Re: [squid-users] Re: Constant Login Prompt for NTLM Auth against Samba PDC
> I figured it out to a point: > > I had this config, which worked on another setup: > > #Samba PDC Auth > auth_param ntlm program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-ntlmssp > #auth_param ntlm max_challenge_reuses 0 > #auth_param ntlm max_challenge_lifetime 2 minutes > auth_param ntlm children 40 > auth_param basic program /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-basic > auth_param basic children 40 > auth_param basic realm Cache NTLM Authentication > auth_param basic credentialsttl 2 hours > > Though this setup now works: > auth_param ntlm program /usr/lib/squid/ntlm_auth 01Networks/Debian-PDC > auth_param ntlm children 5 > #auth_param ntlm max_challenge_reuses 0 > #auth_param ntlm max_challenge_lifetime 2 minutes > > > The reason I have two lines commented out on each is because even > though tons of sites claim to use max_challenge but they always error > out. Did something change? This is a perfect example of the squid vs Samba bundled confusion. The top config uses the Samba helper for full NTLM auth with some kerberos support by rumour. It also has basic auth input accepted as a backup if the client fails NTLM handshake. The second config uses the squid helper for partial SMB LanManager auth. Amos > > On Wed, Nov 5, 2008 at 12:50 AM, Adam McCarthy > <[EMAIL PROTECTED]> wrote: >> I currently have a Samba 3 PDC. >> >> Everything seems to work, except IE/Firefox both bring up a prompt for >> username and password. >> >> I'm using the exact same config files from another setup that worked >> fine. >> >> You for some reason can't type in just the username and password, like >> you would think. >> >> For example, my workgroup is 01Networks, and even though the XP Pro >> machine is logged in sucessfully with that same name, unless I type in >> >> 01Networks/adam and password, the prompts never go away. >> >> After I type those in they work. >> >> Why is this setup acting strange after a previous setup done exactly >> the same way works fine? >> >> Also, why would I be required to put in my Domain/User instead of just >> User when normally I only ever needed User? >> >> Also normally IE/Firefox just sent out my info. >> >
Re: [squid-users] Vedio streming erros
> Hi, > > We want to go to below website which contains streaming vedio. When We > get there all the images. But We will NOT get streaming vedio. If We > bypass squid, We get streamig Vedio. > > http://uticctv.mine.nu/index.htm > > The above site has a user name and password. I can Not give it you. > sorry for it. > > Anyway, This is squid version , Pls see below > > Squid Cache: Version 2.6.STABLE6 > Please verify that the video is actually sent via HTTP. Most common breakage with streaming media is people blocking RTSP protocol ports or other custom stream ports and assuming media client and server can use the proxy. Amos
[squid-users] Re: Constant Login Prompt for NTLM Auth against Samba PDC
I figured it out to a point: I had this config, which worked on another setup: #Samba PDC Auth auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm children 40 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 40 auth_param basic realm Cache NTLM Authentication auth_param basic credentialsttl 2 hours Though this setup now works: auth_param ntlm program /usr/lib/squid/ntlm_auth 01Networks/Debian-PDC auth_param ntlm children 5 #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes The reason I have two lines commented out on each is because even though tons of sites claim to use max_challenge but they always error out. Did something change? On Wed, Nov 5, 2008 at 12:50 AM, Adam McCarthy <[EMAIL PROTECTED]> wrote: > I currently have a Samba 3 PDC. > > Everything seems to work, except IE/Firefox both bring up a prompt for > username and password. > > I'm using the exact same config files from another setup that worked fine. > > You for some reason can't type in just the username and password, like > you would think. > > For example, my workgroup is 01Networks, and even though the XP Pro > machine is logged in sucessfully with that same name, unless I type in > > 01Networks/adam and password, the prompts never go away. > > After I type those in they work. > > Why is this setup acting strange after a previous setup done exactly > the same way works fine? > > Also, why would I be required to put in my Domain/User instead of just > User when normally I only ever needed User? > > Also normally IE/Firefox just sent out my info. >
Re: [squid-users] SSL Site Problem...
