use IP-based filtering on the website and I wouldn't need to involve the proxy at all, right?

I thought you wanted to handle different local users differently..

If all you need is to identify traffic coming via your proxy then there is the Via header you can use to identify the requests. If the web server is an Apache or similar it should not be hard to translate this into a suitable identifier in the access log. In Apache this is done via the SetEnvIf directive IIRC.

Regards
Henrik
[squid-users] Cisco Router 7206 wccp connection reset with cache server
Hi everybody,

I see these messages in the gateway router all the time. Normally these messages should come only when the Cache Engines are discovered by the router for the first time.

gw-7206sho log
.Sep 15 12:53:07: %WCCP-1-CACHELOST: Web Cache 0.0.0.142 lost
.Sep 15 12:53:20: %WCCP-5-CACHEFOUND: Web Cache 0.0.0.142 acquired
.Sep 15 12:55:53: %WCCP-1-CACHELOST: Web Cache 0.0.0.144 lost
.Sep 15 12:56:04: %WCCP-5-CACHEFOUND: Web Cache 0.0.0.144 acquired
.Sep 15 13:05:44: %WCCP-1-CACHELOST: Web Cache 0.0.0.144 lost
.Sep 15 13:06:02: %WCCP-5-CACHEFOUND: Web Cache 0.0.0.144 acquired
.Sep 15 13:10:12: %WCCP-1-CACHELOST: Web Cache 0.0.0.144 lost
.Sep 15 13:10:30: %WCCP-1-CACHELOST: Web Cache 0.0.0.142 lost

We are using router7206 IOS Version 12.2(12a), and all 4 cache servers have kernel-2.4.20, squid2.5.STABLE3 and wccp version 1, running on round-robin through the router.

When I trace wccp details it frequently shows the connection broken (connection time) with the cache server. Due to this, Net browsing is damn slow through squid.

gw-7206sh ip wccpweb-cache detail
WCCP Cache-Engine information:
IP Address:0.0.0.0
Protocol Version: 0.4
State: Usable
Initial Hash Info:
Assigned Hash Info:
Hash Allotment:64 (25.00%)
Packets Redirected:16650
Connect Time: 00:01:15

IP Address:0.0.0.0
Protocol Version: 0.4
State: Usable
Initial Hash Info:
Assigned Hash Info:
Hash Allotment:64 (25.00%)
Packets Redirected:26773
Connect Time: 00:01:53

All our clients are complaining of slow browsing. How to troubleshoot this problem? I searched different squid and cisco faq sites but I didn't find the solution to this. Any help to troubleshoot this problem will be appreciated.

Best regards,
Eswari Sharma
Re: [squid-users] content scanning with squid
dansguardian can be used for virus scanning, squid-vscan is also another good tool, but these helpers adversely affect the browsing speed and cache engine purpose. For scanning certain words, you have to write some kind of parser in perl or whatsoever which can parse the HTTP content for specific strings.

--- Lars Roland [EMAIL PROTECTED] wrote:

> Virus scanning, is what I am looking for but also the possibility to scan the downloaded webpages for certain words, scripts and other stuff.
>
> Regards.
>
> Lars Roland
>
> On Tue, 21 Sep 2004 03:31:31 -0700 (PDT), Mohsin Khan [EMAIL PROTECTED] wrote:
>
>> Content scanning? For the sake of what? If you say virus, then there are a few solutions available, also you can check the filtering module for squid. It all depends on your exact need.
>>
>> --- Lars Roland [EMAIL PROTECTED] wrote:
>>
>>> Hi All
>>>
>>> I have been googling around for a squid configuration that will allow for scanning the data received from a web server before passing it to the client, but I have not found anything. Can this not be done?
>>>
>>> I am thinking of the possibility to add third party scanners and letting them return a score to squid, that would indicate if the content is allowed (same method that qmail scanner uses to indicate if an email contains virus or not in qmail).
>>>
>>> If this is not possible, can someone then tell me if there have been any attempts to implement this? Searching the archives has revealed some patches, but it is not clear if any of them are successfully working.
>>>
>>> Regards.
>>>
>>> Lars Roland

Regards,
Mohsin Khan
CCNA ( Cisco Certified Network Associate 2.0 )
http://forum.aaghaz.net
Happy is the one who can smile
[squid-users] Better Bandwidth Management
Hi Folks,

Just have some questions about delay_pools here. I have a DSL line here with 1000 users on it. HTTP-access needs to be shaped and our proxy is squid-2.5-STABLE-6. All users need to be shaped at the same speed.

What I want to slow down are HTTP-downloads. When no users are on the internet, I want to give full access for download, but when some other people are browsing, I want to slow down the download.

Can anyone give me some tips how to do this?

I have tested this:

delay_pools 1
delay_class 1 3
delay_access 1 allow all
delay_parameters 1 20/10 17/10 -1/-1

This means:
Limit total at 200kB/s, starting at files bigger than 100kB.
Limit the subnet on 170kB/s, starting at files bigger than 100kB.
All users in subnet get the max of the subnet (I want: when possible, please shape fair).

Anybody in the same situation having any tips?

Thanks!
Janno.

Janno de Wit
DNA services B.V.
[squid-users] traffic accounting via access.log named pipe (FIFO)
We have an accounting/billing system, based on Squid on FreeBSD 4.x/5.x. Squid writes its access.log to a named pipe (created by command mkfifo). A separate daemon reads data from this pipe, and communicates with the database, decreasing users' limits after they download something.

However, we discovered that a user with a small non-zero traffic limit can download any 1 file, even if he has not enough limit. For example, a user with $0.01 can download a huge ISO-image (of course, if the TCP connection won't break), because the record about it is written to access.log AFTER he downloads it.

Is there a way to solve this problem? I think about a patch for Squid, which will make it write a record after every N bytes of downloaded data (or every N minutes) in every session. If there's no better solution, please help to write this patch. I can test it immediately.
[squid-users] ncsa_auth reject
Hi all,

I've setup Squid-2.5.Stable4 using ncsa_auth and created a new password file using htpasswd. When I try to visit any web-sites I get the login box as expected but it doesn't accept my username or password. The access.log file makes the following entry for every attempt:

1095855758.491 12 128.0.0.0 TCP_DENIED/407 1738 GET http://www.mozilla.org/products/firefox/start/ gevans NONE/- text/html

I've tried echoing my username and password to ncsa_auth from the prompt and it returns an 'OK' or an 'ERR' if I send the wrong details. I know that I'm missing something but I can't see what! Does anyone have any ideas?

Thanks in advance,
Gareth Evans.
Minerva Dental Ltd.
E-Mail:- [EMAIL PROTECTED]
Re: [squid-users] Problems with https links
Thanks, it worked fine, my only new problem is the security in the authentication. Setting client_persistent_connections off, the user and password is passing in plain text. Do you know how can I solve both problems at the same time?

Thanks,
Eduardo

Henrik Nordstrom [EMAIL PROTECTED] 09/22/04 03:40am

> On Tue, 21 Sep 2004, Eduardo Naiderman wrote:
>
>> I'm using squid/2.5.STABLE3 with authentication and I'm having some problems when I use a https link in a mail or in a Word Document. I've debugged in my PC with Ethereal and Windows is not sending the complete GET after the log in. The error is:
>
> Your browser is seriously broken and forgot to set up the SSL encryption when making the https request when requested to authenticate by the proxy.
>
> Setting client_persistent_connections off may work around the buggy browser, but only if you are using basic authentication. For NTLM there is no workaround other than to get the browser fixed.
>
> Regards
> Henrik
[squid-users] TCP_MISS:FIRST_UP_PARENT
Dear list,

my configuration is: Version is Squid 2 Stable 3, system is SuSE 6.4

Problem: Internal Proxy forwarded to next proxy:

cache_peer IP_Adress parent 8080 7 no-query
acl all src 0.0.0.0/0.0.0.0
never_direct allow all

I'm trying to get an ftp connection via SmartFTP and http connection tunnel and receive this error (CONNECT Command is enabled):

IP User - [22/Sep/2004:14:51:15 +0200] CONNECT oracle-ftp.oracle.com:21 HTTP/1.1 0 226 TCP_MISS:FIRST_UP_PARENT

Thanks in Advance,
Thomas
RE: [squid-users] Problems with https links
On Weds 22 Sep 2004, Henrik Nordstrom wrote:

> On Tue, 21 Sep 2004, Eduardo Naiderman wrote:
>
>> I'm using squid/2.5.STABLE3 with authentication and I'm having some problems when I use a https link in a mail or in a Word Document. I've debugged in my PC with Ethereal and Windows is not sending the complete GET after the log in. The error is:
>
> Your browser is seriously broken and forgot to set up the SSL encryption when making the https request when requested to authenticate by the proxy.
>
> Setting client_persistent_connections off may work around the buggy browser, but only if you are using basic authentication. For NTLM there is no workaround other than to get the browser fixed.

client_persistent_connections off worked for me.

Interestingly, I have been tasked with evaluating a number of different proxies on both Windows and Linux. To date, the only one that has exhibited this https/auth/domain name stripping problem has been Squid. Does that mean that the others are effectively all using non persistent connections, or is Squid missing a trick somewhere?

Martyn Bright
Re: [squid-users] Problems with https links
On Wed, 22 Sep 2004, Eduardo Naiderman wrote:

> Thanks, it worked fine, my only new problem is the security in the authentication. Setting client_persistent_connections off, the user and password is passing in plain text.

This is always the case when using basic authentication, no matter what the client_persistent_connections setting is.

Regards
Henrik
Re: [squid-users] traffic accounting via access.log named pipe (FIFO)
On Wed, 22 Sep 2004, Michael Smirnov wrote:

> I think about a patch for Squid, which will make it write a record after every N bytes of downloaded data (or every N minutes) in every session.

There was such patch posted not long ago, probably on the squid-dev list..

Regards
Henrik
RE: [squid-users] Problems with https links
On Wed, 22 Sep 2004, Martyn Bright wrote:

> Interestingly, I have been tasked with evaluating a number of different proxies on both Windows and Linux. To date, the only one that has exhibited this https/auth/domain name stripping problem has been Squid. Does that mean that the others are effectively all using non persistent connections, or is Squid missing a trick somewhere?

Could be either.

What I know for certain is that this problem is a browser bug, not a Squid bug. And a quite serious one as it risks revealing personal details in plain text which was supposed to be SSL encrypted (credit card info etc, depending on what that https request contains).

But it is entirely possible the other proxies you tried all have workarounds for this browser bug, or that they did not use persistent connections, or otherwise manage to avoid triggering the browser bug.

Regards
Henrik
Re: [squid-users] TCP_MISS:FIRST_UP_PARENT
On Wed, 22 Sep 2004, Mueller, Thomas wrote:

> I'm trying to get an ftp connection via SmartFTP and http connection tunnel and receive this error (CONNECT Command is enabled):
>
> IP User - [22/Sep/2004:14:51:15 +0200] CONNECT oracle-ftp.oracle.com:21 HTTP/1.1 0 226 TCP_MISS:FIRST_UP_PARENT

Probably your parent does not allow CONNECT to port 21. And neither should your Squid to be honest. This is serious abuse of the CONNECT method.

You SHOULD install a FTP proxy for the purpose of proxying FTP, or a SOCKS proxy if you want generic proxying.

Regards
Henrik
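
The point above about not tunnelling CONNECT to port 21 can be checked against a configuration before it is deployed. The following is an added example, not code from the thread or from the Squid project: a small evaluator for a subset of squid.conf (acl types port, method and src, plus http_access). Both sample configurations and the client address 192.0.2.10 are constructed for illustration.

```python
# Added example (not from the thread): evaluate a small subset of squid.conf
# to answer "would this proxy tunnel CONNECT to the given port?".
import ipaddress

# Constructed sample: allows every request, so CONNECT to any port is tunnelled.
PERMISSIVE_CONF = """
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

# Constructed sample: same policy plus a CONNECT port restriction.
RESTRICTED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow all
"""


def parse(conf):
    """Collect 'acl' definitions and the ordered 'http_access' rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            # Repeated acl lines with the same name add to its value list.
            _kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def _port_matches(spec, port):
    """A port value is a single port or a low-high range."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def acl_matches(acls, name, request):
    kind, values = acls[name]
    if kind == "port":
        return any(_port_matches(v, request["port"]) for v in values)
    if kind == "method":
        return request["method"] in values
    if kind == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"acl type not handled by this sketch: {kind}")


def is_allowed(conf, method, port, src="192.0.2.10"):
    """Return True if the first matching http_access line is an allow."""
    acls, rules = parse(conf)
    request = {"method": method, "port": port, "src": src}
    for allow, names in rules:
        # Every ACL on the line must match; a leading '!' negates that ACL.
        if all(acl_matches(acls, n.lstrip("!"), request) != n.startswith("!")
               for n in names):
            return allow
    # No line matched: Squid applies the opposite of the last line,
    # and denies when there are no http_access lines at all.
    return (not rules[-1][0]) if rules else False


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_CONF),
                        ("restricted", RESTRICTED_CONF)):
        for port in (21, 443):
            verdict = "allowed" if is_allowed(conf, "CONNECT", port) else "denied"
            print(f"{label}: CONNECT to port {port} is {verdict}")
```
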
AW: [squid-users] TCP_MISS:FIRST_UP_PARENT
Thanks for your fast answer. I found the problem: I'm running SuSE Proxy Suite and the suite is listening on port 21. The suite shouldn't establish a connection directly to the Internet, because I want to have a next proxy (Viruswall) which scans all the http and ftp traffic.

Is it possible to tell the Proxy Suite that it should route all traffic over my next proxy? (Viruswall) I didn't find anything in the conf file.

Regards,
Thomas

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 September 2004 15:55
To: Mueller, Thomas
Cc: '[EMAIL PROTECTED]'
Subject: Re: [squid-users] TCP_MISS:FIRST_UP_PARENT

On Wed, 22 Sep 2004, Mueller, Thomas wrote:

> I'm trying to get an ftp connection via SmartFTP and http connection tunnel and receive this error (CONNECT Command is enabled):
>
> IP User - [22/Sep/2004:14:51:15 +0200] CONNECT oracle-ftp.oracle.com:21 HTTP/1.1 0 226 TCP_MISS:FIRST_UP_PARENT

Probably your parent does not allow CONNECT to port 21. And neither should your Squid to be honest. This is serious abuse of the CONNECT method.

You SHOULD install a FTP proxy for the purpose of proxying FTP, or a SOCKS proxy if you want generic proxying.

Regards
Henrik
[squid-users] delay parameters
I'm using delay_pools but I really do not understand the parameters assigned using delay_parameters, for example:

delay_pools 1
delay_class 1 1
delay_parameters 1 4000/4000

I understood that the first 4000 is given bw to bucket; what is the second 4000? And if I did

delay_parameters 1 4000/12000

what does this mean?

Thank you for your help
[squid-users] Re: ncsa_auth reject
Gareth Evans wrote:

> I've setup Squid-2.5.Stable4 using ncsa_auth and created a new password file using htpasswd. When I try to visit any web-sites I get the login box as expected but it doesn't accept my username or password.
>
> I've tried echoing my username and password to ncsa_auth from the prompt and it returns an 'OK' or an 'ERR' if I send the wrong details.

Is the password file readable by the user Squid runs as?

Adam
[squid-users] Squid and Apache Authentication
I would like to be able to use a web page on my Apache server to validate a user's id and password, and then redirect them on to another external site via a copy of Squid installed on the same machine.

I have seen numerous references to this as a possibility, but can anyone give me confirmation that it works and what steps I will require to configure it.

Thanks
Martyn Bright
[squid-users] providing a secure basic authentication
Chaps,

I'm currently using a basic auth scheme on our squid caches that uses a radius authentication module.

From the squid FAQ:

> NOTE: The name and password are encoded using ``base64'' (See section 11.1 of RFC 2616). However, base64 is a binary-to-text encoding only, it does NOT encrypt the information it encodes. This means that the username and password are essentially ``cleartext'' between the browser and the proxy. Therefore, you probably should not use the same username and password that you would use for your account login.

Is there any way I can perform the authentication scheme over a secure connection?

TIA
Alex
Re: Fwd: [squid-users] Re: ncsa_auth reject
Hi Adam,

Thanks for your quick reply. The Squid user has full access to the password file.

Cheers,
Gareth.

-----Original Message-----
From: Adam Aube [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 22 Sep 2004 10:32:00 -0400
Subject: [squid-users] Re: ncsa_auth reject

Gareth Evans wrote:

> I've setup Squid-2.5.Stable4 using ncsa_auth and created a new password file using htpasswd. When I try to visit any web-sites I get the login box as expected but it doesn't accept my username or password.
>
> I've tried echoing my username and password to ncsa_auth from the prompt and it returns an 'OK' or an 'ERR' if I send the wrong details.

Is the password file readable by the user Squid runs as?

Adam
[squid-users] Re: Fwd: Re: ncsa_auth reject
Gareth Evans wrote:

> Adam Aube wrote:
>
>> Gareth Evans wrote:
>>
>>> I've setup Squid-2.5.Stable4 using ncsa_auth and created a new password file using htpasswd. When I try to visit any web-sites I get the login box as expected but it doesn't accept my username or password.
>>>
>>> I've tried echoing my username and password to ncsa_auth from the prompt and it returns an 'OK' or an 'ERR' if I send the wrong details.
>>
>> Is the password file readable by the user Squid runs as?
>
> The Squid user has full access to the password file.

Post your squid.conf (without comments or blank lines).

Adam
[squid-users] Could not connect to ICAP server
Hello there,

recently, I experience a lot of problems with the ICAP patch. From time to time, clients receive the Squid error page telling that ICAP is unavailable. The ICAP server is ISS Proventia Web Filter.

Here is what the log file says:

2004/09/22 07:35:11| Ready to serve requests.
2004/09/22 09:17:47| icapReqModBodyHandler: (104) Connection reset by peer
2004/09/22 09:17:47| icapLineLength: warning lineLen (8) len (7)
2004/09/22 09:17:47| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/22 09:27:04| icapReqModBodyHandler: (104) Connection reset by peer
2004/09/22 09:53:38| urlParse: Illegal character in hostname 'www.motorrad-püschel.de'
2004/09/22 10:51:15| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/22 10:51:16| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 11:17:12| icapReqModBodyHandler: (104) Connection reset by peer
2004/09/22 11:18:41| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 12:35:58| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/22 12:36:05| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 13:15:59| icapReadHeader: FD 12 recv EOF
2004/09/21 07:35:13| Ready to serve requests.
2004/09/21 09:36:55| icapReqModBodyHandler: (104) Connection reset by peer
2004/09/21 09:49:19| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 09:49:26| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 09:54:58| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 09:54:59| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 09:54:59| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 10:08:00| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 10:08:00| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 10:23:56| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 10:24:04| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 11:01:27| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 11:01:28| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 11:14:41| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 11:14:46| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 11:27:28| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 11:27:28| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 11:42:51| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 11:42:52| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 11:49:36| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 11:49:39| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 12:20:52| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 12:20:53| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 12:33:27| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 12:33:27| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 12:45:10| icapReadHeader: FD 12 recv EOF
2004/09/21 12:45:25| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/21 16:39:49| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/21 16:39:50| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 07:28:25| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/22 07:28:25| icapReadHeader: FD 14 recv EOF
2004/09/22 07:28:26| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 07:28:26| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/22 07:35:11| Reconfiguring Squid Cache (version 2.5.STABLE6)...
2004/09/22 07:35:11| FD 8 Closing HTTP connection
2004/09/20 07:35:13| Ready to serve requests.
2004/09/20 09:33:24| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/20 09:33:24| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/20 10:07:30| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/20 10:07:31| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/20 11:14:37| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/20 11:14:39| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/20 11:23:50| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/20 11:23:53| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/20 11:35:04| icapParseChunkSize: WARNING in mid-line, ret 0
2004/09/20 11:35:07| Could not connect to ICAP server 192.168.10.254:1344: (111) Connection refused
2004/09/20 11:43:27|
Re: AW: [squid-users] TCP_MISS:FIRST_UP_PARENT
On Wed, 22 Sep 2004, Mueller, Thomas wrote:

> Thanks for your fast answer. I found the problem: I'm running SuSE Proxy Suite and the suite is listening on port 21. The suite shouldn't establish a connection directly to the Internet, because I want to have a next proxy (Viruswall) which scans all the http and ftp traffic.
>
> Is it possible to tell the Proxy Suite that it should route all traffic over my next proxy? (Viruswall) I didn't find anything in the conf file.

There are several other FTP proxies if the SuSE Proxy Suite does not support forwarding to another proxy. I would recommend looking into Frox which as a bonus also integrates with Squid for caching.

For questions regarding the SuSE Proxy Suite it is better to use the appropriate forum for that software. This forum is about Squid.

Regards
Henrik
Re: [squid-users] delay parameters
On Wed, 22 Sep 2004, Mustafa ERGUC wrote:

> delay_parameters 1 4000/12000 what does this mean?

That there will be a bucket size of 12000 bytes and each second 4000 bytes is added to this bucket.

Or in other words, the clients of this pool can download bursts of up to 12000 bytes without getting limited as long as the average is no more than 4000

Regards
Henrik
Re: [squid-users] providing a secure basic authentication
On Wed, 22 Sep 2004, Alex Sharaz wrote:

> Is there any way I can perform the authentication scheme over a secure connection

Pick one (or two):

* Use of Digest authentication.
* Use of NTLM authentication.
* SSL encryption of the client-proxy traffic. Requires a client which supports SSL encryption of proxy connections or the use of a SSL tunnel on the client (browser - SSL tunnel on localhost - proxy).

Regards
Henrik
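
To make the difference between the FAQ's warning about Basic and the first option in the list above concrete, here is an added example (not code from the thread or from Squid). It shows what an observer recovers from a Basic credential and what a Digest credential (RFC 2617, qop=auth) carries instead. The user name, password, realm, nonce and URL are constructed sample values.

```python
# Added example (not from the thread): Basic vs Digest proxy credentials.
import base64
import hashlib
import hmac
import re

# Constructed sample values.
USER, PASSWORD, REALM = "alice", "correct horse", "Squid proxy"
NONCE, NC, CNONCE = "constructed-nonce-0001", "00000001", "0a4f113b"
METHOD, URI = "GET", "http://www.example.com/"


def basic_header(user, password):
    """Value a browser sends in Proxy-Authorization for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(value):
    """What anyone who can read the header gets back: base64 is reversible."""
    scheme, token = value.split(None, 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; only this hash crosses the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Value a browser sends in Proxy-Authorization for Digest."""
    response = digest_response(user, realm, password, method, uri,
                               nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_digest(value):
    """Split a Digest credential into its key=value fields."""
    scheme, params = value.split(None, 1)
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def verify_digest(value, method, password_for):
    """Proxy side: recompute the response from the stored secret and compare."""
    f = parse_digest(value)
    expected = digest_response(f["username"], f["realm"],
                               password_for(f["username"]), method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])


SAMPLE_BASIC = basic_header(USER, PASSWORD)
SAMPLE_DIGEST = digest_header(USER, REALM, PASSWORD, METHOD, URI,
                              NONCE, NC, CNONCE)

if __name__ == "__main__":
    print("Basic on the wire :", SAMPLE_BASIC)
    print("Recovered by observer:", recover_basic(SAMPLE_BASIC))
    print("Digest on the wire:", SAMPLE_DIGEST)
    print("Proxy accepts it  :",
          verify_digest(SAMPLE_DIGEST, METHOD, lambda user: PASSWORD))
```

Digest keeps the password itself off the wire; the requests and responses are still unencrypted unless the client-proxy connection is also wrapped in SSL.
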
Re: [squid-users] Could not connect to ICAP server
On Wed, 22 Sep 2004, Florian Effenberger wrote:

> recently, I experience a lot of problems with the ICAP patch. From time to time, clients receive the Squid error page telling that ICAP is unavailable. The ICAP server is ISS Proventia Web Filter.

Have you verified it is not the ICAP server software which is failing?

Regards
Henrik
Re: [squid-users] Could not connect to ICAP server
Hello there,

> Have you verified it is not the ICAP server software which is failing?

I've just re-installed my old .STABLE5 ICAP version which worked fine. Will have a look at this one. If it works, I'll let you know, then it must be a bug in the ICAP patch.

Florian
Re: [squid-users] delay parameters
> On Wed, 22 Sep 2004, Mustafa ERGUC wrote:
>
>> delay_parameters 1 4000/12000 what does this mean?
>
> That there will be a bucket size of 12000 bytes and each second 4000 bytes is added to this bucket.
>
> Or in other words, the clients of this pool can download bursts of up to 12000 bytes without getting limited as long as the average is no more than 4000
>
> Regards
> Henrik

I found out that what client actually download is burst of up to

maximum * (DL_SPEED) / (DL_SPEED - restore)

bytes without getting limited, where DL_SPEED is speed at which pool is being emptied (phys. downlink speed) in bytes/sec. restore/maximum is 4000/12000 in here.

Przemek
[squid-users] ncsa_auth reject after passwd file updated
I've been using Squid up to 2.4 in roughly the same configuration for 5 years with nary a problem. I updated to 2.5-STABLE5 in May, and recently to STABLE6 and am having occasional authentication problems ( 6 times in 5 months ).

Several times a day I gather passwd files from various servers and munge them into one large file with unique uids. This file then replaces the one that ncsa_auth uses. I just copy overtop.

Occasionally, all new authentication attempts are rejected after updating the passwd file that ncsa_auth uses. Squid must be stopped and then restarted before it will accept new users. 'squid -k reconfigure' has no effect. Already authenticated users experience no problems.

Server details: SunFire v210, Solaris 2.9, 1GB RAM.

Squid Cache: Version 2.5.STABLE6
configure options: --prefix=/export/home/squid --enable-storeio=ufs,null, -enable-basic-auth-helpers=NCSA

I'm not seeing anything in the logs, though I only have debug_options ALL,1 in the squid.conf file. I'm guessing I should run as debug_options ALL,1 29,9?

Anyone seen this problem or have a suggestion? Again, this scheme worked for 5 years on older versions of Squid.
RE: [squid-users] Squid and Apache Authentication
There was a patch, just mentioned recently, that was posted here about a month ago. We had it created for us to do the following:

In reverse proxy (accelerated mode): User wants to hit internal webserver. Browser sends the user to the proxy which uses a redirector that sends them to a webpage. The webpage collects username/password from the user and auth's against a ldap directory. At that point we can also modify the headers, create headers, copy headers, etc and then, if authenticated OK, they are allowed to continue on their way. If not they get an error via a webpage on the same validated webserver. (Apache in this case).

As to the very in depth details, I can't help much there, which is why we decided to hire folks to assist us.

Also...we are using squid 3 pre for this.

If you don't need to modify the headers you probably still can create a redirector, as was done for us. The patch was used to modify headers we wanted to populate.

Chris

-----Original Message-----
From: Martyn Bright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: [squid-users] Squid and Apache Authentication

I would like to be able to use a web page on my Apache server to validate a user's id and password, and then redirect them on to another external site via a copy of Squid installed on the same machine.

I have seen numerous references to this as a possibility, but can anyone give me confirmation that it works and what steps I will require to configure it.

Thanks
Martyn Bright
Re: [squid-users] delay parameters
On Wed, 22 Sep 2004, Przemek Czerkas wrote:

> I found out that what client actually download is burst of up to
>
> maximum * (DL_SPEED) / (DL_SPEED - restore)

Correct, when the bucket is larger than the download speed of the client.

Regards
Henrik
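
The bucket behaviour discussed in this thread can be reproduced with a short simulation. This is an added example, not code from Squid or from the posters: it drains a bucket at the client's line rate while refilling it at the restore rate, and compares the unthrottled burst with the formula quoted above. The 4000/12000 values come from the thread; the 16000 bytes/sec client speed and the refill granularity (ticks_per_sec) are assumptions of this sketch.

```python
# Added example (not from the thread): token-bucket burst for delay_parameters.


def formula_burst(restore, maximum, dl_speed):
    """Burst size from the formula quoted in the thread."""
    return maximum * dl_speed / (dl_speed - restore)


def simulate_burst(restore, maximum, dl_speed, ticks_per_sec=1000):
    """Bytes delivered at full line rate before the bucket runs dry.

    restore   bytes added to the bucket per second
    maximum   bucket size in bytes (the bucket starts full)
    dl_speed  client line rate in bytes per second
    Integer arithmetic in units of 1/ticks_per_sec byte avoids float drift.
    """
    if dl_speed <= restore:
        return float("inf")          # refill keeps up: never limited
    cap = maximum * ticks_per_sec
    level, sent = cap, 0
    while True:
        level = min(cap, level + restore)   # refill for this tick, capped
        if level < dl_speed:                # cannot cover a full-rate tick
            return (sent + level) / ticks_per_sec
        level -= dl_speed
        sent += dl_speed


if __name__ == "__main__":
    restore, maximum = 4000, 12000          # delay_parameters 1 4000/12000
    dl_speed = 16000                        # constructed client line rate
    print("formula          :", formula_burst(restore, maximum, dl_speed))
    print("fine-grained sim :", simulate_burst(restore, maximum, dl_speed))
    # With a coarse once-per-second refill and a client faster than the
    # bucket size, the first second empties the bucket: burst == maximum.
    print("1-second refill  :", simulate_burst(restore, maximum, dl_speed, 1))
```
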
Re: [squid-users] Squid and Apache Authentication
On 22.09 15:42, Martyn Bright wrote:

> I would like to be able to use a web page on my Apache server to validate a user's id and password, and then redirect them on to another external site via a copy of Squid installed on the same machine.
>
> I have seen numerous references to this as a possibility, but can anyone give me confirmation that it works and what steps I will require to configure it.

I think you should use only apache or only squid for this.

For apache, you can easily set up virtualhost or directory with authentication needed (see AuthUserFile, require and satisfy directives), and proxied (see ProxyPass and ProxyPassReverse) to other host/port.

You can do this with squid ACL's, with and without squid behaving as http accelerator (iirc) using acl directives.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: [squid-users] Re: proxy RDP with squid
Thanks, Adam. Does somebody know of some proxy that supports RDP? Thanks!

Lucky

--- Adam Aube [EMAIL PROTECTED] wrote:

> lucas baresi wrote:
> > Is Squid able to proxy the RDP protocol?
>
> No. Squid is an HTTP proxy only.
>
> Adam
Re: [squid-users] Re: proxy RDP with squid
I use sockscap from NEC/Permeo Technologies with a socks5 server. Socks is nice for those kinds of applications. Permeo also have another product which has a heap more functionality but is based on socks5, which you may also find useful for what you are attempting. Check out www.permeo.com or www.socks.permeo.com for sockscap. There are quite a few socks servers out there; if you can find the one from NEC, it works well. There is also an open-source socks5 server called Dante. Also, if you're using *nix you can download runsocks, which can be used like sockscap for Windows, for example:

runsocks ssh -l username host.domain.com

Hope this helps..

On Wed, 22 Sep 2004 23:26:22 +0200 (CEST), lucas baresi [EMAIL PROTECTED] wrote:

> Thanks, Adam. Does somebody know of some proxy that supports RDP? Thanks!
>
> Lucky
>
> --- Adam Aube [EMAIL PROTECTED] wrote:
> > lucas baresi wrote:
> > > Is Squid able to proxy the RDP protocol?
> >
> > No. Squid is an HTTP proxy only.
> >
> > Adam
Re: [squid-users] Squid and Apache Authentication
Through some help from this list I figured out how to do something similar just last night. In Squid 3.0 there is the cache_peer option login=PROXYPASS - this option converts proxy-authorization to http-authorization and then passes it to the nominated cache_peer. So what we do is make everyone authenticate to the proxy and then, if they are going to auth.domain, they go through cache_peer with login=PROXYPASS and the auth credentials are passed to the target webpage, which can then use an Apache auth or PHP to allow them access to the requested page. All requests not destined for auth.domain are passed to a different cache_peer - they could just go direct - we are using the upstream peer to do content filtering, as the particular content filter software we were forced to use uses a proprietary Cisco IFP protocol to communicate with caches :(

Not exactly what you are looking for but might help.

Cheers

__
David Brown RHCE MCP CCA
CSM Technology
99 Frome St, Adelaide SA 5001
Ph: (08) 8418 7804 Fax: (08) 8418 7820 Mob: 0414 494 802
Email: [EMAIL PROTECTED]

From: Martyn Bright [EMAIL PROTECTED]
Date: 23/09/2004 12:12 AM
Subject: [squid-users] Squid and Apache Authentication

> I would like to be able to use a web page on my Apache server to validate a user's id and password, and then redirect them on to another external site via a copy of Squid installed on the same machine. I have seen numerous references to this as a possibility, but can anyone give me confirmation that it works and what steps I will require to configure it.
>
> Thanks
> Martyn Bright
Re: [squid-users] Squid and Apache Authentication
On Thu, 23 Sep 2004 [EMAIL PROTECTED] wrote:

> - they could just go direct - we are using the upstream peer to do content filtering as the particular content filter software we were forced to use uses a proprietary Cisco IFP protocol to communicate with caches :(

May I ask which content filter software you use?

Regards
Henrik
Re: [squid-users] Squid and Apache Authentication
Hi Henrik,

n2h2 content filter is the product we are using - I believe the actual product line name is Bess. It can work with Squid, as the n2h2 people have written a redirector for Squid, but (by n2h2's own admission) it doesn't work very well. It doesn't do user or group based filtering and it can only handle 150 connections per second - our environment will be generating 300 connections per second. We wanted to use Squid but our customer decided they wanted the user and group filtering, so we had to go to a Cisco Content Engine.

Cheers

__
David Brown RHCE MCP CCA
CSM Technology
99 Frome St, Adelaide SA 5001
Ph: (08) 8418 7804 Fax: (08) 8418 7820 Mob: 0414 494 802
Email: [EMAIL PROTECTED]

From: Henrik Nordstrom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 23/09/2004 09:48 AM
cc: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: Re: [squid-users] Squid and Apache Authentication

> On Thu, 23 Sep 2004 [EMAIL PROTECTED] wrote:
> > - they could just go direct - we are using the upstream peer to do content filtering as the particular content filter software we were forced to use uses a proprietary Cisco IFP protocol to communicate with caches :(
>
> May I ask which content filter software you use?
>
> Regards
> Henrik
[squid-users] how to configure it in squid box
Dear all,

I have a Squid machine. I want every user who uses my Squid machine to get some info, like a picture in a header or a popup, like anonymizer. How do I do that in Squid?

thx
--sonjaya--