RE: [squid-users] Does any cache in a proxy chain but the last one need to resolve URLs?
Thanks for the hint! I'll check it too. I think we should also replace the IP dsts within all of the intermediate caches by domain names, thus saving all of the unnecessary DNS lookups (about 80% -- Internet). Yes, we have a local caching DNS.

----- Original Message -----
From: Eliezer Croitoru elie...@ec.hadorhabaac.com
To: squid-users@squid-cache.org
Sent: Saturday, 30 April 2011, 12:39:56
Subject: Re: AW: AW: AW: [squid-users] Does any cache in a proxy chain but the last one need to resolve URLs?

On 30/04/2011 11:58, Jannis Kafkoulas wrote:
OK, I see! Thanks very much!

Don't you have a local caching DNS? If you don't, it's one of the basic recommendations. Another good thing is to change the UDP and TCP times in the Linux kernel/sysctl. I don't remember the basic TCP settings for close_wait and the others, but they are way too high for any usage I know. Also the UDP ones are way too high for DNS and other services on a network faster than 5 MB.

Eliezer
[squid-users] more than 1 port in accel squid3
Hello,

I want to accept requests on two or more ports in reverse mode: 80, 8080 and 8081. Is this configuration correct?

...
http_port 80 accel vhost
http_port 8080 accel vhost
http_port 8081 accel vhost
acl Safe_ports port 80
acl Safe_ports port 8080
acl Safe_ports port 8081
cache_peer 1.1.1.1 parent 80 0 originserver name=first
cache_peer_domain first first.domain.com
cache_peer 1.1.1.2 parent 8080 0 originserver name=second
cache_peer_domain second second.domain.com
cache_peer 1.1.1.3 parent 8081 0 originserver name=last
cache_peer_domain last last.domain.com
...

Thanks,
Javier
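As an added example (not the poster's configuration and not a reply from the list): cache_peer_domain selects an origin by the requested domain, which is right when the three sites are told apart by Host header. If the intent is instead that whatever arrives on port 8080 goes to the origin listening on 8080 regardless of Host, route on the listening port: name each http_port and pick the peer with a myportname ACL and cache_peer_access. The origin addresses and site names are the poster's placeholders; the listener names and the http_access policy are assumptions.

```conf
# Three accelerated listeners, each named so an ACL can tell them apart.
http_port 80   accel vhost name=front80
http_port 8080 accel vhost name=front8080
http_port 8081 accel vhost name=front8081

# Origins; no-query because origin servers do not speak ICP.
cache_peer 1.1.1.1 parent 80   0 no-query originserver name=first
cache_peer 1.1.1.2 parent 8080 0 no-query originserver name=second
cache_peer 1.1.1.3 parent 8081 0 no-query originserver name=last

# Which listener a request came in on.
acl on80   myportname front80
acl on8080 myportname front8080
acl on8081 myportname front8081

# Route strictly by listener: each peer accepts only its own port's traffic.
cache_peer_access first  allow on80
cache_peer_access first  deny  all
cache_peer_access second allow on8080
cache_peer_access second deny  all
cache_peer_access last   allow on8081
cache_peer_access last   deny  all

# Only serve the sites this accelerator fronts, and only through the peers
# (never_direct stops Squid from fetching a stray Host header from the Internet).
acl our_sites dstdomain first.domain.com second.domain.com last.domain.com
http_access allow our_sites
http_access deny all
never_direct allow all
```

Safe_ports only matters for the port in the URL Squid reconstructs from the request, so with vhost and no explicit port in the Host header the extra Safe_ports entries are harmless but usually unnecessary.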
Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication
I changed my approach a little bit and switched to CentOS from Ubuntu, hehe. I installed CentOS and configured Kerberos/Squid as mentioned in the squid-cache Kerberos guide; I used msktutil to create the keytab file. On the Windows server I checked the machine; it was listed as a workstation. I went to Properties, selected the Delegation tab and tried to allow delegation of Kerberos, but it didn't work. So I right-clicked on the computer name, clicked Properties > Security, gave full permission to Administrator and then gave full permission to the same computer name. Now I'm able to authenticate users and use Squid to browse. I will be monitoring Squid for the next couple of days and see if it gives those log entries from libntlmssp.

How safe is it to use negotiate_wrapper in production? What is the difference between using negotiate_wrapper and a 2nd auth_param statement for NTLM in squid.conf?

Regards

On 2 May 2011 09:20, Go Wow gow...@gmail.com wrote:
I will check that and inform you. But how did you troubleshoot that the entry is missing from AD?

On 1 May 2011 14:51, Markus Moeller hua...@moeller.plus.com wrote:
It looks like you do not have an entry in AD. Can you search AD for entries with servicePrincipalName = HTTP/proxyserver.orangegroup.com?

Markus

Go Wow gow...@gmail.com wrote in message news:banlktinuivd8yfnnx+gp6azxd0rhztk...@mail.gmail.com...
On 1 May 2011 00:00, Markus Moeller hua...@moeller.plus.com wrote:
Hi Go,
For Windows 2008 the wiki says use --enctypes 28. Did you use it?

Yes, I used --enctypes 28.

What does klist -e show, and what do kinit user and kvno HTTP/proxyserver.orangegroup.com show (user being your userid)?

Here is the complete output:

root@proxyserver:/home/owner# whoami
root
root@proxyserver:/home/owner# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# kinit Administrator
Password for administra...@orangegroup.com:
root@proxyserver:/home/owner# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@orangegroup.com

Valid starting     Expires            Service principal
05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/orangegroup@orangegroup.com
        renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup@orangegroup.com
root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for HTTP/proxyserver.orangegroup@orangegroup.com

When you purge tickets (with kerbtray), start wireshark with a filter on port 88 and access a webpage via the proxy, do you see any errors in wireshark? Can you send me the capture?

I will email you the port 88 capture in a sec. Thanks for your help.

Markus

Go Wow gow...@gmail.com wrote in message news:banlktinski+d9qe6nxrfglxjjkad2gn...@mail.gmail.com...
I tried with msktutil version 0.4 but the same thing is happening. I followed your guide, firstly with samba/winbind: I created the keytab and configured the negotiate parameters in squid.conf, but when I open a browser pointing to squid3 as proxy server (with FQDN, not IP) it prompts for username/password. This system is Windows 7 64 Bit. Then I tried msktutil. The command I used is the same as I mentioned below.

msktutil -c -b CN=COMPUTERS -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

The output of the command gives me one error but creates the keytab file:

try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I have kerbtray installed on the client system and I can see my domain's krbtgt/domain.com listed. As a matter of fact I'm using a SharePoint server which uses the same method to authenticate, and I'm able to log in to it without entering username/password. I tried purging tickets but no change.

Regards

On 30 April 2011 16:17, Markus Moeller hua...@moeller.plus.com wrote:
Hi Go,
Can you describe in detail what you did (e.g. the exact msktutil command)? BTW, I updated the wiki yesterday, pointing to a newer msktutil (version 0.4), which you should try in case you use an older version. It looks to me that your client is not able to get the Kerberos ticket from AD, which is why the client falls back to NTLM and the negotiate wrapper now deals with this case. To find out why the client does not get the ticket you can run wireshark and look for traffic on port 88.

Markus

Go Wow gow...@gmail.com wrote in message
[squid-users] Re: Re: Re: Re: Help me configure Kerberos Authentication
You can use adsiedit.msc or any LDAP browser. Can you send me your verbose output from the msktutil command?

Markus

Go Wow gow...@gmail.com wrote in message news:BANLkTin0odmNEAdKnL=4-omzqacveat...@mail.gmail.com...
I will check that and inform you. But how did you troubleshoot that the entry is missing from AD?

[...]

Go Wow gow...@gmail.com wrote in message news:banlktinqnrms5t2tq7frn+-noezsmy5...@mail.gmail.com...
When I run msktutil I get this line in the output:

krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I did kinit before issuing msktutil and it ran successfully. I can see tickets when I issue klist.

On 30 April 2011 10:43, Go Wow gow...@gmail.com wrote:
Hi,
I'm trying to configure Kerberos authentication for Squid. I'm running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the Kerberos authentication guide on squid-cache and many other guides; I always end up with these logs in my cache.log. My client browser keeps prompting for username/password. Even a valid set of credentials is not accepted.

2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via
[squid-users] Re: Re: Re: Re: Help me configure Kerberos Authentication
Hi Go,

There is no need to use delegation, and you must not enable delegation, as it creates a risk that your Squid system can create tickets for other users (e.g. impersonate another user).

Negotiate handles both Kerberos and NTLM authentication. If Kerberos is set up correctly it is the preferred option for the client, but if Kerberos fails for some reason the client will fall back to NTLM and reply to a Negotiate authentication request with an NTLM token. To deal with this situation I created the negotiate wrapper, which sends Kerberos tokens to the Kerberos authentication handler and NTLM tokens to the NTLM authentication handler.

Unfortunately there are applications like IM clients which use proxies but only support NTLM (not Negotiate). To cater for this case Squid has to offer NTLM too. So you need: negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate Kerberos/NTLM, and ntlm_auth for pure NTLM.

Squid trunk (3.2) still has a problem with the negotiate_wrapper and NTLM. I haven't found the reason yet.

Markus

Go Wow gow...@gmail.com wrote in message news:BANLkTi=ikahhul8tuoght4qn08ckcdz...@mail.gmail.com...
[...]
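The checks the thread walks through by hand (klist -e, kvno against HTTP/<fqdn>, searching AD for the servicePrincipalName, and Markus's warning that the proxy's computer account must not be trusted for delegation) as an added, offline-runnable example. It is not code from the thread or from the Squid wiki. The klist and kvno outputs below are constructed samples of what the real commands print; the ldapsearch line in the comments, its base DN and the keytab path are assumptions. --enctypes 28 is the msDS-SupportedEncryptionTypes bitmask RC4 (4) + AES128 (8) + AES256 (16), so the keytab should carry those three enctypes.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks for a Squid Kerberos keytab:
#  1. the keytab holds the exact SPN HTTP/<fqdn>@REALM (principal names are
#     case-sensitive: `kvno http/...` fails where `kvno HTTP/...` is looked up);
#  2. the keytab KVNO matches the one the KDC hands out;
#  3. the computer account behind the SPN is NOT trusted for delegation.
# The samples are constructed; the live commands they stand in for are:
#   klist -ke /etc/krb5.keytab
#   kvno HTTP/proxyserver.orangegroup.com
#   ldapsearch -LLL -Y GSSAPI -H ldap://ad01.orangegroup.com -b DC=orangegroup,DC=com \
#       '(servicePrincipalName=HTTP/proxyserver.orangegroup.com)' userAccountControl

SPN='HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM'

# Constructed `klist -ke` output: kvno 2 and the three enctypes --enctypes 28 requests.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM (aes128-cts-hmac-sha1-96)
   2 HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM (arcfour-hmac)'

# Constructed `kvno` output for the same principal.
SAMPLE_KVNO='HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM: kvno = 2'

# Print the KVNO the keytab holds for an exact principal, or nothing if it is absent.
keytab_kvno() { # $1 principal, $2 klist -ke output
  printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1; exit }'
}

# Print the enctypes the keytab holds for a principal, one per line.
keytab_enctypes() { # $1 principal, $2 klist -ke output
  printf '%s\n' "$2" | awk -v p="$1" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# Print the KVNO the KDC reports, parsed from `kvno` output.
kdc_kvno() { # $1 kvno output
  printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p'
}

# Compare keytab against KDC: prints missing, mismatch or ok.
check_spn() { # $1 principal, $2 klist output, $3 kvno output
  kt=$(keytab_kvno "$1" "$2")
  kdc=$(kdc_kvno "$3")
  if [ -z "$kt" ]; then echo missing
  elif [ "$kt" != "$kdc" ]; then echo mismatch
  else echo ok; fi
}

# True if userAccountControl has TRUSTED_FOR_DELEGATION (0x80000, unconstrained) or
# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000, protocol transition) set.
# A plain workstation trust account is 0x1000 (4096).
uac_trusted_for_delegation() { # $1 decimal userAccountControl
  [ $(( ($1 & 524288) != 0 || ($1 & 16777216) != 0 )) -eq 1 ]
}

# Stand-alone run over the constructed samples.
main() {
  echo "HTTP/ spn: $(check_spn "$SPN" "$SAMPLE_KLIST" "$SAMPLE_KVNO")"
  echo "http/ spn: $(check_spn 'http/proxyserver.orangegroup.com@ORANGEGROUP.COM' "$SAMPLE_KLIST" "$SAMPLE_KVNO")"
  echo "enctypes:  $(keytab_enctypes "$SPN" "$SAMPLE_KLIST" | tr '\n' ' ')"
  if uac_trusted_for_delegation 4096; then echo "uac 4096: delegation ON"; else echo "uac 4096: delegation off"; fi
}
main
```

On a live proxy, replace the samples with the command outputs, run the check as the user Squid's helper runs as (that user, not root, must be able to read the keytab), and treat any non-zero delegation bit on the proxy's account as a finding: the account only needs to decrypt tickets for its own SPN.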
Re: [squid-users] Re: Re: Re: Re: Help me configure Kerberos Authentication
Hi Markus,

Thanks for your reply. Is it safe to use the negotiate wrapper with Squid 3.1.8? I didn't add delegation to that system; I have just given full permissions to the admin user and that computer. Does it matter?

Regards

On 2 May 2011 17:56, Markus Moeller hua...@moeller.plus.com wrote:
[...]
[squid-users] Re: Re: Re: Re: Re: Help me configure Kerberos Authentication
You don't have to give permissions to the admin user. Any user could own and manage that account. If I remember right the wrapper should work with 3.1.

Markus

Go Wow gow...@gmail.com wrote in message news:BANLkTikz_WCcVfbNAin==uhu-fenpgq...@mail.gmail.com...
[...]
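The helper layout Markus describes (Negotiate through the wrapper so Kerberos and NTLM tokens each reach the right helper, plus a plain NTLM scheme for clients that never offer Negotiate), written out as an added squid.conf example. This is not the thread's configuration and not one Markus posted. Helper paths, the Samba domain name and the children counts are assumptions; the service principal is the one used throughout the thread. In Squid 3.1 the Kerberos helper is squid_kerb_auth (the name in the cache.log line quoted above) and the wrapper is a separately installed program; from 3.2 they ship as negotiate_kerberos_auth and negotiate_wrapper_auth.

```conf
# Negotiate scheme. The wrapper hands Kerberos tokens to the Kerberos helper and
# NTLM tokens (the "received type 1 NTLM token" fallback seen in cache.log) to ntlm_auth.
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ORANGEGROUP --kerberos /usr/lib/squid/squid_kerb_auth -d -s HTTP/proxyserver.orangegroup.com@ORANGEGROUP.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Plain NTLM scheme for clients that only speak NTLM (the IM-client case).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ORANGEGROUP
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Schemes are offered in the order the auth_param lines appear, so Negotiate first.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Two things outside squid.conf decide whether this works: the Kerberos helper runs as Squid's unprivileged user, so /etc/krb5.keytab (or a copy named by KRB5_KTNAME) must be readable by that user and by nobody else who does not need it; and ntlm_auth talks to winbindd, so the box must be joined to the domain and the Squid user must be able to reach the winbindd privileged pipe. Neither requires delegation on the computer account.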
Re: [squid-users] Does any cache in a proxy chain but the last one need to resolve URLs?
On 02/05/2011 12:32, Jannis Kafkoulas wrote:
Thanks for the hint! I'll check it too. I think we should also replace the IP dsts within all of the intermediate caches by domain names, thus saving all of the unnecessary DNS lookups (about 80% -- Internet).

I don't know about the amount of traffic and your system size, but if you make statistics (and it can be done) about your DNS traffic you might find that it's not as much as you think (can be good or bad). You can force Squid to cache DNS lookups for a longer time, but you'd better not try it unless your users' usage is of almost non-changing DNS-to-IP mappings. Most of the dynamic sites like Google search have pretty stable and static IPs/DNS, but there are many distant sites that will use 24+ dynamic IPs every day. So if it's not this specific case and your network doesn't have a connection with such dynamic domains, I think you can increase the DNS cache leases/TTL/timeout/validation on Squid or your DNS caching server. It will be much more efficient in many cases than using unreadable/incomprehensible ACLs/rules.

Regards
Eliezer

Yes, we have a local caching DNS.

----- Original Message -----
From: Eliezer Croitoru elie...@ec.hadorhabaac.com
[...]
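An added example, not from the thread, of an intermediate member of a proxy chain configured so that it never needs to resolve the hosts in client URLs: it hands every request to its upstream parent and writes policy against dstdomain rather than dst. A dst ACL compares IP addresses, so Squid has to resolve the URL host before it can evaluate it; if the "ip dsts" above are dst ACLs (an assumption), that is the lookup being saved. The upstream name, the subnet, the blocked domain and the resolver address are assumptions; the TTL directives are Squid's own and shown at their defaults.

```conf
# Intermediate cache: everything goes to the parent, never directly to the origin,
# so the only address this box resolves is the parent's.
cache_peer upstream-cache.example.net parent 3128 0 no-query default
never_direct allow all

# Match on the host name in the URL, not on what it resolves to. The commented
# line is the form that forces a forward lookup of every URL host.
acl localnet src 10.0.0.0/8
acl blocked_sites dstdomain .blocked.example
# acl blocked_sites dst 203.0.113.0/24
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# Whatever lookups remain (peer address, dstdomain on IP-literal URLs) go to the
# local caching resolver. positive_dns_ttl is an upper bound on how long a cached
# answer is kept; raising it only matters for records whose own TTL exceeds it and
# pins a stale address for that long if a site moves.
dns_nameservers 127.0.0.1
positive_dns_ttl 6 hours
negative_dns_ttl 1 minutes
```

Whether the chain member is actually resolving destinations is visible in the cache manager ipcache report (squidclient mgr:ipcache): on a never_direct box with only dstdomain ACLs the table should hold little beyond the parent.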
Re: [squid-users] Mesh
See, I'm configuring my squid.conf intending it to run in a mesh:

cache_peer 192.168.15.200 parent 3128 0 no-query round robin
cache_peer 192.168.15.201 parent 3128 0 no-query round robin
cache_peer 192.168.15.202 parent 3128 0 no-query round robin
cache_peer 192.168.15.203 parent 3128 0 no-query round robin

My scenario is that there are four nodes, a front-end and the other nodes. As it is configured, when sent to the node IP, it accumulates more bytes than the other three nodes. I wonder whether we can make an ideal balancing? If yes, how to do it?

Thanks!
Igor Rafael da Rocha

2011/4/30 Amos Jeffries squ...@treenet.co.nz:
On 30/04/11 23:43, igor rocha wrote:
Hello everybody, I wonder if someone could give me a model squid.conf implementation that really works with mesh. I've worked with one configuration from the Squid documentation, but there is a hierarchy quietly happening, because it directs first to one particular cache of the cluster and always fills this cache first. Does someone have a hint? Thanks

Please outline what you are trying to achieve. There are several very different models called mesh and Squid does all of them.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [squid-users] Mesh
On Mon, 2 May 2011 18:07:53 -0300, igor rocha wrote:
See, I'm configuring my squid.conf intending it to run in a mesh:

cache_peer 192.168.15.200 parent 3128 0 no-query round robin
cache_peer 192.168.15.201 parent 3128 0 no-query round robin
cache_peer 192.168.15.202 parent 3128 0 no-query round robin
cache_peer 192.168.15.203 parent 3128 0 no-query round robin

My scenario is that there are four nodes, a front-end and the other nodes. As it is configured, when sent to the node IP, it accumulates more bytes than the other three nodes. I wonder whether we can make an ideal balancing? If yes, how to do it?

You are missing a - in the option name round-robin. If Squid is ignoring them, that would drop you back to the default first-available logic, which acts like you describe.

Amos
Re: [squid-users] Mesh
Hello, no, this is not the problem; it was a typo. I checked in my file and it is with -, i.e. round-robin.

2011/5/2 Amos Jeffries squ...@treenet.co.nz:
On Mon, 2 May 2011 18:07:53 -0300, igor rocha wrote:
[...]

You are missing a - in the option name round-robin. If Squid is ignoring them, that would drop you back to the default first-available logic, which acts like you describe.

Hello, no, this is not the problem; I erred when copying. I checked in my file and it is with -, i.e. round-robin.

Amos
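As an added example (not the poster's file and not a reply from the list), the front-end side of the four-node layout with the option spelled as Squid expects, plus the two things that most often make one parent look busier than the others: the front-end has to be forced through the parents at all, and round-robin rotates requests, not bytes. The addresses are the poster's; the peer names and the weight line are assumptions.

```conf
# Front-end: four equal parents, rotated per request.
cache_peer 192.168.15.200 parent 3128 0 no-query round-robin name=node0
cache_peer 192.168.15.201 parent 3128 0 no-query round-robin name=node1
cache_peer 192.168.15.202 parent 3128 0 no-query round-robin name=node2
cache_peer 192.168.15.203 parent 3128 0 no-query round-robin name=node3

# Without this the front-end may fetch from origin servers itself, so the parents
# only ever see the share of traffic Squid chose to hand them.
never_direct allow all

# Round-robin balances request count. A node that happens to draw the large
# responses will still show more bytes; if one node should carry more requests,
# bias the rotation with weight= (weight=2 gives that node two turns per round).
# cache_peer 192.168.15.200 parent 3128 0 no-query round-robin weight=2 name=node0
```

Compare per-peer request counts rather than bytes in the cache manager peer report (squidclient mgr:server_list) to see whether the rotation is actually even.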
[squid-users] Squid support ssl .pfs cert?
Hi all,

Does Squid support .pfs certs or only PEM certs?

Regards,
Gary
Re: [squid-users] Squid support ssl .pfs cert?
On Tue, 3 May 2011 09:08:20 +0800, Gary K wrote:
Hi all,
Does Squid support .pfs certs or only PEM certs?
Regards,
Gary

Only PEM.

Amos
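Since https_port takes PEM only, a certificate that arrives as a PKCS#12 bundle (.pfx/.p12; the ".pfs" above is assumed to mean that) has to be split into a PEM certificate and a PEM private key first. The following is an added example, not from the thread: it converts a bundle with openssl, verifies that the resulting certificate and key belong together, and, so that it runs offline, first builds a throwaway self-signed bundle of its own. The file names, password and subject are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: PKCS#12 -> PEM for Squid's https_port.

# Split a PKCS#12 bundle into a PEM certificate and a PEM private key.
# The key is written unencrypted because Squid cannot prompt for a passphrase at
# startup, so its mode is locked down; chown it to the Squid user afterwards.
# Bundles exported by old Windows releases use RC2-40 and need `-legacy` on OpenSSL 3.
pfx_to_pem() { # $1 bundle, $2 password, $3 cert out, $4 key out
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" &&
  chmod 0600 "$4"
}

# Fingerprint of the public key inside a certificate, and of the public half of a
# private key; equal output means the pair belongs together.
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | sed 's/.*= //'; }
key_pubkey_fp()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | sed 's/.*= //'; }

# True when the certificate and key match.
pem_pair_matches() { # $1 cert.pem, $2 key.pem
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Build a constructed self-signed bundle in $1 and print its path (demo input only).
make_demo_pfx() { # $1 dir, $2 password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=proxy.example' \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
    -passout "pass:$2" -out "$1/demo.pfx" &&
  printf '%s\n' "$1/demo.pfx"
}

# End to end: make a bundle, convert it, check the pair. Prints ok or mismatch.
demo() {
  d=$(mktemp -d) || return 1
  pfx=$(make_demo_pfx "$d" 'demo-pass') &&
  pfx_to_pem "$pfx" 'demo-pass' "$d/cert.pem" "$d/key.pem" &&
  pem_pair_matches "$d/cert.pem" "$d/key.pem"
  rc=$?
  rm -rf "$d"
  if [ "$rc" -eq 0 ]; then echo ok; else echo mismatch; fi
  return "$rc"
}
demo
```

With the two files in place the listener is the usual https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/key.pem (paths assumed). If the bundle also carries intermediate CA certificates that clients need, export them separately with openssl pkcs12 -cacerts -nokeys and serve them alongside the leaf.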
Re: [squid-users] squid config help required
Is anyone using squirm successfully with squid v3.1.x? I can't get anything to match.

Questions
- Does the url_rewrite_program work correctly in 3.1.4?
- At what stage are URLs passed to url_rewrite_program?
- I believe I need to rewrite in both directions; can I do this with url_rewrite_program?

Looking at http://www.squid-cache.org/Doc/config/url_rewrite_program/, are the changes to the explanatory text below correct/better?

---
-Specify the location of the executable for the URL rewriter.
+Specify the location of the executable URL rewriter to use.
Since they can perform almost any function there isn't one included.
-For each requested URL rewriter will receive on line with the format
+For each requested URL, the rewriter will receive one line with the format
---

The documentation may be clear, but it isn't clear to me.

Apologies for the continuing questions on this.

CC
--
RHCE#805007969328369
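Review bot: the unchanged middle line, "Since they can perform almost any function there isn't one included.", is the one sentence in this hunk left untouched, yet it is the one that reads worst once the sentence before it is reworded: "they" has no plural antecedent (the new first line speaks of "the executable URL rewriter", singular) and the clause lacks its comma. Suggest carrying the polish through, e.g. "Since rewriters can perform almost any function, none is included with Squid." The two rewritten lines themselves are fine as proposed.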
Re: [squid-users] squid config help required
On Tue, 3 May 2011 10:13:28 +0800, Colin Coe wrote:
> Is anyone using squirm successfully with squid v3.1.x? I can't get anything to match.

Yes, several. Not me, I just know of people.

> Questions
> - Does the url_rewrite_program work correctly in 3.1.4?

Yes. The only bugs are around invalid URL output from the helper.

> - At what stage are URLs passed to url_rewrite_program?

Right after request ICAP/eCAP adaptation, which is itself immediately after parsing and http_access.

> - I believe I need to rewrite in both directions, can I do this with url_rewrite_program?

No. location_rewrite_program is needed to re-write server redirect URLs. That has not been ported to Squid-3 yet. Patches *very* welcome.

> Looking at http://www.squid-cache.org/Doc/config/url_rewrite_program/, are the changes to the explanatory text below correct/better?
>
> ---
> -Specify the location of the executable for the URL rewriter.
> +Specify the location of the executable URL rewriter to use.
> Since they can perform almost any function there isn't one included.
> -For each requested URL rewriter will receive on line with the format
> +For each requested URL, the rewriter will receive one line with the format
> ---
>
> The documentation may be clear, but it isn't clear to me.

That does read better. Applied.

Amos
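Amos's answer above pins down two things a helper author needs: where in request processing the rewriter runs, and that the known 3.1 bugs are triggered by invalid URL output from the helper. The script below is an added example of a minimal url_rewrite_program written for this thread; it is not Squid's code and not squirm. It assumes the Squid 3.1 helper protocol as documented on the linked page (input line `URL <SP> client_ip/fqdn <SP> user <SP> method [<SP> kv-pairs]`, reply of the rewritten URL or an empty line to leave the request alone, `301:`/`302:` prefixes to redirect instead), `url_rewrite_concurrency 0` (so no channel-ID prefix), and that CONNECT requests carry `host:port` in the URL field. The rewrite rules and the sample lines are constructed.

```python
"""Minimal url_rewrite_program helper for Squid 3.1.

Added example for the squirm thread; not Squid's own code and not squirm. Assumes:
  - url_rewrite_concurrency 0, i.e. no leading channel-ID on input lines;
  - Squid 3.1 input format:  URL <SP> client_ip/fqdn <SP> user <SP> method [<SP> kv-pairs]
  - Squid 3.1 reply format:  rewritten URL, or an empty line for "leave it alone"
    (301:URL / 302:URL would make Squid send a redirect instead of fetching);
  - CONNECT requests carry host:port rather than a URL.
The RULES table and the sample input lines are constructed.
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed squirm-style rules: (compiled regex, replacement with back-references).
RULES = [
    (re.compile(r"^http://old\.example\.com/(.*)$"), r"http://new.example.com/\1"),
    (re.compile(r"^http://mirror\.example\.com/pub/(.*)$"), r"http://ftp.example.org/pub/\1"),
]


def parse_request_line(line):
    """Split one helper input line into its fields; None when the line is malformed."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) < 4:
        return None
    return {"url": parts[0], "client": parts[1], "ident": parts[2],
            "method": parts[3], "extra": parts[4:]}


def is_valid_url(url):
    """Only ever hand Squid an absolute http(s) URL without whitespace.
    Invalid helper output is exactly where the 3.1 helper bugs live."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and " " not in url


def rewrite(url):
    """Apply the first matching rule; None if nothing matches or the result is unusable."""
    for pattern, replacement in RULES:
        if pattern.match(url):
            candidate = pattern.sub(replacement, url)
            return candidate if is_valid_url(candidate) else None
    return None


def reply_for(line):
    """Build the exact reply line for one input line (empty string = leave URL unchanged)."""
    req = parse_request_line(line)
    if req is None:
        return ""  # malformed: pass through rather than guess
    if req["method"] == "CONNECT":
        return ""  # host:port, not a URL; never rewrite tunnels here
    new_url = rewrite(req["url"])
    return new_url if new_url is not None else ""


def main():
    # Squid keeps the helper running for its lifetime and sends one request per line;
    # every reply must be flushed or the request hangs until the buffer fills.
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /path/to/rewrite.py` and leave `url_rewrite_concurrency` at its default of 0 for this version of the script; if you raise the concurrency, the first token on each input line becomes a channel-ID that has to be echoed back at the start of the reply. Because the helper runs after http_access, an `http_access deny` still wins, and because it runs on client requests only, a `Location:` header coming back from the origin is untouched, which is the second direction the thread asks about.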
Re: [squid-users] squid config help required
Hi Amos

On Tue, May 3, 2011 at 10:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> On Tue, 3 May 2011 10:13:28 +0800, Colin Coe wrote:
>> Is anyone using squirm successfully with squid v3.1.x? I can't get anything to match.
>
> Yes, several. Not me, I just know of people.
>
>> Questions
>> - Does the url_rewrite_program work correctly in 3.1.4?
>
> Yes. The only bugs are around invalid URL output from the helper.
>
>> - At what stage are URLs passed to url_rewrite_program?
>
> Right after request ICAP/eCAP adaptation, which is itself immediately after parsing and http_access.
>
>> - I believe I need to rewrite in both directions, can I do this with url_rewrite_program?
>
> No. location_rewrite_program is needed to re-write server redirect URLs. That has not been ported to Squid-3 yet. Patches *very* welcome.

Is the re-write server redirect the act of rewriting the URL coming back from the origin?

Does squid v2.6STABLE21 work in this respect? If so, I'll downgrade to RHEL5.

>> Looking at http://www.squid-cache.org/Doc/config/url_rewrite_program/, are the changes to the explanatory text below correct/better?
>>
>> ---
>> -Specify the location of the executable for the URL rewriter.
>> +Specify the location of the executable URL rewriter to use.
>> Since they can perform almost any function there isn't one included.
>> -For each requested URL rewriter will receive on line with the format
>> +For each requested URL, the rewriter will receive one line with the format
>> ---
>>
>> The documentation may be clear, but it isn't clear to me.
>
> That does read better. Applied.
>
> Amos

Thanks

CC
--
RHCE#805007969328369
Re: [squid-users] squid config help required
On 03/05/11 15:15, Colin Coe wrote:
> Hi Amos
>
> On Tue, May 3, 2011 at 10:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
>> On Tue, 3 May 2011 10:13:28 +0800, Colin Coe wrote:
>>> Is anyone using squirm successfully with squid v3.1.x? I can't get anything to match.
>>
>> Yes, several. Not me, I just know of people.
>>
>>> Questions
>>> - Does the url_rewrite_program work correctly in 3.1.4?
>>
>> Yes. The only bugs are around invalid URL output from the helper.
>>
>>> - At what stage are URLs passed to url_rewrite_program?
>>
>> Right after request ICAP/eCAP adaptation, which is itself immediately after parsing and http_access.
>>
>>> - I believe I need to rewrite in both directions, can I do this with url_rewrite_program?
>>
>> No. location_rewrite_program is needed to re-write server redirect URLs. That has not been ported to Squid-3 yet. Patches *very* welcome.
>
> Is the re-write server redirect the act of rewriting the URL coming back from the origin?

When they are in a redirect message from the origin server.

> Does squid v2.6STABLE21 work in this respect? If so, I'll downgrade to RHEL5.

No. Only 2.7 has both re-writes.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1