Most likely a window scaling issue. There is still very many broken firewalls out there.. Squid FAQ System Wierdness - Linux - Some sites load extremely slowly or not at all: http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-4920199b311ce7d20b9a0d85723fd5d0dfc9bc84 Regards Henrik On ons, 2008-11-05 at 15:07 +, Andy McCall wrote: > Hi Folks, > > I have a problem accessing an SSL site through my Squid setup, IE just spins > its blue circle forever, and doesn't seem to ever actually time out. The > same site works when going direct. I have tried multiple browsers to > eliminate the browser as the issue. > > Any help is appreciated, as I am really stuck now... > > The site is: > > https://secure.crtsolutions.co.uk > > I am using: > > Squid Cache: Version 2.6.STABLE18 > configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' > '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' > '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' > '--enable-async-io' '--with-pthreads' > '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' > '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' > '--enable-snmp' '--enable-delay-pools' '--enable-htcp' > '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' > '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' > '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' > 'i386-debian-linux' 'build_alias=i386-debian-linux' > 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall > -g -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' > > The entry in access.log is: > > 1225894644.785 3106 10.XX.XX.XX TCP_MISS/200 174 CONNECT > secure.crtsolutions.co.uk:443 - DIRECT/195.114.102.18 - > > The cache.log entry is (if there is too much here, I apologise, I am not sure > how much to post!): > > 2008/11/05 14:17:25| parseHttpRequest: Client HTTP version 1.0. > 2008/11/05 14:17:25| parseHttpRequest: Method is 'CONNECT' > 2008/11/05 14:17:25| parseHttpRequest: URI is 'secure.crtsolutions.co.uk:443' > 2008/11/05 14:17:25| parseHttpRequest: req_hdr = {User-Agent: Mozilla/4.0 > (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media > Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M > Proxy-Connection: Keep-Alive^M > Content-Length: 0^M > Host: secure.crtsolutions.co.uk^M > Pragma: no-cache^M > ^M > } > 2008/11/05 14:17:25| parseHttpRequest: end = {} > 2008/11/05 14:17:25| parseHttpRequest: prefix_sz = 294, req_line_sz = 48 > 2008/11/05 14:17:25| parseHttpRequest: Request Header is > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET > CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M > Proxy-Connection: Keep-Alive^M > Content-Length: 0^M > Host: secure.crtsolutions.co.uk^M > Pragma: no-cache^M > ^M > > 2008/11/05 14:17:25| parseHttpRequest: Complete request received > 2008/11/05 14:17:25| conn->in.offset = 0 > 2008/11/05 14:17:25| commSetTimeout: FD 44 timeout 86400 > 2008/11/05 14:17:25| init-ing hdr: 0x191b82c8 owner: 2 > 2008/11/05 14:17:25| parsing hdr: (0x191b82c8) > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET > CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M > Proxy-Connection: Keep-Alive^M > Content-Length: 0^M > Host: secure.crtsolutions.co.uk^M > Pragma: no-cache^M > > 2008/11/05 14:17:25| creating entry 0x1a1f39a0: near 'User-Agent: Mozilla/4.0 > (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media > Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)' > 2008/11/05 14:17:25| created entry 0x1a1f39a0: 'User-Agent: Mozilla/4.0 > (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media > Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)' > 2008/11/05 14:17:25| 0x191b82c8 adding entry: 50 at 0 > 2008/11/05 14:17:25| creating entry 0x1a1ea180: near 'Proxy-Connection: > Keep-Alive' > 2008/11/05 14:17:25| created entry 0x1a1ea180: 'Proxy-Connection: Keep-Alive' > 2008/11/05 14:17:25| 0x191b82c8 adding entry: 41 at 1 > 2008/11/05 14:17:25| creating entry 0x82b4a88: near 'Content-Length: 0' > 2008/11/05 14:17:25| created entry 0x82b4a88: 'Content-Length: 0' > 2008/11/05 14:17:25| 0x191b82c8 adding entry: 14 at 2 > 2008/11/05 14:17:25| creating entry 0x1a1f38d0: near 'Host: > secure.crtsolutions.co.uk' > 2008/11/05 14:17:25| created entry 0x1a1f38d0: 'Host: > secure.crtsolutions.co.uk' > 2008/11/05 14:17:25| 0x191b82c8 adding entry: 27 at 3 > 2008/11/05 14:17:25| creating entry 0x1a1f3910: near 'Pragma: no-cache' > 2008/11/05 14:17:25| created entry 0x1a1f3910: 'Pragma: no-cache' > 2008/11/05 14:17:25| 0x191b82c8 adding entry: 37 at 4 > 2008/11/05 14:17:25| 0x191b82c8 lookup for 20 > 2008/11/05 14:17:25| clientSetKeepaliveFlag: http_ver = 1.0 > 2008/11/05 14:17:25| clientSetKeepaliveFlag: method = CONNECT > 2008/11/05
