Re: [squid-users] Issues with Radius,Squid3, 64 Bit
Thu 2010-03-25 at 01:34 +1300, Amos Jeffries wrote:
> micky...@gmx.de wrote:
> > Thx for the quick reply.
> >
> > Do you know if there is a timeline for adjusting the RADIUS module for
> > squid/64? Or is there no priority for this?
> >
>
> There is no plans for RADIUS in Squid.

Not entirely correct. The RADIUS helper shipped with Squid is supported as part of Squid. But it's correct that there are no plans for any larger changes, at least not unless any problems are seen.

Regards
Henrik
Re: [squid-users] Issues with Radius,Squid3, 64 Bit
Wed 2010-03-24 at 12:50 +0100, micky...@gmx.de wrote:
> Hi,
>
> I am using Squid3S25 on Suse SLES 10, 64 bit, squid_radius_auth-1.10.

Please try with the squid_radius_auth shipped with Squid instead. The separate archive is no longer maintained since the helper has been included in the Squid distribution.

From what I can tell the helper shipped with Squid produces correct auth requests when compiled 64-bit. Tested with freeradius.

Regards
Henrik
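The helper Henrik refers to builds RFC 2865 Access-Request packets. The following is an example added here, not code from Squid or from squid_radius_auth, of what a correctly laid-out PAP Access-Request looks like: every field is packed at an explicit width so the bytes on the wire do not depend on the compiler's int or long size, the User-Password is hidden with the RFC 2865 section 5.2 scheme, and a parser checks that the Length field agrees with the bytes actually present, which is the first thing that goes wrong when a field is mis-sized. The shared secret, user name, password and NAS address are constructed sample values.

```python
"""RFC 2865 Access-Request construction with fixed-width fields.

Added example, not Squid's squid_radius_auth. Shows the on-the-wire layout a
RADIUS client must produce regardless of the build's word size, plus the
User-Password hiding scheme from RFC 2865 section 5.2. The shared secret,
user name, password and NAS address used by callers are constructed samples.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
# Code(1) Identifier(1) Length(2) Authenticator(16): always 20 bytes, big-endian.
HEADER = struct.Struct("!BBH16s")


def hide_password(password, secret, authenticator):
    """c1 = p1 XOR MD5(S + RA); c(i) = p(i) XOR MD5(S + c(i-1)); 16-byte blocks."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(b ^ k for b, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side of the same scheme; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ k for b, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type(1) Length(1, counts the 2 header bytes) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """PAP Access-Request; the Length field covers header plus attributes."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(CODE_ACCESS_REQUEST, ident, HEADER.size + len(attrs), auth) + attrs


def parse_packet(packet):
    """Parse header and attributes; reject a Length that disagrees with the
    bytes present, or an attribute that runs past the end of the packet."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack(packet[:HEADER.size])
    if length != len(packet):
        raise ValueError("length field %d != packet size %d" % (length, len(packet)))
    attrs, pos = {}, HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": auth, "attrs": attrs}


def packet_is_well_formed(packet):
    """True if parse_packet accepts the bytes, False on any layout error."""
    try:
        parse_packet(packet)
        return True
    except (ValueError, struct.error):
        return False
```

A client built this way can be checked against a server trace byte for byte: the header is always 20 bytes, each attribute's Length byte includes its own 2-byte header, and the hidden password is a multiple of 16 bytes. The Request Authenticator must be fresh random bytes per request (os.urandom here); reusing it lets an observer XOR two hidden passwords together.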
Re: [squid-users] Can someone check a site?
Fri 2010-03-26 at 08:46 +1100, Ivan . wrote:
> Hi,
>
> Can someone running Squid v2.6 STABLE21 check this site for me?
> http://www.usp.ac.fj
>
> Nothing in the access.log to give me a hint as to where the issue is.
>
> I can access it direct, but through Squid it just hangs there after
> the initial TCP handshake?

Such symptoms are usually TCP Window issues caused by a broken firewall at the requested site. See FAQ for details.

Regards
Henrik
Re: [squid-users] Authentication caching
Sat 2010-03-27 at 18:42 +0100, Khaled Blah wrote:
> Hi all,
>
> I'm developing an authentication helper (Negotiate/NTLM) for squid and
> I am trying to understand more how squid handles this process
> internally. Most of all I'd like to know how and how long squid caches
> authentication results. I have looked at the debug logs and they show
> that squid seems to do "less caching" for Negotiate/NTLM than it does
> for Basic/Digest authentication.

Due to the nature of NTLM & Negotiate authentication it's the helper performing the Negotiate/NTLM handshake, and because of this there is no cache in Squid for these schemes as there is nothing to use as cache key.

Basic & Digest auth are handled internally by Squid, which enables Squid to cache the credentials' validity.

In theory we could implement NTLM in a similar manner, but it would then not be possible to integrate with Windows domain controllers / Active Directory.

Don't know enough of Kerberos to tell what possibilities there may be to cache in Negotiate auth.

> I am wondering whether I can do
> something about this so that a once verified user will only get his
> credentials re-verified after a certain time and not all during. I am
> grateful to any insight the list can give me. Thanks in advance!

In 2.7 there is a generic auth cache based on source IP, useful when the clients are single-user workstations.

Regards
Henrik
Re: [squid-users] Cache size is decreasing
Sat 2010-04-03 at 23:39 +0300, Mr. Issa(*) wrote:
> 2010/03/27 12:26:40| Rebuilding storage in /cache1 (DIRTY)
> 2010/03/27 12:26:40| Rebuilding storage in /cache2 (DIRTY)

Looks like you did not allow Squid to shut down cleanly before.

> 2010/03/27 12:27:00| store_swap_size = 103396892k

So there is 103 GB on-disk cache Squid knows about from its indexes, which seems to be considerably less than what's in your cache directories.

> Also today i did find this in the cache.log
> 2010/03/27 00:43:43| storeUpdateCopy: Aborted at 24617 (0)

Unrelated and harmless.

> Every day the cache is decreasing about 10GB or more.

What does cachemgr say about cache usage?

A guess is that the index only got partially saved when you shut down Squid earlier, causing a lot of objects to get forgotten, and that the background cleaner job is now slowly removing unknown objects from the cache directories.

Regards
Henrik
Re: [squid-users] a bug?
Sun 2010-03-28 at 08:49 +1000, HC Barfield wrote:
> forgot to say that my cache manager had THREE fields instead of the four
> fields that you have. "cache server" was just a drop down box where i could
> only select 'localhost' there was no "Port" text box, and i had manager name
> and password.

This is because there is a cachemgr.conf these days listing the hosts you may connect to. Security reasons, to avoid cachemgr.cgi being abused for unintended purposes.

Regards
Henrik
Re: [squid-users] CONNECT method support(for https) using squid3.1.0.6 + tproxy4
Sun 2010-03-28 at 21:14 +0900, Mikio Kishi wrote:
> Hi, Amos
>
> I'm sorry in the old topic.
> In this case, I'd also like to use authentication.

You can't on intercepted requests. Does not matter by which method you intercept the requests.

For authentication the browser MUST be configured to use the proxy. This is a protocol requirement, not a limitation of the proxy. The conditions in Squid are just there to help you notice when trying to make such a non-working configuration, and to stop you from breaking the HTTP protocol in some situations.

Regards
Henrik
Re: [squid-users] Cache size is decreasing
2010/03/27 12:26:40| Starting Squid Cache version 2.7.STABLE9 for x86_64-unknown-linux-gnu...
2010/03/27 12:26:40| Process ID 3534
2010/03/27 12:26:40| With 8192 file descriptors available
2010/03/27 12:26:40| Using epoll for the IO loop
2010/03/27 12:26:40| Performing DNS Tests...
2010/03/27 12:26:40| Successful DNS name lookup tests...
2010/03/27 12:26:40| DNS Socket created at 0.0.0.0, port 41053, FD 6
2010/03/27 12:26:40| Adding nameserver 127.0.0.1 from squid.conf
2010/03/27 12:26:40| Adding nameserver 8.8.8.8 from squid.conf
2010/03/27 12:26:40| Adding nameserver 208.67.220.220 from squid.conf
2010/03/27 12:26:40| User-Agent logging is disabled.
2010/03/27 12:26:40| Referer logging is disabled.
2010/03/27 12:26:40| Unlinkd pipe opened on FD 10
2010/03/27 12:26:40| Swap maxSize 2734168064 + 5242880 KB, estimated 210723918 objects
2010/03/27 12:26:40| Target number of buckets: 21072391
2010/03/27 12:26:40| Using 33554432 Store buckets
2010/03/27 12:26:40| Max Mem size: 5242880 KB
2010/03/27 12:26:40| Max Swap size: 2734168064 KB
2010/03/27 12:26:40| Local cache digest enabled; rebuild/rewrite every 43200/43200 sec
2010/03/27 12:26:40| Store logging disabled
2010/03/27 12:26:40| Rebuilding storage in /cache1 (DIRTY)
2010/03/27 12:26:40| Rebuilding storage in /cache2 (DIRTY)
2010/03/27 12:26:40| Using Least Load store dir selection
2010/03/27 12:26:40| Set Current Directory to /var/spool/squid
2010/03/27 12:26:40| Loaded Icons.
2010/03/27 12:26:40| Accepting transparently proxied HTTP connections at 172.20.1.254, port 3128, FD 15.
2010/03/27 12:26:40| Accepting transparently proxied HTTP connections at 127.0.0.1, port 3128, FD 16.
2010/03/27 12:26:40| Accepting SNMP messages on port 3401, FD 17.
2010/03/27 12:26:40| WCCP Disabled.
2010/03/27 12:26:40| Pinger socket opened on FD 18
2010/03/27 12:26:40| Ready to serve requests.
2010/03/27 12:26:40| Store rebuilding is 0.1% complete
2010/03/27 12:26:55| Store rebuilding is 78.8% complete
2010/03/27 12:26:58| Done reading /cache1 swaplog (4559020 entries)
2010/03/27 12:26:58| Done reading /cache2 swaplog (4563428 entries)
2010/03/27 12:26:58| Finished rebuilding storage from disk.
2010/03/27 12:26:58| 9122448 Entries scanned
2010/03/27 12:26:58| 0 Invalid entries.
2010/03/27 12:26:58| 0 With invalid flags.
2010/03/27 12:26:58| 4563438 Objects loaded.
2010/03/27 12:26:58| 0 Objects expired.
2010/03/27 12:26:58| 0 Objects cancelled.
2010/03/27 12:26:58| 0 Duplicate URLs purged.
2010/03/27 12:26:58| 4559010 Swapfile clashes avoided.
2010/03/27 12:26:58| Took 18.8 seconds (243064.3 objects/sec).
2010/03/27 12:26:58| Beginning Validation Procedure
2010/03/27 12:26:59| 262144 Entries Validated so far.
2010/03/27 12:26:59| 524288 Entries Validated so far.
2010/03/27 12:26:59| 786432 Entries Validated so far.
2010/03/27 12:26:59| 1048576 Entries Validated so far.
2010/03/27 12:26:59| 1310720 Entries Validated so far.
2010/03/27 12:26:59| 1572864 Entries Validated so far.
2010/03/27 12:26:59| 1835008 Entries Validated so far.
2010/03/27 12:26:59| 2097152 Entries Validated so far.
2010/03/27 12:26:59| 2359296 Entries Validated so far.
2010/03/27 12:26:59| 2621440 Entries Validated so far.
2010/03/27 12:26:59| 2883584 Entries Validated so far.
2010/03/27 12:26:59| 3145728 Entries Validated so far.
2010/03/27 12:26:59| 3407872 Entries Validated so far.
2010/03/27 12:27:00| 3670016 Entries Validated so far.
2010/03/27 12:27:00| 3932160 Entries Validated so far.
2010/03/27 12:27:00| 4194304 Entries Validated so far.
2010/03/27 12:27:00| 4456448 Entries Validated so far.
2010/03/27 12:27:00| Completed Validation Procedure
2010/03/27 12:27:00| Validated 4563438 Entries
2010/03/27 12:27:00| store_swap_size = 103396892k
2010/03/27 12:27:04| storeLateRelease: released 0 objects
2010/03/27 12:28:56| icmpSend: send: (111) Connection refused
2010/03/27 12:28:56| Closing Pinger socket on FD 18

Also today i did find this in the cache.log

2010/03/27 00:43:43| storeUpdateCopy: Aborted at 24617 (0)
2010/03/27 00:43:43| storeUpdateCopy: Aborted at 24617 (0)
2010/03/27 00:43:43| storeUpdateCopy: Aborted at 24617 (0)
2010/03/27 00:43:43| storeUpdateCopy: Aborted at 24617 (0)
2010/03/27 00:43:44| storeUpdateCopy: Aborted at 24617 (0)

Btw the cache size is still decreasing, it's now

/dev/sdc1 1.8T 317G 1.4T 19% /cache1
/dev/sdd1 1.8T 311G 1.4T 18% /cache2

the 1st time i did send this message the directories were 20% used. Every day the cache is decreasing about 10GB or more.

Waiting a reply, Thank you in advance

On Sat, Apr 3, 2010 at 10:01 PM, Henrik Nordstrom wrote:
> Sat 2010-03-27 at 10:43 +0200, Mr. Issa(*) wrote:
>> Dear mates, I hope you enjoy your weekend... :)
>>
>> I did compile/install Squid2.7Stable9 and i noticed something
>>
>> /dev/sdc1 1.8T 355G 1.4T 21% /cache1
>> /dev/sdd1 1.8T 352G 1.4T 21% /cach
Re: [squid-users] Error building 2.7.STABLE9 on OSX 10.5.8
mån 2010-03-29 klockan 05:46 -0700 skrev Ricardo Newbery: > I get the following error when trying to build 2.7.STABLE9 on OSX > 10.5.8. Any suggestions? your error seem similar to an error we have been seeing with 3.0 in the built test farm, where it seems that some OS:es have trouble with that very long sed line, escpecially when the install prefix is a little longer than usual. Maybe the attached patch will help. In either case please file a bug report http://bugs.squid-cache.org/ Regards Henrik Index: src/Makefile.am === RCS file: /cvsroot/squid/squid/src/Makefile.am,v retrieving revision 1.66.2.2 diff -u -p -r1.66.2.2 Makefile.am --- src/Makefile.am 14 Mar 2010 20:25:55 - 1.66.2.2 +++ src/Makefile.am 3 Apr 2010 20:34:03 - @@ -390,7 +390,7 @@ cf_gen_defines.h: $(srcdir)/cf_gen_defin ## FIXME: generate a sed command file from configure. Then this doesn't ## depend on the Makefile. cf.data: cf.data.pre Makefile - sed "\ + cat $(srcdir)/cf.data.pre | sed "\ s...@default_http_port@%$(DEFAULT_HTTP_PORT)%g;\ s...@default_icp_port@%$(DEFAULT_ICP_PORT)%g;\ s...@default_mime_table@%$(DEFAULT_MIME_TABLE)%g;\ @@ -402,6 +402,7 @@ cf.data: cf.data.pre Makefile s...@default_cache_log@%$(DEFAULT_CACHE_LOG)%g;\ s...@default_access_log@%$(DEFAULT_ACCESS_LOG)%g;\ s...@default_store_log@%$(DEFAULT_STORE_LOG)%g;\ + " | sed "\ s...@default_pid_file@%$(DEFAULT_PID_FILE)%g;\ s...@default_netdb_file@%$(DEFAULT_NETDB_FILE)%g;\ s...@default_swap_dir@%$(DEFAULT_SWAP_DIR)%g;\ 
@@ -411,7 +412,7 @@ cf.data: cf.data.pre Makefile s...@default_prefix@%$(DEFAULT_PREFIX)%g;\ s...@default_hosts@%$(DEFAULT_HOSTS)%g;\ s...@[v]ersion@%$(VERSION)%g;"\ - < $(srcdir)/cf.data.pre >$@ + >$@ store_modules.c: store_modules.sh Makefile $(SHELL) $(srcdir)/store_modules.sh $(STORE_MODULES) >store_modules.c Index: src/Makefile.in === RCS file: /cvsroot/squid/squid/src/Makefile.in,v retrieving revision 1.295.2.4 diff -u -p -r1.295.2.4 Makefile.in --- src/Makefile.in 14 Mar 2010 20:27:27 - 1.295.2.4 +++ src/Makefile.in 3 Apr 2010 20:34:03 - @@ -1240,7 +1240,7 @@ cf_gen_defines.h: $(srcdir)/cf_gen_defin awk -f $(srcdir)/cf_gen_defines <$(srcdir)/cf.data.pre >cf_gen_defines.h cf.data: cf.data.pre Makefile - sed "\ + cat $(srcdir)/cf.data.pre | sed "\ s...@default_http_port@%$(DEFAULT_HTTP_PORT)%g;\ s...@default_icp_port@%$(DEFAULT_ICP_PORT)%g;\ s...@default_mime_table@%$(DEFAULT_MIME_TABLE)%g;\ @@ -1252,6 +1252,7 @@ cf.data: cf.data.pre Makefile s...@default_cache_log@%$(DEFAULT_CACHE_LOG)%g;\ s...@default_access_log@%$(DEFAULT_ACCESS_LOG)%g;\ s...@default_store_log@%$(DEFAULT_STORE_LOG)%g;\ + " | sed "\ s...@default_pid_file@%$(DEFAULT_PID_FILE)%g;\ s...@default_netdb_file@%$(DEFAULT_NETDB_FILE)%g;\ s...@default_swap_dir@%$(DEFAULT_SWAP_DIR)%g;\ @@ -1261,7 +1262,7 @@ cf.data: cf.data.pre Makefile s...@default_prefix@%$(DEFAULT_PREFIX)%g;\ s...@default_hosts@%$(DEFAULT_HOSTS)%g;\ s...@[v]ersion@%$(VERSION)%g;"\ - < $(srcdir)/cf.data.pre >$@ + >$@ store_modules.c: store_modules.sh Makefile $(SHELL) $(srcdir)/store_modules.sh $(STORE_MODULES) >store_modules.c
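Review bot: in the first src/Makefile.am hunk, replacing `sed "..." < $(srcdir)/cf.data.pre` with `cat $(srcdir)/cf.data.pre | sed "..." | sed "..."` means make only sees the exit status of the final sed, so an unreadable cf.data.pre or a failure in the first sed leaves a truncated cf.data and a build that reports success. The FIXME already above the rule names the cleaner fix: have configure emit the substitutions into a sed script file and run a single `sed -f` on cf.data.pre, which removes both the long command line and the pipeline. If the pipeline stays, drop the `cat` and keep `< $(srcdir)/cf.data.pre` on the first sed so the open failure is at least reported.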
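Review bot: the split point inserted as `" | sed "\` after the `DEFAULT_STORE_LOG` substitution in the second hunk is arbitrary and undocumented; the prefix and version substitutions that remain in the second half (third hunk) can push it over the same limit on an install prefix only a little longer than the one behind this report. Add a comment in the rule saying why the script is in two pieces, so the next cleanup does not re-join it, and put the substitutions that expand to paths in the half with fewer entries.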
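Review bot: the three src/Makefile.in hunks repeat the Makefile.am change by hand in an automake-generated file. That is what a tarball user needs to rebuild without automake, but it is discarded the next time Makefile.in is regenerated, so the patch description should say those hunks are generated from the Makefile.am change, and the commit should regenerate Makefile.in rather than carry the hand edit.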
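Review bot: as archived, every substitution reads like `s...@default_http_port@%$(DEFAULT_HTTP_PORT)%g;\`, which is the list archive's e-mail address masking applied to the `s%@NAME@%value%g` form (the `%` delimiter survives only before `$(...)` and before `g`), so this copy of the patch will not apply with `patch`; take it from the bug report or the CVS revisions named in the `retrieving revision` lines, not from this message.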
Re: [squid-users] squid 2.7 against 3.1.1
Tue 2010-03-30 at 09:07 -0300, Leonardo Carneiro - Veltrac wrote:
> I keep hearing that squid 3.0 is no speed demon, but the new squid
> 3.1.1 is said to be much faster. Has anyone benchmarked the 3.1.1
> against the 2.7?

Not sure there have been any recent benchmarks, but 3.1 is not expected to be faster than 2.7.

Regards
Henrik
Re: [squid-users] reverse proxy for OWA 2010 - first issue
Mon 2010-03-29 at 23:23 +, Amos Jeffries wrote:
> OS distributions are prevented from packaging an HTTPS server-enabled
> version of Squid which https_port requires.

Apparently different vendors have different views on this. At least Fedora/RedHat legal don't seem to have a problem with this, by the reasoning that OpenSSL is an integral part of the Fedora OS.

There is an open task in Fedora to replace OpenSSL by another SSL library, but that's mainly for technical reasons and not license issues.

Regards
Henrik
Re: [squid-users] CONNECT over HTTPS doesn't work.
Sat 2010-04-03 at 17:10 +0200, Krist van Besien wrote:
> This worked before I enabled https on both sides of the link. But
> without https the password that the local proxy uses to authenticate
> to the remote proxy gets sent in the clear, which I don't want.
> Therefore I configured ssl.
>
> With ssl enabled it only works when I request http pages. However,
> when I try https I see how the local proxy performs a "CONNECT" on the
> parent proxy in the US, but the US proxy throws an error.

This is a known bug/defect. Not sure there is a bug report on it however. If you can't find one please file one. http://bugs.squid-cache.org/

The bug is that Squid's handling of CONNECT can't handle ssl enabled peers (ssl flag ignored when processing a CONNECT request).

> Is maybe my local proxy attempting to do the "CONNECT" over a plain
> http on the https port?

It is.. which it should not.

Regards
Henrik
RE: [squid-users] HTTPS passthrough
Fri 2010-04-02 at 17:57 -0500, Johnson, S wrote:
> Ok, I see what you mean.
>
> Yes, I tried the https://www.openssl.org and it worked a-ok but it's still
> not showing in my squid log.

Using wget or your browser? Is your browser configured to use the proxy?

Regards
Henrik
Re: [squid-users] Squid loops on epoll/read/gettimeofday
Fri 2010-04-02 at 19:00 -0300, Marcus Kool wrote:
>
> I use this Squid at home and it is lightly used so maybe it does have
> the same FDs allocated after a restart...

Seems not. So we have to wait until you see the problem again to match up with the cachemgr filedescriptor page.

Regards
Henrik
Re: [squid-users] Issue with some files and templates
Fri 2010-04-02 at 20:30 +0100, a...@gmail wrote:
> My http_port settings are

Nothing obviously odd there, except that you should not need the 3128 port.

So keep a close eye on access.log of both Squid and your web server when seeing the problem.

> I have this in my cache.log but I don't know where it's coming from
>
> WARNING: CONNECT method received on http Accelerator port 3128

Someone is trying to use your reverse proxy port as a normal proxy. See access.log for who.

> lientProcessRequest: Invalid Request
> 2010/04/02 13:35:00| Failed to select source for 'http://mysite.net/'
> 2010/04/02 13:35:00| always_direct = 0
> 2010/04/02 13:35:00| never_direct = 0
> 2010/04/02 13:35:00| timedout = 0

Not mysite.net is in your list of sites for the main server.

> 2010/04/02 13:46:43| Failed to select source for
> 'http://81.XX.XX.XX/install.txt' ((This is my public IP)

Probably a bot looking for a known vulnerability in some other server / shopping cart application. Nothing to worry about.

> And finally my access.log fills up within minutes, it is now in the size of
> 23,780,835 bytes (23.5 MB)
> This is far too large, sometimes it's even difficult to empty them, as they
> won't open because they are too large.
> Any ideas please? I have tried the squid -k rotate but it doesn't seem to
> work for the access.log

access.log is rotated by "squid -k rotate" just as the other logs. But maybe your Squid is configured for using external rotation by logrotate or similar..

> access.log
> 1270183340.294 615 204.152.200.138 TCP_MISS/200 167 CONNECT
> 203.188.197.10:25 - DIRECT/203.188.197.10 -

Ouch.. someone is using your server as a spam relay. Do you have any http_port not configured in accel mode?

> For the above question, the answer is yes if it is what I understood
> the bottom one I didn't understand what you meant
>
> " Including host component."

scheme://hostcomponent/urlpath

Regards
Henrik
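The access.log line Henrik reacts to is a CONNECT to port 25 through a port that should only ever serve the accelerated sites. The following is an added example, not Squid's own code or the poster's log, of a check a practitioner would run over the native-format access.log to find that abuse and the clients behind it: it parses each line, flags any CONNECT on an accelerator (a CONNECT to a mail port, or to any port outside the SSL ports, as high severity) and any forward-proxy request whose host is not one of the accelerated sites, and totals high-severity hits per client. The log lines, the accelerated host name mysite.net and the addresses are constructed samples modelled on the line quoted above.

```python
"""Spot open-proxy abuse of a Squid accelerator in native-format access.log.

Added example, not Squid code. The log lines, host names and addresses are
constructed; mysite.net stands in for the accelerated site from the thread.
"""
import re
from collections import defaultdict

# Native format: time elapsed client action/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log (not the poster's real file), modelled on the quoted line.
SAMPLE_LOG = """\
1270183340.294 615 204.152.200.138 TCP_MISS/200 167 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
1270183341.101 12 192.0.2.10 TCP_HIT/200 5123 GET http://mysite.net/index.html - NONE/- text/html
1270183342.330 300 198.51.100.7 TCP_MISS/200 2211 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1270183343.555 80 192.0.2.10 TCP_MISS/200 170 CONNECT mysite.net:443 - DIRECT/203.0.113.5 -
1270183344.000 5 203.0.113.9 TCP_MISS/200 167 CONNECT 198.51.100.20:587 - DIRECT/198.51.100.20 -
"""

MAIL_PORTS = {25, 465, 587}


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def url_host_port(method, url):
    """CONNECT carries host:port; other methods carry an absolute URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host.lower(), (int(port) if port.isdigit() else None)
    m = re.match(r"^[a-z]+://([^/:]+)(?::(\d+))?", url)
    if not m:
        return None, None
    return m.group(1).lower(), (int(m.group(2)) if m.group(2) else None)


def audit(lines, accel_hosts, ssl_ports=frozenset({443})):
    """Return (client, severity, reason, url) for each request an accelerator
    should never have served. accel_hosts is the set of sites it fronts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, port = url_host_port(rec["method"], rec["url"])
        if rec["method"] == "CONNECT":
            if port in MAIL_PORTS:
                sev, why = "high", "CONNECT to mail port %d: open relay abuse" % port
            elif port not in ssl_ports:
                sev, why = "high", "CONNECT to non-SSL port %s" % port
            else:
                sev, why = "medium", "CONNECT accepted on an accelerator"
            findings.append((rec["client"], sev, why, rec["url"]))
        elif host is not None and host not in accel_hosts:
            findings.append((rec["client"], "high",
                             "forward-proxy request for a non-accelerated host", rec["url"]))
    return findings


def offenders(findings):
    """High-severity findings per client, as input for a block list."""
    counts = defaultdict(int)
    for client, sev, _, _ in findings:
        if sev == "high":
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines(), {"mysite.net"}):
        print("%-16s %-6s %s  %s" % f)
    print(offenders(audit(SAMPLE_LOG.splitlines(), {"mysite.net"})))
```

Run over a real file with `audit(open("access.log"), {...accelerated hosts...})`. The fix on the Squid side is the one Henrik asks about: no http_port without `accel`, so CONNECT and absolute-URL requests for other hosts are refused rather than logged after the fact.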
Re: [squid-users] Cache size is decreasing
Sat 2010-03-27 at 10:43 +0200, Mr. Issa(*) wrote:
> Dear mates, I hope you enjoy your weekend... :)
>
> I did compile/install Squid2.7Stable9 and i noticed something
>
> /dev/sdc1 1.8T 355G 1.4T 21% /cache1
> /dev/sdd1 1.8T 352G 1.4T 21% /cache2
> the /cache1 & cache2 dirs were 370G each.. suddenly they are
> decreasing and the servers load is approximately high. What could
> cause that?

What did cache.log say about the caches when you started Squid?

Regards
Henrik
[squid-users] CONNECT over HTTPS doesn't work.
Hello all,

I have two squid proxies, one is a Squid 2.7 on a Ubuntu 9.4 machine located here in Switzerland. The other is ubuntu 8.04 LTS with Squid 2.6, located in the US.

I'm trying to do the following: Certain requests for servers in the US need to go out of the US proxy. The connection between the local and the US proxy needs to be secure.

So I did the following:
- Recompiled squid from the source .deb on both machines so ssl works.
- Configured the US proxy squid server to accept https requests.
- Configured the Switzerland proxy to forward certain requests to the US.

This worked before I enabled https on both sides of the link. But without https the password that the local proxy uses to authenticate to the remote proxy gets sent in the clear, which I don't want. Therefore I configured ssl.

With ssl enabled it only works when I request http pages. However, when I try https I see how the local proxy performs a "CONNECT" on the parent proxy in the US, but the US proxy throws an error.

In the local proxy log file I see the following:

1270305276.757 149 192.168.1.185 TCP_MISS/000 375 CONNECT www.somesite.com:443 - FIRST_UP_PARENT/us.mydomain.net -

So the local proxy does know that to get https://www.somesite.com it needs to pass via my US proxy, and so it attempts a "CONNECT" there.

On the US proxy I notice this in the log:

2010/04/03 14:34:36| clientNegotiateSSL: Error negotiating SSL connection on FD 17: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

What is actually going on here? Is maybe my local proxy attempting to do the "CONNECT" over plain http on the https port?

Thanks in advance for any hints.

--
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland

--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
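The `SSL23_GET_CLIENT_HELLO:https proxy request` error above is what OpenSSL's server side reports when the first bytes it reads on a TLS port are the ASCII `CONNECT ` of a plaintext proxy request instead of a ClientHello, which is exactly Henrik's diagnosis that the child sent its CONNECT over plain HTTP to the https_port. The following is an added example, not Squid or OpenSSL code, that makes the same distinction from the first few bytes of a connection, builds the CONNECT request a child proxy sends to its parent (with the Basic Proxy-Authorization header that the poster wanted off the wire), and shows that the credentials in such a request are recoverable by anyone who can read the plain TCP hop. The host, user, password and the sample TLS record bytes are constructed.

```python
"""Plaintext proxy request versus TLS ClientHello, from the first bytes.

Added example, not Squid or OpenSSL code. Host names, credentials and the
sample TLS record below are constructed.
"""
import base64

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def classify_first_bytes(data):
    """Return 'tls', 'ssl2', 'http-proxy-request', 'http-request' or 'unknown'.
    The same check the parent's SSL layer made before rejecting the CONNECT."""
    if len(data) < 5:
        return "unknown"
    # TLS record layer: ContentType 22 (handshake) then ProtocolVersion 3.x
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    # SSLv2-style ClientHello: 2-byte length with high bit set, msg type 1
    if data[0] & 0x80 and data[2] == 0x01:
        return "ssl2"
    if data.startswith(b"CONNECT "):
        return "http-proxy-request"   # OpenSSL's "https proxy request"
    if data.startswith(HTTP_METHODS):
        return "http-request"         # OpenSSL's "http request"
    return "unknown"


def build_connect_request(host, port, user, password):
    """What a child proxy sends to its parent for an https:// URL. The
    Proxy-Authorization value is only base64, not encryption: on a plain TCP
    hop it is readable, which is what wrapping the hop in TLS is for."""
    creds = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return ("CONNECT %s:%d HTTP/1.1\r\n"
            "Host: %s:%d\r\n"
            "Proxy-Authorization: Basic %s\r\n"
            "\r\n" % (host, port, host, port, creds)).encode()


def credentials_in_clear(data):
    """Recover user:password from a plaintext CONNECT; None if not present
    (for example because the bytes are a TLS record, not HTTP)."""
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"proxy-authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode()
    return None


# Constructed TLS 1.0 record header (type 22, version 3.1, length 0x2f) followed
# by the start of a ClientHello handshake message; the rest is zero filler.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32


if __name__ == "__main__":
    req = build_connect_request("www.somesite.com", 443, "child", "s3cret")
    print(classify_first_bytes(req), credentials_in_clear(req))
    print(classify_first_bytes(TLS_CLIENT_HELLO), credentials_in_clear(TLS_CLIENT_HELLO))
```

A packet capture on the child-to-parent hop classified with `classify_first_bytes` tells you which case you are in: `http-proxy-request` means the peer's ssl flag is not being honoured for CONNECT (the defect Henrik describes) and the Basic credentials are on the wire; `tls` means the hop is wrapped as intended.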
[squid-users] Re: SSO with Active Directory-Squid Clients
Have a look at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
and
http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download

Regards
Markus

"GIGO ." wrote in message news:snt134-w171836624ce7937ad90d3eb9...@phx.gbl...

Dear All/Amos,

I want to allow certain (not all) Active Directory users to use squid by way of SSO with Active Directory. So means when any one from those specific users will login into Active Directory they should have automatically access to internet via Squid Proxy. Other AD users which have not permissions granted in Squid will be disallowed. Is it possible? How please guide in detail.

This was my assumption of how it would be done:

I needed to compile squid with these additional options
--enable-basic-auth-helpers="LDAP"
--enable-auth="basic,negotiate,ntlm"
--enable-external-acl-helpers="wbinfo_group,ldap_group"
--enable-negotiate-auth-helpers="squid_kerb_auth"
Right??

I need to configure krb5.conf to point to AD as Default_realm on CENTOS 5.4 too, right?

I think that I must need to make Centos 5.4 member of the domain? Am I right or is it not necessary?

How will these specific AD users (with internet access allowed) be told/mentioned to the squid?

I have also studied your article http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print

However this is allowing all (not specific) Active Directory or LDAP users internet access. This logic is just checking the validity of user account with Active Directory by popping up a login/password and if succeeded network access is granted. Am I right?

Bottom line is that I am completely lost and have not much idea what and how to do it. We previously are using Microsoft ISA server and are about to move to Squid and this requirement is very necessary.

regards,
Bilal Aslam

_
Hotmail: Free, trusted and rich email service. https://signup.live.com/signup.aspx?id=60969
Re: [squid-users] SSO with Active Directory-Squid Clients
Hi

What you are trying to do is definitely possible. Unfortunately I haven't compiled squid from source, but instead used the prebuilt debian package. Therefore I can't really help you with the compilation flags. However they seem to be reasonable.

> I need to configure krb5.conf to point to AD as Default_realm on CENTOS 5.4
> to right?

Yes. This has to be done. I have attached my krb5.conf to this mail, so that you can compare.

> I think that i must need to make Centos 5.4 member of the domain? Am i right
> or its not necessary

As far as I know, this is necessary and I have done it for my setup. Just do a

net join -U administrator

to make your machine a domain member. However before that you need to change some lines in /etc/samba/smb.conf. I have also attached the relevant lines to this E-Mail, as I have them in my smb.conf.

> How these specific AD users(with internet access allowed) will be
> told/mentioned to the squid?

They will be for example told by an ACL line using the wbinfo_group.pl script. A prerequisite for this is, however, that the people which should have squid access are all in a group in your Active Directory. (More groups are also possible, as long as everyone in the groups should be granted access.) Squid will then query the Active Directory whether the user (identified by his login+password) belongs to the group you defined in your ACL. If so, squid will grant the request, otherwise squid will deny it. I have attached the relevant part of the squid.conf to this mail as a reference for you (the privileged group).

You will probably also have to change the nsswitch.conf. I have also attached the relevant snippet of mine.

You can use this information as a starting point. Getting squid to work with an Active Directory can be quite tricky and you will probably experience some problems along the way. However don't hesitate to ask on the list, as many of these problems can be debugged quite straightforwardly.

Here is an outline in which order you should try to get things working:
1) Modify the smb.conf, nsswitch.conf and krb5.conf
2) After restarting samba and winbind do net join -U administrator
3) Check whether everything is working via wbinfo -g and wbinfo -t
4) Modify the squid.conf
5) Restart squid and test things.

Hopefully this helps you a bit.

Greetings
Benedikt

--- squid.conf (attached snippet) ---

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# group lookup helper: /usr/lib/squid/wbinfo_group.pl
external_acl_type winbind_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
acl lehrer external winbind_group_helper g_privileged_users
# the http_access line must name the acl (lehrer), not the AD group
http_access allow lehrer
http_access deny all

--- smb.conf (attached lines) ---

security = ADS
realm = muster.musterfirma.com
password server = *
dns proxy = yes
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = true

--- nsswitch.conf (attached snippet) ---

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

--- krb5.conf (attached) ---

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
 default_realm = muster.musterfirma.com
 clockskew = 300
 v4_instance_resolve = false
 v4_name_convert = {
   host = {
     rcmd = host
     ftp = ftp
   }
   plain = {
     something = something-else
   }
 }

[realms]
 MY.REALM = {
   kdc = muster.musterfirma.com
 }
 OTHER.REALM = {
   v4_instance_convert = {
     kerberos = kerberos
     computer = computer.some.other.domain
   }
 }

[domain_realm]
 .my.domain = muster.musterfirma.com

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
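The `external_acl_type ... %LOGIN /usr/lib/squid/wbinfo_group.pl` line in Benedikt's squid.conf works because Squid hands the helper one line per lookup on stdin (the %LOGIN user name followed by the ACL's arguments, here the group names, each URL-encoded) and reads back `OK` or `ERR`. The following is an added example of such a helper, not the wbinfo_group.pl shipped with Squid: it decodes the fields, strips the `DOMAIN+user` prefix that the `winbind separator = +` setting above produces, answers OK only if the user is in at least one of the requested groups, and answers ERR (deny) for an absent user, an unknown user or a failed lookup. The group table stands in for the winbind query the real helper makes; the leading numeric channel id is the Squid 3.x `concurrency=` format and is assumed, not something 2.7 sends.

```python
"""Squid external_acl_type helper in the style of wbinfo_group.pl.

Added example, not the helper shipped with Squid. SAMPLE_GROUPS is a
constructed stand-in for winbind; replace lookup_groups() with the real
query in production. Every unexpected input is answered with ERR.
"""
import sys
from urllib.parse import unquote

# Constructed sample membership (what winbind would report), not real users.
SAMPLE_GROUPS = {
    "bilal": {"g_privileged_users", "domain users"},
    "guest": {"domain users"},
}


def lookup_groups(user):
    """Groups of user, or None if unknown or the lookup failed (stand-in)."""
    return SAMPLE_GROUPS.get(user)


def normalize_user(user):
    """Strip a DOMAIN+ or DOMAIN\\ prefix and case-fold, matching what winbind
    presents with 'winbind use default domain = yes' and separator '+'."""
    for sep in ("+", "\\"):
        if sep in user:
            user = user.rsplit(sep, 1)[1]
    return user.lower()


def decide(line, lookup=lookup_groups):
    """Answer one request line: '<user> <group> [<group>...]' -> 'OK' or 'ERR'."""
    fields = line.rstrip("\r\n").split()
    channel = ""
    # Squid 3.x with concurrency=N prefixes a channel id that must be echoed
    # back (assumption for this example; 2.7 sends no such id).
    if fields and fields[0].isdigit():
        channel = fields.pop(0) + " "
    if len(fields) < 2 or fields[0] == "-":       # no login, or no groups asked
        return channel + "ERR"
    user = normalize_user(unquote(fields[0]))
    wanted = {unquote(g).lower() for g in fields[1:]}
    groups = lookup(user)
    if not groups:                                # unknown user or lookup failure
        return channel + "ERR"
    have = {g.lower() for g in groups}
    return channel + ("OK" if wanted & have else "ERR")


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()   # Squid waits for the reply; buffering would hang it


if __name__ == "__main__":
    main()
```

Wired in with the posted `external_acl_type winbind_group_helper %LOGIN <path to this script>` line, the `acl lehrer external winbind_group_helper g_privileged_users` test succeeds only for members of that group; a user who authenticates but is in no listed group gets ERR and falls through to `http_access deny all`, which is the "certain, not all, AD users" requirement of the thread.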
[squid-users] SSO with Active Directory-Squid Clients
Dear All/Amos,

I want to allow certain (not all) Active Directory users to use squid by way of SSO with Active Directory. So means when any one from those specific users will login into Active Directory they should have automatically access to internet via Squid Proxy. Other AD users which have not permissions granted in Squid will be disallowed. Is it possible? How please guide in detail.

This was my assumption of how it would be done:

I needed to compile squid with these additional options
--enable-basic-auth-helpers="LDAP"
--enable-auth="basic,negotiate,ntlm"
--enable-external-acl-helpers="wbinfo_group,ldap_group"
--enable-negotiate-auth-helpers="squid_kerb_auth"
Right??

I need to configure krb5.conf to point to AD as Default_realm on CENTOS 5.4 too, right?

I think that I must need to make Centos 5.4 member of the domain? Am I right or is it not necessary?

How will these specific AD users (with internet access allowed) be told/mentioned to the squid?

I have also studied your article http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap?action=print

However this is allowing all (not specific) Active Directory or LDAP users internet access. This logic is just checking the validity of user account with Active Directory by popping up a login/password and if succeeded network access is granted. Am I right?

Bottom line is that I am completely lost and have not much idea what and how to do it. We previously are using Microsoft ISA server and are about to move to Squid and this requirement is very necessary.

regards,
Bilal Aslam