Re: [squid-users] squid 2.6/block https
On ons, 2008-11-05 at 17:57 +0530, sohan krishi wrote: > My configuration is Ubuntu-iptables-squid2.6/Transparent Proxy. I > block gmail to all employees in my company. My problem is, squid does > not block https://gmail.com. And does not even log https://gmail.com ! > I didn't knew this until I've seen one of our employe browsing gmail! It's because https is encrypted on port 443. > I did add this to my iptables : #iptables -t nat -A PREROUTING -i eth1 > -p tcp --dport 443 -j DNAT --to eth0:3128 but get this meesage in > access.log : error:unsupported-request-method It's because https is encrypted. It sort of works it you redirect it to an https_port, but probably not what you want as it breaks many things. The proper soultion to all this is to use proxy settings. It's fairly easy to roll out proxy settings company wide using group policies or login scripts or eeven auto discovery using WPAD, and then use interception and firewalling only as a backup method for those who for some reason did not get the prexy settings. > Can anyone please help me how to block gmail. I want to block > gmail/gtalk to all IPs except couple of IPs. You'll have to block pore 443 traffic to all addresses used by google servers almost.. Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] WCCP load balancing and TPROXY fully transparent interception
Thanks for your reply. > The redirection in both directions must match for this to work. See the > wiki for a configuration example > > http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY The configuration example does not mention the scenario that one router talks to *MULTIPLE* squid servers. As far as I know, cisco routers does not fully track connections, they just redirect packets by their IP addresses and source/destination ports. With TPROXY enabled, router can not tell which outgoing request packet to original destination server is sent by which squid server, as the source IP address is original client's address. So the question arises: I have 2 squid servers, squid A and squid B, both implented TPROXY and connected to the same Cisco router: Internet | | squid ARoutersquid B | | Customers Here squid A wants to send a HTTP request to original destination server, the routers just forwards this packet, it's OK; but when the response packet from the original server returns in, how does the router redirect that packet? Redirect it to squid A or squid B? As there's no connection table in router memory or any mark in the packet, how can the router determine that this response packet should be forwarded to squid A? squid A -- (request to original server) --> router --> original server -- (response) --> router --> squid A or B? Many thanks again. Regards
[squid-users] SSL Site Problem...
Hi Folks, I have a problem accessing an SSL site through my Squid setup, IE just spins its blue circle forever, and doesn't seem to ever actually time out. The same site works when going direct. I have tried multiple browsers to eliminate the browser as the issue. Any help is appreciated, as I am really stuck now... The site is: https://secure.crtsolutions.co.uk I am using: Squid Cache: Version 2.6.STABLE18 configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' The entry in access.log is: 1225894644.785 3106 10.XX.XX.XX TCP_MISS/200 174 CONNECT secure.crtsolutions.co.uk:443 - DIRECT/195.114.102.18 - The cache.log entry is (if there is too much here, I apologise, I am not sure how much to post!): 2008/11/05 14:17:25| parseHttpRequest: Client HTTP version 1.0. 2008/11/05 14:17:25| parseHttpRequest: Method is 'CONNECT' 2008/11/05 14:17:25| parseHttpRequest: URI is 'secure.crtsolutions.co.uk:443' 2008/11/05 14:17:25| parseHttpRequest: req_hdr = {User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M Proxy-Connection: Keep-Alive^M Content-Length: 0^M Host: secure.crtsolutions.co.uk^M Pragma: no-cache^M ^M } 2008/11/05 14:17:25| parseHttpRequest: end = {} 2008/11/05 14:17:25| parseHttpRequest: prefix_sz = 294, req_line_sz = 48 2008/11/05 14:17:25| parseHttpRequest: Request Header is User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M Proxy-Connection: Keep-Alive^M Content-Length: 0^M Host: secure.crtsolutions.co.uk^M Pragma: no-cache^M ^M 2008/11/05 14:17:25| parseHttpRequest: Complete request received 2008/11/05 14:17:25| conn->in.offset = 0 2008/11/05 14:17:25| commSetTimeout: FD 44 timeout 86400 2008/11/05 14:17:25| init-ing hdr: 0x191b82c8 owner: 2 2008/11/05 14:17:25| parsing hdr: (0x191b82c8) User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)^M Proxy-Connection: Keep-Alive^M Content-Length: 0^M Host: secure.crtsolutions.co.uk^M Pragma: no-cache^M 2008/11/05 14:17:25| creating entry 0x1a1f39a0: near 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)' 2008/11/05 14:17:25| created entry 0x1a1f39a0: 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)' 2008/11/05 14:17:25| 0x191b82c8 adding entry: 50 at 0 2008/11/05 14:17:25| creating entry 0x1a1ea180: near 'Proxy-Connection: Keep-Alive' 2008/11/05 14:17:25| created entry 0x1a1ea180: 'Proxy-Connection: Keep-Alive' 2008/11/05 14:17:25| 0x191b82c8 adding entry: 41 at 1 2008/11/05 14:17:25| creating entry 0x82b4a88: near 'Content-Length: 0' 2008/11/05 14:17:25| created entry 0x82b4a88: 'Content-Length: 0' 2008/11/05 14:17:25| 0x191b82c8 adding entry: 14 at 2 2008/11/05 14:17:25| creating entry 0x1a1f38d0: near 'Host: secure.crtsolutions.co.uk' 2008/11/05 14:17:25| created entry 0x1a1f38d0: 'Host: secure.crtsolutions.co.uk' 2008/11/05 14:17:25| 0x191b82c8 adding entry: 27 at 3 2008/11/05 14:17:25| creating entry 0x1a1f3910: near 'Pragma: no-cache' 2008/11/05 14:17:25| created entry 0x1a1f3910: 'Pragma: no-cache' 2008/11/05 14:17:25| 0x191b82c8 adding entry: 37 at 4 2008/11/05 14:17:25| 0x191b82c8 lookup for 20 2008/11/05 14:17:25| clientSetKeepaliveFlag: http_ver = 1.0 2008/11/05 14:17:25| clientSetKeepaliveFlag: method = CONNECT 2008/11/05 14:17:25| 0x191b82c8 lookup for 41 2008/11/05 14:17:25| 0x191b82c8: joining for id 41 2008/11/05 14:17:25| 0x191b82c8: joined for id 41: Keep-Alive 2008/11/05 14:17:25| 0x191b82c8 lookup for 52 2008/11/05 14:17:25| 0x191b82c8 lookup for 41 2008/11/05 14:17:25| 0x191b82c8: joining for id 41 2008/11/05 14:17:25| 0x191b82c8: joined for id 41: Keep-Alive 2008/11/05 14:17:25| commSetSelect: FD 44 type 1 2008/11/05 14:17:25| commSetEvents(fd=44) 2008/11/05 14:17:25| 0x191b82c8 lookup for 59 2008/11/05 14:17:25| cbdataLock: 0x82a9c78 2008/11/05 14:1
Re: [squid-users] Ignoring query string from url
nitesh naik wrote: Hi All, Issues was with Disk I/O. I have used null cache dir and squid response is much faster now. cache_dir null /empty Thanks everyone for your help. Regards Nitesh Oh dear, I can't believe I overlooked this. cache_dir aufs (linux) or diskd (FreeBSD) is likely to solve the disk speed issues. Particularly if you don't use a blocking IOEngine (leaving it unset is usually best). Amos On Tue, Nov 4, 2008 at 9:40 AM, nitesh naik <[EMAIL PROTECTED]> wrote: Does these Redirector statistics mean url rewrite helper program is slowing down squid response ? avg service time is 1550 msec. Redirector Statistics: program: /home/zdn/bin/redirect_parallel.pl number running: 2 of 2 requests sent: 1069753 replies received: 1069752 queue length: 0 avg service time: 1550 msec # FD PID # Requests Flags TimeOffset Request 1 10 18237 12645 B 0.002 38 (none) 2 15 18238 12335 2.144 0 (none) Regards Nitesh On Mon, Nov 3, 2008 at 2:46 PM, nitesh naik <[EMAIL PROTECTED]> wrote: Not sure if url rewrite helper is slowing down process because via cache manager interface it didn't show any connection back log. What information I should look for in cache manager to find out the cause of the slow serving of requests ? Redirector Statistics: program: /home/zdn/bin/redirect_parallel.pl number running: 2 of 2 requests sent: 155697 replies received: 155692 queue length: 0 avg service time: 0 msec # FD PID # Requests Flags TimeOffset Request 1 8 21149 104125 BW 0.033 38 http://s2.xyz.com/1821/78/570/1789/563/i88.js?z=4258 81.52.249.106/- - GET myip=10.0.0.165 myport=80\n 2 9 21150 51572 BW 0.039 0 http://s2.xyz.com/1813/2/570/1781/563/i7.js?z=8853 81.52.249.106/- - GET myip=10.0.0.165 myport=80\n Following are my squid settings. acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1 acl to_localhost dst 127.0.0.0/255.0.0.0 acl localnet src 10.0.0.0/255.0.0.0 acl SSL_ports port 443 acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 acl CONNECT method CONNECT http_access Allow manager localhost http_access Deny manager http_access Deny !Safe_ports http_access Deny CONNECT !SSL_ports http_access Allow all http_access Allow localnet http_access Deny all icp_access Allow localnet icp_access Deny all htcp_access Allow localnet htcp_access Deny all htcp_clr_access Deny all ident_lookup_access Deny all http_port 0.0.0.0:80 defaultsite=s1.xyz.com vhost cache_peer 10.0.0.175 Parent 80 0 no-query round-robin originserver cache_peer 10.0.0.177 Parent 80 0 no-query round-robin originserver cache_peer 10.0.0.179 Parent 80 0 no-query round-robin originserver cache_peer 10.0.0.181 Parent 80 0 no-query round-robin originserver dead_peer_timeout 10 seconds hierarchy_stoplist cgi-bin hierarchy_stoplist ? cache_mem 0 bytes maximum_object_size_in_memory 1048576 bytes memory_replacement_policy lru cache_replacement_policy lru cache_dir ufs /home/zdn/squid/var/cache 6000 16 256 IOEngine=Blocking store_dir_select_algorithm least-load max_open_disk_fds 0 minimum_object_size 0 bytes maximum_object_size 4194304 bytes cache_swap_low 90 cache_swap_high 95 logformat combined %>a %ui %un [%[tl] "%"rm %"ru HTTP/%">v" %Hs %h" "%"{User-Agent}>h" %Ss:%Sh access_log /home/zdn/squid/var/logs/access.log squid cache_log /home/zdn/squid/var/logs/cache.log cache_store_log /home/zdn/squid/var/logs/store.log logfile_rotate 10 emulate_httpd_log off log_ip_on_direct on mime_table /home/zdn/squid/etc/mime.conf log_mime_hdrs off pid_filename /home/zdn/squid/var/logs/squid.pid debug_options ALL,1 log_fqdn off client_netmask 255.255.255.255 strip_query_terms off buffered_logs off url_rewrite_program /home/zdn/bin/redirect_parallel.pl url_rewrite_children 2 url_rewrite_concurrency 2000 url_rewrite_host_header off url_rewrite_bypass off refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 quick_abort_min 16 KB quick_abort_max 16 KB quick_abort_pct 95 read_ahead_gap 16384 bytes negative_ttl 0 seconds positive_dns_ttl 21600 seconds negative_dns_ttl 60 seconds range_offset_limit 0 bytes minimum_expiry_time 60 seconds store_avg_object_size 13 KB store_objects_per_bucket 20 request_header_max_size 20480 bytes reply_header_max_size 20480 bytes request_body_max_size 0 bytes via off ie_refresh off vary_ignore_expire off request_entities off relaxed_header_parser on forward_timeout 240 seconds connect_timeout 10 seconds peer_connect_timeout 5 seconds read_timeout 120 seconds request_timeout 10 seconds persistent_request_timeout 120 seconds client_lifetime 86400 seconds half_closed_clients off pconn_timeout 60 seconds ident_timeout 10 seconds shutdown_lifetime 30 seconds cache_mgr webmaster mail_program mail cache_effective_user zdn httpd_suppress_version
[squid-users] squid 2.6/block https
Hi All, My configuration is Ubuntu-iptables-squid2.6/Transparent Proxy. I block gmail to all employees in my company. My problem is, squid does not block https://gmail.com. And does not even log https://gmail.com ! I didn't knew this until I've seen one of our employe browsing gmail! I did add this to my iptables : #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to eth0:3128 but get this meesage in access.log : error:unsupported-request-method Can anyone please help me how to block gmail. I want to block gmail/gtalk to all IPs except couple of IPs. Thanks Sohan Krishi
Re: [squid-users] squid cache proxy + Exchange 2007 problems
Retaliator wrote: Hello, i found out after few months i have problems with clients using office 2007 against exchange 2007. if proxy is enabled out of office and more issues wont work becasue squid blocks them, the autodiscover service is a part of exchange 2007, if you remove the proxy it works. Please define what you mean by "proxy is enabled". do you mean browsers configured with proxy? proxy sitting in middle intercepting traffic? proxy reversed for acceleration of the exchange server? my proxy ip is a real ip, the exchange servers are internal. while the user try to use out of office on his client with office 2007 he recieves an error "your out of office settings cannot be displayed, because the server is currently unavailable" on the squid log i see TCP_MISS/404 0 CONNECT SERVERNAME.SUBDOMAIN.beeper.co.il:443 - DIRECT/- - servername and subdomain are smt else i changed. Appears that browsers are configured to tunnel requests through a proxy. you likely need to setup a correct reverse-proxy config to access the internal servers while outside. if i add to internet explorer exceptions to the exchange servers its ok, but how can i fix that in squid configuration that the local domain or those two servers it will allow/find em? Amos -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.1
Re: [squid-users] MSNT authentication - login window
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It worked! Thanks so much for your help. Henrik Nordstrom escreveu: > On mån, 2008-11-03 at 09:25 -0200, Luciano Cassemiro wrote: > > >> http_access deny our_networks users forbidden_sites !directors > > This line requests authentication as the last acl on the line is > authentication related (directors). > > Rewrite it to > > http_acccess deny out_networks !directors forbidden_sites > > and it will show an "access denied" message instead. And it also makes > deny_info more natural if you want a custom error message based on > forbidden_sites. > > Regards > Henrik -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJEYet4/f2ihDUoIkRAsdRAKC7oDpn8GWk4rDjnwZkUmaKEhuCCgCggcI6 SfFyWe4JjyP4bJVKQNOisJg= =2S1K -END PGP SIGNATURE-
Re: [squid-users] Squid-3 + Tproxy4 clarification
Arun Srinivasan wrote: Thanks for the response. " - does the client IP have access to use the hidden peer proxy?" Yes. To ensure this I tried it out with an 'nc' utility instead of peer proxy. "- do the connections between peers go over lo interface? I'm not sure what the special kernel behavior with public IPs on localhost interface would be." Yes. I could see the connections go over lo interface. However, it is not getting handled by the stack. Aha, there is the problem then. Henriks other post described the problem clearly, so I won't repeat. To get this to work you will likely need to try having both squid instances listening on different ports of the machines public IP. You will still loose the spoofing ability within the second-hop proxy, but the traffic should at least flow properly. Amos 2008/11/4 Amos Jeffries <[EMAIL PROTECTED]>: Arun Srinivasan wrote: Hi List, Has anyone successfully used cache_peer support with tproxy4 enabled? Not that I'm aware of at this point. The scenario is running Squid proxy with tproxy4 enabled and another http proxy (no tproxy4) on the same box. First Squid would receive the request from the user, then connects to its cache_peer which is the other http proxy. With tproxy enabled, am not able to establish connection between Squid and the other proxy. However, in interception mode, am able to do this. Please advise if I am missing out anything. Following are the packages and its versions used: Kernel version: 2.6.26 Tproxy version: tproxy4-2.6.26-200809262032 iptables version: tproxy-iptables-1.4.0-20080521-113954-1211362794 Squid version: squid-3.HEAD-20081021 The new TPROXY/Squid interaction is that it natively spoofs the client IP on all outbound links made newly for that request. Two things to check are: - does the client IP have access to use the hidden peer proxy? - do the connections between peers go over lo interface? I'm not sure what the special kernel behavior with public IPs on localhost interface would be. Amos -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.1 -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.1
Re: [squid-users] CACHEMGR - What`s wrong?
On tis, 2008-11-04 at 14:22 -0300, Rodrigo de Oliveira Gomes wrote: >Cache Manager Error > >target 192.168.47.89:3128 not allowed in cachemgr.conf > __ >cachemgr.conf: >localhost >192.168.47.89:3128 > > Am I doing something wrong? Lack configuration? Permission? I look forward to > in a hand. Can cachemgr.cgi open cachemgr.conf? Is cachemgr.conf in the proper location? Either same directory as cachemgr.cgi (or to be exact the current working directory when cachemgr.cgi runs.. usually the same directory but depends on web server setup), or if not there then /etc/cachemgr.conf If you are unsure about the location then strings cachemgr.cgi | grep cachemgr.conf should tell you. Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] Squid-3 + Tproxy4 clarification
On tis, 2008-11-04 at 22:37 +0530, Arun Srinivasan wrote: > Yes. I could see the connections go over lo interface. However, it is > not getting handled by the stack. Public addresses can not talk to loopback addresses (127.X). This is an intentional security restriction in the TCP/IP stack. Also I don't think using TPROXY internally on the same server is even intended to work. It's intended use is on traffic being routed by the proxy to some other servers (i.e. Internet). Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] squid cache proxy + Exchange 2007 problems
On tis, 2008-11-04 at 01:58 -0800, Retaliator wrote: > on the squid log i see > TCP_MISS/404 0 CONNECT SERVERNAME.SUBDOMAIN.beeper.co.il:443 - DIRECT/- - > servername and subdomain are smt else i changed. From this it looks like yout Squid can not resolve te requested hostname into an IP. Check your DNS Regards Henrik signature.asc Description: This is a digitally signed message part
[squid-users] Vedio streming erros
Hi, We want to go to below website which contains streaming vedio. When We get there all the images. But We will NOT get streaming vedio. If We bypass squid, We get streamig Vedio. http://uticctv.mine.nu/index.htm The above site has a user name and password. I can Not give it you. sorry for it. Anyway, This is squid version , Pls see below Squid Cache: Version 2.6.STABLE6 Your Idead expected -- Thank you Indunil Jayasooriya
Re: [squid-users] Timezone issue
On tis, 2008-11-04 at 18:02 +1100, Rod Taylor wrote: > My squid is running on a machine that is set to local time in both > software and hardware. Squid shows GMT in all error messages and uses > GMT in the ACLs. How do I set Squid to use local time not GMT. Squid is > the only program to do this... Squid FAQ I want to use local time zone in error messages. http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-de11286b4accdede48d411359ab365725673c88a Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] R: [squid-users] Connection to webmail sites problem using more than one parent proxy
On tis, 2008-11-04 at 19:49 +0100, Sergio Marchi wrote: > cache_peer myparentproxy1.dipvvf.it parent 3128 3130 sourcehash > round-robin no-query Don't mix round-robin and sourcehash. Not sure what will happen in such confusing setup. But you should indeed use no-query if you use sourcehash or round-robin. > It seems to work , but the connection are established only on one > parentproxy, even if the clients ip addresses are different. How many addresses did you try with? There is a 1/3 probability of two addresses to end up on the same parent when having 3 srchash parents. Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] MSNT authentication - login window
On mån, 2008-11-03 at 09:25 -0200, Luciano Cassemiro wrote: > http_access deny our_networks users forbidden_sites !directors This line requests authentication as the last acl on the line is authentication related (directors). Rewrite it to http_acccess deny out_networks !directors forbidden_sites and it will show an "access denied" message instead. And it also makes deny_info more natural if you want a custom error message based on forbidden_sites. Regards Henrik signature.asc Description: This is a digitally signed message part
Re: [squid-users] WCCP load balancing and TPROXY fully transparent interception
On mån, 2008-11-03 at 16:57 +0800, Bin Liu wrote: > Hi, > > I'm going to deploy multiple squid servers in a ISP for HTTP traffic > caching. I'm now considering using WCCP for load balancing and TPROXY > for fully transparent interception. > > Here is the problem. As far as I know, Cisco WCCP module does not > maintain connection status, it just redirect packets based on their IP > addresses and ports. I'm just wondering if it's possible that one > squid server(squid A, for example) sends a outbound request, but the > router redirects the corresponding inbound response to another > squid(squid B)? Then that's totally messed. The redirection in both directions must match for this to work. See the wiki for a configuration example http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY Regards Henrik signature.asc Description: This is a digitally signed message part