[squid-users] R: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

2012-04-06 Thread Guido Serassio
Hi Clem,

As far as I know there is something different in the WinHttp API used by Outlook, but 
I am not able to find any details about it ...

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Silver Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Clem [mailto:clemf...@free.fr]
 Sent: Thursday, 5 April 2012 9.30
 To: Guido Serassio; squid-users@squid-cache.org
 Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
 exchange2007 with ntlm
 
 Hi Guido,
 
 Thanks for this link but I've already read it, and already set that
 parameter (EXPR), and no change, I've made more tests yesterday :
 
 .. WinXP - squid - exchange 2007
 
 With lan manager parameters (secpol.msc) AND with msstd option checked in
 outlook http proxy parameters :
 
 . LM and NTLM only : working
 . NTLM only : working
 . NTLMv2 only : working
 
 .. Windows7 - squid - exchange 2007
 
 With lan manager parameters (secpol.msc) AND with msstd option checked in
 outlook http proxy parameters :
 
 . LM and NTLM only : NOT working
 . NTLM only : NOT working
 . NTLMv2 only : NOT working
 
 With lan manager parameters (secpol.msc) AND with msstd option NOT checked
 in outlook http proxy parameters :
 
 . LM and NTLM only : working
 . NTLM only : NOT working
 . NTLMv2 only : NOT working
 
 Without squid, so outlook connected directly to exchange via outlook
 anywhere, that works with any parameters, for XP and 7.
 
 I'm so confused ... Why does that work with XP with any parameters and
 with Windows7 only with 2 parameters on?
 What is the thing that makes the difference between these two OSes?
 
 Regards,
 
 Clem
 
 
 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Wednesday, 4 April 2012 19:32
 To: Clem; squid-users@squid-cache.org
 Subject: R: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
 exchange2007 with ntlm
 
 Hi Clem,
 
 Try reading this:
 http://blogs.technet.com/b/exchange/archive/2008/09/29/3406352.aspx
 
 Regards
 
 Guido Serassio
 
 
  -Original Message-
  From: Clem [mailto:clemf...@free.fr]
  Sent: Monday, 2 April 2012 15.34
  To: squid-users@squid-cache.org
  Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
  exchange2007 with ntlm
 
  Re,
 
  I've found the option that generates the issue only with windows7, in
  outlook proxy http settings window, we have this checked automatically
  : connect only to server proxy certificate that uses this principal
  (common) name :
  Msstd : externalfqdn
 
  When I uncheck this option, my outlook (2007/2010) can connect through
  squid with ntlm in my Exchange via outlook anywhere, If it's checked
  I've got a : server is unavailable.
  In windows XP, checked or not, that works.
 
  By the way, after connection to exchange succeeds in w7, that option
  rechecks itself automatically ...
 
  The point is, why ? Maybe windows7 is more paranoid with certificate ??
 
  Have you an idea ?
 
  Regards
 
  Clem
 
  -Original Message-
  From: Amos Jeffries [mailto:squ...@treenet.co.nz]
  Sent: Tuesday, 27 March 2012 23:27
  To: squid-users@squid-cache.org
  Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
  exchange2007 with ntlm
 
  On 27.03.2012 21:31, Clem wrote:
   Hi Amos,
  
   Administrateur is the french AD name for Administrator :)
  
 
  Yes. I'm just wondering if it is correct for what your IIS is checking
  against.
 
  Amos



[squid-users] R: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

2012-04-04 Thread Guido Serassio
Hi Clem,

Try reading this: 
http://blogs.technet.com/b/exchange/archive/2008/09/29/3406352.aspx

Regards

Guido Serassio


 -Original Message-
 From: Clem [mailto:clemf...@free.fr]
 Sent: Monday, 2 April 2012 15.34
 To: squid-users@squid-cache.org
 Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
 exchange2007 with ntlm
 
 Re,
 
 I've found the option that generates the issue only with windows7, in outlook
 proxy http settings window, we have this checked automatically : connect
 only to server proxy certificate that uses this principal (common) name :
 Msstd : externalfqdn
 
 When I uncheck this option, my outlook (2007/2010) can connect through
 squid with ntlm in my Exchange via outlook anywhere, If it's checked I've
 got a : server is unavailable.
 In windows XP, checked or not, that works.
 
 By the way, after connection to exchange succeeds in w7, that option
 rechecks itself automatically ...
 
 The point is, why ? Maybe windows7 is more paranoid with certificate ??
 
 Have you an idea ?
 
 Regards
 
 Clem
 
 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Tuesday, 27 March 2012 23:27
 To: squid-users@squid-cache.org
 Subject: RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
 exchange2007 with ntlm
 
 On 27.03.2012 21:31, Clem wrote:
  Hi Amos,
 
  Administrateur is the french AD name for Administrator :)
 
 
 Yes. I'm just wondering if it is correct for what your IIS is checking
 against.
 
 Amos



[squid-users] R: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

2012-03-25 Thread Guido Serassio
Hi Clem,

I have already verified that Windows Vista and 7 talk differently to Exchange.
The patched 3.1.19 build fixed my problem, and also Mac EWS clients seem to 
almost work.
I'm waiting for 3.2 STABLE before running new tests on it.

Regards 

Guido Serassio


 -Original Message-
 From: Clem [mailto:clemf...@free.fr]
 Sent: Friday, 23 March 2012 15.48
 To: squid-users@squid-cache.org
 Subject: RE: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
 proxy ii6 exchange2007 with ntlm
 
 Back with my windows7 test, and failed ... I dunno exactly why, but It
 times out with a server is unavailable.
 
 In my IIS httperr log I have :
 
 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6004 400 1 BadRequest DefaultAppPool
 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?xx.xx.fr:6001 400 1 Connection_Dropped DefaultAppPool
 
 Ok with XP, not with windows7 and vista I guess
 
 Can you help me with this ?
 Thx
 
 Clem
 
 -Original Message-
 From: Clem [mailto:clemf...@free.fr]
 Sent: Thursday, 22 March 2012 21:40
 To: squid-users@squid-cache.org
 Subject: Re: TR: TR: [squid-users] https analyze, squid rpc proxy to rpc
 proxy ii6 exchange2007 with ntlm
 
 For info, I'm using squid 3.2016 beta, exchange 2007 sp3 and a test client
 on XP, I'll test a client on windows7.
 
 No config for blackberry devices, they don't use activesync but the
 connection to blackberry server directly connected to our exchange.
 
 
 
 On 22/03/2012 15:50, Clem wrote:
  I've tested activesync with this tool
  https://store.accessmylan.com/main/diagnostic-tools , all is OK ! I will be
  able to put my front-end squid proxy for exchange 2007 in production soon !
 
 
  -Original Message-
  From: Clem [mailto:clemf...@free.fr]
  Sent: Thursday, 22 March 2012 14:40
  To: 'Clem'; 'squid-users@squid-cache.org'
  Cc: 'Amos Jeffries'; 'squid-users@squid-cache.org'
  Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
  ii6 exchange2007 with ntlm
 
  Forgot the powershell command :
 
  get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm
 
  Infos there :
 
  http://marckean.wordpress.com/2009/02/06/exchange-2007-sp1-outlook-anywhere-ntlm-authentication-for-domain-based-and-workgroup-based-computers/
 
  -Original Message-
  From: Clem [mailto:clemf...@free.fr]
  Sent: Thursday, 22 March 2012 14:32
  To: squid-users@squid-cache.org
  Cc: Amos Jeffries; squid-users@squid-cache.org
  Subject: RE: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
  ii6 exchange2007 with ntlm
 
  Hello all
 
  I'm glad to inform you that I have found a workaround solution for outlook
  anywhere client via NTLM.
  I really didn't want to change any config of my clients outlook, who are
  actually configured on NTLM auth via Outlook RPC Proxy settings.
 
  Outlook Anywhere is configured in NTLM.
 
  Recently I have found that the main problem with squid was the double hop
  NTLM.
 
  So I thought a different way :  NTLM Clients credentials -> SQUID -> Basic
  Squid Auth -> IIS RPC PROXY -> NTLM client Credentials carried by squid ->
  Outlook Anywhere
 
  And that works !! The trick is to enable both Integrated Windows
  Authentication (NTLM) AND Basic authentication on the Rpc virtual
  directory of IIS (6 for my own).
  On Squid you have to use login:DOMAIN\user:password to send a credential
  that can auth (I have used Admin one). Dunno if it's secure to use AD admin
  user/pass directly in squid.conf ?
  Anyway that works so I'll continue to test now with that config.
 
  Now I've to test activesync with Iphone, and after with my Blackberry Server
  Express.
 
  I can paste you some of my configurations if you need
 
  Regards
 
  Clem
 
 
 
  -Original Message-
  From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
  Sent: Sunday, 18 March 2012 12:36
  To: clemf...@free.fr
  Cc: Amos Jeffries; squid-users@squid-cache.org
  Subject: R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6
  exchange2007 with ntlm
 
  Hi Clem,
 
  Currently it seems that a fully working reverse Proxy Open Source solution
  for Exchange 2007 and 2010 is not available.
 
  Squid is really near to be fully functional, but there are still some
  problems.
  Look at my comments in this bug:
  http://bugs.squid-cache.org/show_bug.cgi?id=3141
 
  Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled
  in front of an Exchange 2010 Server.
  RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry
  clients is still problematic.
 
  I have tried also to use 3.2, but things seem to be worse: RPC doesn't work
  at all.
 
  Regards
 
  Guido

[squid-users] R: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

2012-03-18 Thread Guido Serassio
Hi Clem,

Currently it seems that a fully working reverse Proxy Open Source solution for 
Exchange 2007 and 2010 is not available.

Squid is really near to be fully functional, but there are still some problems.
Look at my comments in this bug: http://bugs.squid-cache.org/show_bug.cgi?id=3141

Currently I'm running a patched Squid 3.1.19 with http 1.1 support enabled in 
front of an Exchange 2010 Server.
RPC over HTTPS seems to work fine, while EWS from Apple and BlackBerry clients 
is still problematic.

I have tried also to use 3.2, but things seem to be worse: RPC doesn't work at 
all.

Regards

Guido Serassio


 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Friday, 16 March 2012 11.54
 To: squid-users@squid-cache.org
 Subject: Re: TR: [squid-users] https analyze, squid rpc proxy to rpc proxy
 ii6 exchange2007 with ntlm
 
 On 14/03/2012 11:32 p.m., Clem wrote:
  Hello,
 
  Ok so I know exactly why squid can't forward ntlm credentials and stop at
  type1. It's facing the double hop issue, ntlm credentials can be sent only
  on one hop, and is lost with 2 hops like : client -> squid (hop1) -> IIS6
  rpc proxy (hop2) -> exchange 2007
 
  That's why when I connect directly to my iis6 rpc proxy that works and when
  I connect through squid that request login/pass again and again. And we can
  clearly see that on https analyzes.
 
  ISA server has a workaround about this double hop issue as I have written in
  my last mail, I don't know if squid can act like this.
 
  I'm searching atm how to set iis6 perhaps to resolve this problem, but I
  don't want to break my exchange so I've to do my tests very carefully
 
 Cheers. I've added a mention of this to the NTLM issues wiki page now
 for others to find along with the archive of these messages.
 
 Amos
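
To see where a proxied NTLM handshake stops (the "stop at type1" symptom above) and which response flavour a client sent under each LAN Manager level, the tokens in the HTTP auth headers can be decoded. This is an added example, not code from the posters or from Squid; the function names and both traces are constructed, not captured traffic.

```python
"""Classify NTLM-over-HTTP tokens and show where a proxied handshake stops."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "Type1/NEGOTIATE", 2: "Type2/CHALLENGE", 3: "Type3/AUTHENTICATE"}


def parse_ntlm_header(value):
    """Parse the value of an Authorization or WWW-Authenticate header.

    Returns None for a bare "NTLM" offer, else a dict describing the token.
    """
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header: %r" % scheme)
    blob = blob.strip()
    if not blob:
        return None
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    info = {"type": mtype, "name": NAMES.get(mtype, "unknown")}
    if mtype == 2 and len(raw) >= 32:
        # The 8-byte server challenge sits at offset 24 of a Type 2 message.
        info["challenge"] = raw[24:32].hex()
    elif mtype == 3 and len(raw) >= 28:
        # NT response security buffer: length, max length, offset.
        nt_len, _nt_max, nt_off = struct.unpack_from("<HHI", raw, 20)
        if nt_off + nt_len > len(raw):
            raise ValueError("NT response points outside the token")
        info["nt_response_len"] = nt_len
        # A classic NTLM response is exactly 24 bytes; NTLMv2 appends a
        # variable-length blob to a 16-byte proof, so it is always longer.
        info["flavour"] = "NTLMv2" if nt_len > 24 else "NTLM"
    return info


def furthest_message(trace):
    """Map each hop name to the highest NTLM message type seen on it."""
    seen = {}
    for hop, header_value in trace:
        info = parse_ntlm_header(header_value)
        seen[hop] = max(seen.get(hop, 0), info["type"] if info else 0)
    return seen


def sample_token(mtype, nt_len=0):
    """Build a constructed, syntactically valid header value for the demo."""
    head = SIGNATURE + struct.pack("<I", mtype)
    if mtype == 1:
        body = struct.pack("<I", 0x00000207) + b"\x00" * 16
    elif mtype == 2:
        body = (struct.pack("<HHI", 0, 0, 48) + struct.pack("<I", 0x00000205)
                + bytes(range(8)) + b"\x00" * 16)
    else:
        lm_off, nt_off = 64, 88
        body = (struct.pack("<HHI", 24, 24, lm_off)
                + struct.pack("<HHI", nt_len, nt_len, nt_off)
                + struct.pack("<HHI", 0, 0, nt_off + nt_len) * 4
                + struct.pack("<I", 0x00000205)
                + b"\x00" * 24 + b"\xaa" * nt_len)
    return "NTLM " + base64.b64encode(head + body).decode("ascii")


# Constructed trace of the failing case: neither hop gets past Type 1.
PROXIED_TRACE = [
    ("client-squid", sample_token(1)),
    ("squid-iis", sample_token(1)),
    ("squid-iis", "NTLM"),        # 401 with a bare offer instead of a Type 2
    ("client-squid", "NTLM"),
    ("client-squid", sample_token(1)),  # client starts over: login prompt again
]
# Constructed trace of the direct connection completing all three messages.
DIRECT_TRACE = [
    ("client-iis", sample_token(1)),
    ("client-iis", sample_token(2)),
    ("client-iis", sample_token(3, nt_len=60)),
]

if __name__ == "__main__":
    print(furthest_message(PROXIED_TRACE))
    print(furthest_message(DIRECT_TRACE))
    print(parse_ntlm_header(DIRECT_TRACE[-1][1]))
```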


[squid-users] R: [squid-users] squid 3.1.x with IIS SharePoint as back-end.

2012-01-11 Thread Guido Serassio
Hi,

Look at this bug:
http://bugs.squid-cache.org/show_bug.cgi?id=3141

Likely it's the same problem.
I hope that it will be fixed in the incoming 3.2.

Regards

Guido Serassio


 -Original Message-
 From: kimi ge(巍俊葛) [mailto:weiju...@gmail.com]
 Sent: Wednesday, 11 January 2012 8.47
 To: Amos Jeffries
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
 
 Thanks Amos.
 
 I did the lynx test on back-end web site on squid system like this:
 sudo lynx http://wtestsm1.asiapacific.hpqcorp.net
 
 First, it shows the message:
 Alert!: Invalid header 'WWW-Authenticate: NTLM'
 
 Then it shows the following message.
 Show the 401 message body? (y/n)
 
 For the domain auth, I mean the back-end web site need corp domain
 user to be accessed.
 I put this in this way, if I log on with my corp domain on my laptop,
 then I could access IIS Share Point without any credentials window pop
 up. If not, I have to input my domain account on credentials window to
 access the Share Point Site.
 
 
 The following is my squid configuration about this case which I ignore
 some default sections.
 #added by kimi
 acl hpnet src 16.0.0.0/8 # RFC1918 possible internal network
 #added by kimi
 acl origin_servers dstdomain ids-ams.elabs.eds.com
 http_access allow origin_servers
 http_access allow hpnet
 
 http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com connection-auth=on
 
 forwarded_for on
 
 request_header_access WWW-Authenticate allow all
 
 cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query no-digest originserver name=main connection-auth=on login=PASS
 
 cache_peer_domain main .elabs.eds.com
 
 hierarchy_stoplist cgi-bin ?
 
 coredump_dir /var/spool/squid
 
 # Add any of your own refresh_pattern entries above these.
 refresh_pattern ^ftp:             1440  20%  10080
 refresh_pattern ^gopher:          1440  0%   1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%   0
 refresh_pattern .                 0     20%  4320
 
 cache_dir aufs /data/squid/cache 12000 64 256
 cache_mem 1024 MB
 maximum_object_size_in_memory 1024 KB
 maximum_object_size 51200 KB
 
 visible_hostname ids-ams.elabs.eds.com
 debug_options ALL,5
 http_access deny all
 
 While let squid be running, I do test like this
 http://ids-ams.elabs.eds.com
 
 The 404 error page is shown.
 That's why I am wondering squid could be as reverse-proxy with IIS
 SharePoint as back-end?
 
 Thanks,
 ~Kimi
 
 
 
 On 11/01/2012, Amos Jeffries squ...@treenet.co.nz wrote:
  On 11/01/2012 6:28 p.m., kimi ge(巍俊葛) wrote:
  Hi,
 
I have an issue to make squid 3.1.x to work with IIS SharePoint as
 the
back-end.
  The details are listed below.
 
  1. squid 3.1.x is running as a reverse-proxy.
  2. The back-end is IIS SharePoint Site with domain authentication
  required.
That means only the valid domain user could access this SharePoint
 site.
The issue is it always return 404 error page. And the logon window is
not prompted.
 
  What is this domain authentication you mention? All of the HTTP auth
  mechanisms count as domain auth to a reverse proxy, and none of them
  are named Domain.
 
 
My question is whether squid supports this kind of case or not?
If supports, how should I do configuration on squid.conf file?
 
Thanks in advance.
~Kimi
 
  404 status is about the resource being requested _not existing_. Login
  only operates when there is something to be authorized fetching. So I
  think auth is not relevant at this point in your testing.
 
  Probably the URL being passed to IIS is not what you are expecting to be
  passed and IIS is not setup to handle it. You will need to share your
  squid.conf details for more help.
 
  Amos
 


[squid-users] R: [squid-users] Re: Configuring SQUID in Windows to authenticate with Active Directory

2011-03-24 Thread Guido Serassio
Hi,

You are using wrong auth_param negotiate options: 

 auth_param negotiate realm Internet-Access
 auth_param negotiate credentialsttl 5 minute

Regards
 

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Lakshman Liyanage [mailto:one.laksh...@gmail.com]
 Sent: Wednesday, 23 March 2011 7.36
 To: squid-users@squid-cache.org
 Subject: Fwd: [squid-users] Re: Configuring SQUID in Windows to
 authenticate with Active Directory
 
 -- Forwarded message --
 From: Lakshman Liyanage one.laksh...@gmail.com
 Date: Wed, Mar 23, 2011 at 4:34 PM
 Subject: Re: [squid-users] Re: Configuring SQUID in Windows to
 authenticate with Active Directory
 To: Markus Moeller hua...@moeller.plus.com, squid-users@squid-cache.org
 
 
 Thank You Marcus for reply.
 
 The reason I asked about squid_kerb_auth is  that someone on the list
 (Rafal Zawierta) mentioned that he/she got it to work in Windows
 2008R2 (AD).
 
 Anyway, I tried what you suggested. Now I do not get a logon window in
 the browser for me to enter credentials - instead it throws me Cache
 Access Denied  message.
 
 As I mentioned earlier I am a newbie - so excuse me if I am missing
 obvious.  I have the following lines in my squid.conf:
 
 auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
 auth_param negotiate children 5
 auth_param negotiate realm Internet-Access
 auth_param negotiate credentialsttl 5 minute
 
 acl password proxy_auth REQUIRED
 http_access allow password
 # http_accesss allow localhost
 
 What am I missing in my .conf?
 
 Many thanks
 
 Lakshman
 On Wed, Mar 23, 2011 at 9:47 AM, Markus Moeller hua...@moeller.plus.com
 wrote:
 
  Look at Amos's reply.  There is no squid_kerb_auth on Windows.  You must
 use mswin_negotiate_auth
 
  Markus
 
  Liyanage, Lakshman lakshman.liyan...@jcu.edu.au wrote in message
 news:1997817097853D4CB2B2AD655359FD28051173BF65@SG1RD3XVS171.red003.local.
 ..
 
  Hi All,
 
  Just hoping these Windows guys will help me with my query below -
 where/how would I find squid_kerb_auth helper  for 2.7?
 
  Thanks
 
  Lakshman
 
  
  From: Liyanage, Lakshman
  Sent: Wednesday, 16 March 2011 10:08 AM
  To: squid-users@squid-cache.org
  Subject: FW: Configuring SQUID in Windows to authenticate with Active
 Directory
 
  Hello All,
 
  I am trying configure SQUID 2.7 in Windows 2008 R2 (Sometime ago, then
 I had to postpone the project for a while) and I posted my cry for help
 here -  for which Rafal responded (see below).
 
  However, I can not see squid_kerb_auth helper  in my SQUID
 installation. How do I get this?
 
  Thanks and Regards
 
  L.
  ---
  From: Rafal Zawierta [zawie...@gmail.com]
  Sent: Saturday, 12 February 2011 8:10 PM
  To: Liyanage, Lakshman
  Subject: Re: [squid-users] Configuring SQUID in Windows to authenticate
 with Active Directory
  Hello, try squid_kerb_auth instead ldap. For me it works with AD
 2008R2.
  Regards
  R
 
 
  
  From: Liyanage, Lakshman [lakshman.liyan...@jcu.edu.au]
  Sent: Saturday, 12 February 2011 1:41 PM
  To: squid-users@squid-cache.org
  Subject: [squid-users] Configuring SQUID in Windows to authenticate
 with Active Directory
 
  Hello All,
  I am new to SQUID and hence require some help.
  I have SQUID 2.7 Stable8 installed on a Windows Server 2008 R2. I am
 now trying to configure it to use MS Active Directory. I have the
 following lines  in the .conf file:
  -
  auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b dc=ad-mycompany,dc=domain,dc=com -D cn=admin,cn=Users,dc=ad-mycompany,dc=domain,dc=com -w password -f sAMAccountName=%s -h myipnumber
  auth_param basic children 5
  auth_param basic realm My_Company
  auth_param basic credentialsttl 5 minute
  --
  When I try to start SQUID, Windows throws Error 1067: The process
 terminated unexpectedly at me.  I have a web server/service running on
 port 80 and 443.
  What am I missing here?
  Many many thanks for your help
 
  Lakshman
 
 


[squid-users] R: [squid-users] Configuring SQUID in Windows to authenticate with Active Directory

2011-02-14 Thread Guido Serassio
Hi,

You should test if the helper works running it from command line.
But do you really need LDAP authentication against Active Directory ?
Are you sure that you cannot use native Windows helpers ?

Regards

Guido Serassio


 -Original Message-
 From: Liyanage, Lakshman [mailto:lakshman.liyan...@jcu.edu.au]
 Sent: Monday, 14 February 2011 3.07
 To: squid-users@squid-cache.org
 Subject: FW: [squid-users] Configuring SQUID in Windows to authenticate
 with Active Directory
 
 Hi Guido,
 
 Thank you for your email. I added the .exe extension and now squid starts
 without any errors. However, I have a feeling that it does not talk to
 Microsoft Active Directory to authenticate users - if I key in an arbitrary
 value for the -w password option, squid still  starts.  I was expecting
 to see an error.
 
 cache.log has the following entry:
 2011/01/27 16:51:09| Accepting proxy HTTP connections at 0.0.0.0, port
 3128, FD 14.
 Is that normal?
 
 Also if I try to use a browser (I used Firefox)- it prompts for user
 credentials, but if I use any usernames in Microsoft Active Directory it
 does not authenticate against those usernames. The browser keeps on
 prompting for a username and a password.  access.log is filled with
 TCP_DENIED/407 errors.
 
 Any assistance is muchly appreciated.
 
 Thanks and Regards
 
 Lakshman
 
 
 
 From: Guido Serassio [guido.seras...@acmeconsulting.it]
 Sent: Sunday, 13 February 2011 5:35 PM
 To: Liyanage, Lakshman; squid-users@squid-cache.org
 Subject: R: [squid-users] Configuring SQUID in Windows to authenticate
 with Active Directory
 
 Hi,
 
 You must add the .exe extension after squid_ldap_auth as noted in the
 documentation.
 
 Regards
 
 Guido Serassio
 Acme Consulting S.r.l.
 Microsoft Gold Certified Partner
 Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135   Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it
 
 
  -Original Message-
  From: Liyanage, Lakshman [mailto:lakshman.liyan...@jcu.edu.au]
  Sent: Saturday, 12 February 2011 4.41
  To: squid-users@squid-cache.org
  Subject: [squid-users] Configuring SQUID in Windows to authenticate with
  Active Directory
 
  Hello All,
  I am new to SQUID and hence require some help.
  I have SQUID 2.7 Stable8 installed on a Windows Server 2008 R2. I am now
  trying to configure it to use MS Active Directory. I have the following
  lines  in the .conf file:
  -
  auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b dc=ad-mycompany,dc=domain,dc=com -D cn=admin,cn=Users,dc=ad-mycompany,dc=domain,dc=com -w password -f sAMAccountName=%s -h myipnumber
  auth_param basic children 5
  auth_param basic realm My_Company
  auth_param basic credentialsttl 5 minute
  --
  When I try to start SQUID, Windows throws Error 1067: The process
  terminated unexpectedly at me.  I have a web server/service running on
  port 80 and 443.
  What am I missing here?
  Many many thanks for your help
 
  Lakshman


[squid-users] R: [squid-users] Configuring SQUID in Windows to authenticate with Active Directory

2011-02-12 Thread Guido Serassio
Hi,

You must add the .exe extension after squid_ldap_auth as noted in the
documentation.

Regards

Guido Serassio


 -Original Message-
 From: Liyanage, Lakshman [mailto:lakshman.liyan...@jcu.edu.au]
 Sent: Saturday, 12 February 2011 4.41
 To: squid-users@squid-cache.org
 Subject: [squid-users] Configuring SQUID in Windows to authenticate with
 Active Directory
 
 Hello All,
 I am new to SQUID and hence require some help.
 I have SQUID 2.7 Stable8 installed on a Windows Server 2008 R2. I am now
 trying to configure it to use MS Active Directory. I have the following
 lines  in the .conf file:
 -
 auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b dc=ad-mycompany,dc=domain,dc=com -D cn=admin,cn=Users,dc=ad-mycompany,dc=domain,dc=com -w password -f sAMAccountName=%s -h myipnumber
 auth_param basic children 5
 auth_param basic realm My_Company
 auth_param basic credentialsttl 5 minute
 --
 When I try to start SQUID, Windows throws Error 1067: The process
 terminated unexpectedly at me.  I have a web server/service running on
 port 80 and 443.
 What am I missing here?
 Many many thanks for your help
 
 Lakshman
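
The configuration points raised in these threads (realm and credentialsttl being wrong options for the negotiate scheme, the missing .exe on the Windows helper path, and the question of putting an AD password directly in squid.conf) can be checked mechanically before Squid is started. This is an added example, not code from the posters or the Squid project; the finding codes, host names and sample configuration are constructed, and it assumes the `login=user:password` spelling of the cache_peer option and that squid_ldap_auth's `-W secretfile` is available as the alternative to `-w`.

```python
"""Lint a squid.conf for the configuration problems discussed in the threads."""

# Options reported in the thread as wrong for "auth_param negotiate".
NEGOTIATE_REJECTED = {"realm", "credentialsttl"}
# cache_peer login= keywords that do not embed a secret in the file.
LOGIN_KEYWORDS = {"PASS", "PASSTHRU", "NEGOTIATE"}


def lint_squid_conf(text, windows=True):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not words:
            continue
        if words[0] == "auth_param" and len(words) >= 3:
            scheme, option, args = words[1].lower(), words[2].lower(), words[3:]
            if scheme == "negotiate" and option in NEGOTIATE_REJECTED:
                findings.append((number, "NEGOTIATE_OPTION",
                                 "'%s' is not a negotiate option" % option))
            if option == "program" and args:
                if windows and not args[0].lower().endswith(".exe"):
                    findings.append((number, "HELPER_EXT",
                                     "helper path lacks the .exe extension"))
                if "-w" in args[1:]:
                    findings.append((number, "HELPER_SECRET",
                                     "bind password on the command line; "
                                     "use -W secretfile"))
        elif words[0] == "cache_peer":
            for word in words[1:]:
                if not word.startswith("login="):
                    continue
                value = word[len("login="):]
                keyword = value.split(":", 1)[0].upper()
                if ":" in value and keyword not in LOGIN_KEYWORDS:
                    findings.append((number, "PEER_SECRET",
                                     "account password stored in cache_peer"))
    return findings


# Constructed sample built from the fragments quoted in the threads;
# host names, DNs and the service account are placeholders.
SAMPLE_CONF = r"""auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
auth_param negotiate children 5
auth_param negotiate realm Internet-Access
auth_param negotiate credentialsttl 5 minute
auth_param basic program c:/squid/libexec/squid_ldap_auth -R -b dc=example,dc=com -D cn=admin,cn=Users,dc=example,dc=com -w password -f sAMAccountName=%s -h 192.0.2.10
auth_param basic realm My_Company
cache_peer owa.example.com parent 443 0 no-query originserver login=EXAMPLE\svc-proxy:password
cache_peer sp.example.com parent 80 0 no-query originserver login=PASS
"""

if __name__ == "__main__":
    for number, code, message in lint_squid_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (number, code, message))
```

A file that embeds either kind of password should at least be readable only by the account Squid runs as, and the bound account should carry no more rights than the lookup or the back-end login needs.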


[squid-users] R: Squid 2.7 for Windows Bug Report

2010-10-02 Thread Guido Serassio
Hi,


 
 Hi
 I am still finding difficult to compile squid with enable ssl option, see
 the attached for my efforts so far. How can you help me resolve this error
 either in stable8 or stable9.
 
 However, can i take full advantage of HTTPS feature in squid if i don't
 compile squid with --enable-ssl option?
 

Sorry, but really I don't know how to help you.

squid2.7.8make_error.txt: no errors ...
squid2.7.9make_error.txt: no errors ...

I have just run a build process of latest 2.7 with OpenSSL, no errors

I cannot reproduce the Stack.c error.

Your configure output seems to be OK.

You should ask OpenSSL people about problems related to latest OpenSSL
on MinGW.

Regards


Guido Serassio




[squid-users] R: [squid-users] Stable (non-experimental) SSL support in Windows version? Or anyone use Squid with stunnel?

2010-08-26 Thread Guido Serassio
Hi,

 Googling that, all I find is the maintainer of the Acme
 Windows Squid package pointing out that that's why SSL is labeled
 experimental.
 
 I checked, and ALL of the versions from Acme have this disclaimer. (not
 casting blame)
 
 So . does anyone know of a Windows version of Squid that's in wide use,
 using SSL, and known to be stable?

You have pointed the problem:
The SSL binaries that you are using are generated automatically, without
testing SSL functionality.
But really I don't know if they work, because nobody has reported any
kind of information to us in the last 2 years .

Same thing happened with the 3.0.20 experimental build, so we assumed
that no reporting means no interest at all ...

I don't know how to help you, because I don't have any kind of knowledge
about OpenSSL on Windows.

Regards


Guido Serassio



[squid-users] R: [squid-users] AD integration for user authentication in Squid 2.7 Windows version

2010-08-13 Thread Guido Serassio
Hi,

It works just out the box.
You just need to install it on a Domain Member machine.

Regards

Guido Serassio


-Original Message-
From: tony@oocl.com [mailto:tony@oocl.com] 
Sent: Tuesday, 10 August 2010 3.23
To: squid-users@squid-cache.org
Subject: [squid-users] AD integration for user authentication in Squid 2.7 
Windows version

Dear All

I found the feature 'Native Windows Basic, Negotiate and NTLM Authenticators 
with NTLMv2 support'  on Squid2.7 for Windows. But I explored but seldom share 
found to indicate how to implement this.
In Linux Samba+Krb5 can make Squid talk with AD, but not sure if additional 
packages need install to let Squid for Windows integrated with AD.

Would you pls enlighten me, if can share some similar case and sample config 
will be very appreciated!



Best Regards
Tony Fei






[squid-users] R: [squid-users] squid on Windows

2010-08-06 Thread Guido Serassio
Hi Markus,

I wrote the native Windows helpers a long time ago, but now I don't remember 
exactly if the NTLM one needs a DC, but it should, because is a full 
negotiating NTLM helper. It seems to me that only the Basic one can work using 
local accounts. Again, I'm not sure, and now I don't have the possibility to 
make a check.

Regards

Guido Serassio


-Original Message-
From: Markus Moeller [mailto:hua...@moeller.plus.com] 
Sent: Friday, 6 August 2010 11.34
To: squid-users@squid-cache.org
Subject: [squid-users] squid on Windows

Hi

Can I run squid on Windows XP or Vista and provide NTLM authentication for 
the XP/Vista local accounts or do I need a DC ?

Thank you
Markus 




[squid-users] R: [squid-users] IE6 and Kerberos-Authentication doesn't work

2010-07-01 Thread Guido Serassio
Hi,

Sorry, you cannot.

IE6 supports Kerberos auth only for Web server authentication, not for proxy 
authentication.
Kerberos support for proxy authentication was first added in IE7, but you 
cannot use it on Windows 2000.

On Windows 2000 Firefox works fine with Kerberos proxy authentication, so you 
could try it.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


-Original Message-
From: Tom Tux [mailto:tomtu...@gmail.com]
Sent: Thursday, 1 July 2010 13.27
To: squid-users
Subject: [squid-users] IE6 and Kerberos-Authentication doesn't work

Hi

I've found several documents describing that IE6 SP1 doesn't support
kerberos-authentication and other documents like
http://support.microsoft.com/kb/299838 which describes a solution, how
I can enable the kerberos-authentication in IE6.

I've enabled it and rebooted the client, but I'm not able to
authenticate with kerberos with IE6  Windows2000.

Any hints or is it definitely not possible to authenticate the W2K-IE6
with kerberos?
Thanks.

Regards,
Tom


[squid-users] R: [squid-users] setsockopt(IP_TOS) not supported on this platform

2010-06-25 Thread Guido Serassio
Hi,

Knowing which OS/platform you are on would help in answering you.

From your previous messages on the list, I can suppose that you are speaking 
about Windows. If so, the message is correct, Windows sockets don't provide 
IP_TOS support. 

Regards
 

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


-Original Message-
From: winet...@gmail.com [mailto:winet...@gmail.com]
Sent: Thursday, 24 June 2010 13.26
To: squid-users@squid-cache.org
Subject: [squid-users] setsockopt(IP_TOS) not supported on this platform

I set tcp_outgoing_tos 0x30
And I keep getting error on cache log:
comm_open: setsockopt(IP_TOS) not supported on this platform

Thus the TOS is not working. Anyone fix it yet? Thanks


[squid-users] R: [squid-users] Is there a way to get transparent proxy to work with Squid 2.7 stable 8 on Windows 2003 Server?

2010-04-25 Thread Guido Serassio
Hi,

On Windows a transparent interception driver is missing.

But if you can use some L3/L4 device able to redirect the http requests (like a 
firewall or a L3 switch) to the Windows Squid box, yes, it should work.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it



 -Original Message-
 From: Milan [mailto:compguy030...@gmail.com]
 Sent: Thursday, 22 April 2010 14.59
 To: squid-users@squid-cache.org
 Subject: [squid-users] Is there a way to get transparent proxy to work
 with Squid 2.7 stable 8 on Windows 2003 Server?
 
 We have a squid 2.7 stable 8 running on Windows 2003 server on a VM.
 Is it possible to get transparent proxy working on this version or is
 still impossible for windows?


[squid-users] R: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-21 Thread Guido Serassio
Hi,

  We have the below acl for users in the Ad global group
 
 
  external_acl_type AD_global_group ttl=120 %LOGIN
  c:/squid/libexec/mswin_check_ad_group.exe -G
 
  and another acl below that allows full access thru the squid proxy
  using an ad group
 
  acl InetAllow external AD_global_group CLW.Squid.Full
 
 
  any ideas
 

AGAIN:

When using mswin_check_ad_group.exe 1.x in global mode (-G option),
the check is always done against a global group placed in the user's
domain.

So the question is: In which AD domain is the CLW.Squid.Full group
defined?

Regards

Guido

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it





[squid-users] R: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-21 Thread Guido Serassio
Hi,

Yes, but only if you are using the 2.x version of the helper and the 
CLW.Squid.Full group is a group with the appropriate scope (Local, Global or 
Universal).

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it



 -Original Message-
 From: Milan [mailto:compguy030...@gmail.com]
 Sent: Wednesday, 21 April 2010 14.52
 To: Guido Serassio
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] External users from Child AD domain unable to
 use local Squid proxy
 
 So instead of the way the line is now:
 
 acl InetAllow external AD_global_group CLW.Squid.Full
 
 The domain would be added to the group like below:
 
 acl InetAllow external AD_global_group NA\CLW.Squid.Full
 
 
 
 On Wed, Apr 21, 2010 at 06:19, Guido Serassio
 guido.seras...@acmeconsulting.it wrote:
  Hi,
 
   We have the below acl for users in the Ad global group
  
  
   external_acl_type AD_global_group ttl=120 %LOGIN
   c:/squid/libexec/mswin_check_ad_group.exe -G
  
   and another acl below that allows full access thru the squid proxy
   using an ad group
  
   acl InetAllow external AD_global_group CLW.Squid.Full
  
  
   any ideas
  
 
  AGAIN:
 
  When using mswin_check_ad_group.exe 1.x in global mode (-G option),
  the check is always done against a global group placed in the user's
  domain.
 
  So the question is: In which AD domain is the CLW.Squid.Full group
  defined?
 
  Regards
 
  Guido
 
  Guido Serassio
  Acme Consulting S.r.l.
  Microsoft Gold Certified Partner
  VMware Professional Partner
  Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
  Tel. : +39.011.9530135               Fax. : +39.011.9781115
  Email: guido.seras...@acmeconsulting.it
  WWW: http://www.acmeconsulting.it
 
 
 
 


[squid-users] R: [squid-users] External users from Child AD domain unable to use local Squid proxy

2010-04-18 Thread Guido Serassio
Hi,

When using mswin_check_ad_group.exe 1.x in global mode (-G option), the check 
is always done against a global group placed in the user's domain.

Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full AD group 
helper supporting full forest wide group recursion.
Take a look at the included docs for details.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Milan [mailto:compguy030...@gmail.com]
 Sent: Thursday, 15 April 2010 17.17
 To: squid-users@squid-cache.org
 Subject: [squid-users] External users from Child AD domain unable to use
 local Squid proxy
 
 We are using Squid on Windows as a proxy and we are having an issue
 when users that come from a child domain to our office do not
 authenticate properly.
 
 Example: our domain is na.myworld.com and users from eu.myworld.com
 come to our office and do not authenticate correctly
 The log of the connection is below.
 
 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
 1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
 1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
 1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
 1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
 
 We have the below acl for users in the Ad global group
 
 
 external_acl_type AD_global_group ttl=120 %LOGIN
 c:/squid/libexec/mswin_check_ad_group.exe -G
 
 and another acl below that allows full access thru the squid proxy
 using an ad group
 
 acl InetAllow external AD_global_group CLW.Squid.Full
 
 
 any ideas
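
Added example (not part of the thread, and not Squid project code): a small Python triage of the access.log excerpt above. It separates the `TCP_DENIED/407` challenges that belong to the normal NTLM handshake from `TCP_DENIED/403` lines that carry a user name, which mean authentication succeeded and an ACL such as the group check refused the request. The first seven sample lines are the ones quoted above with wrapping removed; the `na\jsmith` line and its peer address are constructed.

```python
import re
from collections import defaultdict

# Squid native access.log fields:
# time elapsed client action/status bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Lines 1-7: from the thread, unwrapped. Last line: constructed for contrast.
SAMPLE_LOG = r"""
1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
1271280071.774     31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
1271280104.258     47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.289     31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
1271280120.100    120 172.23.5.60 TCP_MISS/200 5128 GET http://www.yahoo.com/ na\jsmith DIRECT/192.0.2.10 text/html
"""


def parse(line):
    """Return the fields of one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def split_user(user):
    """Split DOMAIN\\account; the domain is '' when the name carries none."""
    user = user.replace("%5C", "\\").replace("%5c", "\\")
    domain, sep, account = user.partition("\\")
    return (domain.lower(), account) if sep else ("", user)


def summarize(lines):
    """Count 407 challenges per client and 403/allowed outcomes per logged user."""
    challenges = defaultdict(int)
    users = defaultdict(lambda: {"denied_403": 0, "allowed": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == 407:
            # No credentials accepted yet: part of the auth handshake.
            challenges[rec["client"]] += 1
        elif rec["user"] != "-":
            if rec["action"] != "TCP_DENIED":
                users[rec["user"]]["allowed"] += 1
            elif rec["status"] == 403:
                # A user name is logged, so authentication worked;
                # the refusal comes from an access rule.
                users[rec["user"]]["denied_403"] += 1
    return dict(challenges), dict(users)


def authenticated_but_blocked(users):
    """Users who authenticated but were never let through, as (domain, account)."""
    return sorted(
        split_user(name)
        for name, c in users.items()
        if c["denied_403"] > 0 and c["allowed"] == 0
    )


if __name__ == "__main__":
    challenges, users = summarize(SAMPLE_LOG.splitlines())
    print("407 challenges per client:", challenges)
    print("authenticated but blocked:", authenticated_but_blocked(users))
```

Grouping the result by domain shows at a glance whether every blocked account comes from the same child domain, which is the pattern this thread is about.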


[squid-users] R: [squid-users] Squid 2.7 port on Windows scenario

2010-04-13 Thread Guido Serassio
Hi,

From the provided release notes about Windows limitations:

* DISKD: still needs to be ported
* WCCP: cannot work because user space GRE support on Windows is missing
* Transparent Proxy: missing Windows non commercial interception driver
* Some code sections can make blocking calls.
* Some external helpers may not work.
* File Descriptors number hard-limited to 2048.

So, you cannot do transparent proxy on Windows.

Regards


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: 4N0 [mailto:sinko...@gmail.com]
 Sent: Tuesday, 13 April 2010 9.17
 To: squid-users@squid-cache.org
 Subject: [squid-users] Squid 2.7 port on Windows scenario
 
 
 Hello,
 
 I have a following scenario:
 
 Squid on one frontend Windows server that is needed to serve as image cache
 from two backend windows servers running asp.net applications. Squid also is
 needed for intelligent switch in case any of backend servers is dead (if
 server 2 is dead switch to server 3 and vice versa).
 
 My question is, how I can achieve this scenario with squid on configuration
 and hardware level? I've read squid documentation, example scenarios but
 can't get it to run. AFAIK my proxy needs to fulfill transparent proxy to
 remote box scenario. But maybe also reverse proxy? (I only want to cache
 static content, and balance switching).
 
 Configuration examples are welcomed.


[squid-users] R: [squid-users] Re: Does Squid support Winsock proxy

2010-04-13 Thread Guido Serassio
Hi,

No: Winsock proxy is a Microsoft proprietary, Windows-only functionality.

It is supported only by Microsoft ISA Server using the Microsoft Firewall Client.

Regards 

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it



 -Original Message-
 From: TONY FEI [mailto:tony@oocl.com]
 Sent: Friday, 9 April 2010 10.29
 To: squid-users@squid-cache.org
 Subject: [squid-users] Re: Does Squid support Winsock proxy
 
 
 Dear All, anyone can help answer my question kindly. Thanks!


[squid-users] R: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

2010-04-07 Thread Guido Serassio
Hi Markus,

 If you have a Windows client and the proxy send WWW-Proxy-Authorize:
 Negotiate the Windows client will try first to get a Kerberos ticket and
 if that succeeds sends a Negotiate response with a Kerberos token to the
 proxy.
 If the Windows client fails to get a Kerberos ticket the client will send
 a Negotiate response with a NTLM token to the proxy. Unfortunately there
 is yet no squid helper which can handle both a Negotiate/Kerberos response
 and a Negotiate/NTLM response (although maybe the samba ntlm helper can).
 So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native
Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
responses.

Regards


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


[squid-users] R: [squid-users] Supporting ie6/win2k clients

2010-02-04 Thread Guido Serassio
Hi,

Just use Firefox instead of IE.
The Squid Kerberos/Negotiate was initially tested on Windows 2000 using Firefox.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
 Sent: Wednesday, 3 February 2010 22.58
 To: 'squid-users@squid-cache.org'
 Subject: [squid-users] Supporting ie6/win2k clients
 
 Is there an alternative to ntlm_auth supporting these browsers in active
 directory to facilitate access w/o asking for creds (such as if used with
 LDAP auth) with out joining the server to active directory and using Samba?
 
 We have Kerberos auth functioning and the few win2k/ie6 clients obviously
 don't authenticate. I have an LDAP fallback and want to avoid Samba.
 
 Thanks,
 jlc



[squid-users] R: [squid-users] kerberos authentication and ldap

2010-01-31 Thread Guido Serassio
Hi,

The patch is already included since the following STABLE versions:

2.7 STABLE1
3.0 STABLE2

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
 Sent: Sunday, 31 January 2010 0.48
 To: 'squid-users@squid-cache.org'
 Subject: [squid-users] kerberos authentication and ldap
 
 We are getting some Win7 machines so I am migrating our ntlm setup
 to Kerberos. Looking at Markus Moeller's kerb guide, I see that it
 doesn't state how to control access after successful auth. Looking
 online,
 http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
 suggests an ldap companion method but this involves a patch.
 
 Is that patch still needed, or does there exist a stock approach
 to facilitate this, as our access is done by group ad membership?
 
 Thanks,
 jlc


[squid-users] R: [squid-users] NTLM v2

2010-01-07 Thread Guido Serassio
Hi,

You cannot force the NTLM version: the choice is made by the Windows SSPI on 
the proxy machine during the negotiate phase, and NTLMv2 can be used only if 
both the peers are able to use it.

Look here for more details:
http://davenport.sourceforge.net/ntlm.html

I don't know if Apache httpclient is able to use NTLMv2.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Ho, Oiling [mailto:oiling...@credit-suisse.com]
 Sent: Wednesday, 6 January 2010 18.16
 To: Guido Serassio; squid-users@squid-cache.org
 Cc: Svanes, Torkel
 Subject: RE: [squid-users] NTLM v2
 
 Hi,
 
 Thanks for your reply. Is there a way we can configure squid to use only
 NTLMV2? Can we tell from one of the log files if NTLMV2 is used instead
 of NTLMV1?
 
 Instead of using a windows browser to connect to squid, I am connecting to
 squid using a Apache Httpclient.
 
 Thanks,
 Oiling
 
 
 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Wednesday, January 06, 2010 11:44 AM
 To: Ho, Oiling; squid-users@squid-cache.org
 Subject: R: [squid-users] NTLM v2
 
 Hi,
 
 On Windows, the native NTLM helper, when running on a domain member
 machine, will always negotiate the highest usable NTLM protocol version,
 so if both the authentication peers can use NTLMv2, NTLMv2 is
 automatically selected.
 
 Please note that, if you want to USE NTLMv2, you need to have a Windows
 Domain and you must use domain accounts only. All modern Windows browsers
 are NTLMv2 capable.
 
 Regards
 
 Guido
 
 Guido Serassio
 Acme Consulting S.r.l.
 Microsoft Gold Certified Partner
 Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135   Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it
 
 
  -Original Message-
  From: Ho, Oiling [mailto:oiling...@credit-suisse.com]
  Sent: Tuesday, 5 January 2010 16.23
  To: squid-users@squid-cache.org
  Subject: [squid-users] NTLM v2
 
  Hi All,
 
  I have squid running on windows XP as a proxy server, I set up my
  computer to use NTLM V2 according to this link
  http://www.imss.caltech.edu/cms.php?op=wikiwiki_op=viewid=396 and
  rebooted my machine, then I used apache http client to connect to
  squid, it should not work since apache does not support NTLM V2, but
  somehow I was able to connect. Does anyone know what is going on? How
  can I tell from squid if it is using NTLM V1 or NTLM V2?
 
  Thanks,
  Oiling
 
 

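Added example (not part of the thread, and not Squid or helper code): one way to answer "NTLM V1 or NTLM V2?" from the client's final handshake message rather than from Squid's logs. Assuming you have the value of a `Proxy-Authorization: NTLM ...` header from your own capture, the Python below decodes the Type 3 message using the public NTLM message layout and classifies it by the length and shape of the NT response field. The three sample messages, and the `build_type3` helper that assembles them, are constructed for the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001


def _secbuf(msg, pos):
    """Read one security buffer header (length, allocated, offset) at pos."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length], offset


def classify_type3(header_value):
    """Classify the response carried in an NTLM Proxy-Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError("not an NTLM or Negotiate credential")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 52 or not msg.startswith(SIGNATURE):
        raise ValueError("not a raw NTLMSSP token (may be SPNEGO/Kerberos)")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")

    # Fixed header: LM response, NT response, domain, user, workstation.
    bufs = [_secbuf(msg, pos) for pos in (12, 20, 28, 36, 44)]
    (lm, _), (nt, _), (domain, _), (user, _), (host, _) = bufs

    # The flags field at offset 60 is optional; it is present only when
    # the payload starts at or after byte 64.
    first_payload = min((off for data, off in bufs if data), default=0)
    flags = struct.unpack_from("<I", msg, 60)[0] if first_payload >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"

    if not nt:
        version = "LM-only" if lm else "no-response"
    elif len(nt) == 24:
        # NTLMv1 is always 24 bytes. With extended session security the
        # LM field holds an 8-byte client nonce padded with 16 zero bytes.
        ess = len(lm) == 24 and lm[8:] == b"\x00" * 16
        version = "NTLMv1-ESS" if ess else "NTLMv1"
    elif len(nt) > 24 and nt[16:18] == b"\x01\x01":
        # NTLMv2: 16-byte HMAC followed by a blob that starts 0x01 0x01.
        version = "NTLMv2"
    else:
        version = "unknown"
    return {
        "version": version,
        "domain": domain.decode(enc, "replace"),
        "user": user.decode(enc, "replace"),
        "workstation": host.decode(enc, "replace"),
    }


def build_type3(lm, nt, domain, user, workstation):
    """Assemble a Type 3 message (constructed test data, Unicode strings)."""
    fields = [lm, nt] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields.append(b"")                       # empty session key buffer
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for field in fields:
        header += struct.pack("<HHI", len(field), len(field), 64 + len(payload))
        payload += field
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")


# Constructed samples: the response bytes are placeholders, not real hashes.
_V2_BLOB = b"\x01\x01" + bytes(6) + bytes(8) + bytes(range(8)) + bytes(8)
SAMPLES = {
    "v1": build_type3(bytes(range(1, 25)), bytes(range(30, 54)), "EXAMPLE", "alice", "WS01"),
    "v1_ess": build_type3(bytes(range(1, 9)) + bytes(16), bytes(range(30, 54)), "EXAMPLE", "bob", "WS02"),
    "v2": build_type3(bytes(range(1, 25)), bytes(range(60, 76)) + _V2_BLOB, "EXAMPLE", "carol", "WS03"),
}

if __name__ == "__main__":
    for name, header_value in SAMPLES.items():
        print(name, classify_type3(header_value))
```

A 24-byte NT response from a client that was supposed to be NTLMv2-only is the signal that the negotiation settled on the older protocol.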

[squid-users] R: [squid-users] NTLM v2

2010-01-06 Thread Guido Serassio
Hi,

On Windows, the native NTLM helper, when running on a domain member machine, 
will always negotiate the highest usable NTLM protocol version, so if both the 
authentication peers can use NTLMv2, NTLMv2 is automatically selected.

Please note that, if you want to USE NTLMv2, you need to have a Windows Domain 
and you must use domain accounts only. All modern Windows browsers are NTLMv2 
capable.

Regards 

Guido

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Ho, Oiling [mailto:oiling...@credit-suisse.com]
 Sent: Tuesday, 5 January 2010 16.23
 To: squid-users@squid-cache.org
 Subject: [squid-users] NTLM v2
 
 Hi All,
 
 I have squid running on windows XP as a proxy server, I set up my
 computer to use NTLM V2 according to this link
 http://www.imss.caltech.edu/cms.php?op=wikiwiki_op=viewid=396 and
 rebooted my machine, then I used apache http client to connect to squid,
 it should not work since apache does not support NTLM V2, but somehow I
 was able to connect. Does anyone know what is going on? How can I tell
 from squid if it is using NTLM V1 or NTLM V2?
 
 Thanks,
 Oiling
 
 


[squid-users] R: [squid-users] NTLM v2

2009-12-18 Thread Guido Serassio
Hi, 

You are already using NTLMv2.

As you can read in the provided documentation, mswin_ntlm_auth.exe supports 
both NTLM/NTLMv2.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Ho, Oiling [mailto:oiling...@credit-suisse.com]
 Sent: Friday, 18 December 2009 22.20
 To: squid-users@squid-cache.org
 Subject: [squid-users] NTLM v2
 
 Hi,
 
 I am running squid 2.7 on windows and it is configured to use NTLM
 authentication. Does anyone know how to configure it to use NTLM v2 on
 windows?
 
 Thanks,
 Oiling
 
 
 
 


[squid-users] R: [squid-users] Squid Service on windows Starts and stops automatically

2009-12-14 Thread Guido Serassio
Hi,

Try the following:

- Remove squid service (squid -r)
- clean the following registry keys:
HKLM\SOFTWARE\GNU\Squid
HKLM\SYSTEM\CurrentControlSet\Services\Squid
- Install Squid Service (squid -i) using the local administrator account with 
UAC disabled

(If Squid must run in a different path from c:\squid, don't forget to specify 
the -f option after -i when installing the squid service.)

Regards

Guido


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Preetham N. [mailto:preetha...@gmail.com]
 Sent: Monday, 14 December 2009 10.03
 To: Squid Users; Guido Serassio
 Subject: Fwd: [squid-users] Squid Service on windows Starts and stops
 automatically
 
 Hi, I still have the same problem..Can some one help please?
 
 Hi,
 Sorry for the late update.
 I had not disabled UAC before installing squid. So I disabled it,
 uninstalled the squid service, cleared the contents of the log file
 and then installed the service again. It's the same problem but now, it
 is not writing anything into the logfile, its blank. When i try
 starting the service from the command prompt it says the service could
 not be started but there were no errors reported. Again, nothing in
 the log file.
 Any help?
 
 Regards,
 Preetham
 
 -- Forwarded message --
 From: Preetham N. preetha...@gmail.com
 Date: Mon, Dec 7, 2009 at 7:00 PM
 Subject: Re: [squid-users] Squid Service on windows Starts and stops
 automatically
 To: Kinkie gkin...@gmail.com
 
 
 hi,
 below is the snippet from the log
 
 2009/12/01 16:23:52| Starting Squid Cache version 2.7.STABLE7 for
 i686-pc-winnt...
 2009/12/01 16:23:52| Running on Windows Server 2008
 2009/12/01 16:23:52| Process ID 1972
 2009/12/01 16:23:52| With 2048 file descriptors available
 2009/12/01 16:23:52| With 512 CRT stdio descriptors available
 2009/12/01 16:23:52| Windows sockets initialized
 2009/12/01 16:23:52| Using select for the IO loop
 2009/12/01 16:23:52| Performing DNS Tests...
 2009/12/01 16:23:52| Successful DNS name lookup tests...
 2009/12/01 16:23:52| DNS Socket created at 0.0.0.0, port 57426, FD 4
 2009/12/01 16:23:52| Adding nameserver 125.22.47.125 from Registry
 2009/12/01 16:23:52| Adding nameserver 202.56.230.6 from Registry
 2009/12/01 16:23:52| Adding domain  from Registry
 2009/12/01 16:23:52| User-Agent logging is disabled.
 2009/12/01 16:23:52| Referer logging is disabled.
 2009/12/01 16:23:52| logfileOpen: opening log c:/squid/var/logs/access.log
 2009/12/01 16:23:52| Unlinkd pipe opened on FD 7
 2009/12/01 16:23:52| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
 2009/12/01 16:23:52| Target number of buckets: 425
 2009/12/01 16:23:52| Using 8192 Store buckets
 2009/12/01 16:23:52| Max Mem  size: 8192 KB
 2009/12/01 16:23:52| Max Swap size: 102400 KB
 2009/12/01 16:23:52| Local cache digest enabled; rebuild/rewrite every
 3600/3600 sec
 2009/12/01 16:23:52| logfileOpen: opening log c:/squid/var/logs/store.log
 2009/12/01 16:23:52| Rebuilding storage in c:/squid/var/cache (CLEAN)
 2009/12/01 16:23:52| Using Least Load store dir selection
 2009/12/01 16:23:52| Set Current Directory to c:/squid/var/cache
 2009/12/01 16:23:52| Loaded Icons.
 2009/12/01 16:23:52| Accepting proxy HTTP connections at 0.0.0.0, port
 3128, FD 13.
 2009/12/01 16:23:52| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
 2009/12/01 16:23:52| Accepting HTCP messages on port 4827, FD 15.
 2009/12/01 16:23:52| Accepting SNMP messages on port 3401, FD 16.
 2009/12/01 16:23:52| Ready to serve requests.
 2009/12/01 16:23:53| Done reading c:/squid/var/cache swaplog (0 entries)
 2009/12/01 16:23:53| Finished rebuilding storage from disk.
 2009/12/01 16:23:53|         0 Entries scanned
 2009/12/01 16:23:53|         0 Invalid entries.
 2009/12/01 16:23:53|         0 With invalid flags.
 2009/12/01 16:23:53|         0 Objects loaded.
 2009/12/01 16:23:53|         0 Objects expired.
 2009/12/01 16:23:53|         0 Objects cancelled.
 2009/12/01 16:23:53|         0 Duplicate URLs purged.
 2009/12/01 16:23:53|         0 Swapfile clashes avoided.
 2009/12/01 16:23:53|   Took 1.0 seconds (   0.0 objects/sec).
 2009/12/01 16:23:53| Beginning Validation Procedure
 2009/12/01 16:23:53|   Completed Validation Procedure
 2009/12/01 16:23:53|   Validated 0 Entries
 2009/12/01 16:23:53|   store_swap_size = 0k
 2009/12/01 16:23:54| storeLateRelease: released 0 objects
 2009/12/01 16:23:57| Preparing for shutdown after 0 requests
 2009/12/01 16:23:57| Waiting 0 seconds for active connections to finish
 2009/12/01 16:23:57| FD 13 Closing HTTP connection
 2009/12/01 16:23:57| Shutting down...
 2009/12/01 16:23:57| FD 14 Closing ICP connection
 2009/12/01 16:23:57| FD 15 Closing HTCP socket
 2009/12/01 16:23:57| FD 16 Closing

[squid-users] R: [squid-users] Squid Service on windows Starts and stops automatically

2009-12-08 Thread Guido Serassio
Hi,

Very hard to help someone, if the reply e-mails are sent only to Kinkie 

Regards

Guido


Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Kinkie [mailto:gkin...@gmail.com]
 Sent: Monday, 7 December 2009 20.24
 To: Preetham N.; Squid Users
 Subject: Re: [squid-users] Squid Service on windows Starts and stops
 automatically
 
 On Mon, Dec 7, 2009 at 2:30 PM, Preetham N. preetha...@gmail.com wrote:
  hi,
  below is the snippet from the log
 
 Strange..
 it seems to start and then voluntarily stop, no mention of errors.
 Maybe Guido can help you more than I can..
 
 --
 /kinkie


[squid-users] R: [squid-users] Squid Service on windows Starts and stops automatically

2009-12-08 Thread Guido Serassio
Hi,

How is this Squid instance being started?
The following is a log fragment of a Squid service:
 
2009/11/29 09:13:44| Starting Squid Cache version 2.7.STABLE7-CVS for
i686-pc-winnt...
2009/11/29 09:13:44| Running as Squid Windows System Service on Windows
XP
2009/11/29 09:13:44| Service command line is: 
2009/11/29 09:13:44| Process ID 1472
2009/11/29 09:13:44| With 2048 file descriptors available
2009/11/29 09:13:44| With 2048 CRT stdio descriptors available

While your log seems to come from a command line interactive start:

 2009/12/01 16:23:52| Starting Squid Cache version 2.7.STABLE7 for
 i686-pc-winnt...
 2009/12/01 16:23:52| Running on Windows Server 2008
 2009/12/01 16:23:52| Process ID 1972
 2009/12/01 16:23:52| With 2048 file descriptors available
 2009/12/01 16:23:52| With 512 CRT stdio descriptors available

Have you disabled UAC before installing Squid, as noted in the release
notes?

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it
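
Added example (not part of the thread, and not Squid project code): the comparison made in the reply above, as a Python check over cache.log. It labels each start as a service start or a non-service start from the `Running as Squid Windows System Service on` / `Running on` line, and flags runs that shut down within a few seconds of `Ready to serve requests.` without serving a request. The sample is reassembled from the two log excerpts quoted in this thread with wrapped lines rejoined; the 30-second threshold is an assumption.

```python
import re
from datetime import datetime

STAMP_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*(.*)$")
SHUTDOWN_RE = re.compile(r"^Preparing for shutdown after (\d+) requests")
SERVICE_PREFIX = "Running as Squid Windows System Service on "
PLAIN_PREFIX = "Running on "

# Reassembled from the excerpts quoted in the thread (wrapping removed).
SAMPLE_LOG = """
2009/11/29 09:13:44| Starting Squid Cache version 2.7.STABLE7-CVS for i686-pc-winnt...
2009/11/29 09:13:44| Running as Squid Windows System Service on Windows XP
2009/11/29 09:13:44| Service command line is:
2009/11/29 09:13:44| Process ID 1472
2009/12/01 16:23:52| Starting Squid Cache version 2.7.STABLE7 for i686-pc-winnt...
2009/12/01 16:23:52| Running on Windows Server 2008
2009/12/01 16:23:52| Process ID 1972
2009/12/01 16:23:52| Ready to serve requests.
2009/12/01 16:23:57| Preparing for shutdown after 0 requests
2009/12/01 16:23:57| Shutting down...
"""


def analyze_runs(text, flap_seconds=30):
    """Split cache.log into runs and describe how each one started and ended."""
    runs, cur = [], None
    for raw in text.splitlines():
        m = STAMP_RE.match(raw.strip())
        if m is None:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2).strip()
        if msg.startswith("Starting Squid Cache version"):
            cur = {"started": ts, "mode": "unknown", "platform": None,
                   "ready": None, "shutdown": None, "requests": None}
            runs.append(cur)
        elif cur is None:
            continue                      # text before the first start banner
        elif msg.startswith(SERVICE_PREFIX):
            cur["mode"] = "service"
            cur["platform"] = msg[len(SERVICE_PREFIX):]
        elif msg.startswith(PLAIN_PREFIX):
            cur["mode"] = "interactive"   # no service banner: started some other way
            cur["platform"] = msg[len(PLAIN_PREFIX):]
        elif msg == "Ready to serve requests.":
            cur["ready"] = ts
        else:
            stop = SHUTDOWN_RE.match(msg)
            if stop and cur["shutdown"] is None:
                cur["shutdown"] = ts
                cur["requests"] = int(stop.group(1))
    for run in runs:
        lifetime = None
        if run["ready"] is not None and run["shutdown"] is not None:
            lifetime = (run["shutdown"] - run["ready"]).total_seconds()
        run["lifetime_seconds"] = lifetime
        # Start-then-stop with nothing served is the symptom from this thread.
        run["flapped"] = (lifetime is not None and lifetime <= flap_seconds
                          and run["requests"] == 0)
    return runs


if __name__ == "__main__":
    for run in analyze_runs(SAMPLE_LOG):
        print(run["started"], run["mode"], run["platform"],
              "flapped" if run["flapped"] else "ok/incomplete")
```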



[squid-users] R: [squid-users] SquidNT Authentication Question

2009-09-22 Thread Guido Serassio
Hi,

The binary kit of 2.7 STABLE7 is already available.

But there are some little problems with the new helper regarding universal 
group usage. A new version will be available shortly.

For now, if you like, I could provide to you the new executable.

Regards

 -Original Message-
 From: Jacques Kruger (DHL NA) [mailto:jacques.kru...@dhl.com]
 Sent: Tuesday, 22 September 2009 8.32
 To: Amos Jeffries
 Cc: squid-users@squid-cache.org
 Subject: RE: [squid-users] SquidNT Authentication Question
 
 Hi Amos,
 
 Thanks for the feedback. You are right, I should check my terminology as
 I am in fact referring to Squid for Windows.
 
 I'll have a go with the 2.7 release today and advise if that solves my
 issue.
 
 Have a fun day!
Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it




[squid-users] R: [squid-users] SquidNT Authentication Question

2009-09-22 Thread Guido Serassio
Hi,

After any change in group memberships you must reconfigure Squid because the 
helper response is cached for 1 hour by Squid.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Jacques Kruger (DHL NA) [mailto:jacques.kru...@dhl.com]
 Sent: Tuesday, 22 September 2009 10.31
 To: Guido Serassio; Amos Jeffries
 Cc: squid-users@squid-cache.org
 Subject: RE: [squid-users] SquidNT Authentication Question
 
 Hi Guido,
 
 I would appreciate it if you can provide me with the executable. I have
 installed and configured 2.7 Stable and the authentication is not going as
 expected.
 
 The setup is as follows: GroupA with GroupB as a member. GroupB has
 testuser as a member.
 
 If I set authentication against GroupB everything works as expected. If I
 set Authentication against GroupA, the user is granted full access even if
 I remove the user from GroupB.
 
 Thanks in advance.
 
 
 Jacques Kruger
 
 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: 22 September 2009 09:19
 To: Jacques Kruger (DHL NA); Amos Jeffries
 Cc: squid-users@squid-cache.org
 Subject: R: [squid-users] SquidNT Authentication Question
 
 Hi,
 
 The binary kit of 2.7 STABLE7 is already available.
 
 But there are some little problems with the new helper regarding universal
 group usage. A new version will be available shortly.
 
 For now, if you like, I could provide to you the new executable.
 
 Regards
 
  -Original Message-
  From: Jacques Kruger (DHL NA) [mailto:jacques.kru...@dhl.com]
  Sent: Tuesday, 22 September 2009 8.32
  To: Amos Jeffries
  Cc: squid-users@squid-cache.org
  Subject: RE: [squid-users] SquidNT Authentication Question
 
  Hi Amos,
 
  Thanks for the feedback. You are right, I should check my terminology as
  I am in fact referring to Squid for Windows.
 
  I'll have a go with the 2.7 release today and advise if that solves my
  issue.
 
  Have a fun day!
 Guido Serassio
 Acme Consulting S.r.l.
 Microsoft Gold Certified Partner
 Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135   Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it
 



[squid-users] R: [squid-users] Squid and two Active Directory

2009-09-02 Thread Guido Serassio
Hi,

If the two domains are placed in two different AD Forests, a forest trust 
is needed for Kerberos authentication.

But the two AD forests must be at least Windows 2003 AD Forests running in 
forest and domain Windows 2003 native mode.

Here you can find more details:
http://technet.microsoft.com/en-us/library/cc736526(WS.10).aspx

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


 -Original Message-
 From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
 Sent: Wednesday 2 September 2009 20.26
 To: SecureSoft - Daniel Merino
 Cc: squid-users@squid-cache.org
 Subject: RE: [squid-users] Squid and two Active Directory
 
 Wed 2009-09-02 at 12:52 -0500, SecureSoft - Daniel Merino wrote:
  How does this work? Because when I configure the squid Server in the Kerberos
  and samba I set up an active directory config and I don't know how to add
  another one.
 
 Trust relations are configured in the active directory servers.
 
 But for kerberos I think you can just use a merged keytab with
 principals from both trees. But not entirely sure..
 
  This trust relation, it's like the 2 active directories know each other and
  when I ask groups and users from the first active directory it also gives me
  the users and groups from the other AD in trust relation?
 
 Yes.
 
 Regards
 Henrik



Re: [squid-users] Building squid 3.1.0.13 on MS-Windows (minGW)

2009-08-16 Thread Guido Serassio

Hi Amos,

At 14.25 16/08/2009, Amos Jeffries wrote:

CC'ing to squid-dev. This really should be over there.
Maybe Guido can help.


Probably the solution is not simple.

As you know, the development of Squid 3 has been stopped since April 2008 
after the bazaar migration.


This means that ALL subsequent code changes to Squid 3 are fully 
untested on Windows.
Two months ago I was able to fix all the build failures of Squid 3 
when building using MinGW, but nothing was done on the functionality side.


Today, according to Canonical people, bazaar should really work on 
Windows, but there are too many outstanding code changes to be 
checked by a single developer: looking at the Squid 3.1 project summary, 
there are 1022 changesets with 204446 line insertions and 295342 line deletions.


From my point of view, currently the Windows port of Squid 3.0 must 
be considered fully broken because it is incomplete and untested.


Regards

Guido



Guido Serassio
Acme Consulting S.r.l. - Microsoft Gold Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Kerberos authentication pre-caching in Squid for Windows

2009-08-07 Thread Guido Serassio

Hi,

At 11.30 07/08/2009, Holly King wrote:


Hello, I'm trying to set up a pilot to replace proprietary caches in
schools.  Because of training issues with on-site technicians I'm kinda
stuck with using Windows but would like to use Squid.

Stumbling
block 1 - I've not been able to find any documentation on Kerberos
authentication by Squid for Windows (just on *nix), can anyone point me
in the right direction?  Ideally I would want to be able to
authenticate on a group level so site technicians just move accounts
into/out of a group to allow or deny access.  Also, is there a way to
add whitelists regardless so pupils can be banned from the internet yet
still access resources needed for lessons?


A Windows native Negotiate (Kerberos) helper is included in official 
Squid sources starting from Squid 2.6 STABLE 1.


Just download the latest 2.7 binaries for Windows 
(http://wiki.squid-cache.org/SquidFaq/BinaryPackages) and configure 
squid to use the mswin_negotiate_auth.exe helper for negotiate auth 
schema, no options are required, it works just out of the box.


Regards

Guido



Guido Serassio
Acme Consulting S.r.l. - Microsoft Gold Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] R: [squid-users] next Squid 2.7 release?

2009-06-03 Thread Guido Serassio
Hi,

There are already many Windows changes to be included, and I think that they 
should be in a final STABLE 2.7 release.

But if 2.7 STABLE6 will be considered the final STABLE 2.7 release, we will 
build an updated 2.7 STABLE6-2 binary for Windows.

But I think also that a new STABLE release could be better and more clear for 
users.

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  

 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Wednesday 3 June 2009 2.13
 To: Balaji Ganesan
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] next Squid 2.7 release?
 Priority: High
 
 On Tue, 2 Jun 2009 16:44:50 -0700, Balaji Ganesan
 bgane...@venturiwireless.com wrote:
  Hi,
  Can anyone please let me know when is the next stable 2.7 release
  intended. I believe Windows 7 support is on the next release and I
  would like to have that for my work. Also please let me know which
  STABLE version will that one be.
 
  Thanks
  Balaji
 
 Henrik who maintains Squid-2 and makes these decisions for that branch is
 taking a long overdue break from squid at present. He will be back at some
 undefined point in the future.
 
 The next numerical release of 2.7 will be 2.7.STABLE7 if it comes out.
 No release is timelined at present, though I have little doubt there will
 be one eventually.
 
 Meanwhile you should contact Acme Consulting
 (http://squid.acmeconsulting.it/) about an updated build.
 
 Amos



Re: [squid-users] Security of NTLM authentication

2009-06-03 Thread Guido Serassio

Hi,

At 01.59 03/06/2009, Amos Jeffries wrote:

On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
leolis...@solutti.com.br wrote:
 Hello Guys,

 a simple question. I know that basic authentication schemas
 transmit username/password in cleartext over the wire. It's base64
 encoded, but it's trivially detected and decoded, which make them not
 the most secure ones to use.

 do NTLM authentication schemas are more secure than basic ones, i
 mean, do NTLM authentication schema transmit cleartext (or simply
 encoded) username/passwords over the wire ?

NTLM uses a side channel directly between the domain control server and the
machine needing to check auth. I'm not sure how that is coded. The HTTP
side of the triangle includes a hash of the credentials.

One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken, none are completely secure. The
latest windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).


Just some more explanation here:

There are two flavors of NTLM: V1 (the windows 9x version) and V2.
Squid is able to use both, but V2 is more secure.

On the Kerberos side, you need the negotiate authentication schema, 
but there are some requirements to meet:

Browser:
- Internet Explorer 7.0 or later
- Firefox 1.5 or later
OS:
- Windows 2000 or later

So on Windows 2000 you can use Negotiate with Firefox only, while on 
XP/2003 you need to install at least IE7 or Firefox.


Regards

Guido




Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
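
The difference discussed in this thread between Basic and NTLM credentials on the wire, as an added example that is not part of the original messages: the function takes a Proxy-Authorization header value and reports whether the password can be read straight back (Basic) or only a challenge/response message is present (NTLM), and for an NTLM type 3 message whether the NT response has the 24-byte V1 length or the longer V2 form. The header values are constructed sample data, and the function and helper names are hypothetical.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_proxy_authorization(value):
    """Describe what one Proxy-Authorization header value exposes on the wire."""
    scheme, _, blob = value.strip().partition(" ")
    info = {"scheme": scheme.lower(), "cleartext_password": None}
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        info["detail"] = "payload is not valid base64"
        return info

    if info["scheme"] == "basic":
        # Basic is only an encoding: user and password come straight back out.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        info["user"] = user
        info["cleartext_password"] = password if sep else None
        info["detail"] = "credentials recoverable by base64 decoding"
        return info

    if info["scheme"] in ("ntlm", "negotiate") and raw.startswith(NTLMSSP) and len(raw) >= 12:
        # Bytes 8..11 hold the little-endian NTLM message type.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info["ntlm_message"] = MESSAGE_TYPES.get(msg_type, "unknown")
        if msg_type == 3 and len(raw) >= 28:
            # In a type 3 message the NT response length field is at offset 20.
            nt_len = struct.unpack_from("<H", raw, 20)[0]
            info["nt_response_len"] = nt_len
            if nt_len == 24:
                info["response_family"] = "NTLMv1-style (24-byte response)"
            elif nt_len > 24:
                info["response_family"] = "NTLMv2"
            else:
                info["response_family"] = "none"
        info["detail"] = "challenge/response derived from the password hash; password not sent"
        return info

    info["detail"] = "opaque token (for Negotiate, normally a Kerberos/SPNEGO blob)"
    return info


def build_sample_type3(nt_response):
    """Build a minimal type 3 message for the demo (constructed, not a capture)."""
    header_len = 64  # signature + type + six 8-byte field descriptors + flags
    lm_response = b"\x00" * 24

    def field(length, offset):
        return struct.pack("<HHI", length, length, offset)

    payload = lm_response + nt_response
    msg = NTLMSSP + struct.pack("<I", 3)
    msg += field(len(lm_response), header_len)                     # LM response
    msg += field(len(nt_response), header_len + len(lm_response))  # NT response
    msg += field(0, header_len + len(payload)) * 4  # domain, user, workstation, session key
    msg += struct.pack("<I", 0)                     # negotiate flags
    return msg + payload


# Constructed sample header values; the account and password are made up.
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"testuser:Example-Passw0rd").decode(),
    "ntlm_v1": "NTLM " + base64.b64encode(build_sample_type3(b"\x11" * 24)).decode(),
    "ntlm_v2": "NTLM " + base64.b64encode(build_sample_type3(b"\x22" * 48)).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_proxy_authorization(header))
```
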



Re: [squid-users] squid_ldap_group group names cannot have spaces?

2009-05-24 Thread Guido Serassio

Hi,

At 04.04 23/05/2009, Amos Jeffries wrote:

Justin Yaple wrote:
 Hello,

 I have been working on getting my first squid proxy server up, and it's
 been going slow, but good.  I got LDAP authentication working, and
 then group authentication working also.  The only problem I found is
 that an LDAP group with spaces in the name does not work.  I have read
 online that you should use single quotes to specify group names with
 spaces but it still does not work.

 My group name is like G SG GroupName, and if I use 'G SG GroupName'
 when I try to start squid it returns strtokFile: G not found.  I
 have also tried to escape the space using \.  Doing that I could get
 squid to start without any error, but the login would not work.

 Anything I can do to get this working with the spaces?

 This was my guide to getting it setup.
 
http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory


Not easily. \  indicates reading from a file as you noticed.

Squid-2 has no natural support for character escaping.

Squid-3 contains a token function for this which is not always used
despite places like this where it should be. Patches to make 3.HEAD use
it routinely are very welcome.


There is a trick for Windows native helpers, it should apply also to LDAP.

From the readme of mswin_check_ad_group:



Groups with spaces in name, for example "Domain Users", must be quoted and
the acl data ("Domain Users") must be placed into a separate file included
by specifying "/path/to/file". The previous example will be:

acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers"

and the DomainUsers files will contain only the following line:

"Domain Users"



Hoping that it works with LDAP quoting.

Regards

Guido


Amos
--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7




Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] R: [squid-users] Compiling squid 4 windows

2009-05-23 Thread Guido Serassio
Hi,

http://www.squid-cache.org/Download/binaries.dyn

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  

 -Original Message-
 From: Vicks [mailto:ondemandema...@yahoo.com]
 Sent: Saturday 23 May 2009 5.51
 To: squid cache
 Subject: [squid-users] Compiling squid 4 windows
 
 
 Dear friends,
 
 I am looking forward to compiling Squid for Windows in a MAC-based filtering
 environment, but when I checked on the internet, it became cumbersome for me
 to know what to download and from where. Can anyone tell me what software
 I will need, plus the complete way to compile, in the given way, the latest
 or the stable version?
 
 I will be very thankful.
 
 Thanks
 
 Bye
 
 



[squid-users] R: [squid-users] RE: Error with ntlm authentication

2009-05-14 Thread Guido Serassio
Hi,

Wrong helper here:

 auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe -d

auth_param basic program c:/squid/libexec/mswin_auth.exe

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  

 -Original Message-
 From: Delgado Contreras, Verónica [mailto:vdelg...@cajadeburgos.es]
 Sent: Wednesday 13 May 2009 9.11
 To: Guido Serassio; squid-users@squid-cache.org
 Subject: RE: [squid-users] RE: Error with ntlm authentication
 
 Hi,
 
 I have solved the Error 1054. But I also have this error.
 
 Type: Error
 User: N/A
 Source: Application Error
 Category: (100)
 EventID: 1000
 
 Description:
 
 Faulting application mswin_ntlm_auth.exe, version 0.0.0.0, faulting module
 msvcrt.dll, version 7.0.3790.3959, fault address 0x00037e23.
 
 For more information, see Help and Support Center at
 http://go.microsoft.com/fwlink/events.asp.
 
 
 
 This is my configuration in squid.conf:
 
 auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe -d
 auth_param ntlm children 50
 auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe -d
 auth_param basic children 50
 auth_param basic keep_alive on
 auth_param ntlm keep_alive on
 auth_param negotiate keep_alive on
 
 auth_param basic credentialsttl 5 minutes
 
 external_acl_type AD_global_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -D cajadeburgos.des -G -d
 
 acl GProxyUsers external AD_global_group c:/squid/etc/DomainUsers
 acl dstcomun dstdomain C:/squid/etc/comun.acl
 acl ntlm-users proxy_auth REQUIRED
 http_access allow ntlm-users GProxyUsers
 
 
 When a user opens a web page in a browser for the first time, the user and
 domain are sent and the proxy allows the page, but the next times the user
 and domain aren't sent and the proxy doesn't allow the page, and the Event
 Viewer Application log shows EventID 1000.
 
 
 It can see in the file access.log
 
 1242042166.237    782 172.24.4.123 TCP_MISS/302 612 GET http://go.microsoft.com/fwlink/? dodes\administrator DIRECT/64.4.52.189 text/html
 1242042166.831    593 172.24.4.123 TCP_MISS/403 1010 GET http://runonce.msn.com/runonce3.aspx dodes\administrator DIRECT/213.199.181.20 text/html
 1242042177.426      0 172.24.4.123 TCP_DENIED/407 1782 GET http://www.google.es/ - NONE/- text/html
 
 Thank you.
 
 Verónica Delgado
 Depto. Sistemas
 CAJA DE BURGOS
 C: 947 258 495
 : vdelg...@cajadeburgos.es
 
 
 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Tuesday, 12 May 2009 19:46
 To: Delgado Contreras, Verónica; squid-users@squid-cache.org
 Subject: R: [squid-users] RE: Error with ntlm authentication
 
 Hi,
 
 The errors that you can see in the event log of your machine are not
 related to Squid, but are the symptom of some malfunction in the access to
 AD from the machine itself.
 So likely any ntlm problem could be related.
 
 But, what is the helpers command line in squid.conf ?
 
 Regards
 
 Guido Serassio
 
 Acme Consulting S.r.l. - Microsoft Certified Partner
 Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135   Fax. : +39.011.9781115
 Email: i...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it/
 
 
 
  -Original Message-
  From: Delgado Contreras, Verónica [mailto:vdelg...@cajadeburgos.es]
  Sent: Tuesday 12 May 2009 8.20
  To: squid-users@squid-cache.org
  Subject: [squid-users] RE: Error with ntlm authentication
 
 
  Hello,
 
  I'm testing Squid 3 for Windows. I try to configure squid with ntlm
  authentication but I have an error in event viewer-Application.
 
  Type: Error
  User: NT AUTHORITY\SYSTEM
  Computer: LOBO
  Source: Userenv
  Category: None
  Event ID: 1054
  Description:
  Windows cannot obtain the domain controller name for your computer network.
  (An unexpected network error occurred. ). Group Policy processing aborted.
 
  For more information, see Help and Support Center at
  http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
  And the "cache.log" shows this:
 
 
 
  ntlm-auth[2828](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
  build Mar  6 2009, 23:32:18 starting up...
  ntlm-auth[2828](ntlm_auth.c:391): SSPI initialized OK
  ntlm-auth[796](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
  build Mar  6 2009, 23:32:18 starting up...
  ntlm-auth[796](ntlm_auth.c:391): SSPI initialized OK
  ntlm-auth[5620](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
  build Mar  6 2009, 23:32:18 starting up...
  ntlm-auth[5620](ntlm_auth.c:391): SSPI initialized OK
  ntlm-auth[2864](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
  build Mar  6 2009, 23:32:18 starting up...
  ntlm-auth[2864](ntlm_auth.c:391): SSPI initialized OK
  ntlm-auth[5644](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
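
A check for the mistake Guido points out in this message (the basic scheme pointed at the NTLM helper), as an added example that is not part of the original messages or of Squid itself. The helper-to-scheme pairing uses only the helper names mentioned in these threads; the function name and finding labels are hypothetical, and the sample input is the auth_param block as posted.

```python
# Helper names and the scheme each one serves, as stated in these threads.
HELPER_SCHEME = {
    "mswin_auth.exe": "basic",
    "mswin_ntlm_auth.exe": "ntlm",
    "mswin_negotiate_auth.exe": "negotiate",
}


def lint_auth_params(conf_text):
    """Return sorted (line, kind, message) findings for auth_param lines."""
    programs = {}  # scheme -> helper file name from its "program" line
    tuned = {}     # scheme -> first line that sets any other option
    findings = []

    for lineno, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "auth_param":
            continue
        scheme, key = tokens[1].lower(), tokens[2].lower()
        if key != "program":
            tuned.setdefault(scheme, lineno)
            continue
        if len(tokens) < 4:
            findings.append((lineno, "empty-program",
                             f"{scheme}: program line names no helper"))
            continue
        # Compare on the file name only, whatever the path style or case.
        helper = tokens[3].replace("\\", "/").rsplit("/", 1)[-1].lower()
        programs[scheme] = helper
        expected = HELPER_SCHEME.get(helper)
        if expected is not None and expected != scheme:
            findings.append((lineno, "mismatch",
                             f"{scheme} scheme uses {helper}, "
                             f"which is the {expected} helper"))

    # Options set for a scheme that never gets a helper (flagging this is an
    # assumption of this example about what an administrator wants to know).
    for scheme, lineno in tuned.items():
        if scheme not in programs:
            findings.append((lineno, "no-program",
                             f"{scheme} scheme has settings but no program line"))
    return sorted(findings)


# The auth_param block as posted in the thread.
POSTED_CONF = """\
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe -d
auth_param ntlm children 50
auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe -d
auth_param basic children 50
auth_param basic keep_alive on
auth_param ntlm keep_alive on
auth_param negotiate keep_alive on
"""

# Same block with the basic line replaced by the one given in the reply.
FIXED_CONF = POSTED_CONF.replace(
    "auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe -d",
    "auth_param basic program c:/squid/libexec/mswin_auth.exe",
)

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for lineno, kind, message in lint_auth_params(conf):
            print(f"  line {lineno}: [{kind}] {message}")
```
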

[squid-users] R: [squid-users] RE: Error with ntlm authentication

2009-05-12 Thread Guido Serassio
Hi,

The errors that you can see in the event log of your machine are not related to 
Squid, but are the symptom of some malfunction in the access to AD from the 
machine itself.
So likely any ntlm problem could be related.

But, what is the helpers command line in squid.conf ?

Regards 

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  


 -Original Message-
 From: Delgado Contreras, Verónica [mailto:vdelg...@cajadeburgos.es]
 Sent: Tuesday 12 May 2009 8.20
 To: squid-users@squid-cache.org
 Subject: [squid-users] RE: Error with ntlm authentication
 
 
 Hello,
 
 I'm testing Squid 3 for Windows. I try to configure squid with ntlm
 authentication but I have an error in event viewer-Application.
 
 Type: Error
 User: NT AUTHORITY\SYSTEM
 Computer: LOBO
 Source: Userenv
 Category: None
 Event ID: 1054
 Description:
 Windows cannot obtain the domain controller name for your computer network.
 (An unexpected network error occurred. ). Group Policy processing aborted.
 
 For more information, see Help and Support Center at
 http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
 And the "cache.log" shows this:
 
 
 
 ntlm-auth[2828](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[2828](ntlm_auth.c:391): SSPI initialized OK
 ntlm-auth[796](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[796](ntlm_auth.c:391): SSPI initialized OK
 ntlm-auth[5620](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[5620](ntlm_auth.c:391): SSPI initialized OK
 ntlm-auth[2864](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[2864](ntlm_auth.c:391): SSPI initialized OK
 ntlm-auth[5644](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[5644](ntlm_auth.c:391): SSPI initialized OK
 2009/05/11 12:56:47| helperOpenServers: Starting 5
 'mswin_check_ad_group.exe' processes
 ntlm-auth[3248](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[3248](ntlm_auth.c:391): SSPI initialized OK
 ntlm-auth[5980](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[5980](ntlm_auth.c:391): SSPI initialized OK
 /mswin_check_ad_group.exe[3012]: Member of Domain DODES
 
 /mswin_check_ad_group.exe[3012]: Into forest cajadeburgos.des
 
 /mswin_check_ad_group.exe[3012]: External ACL win32 group helper build Mar
 6 2009, 23:48:40 starting up...
 
 /mswin_check_ad_group.exe[3012]: Domain Global group mode enabled using
 'cajadeburgos.de' as default domain.
 
 ntlm-auth[5664](ntlm_auth.c:385): c:/squid/libexec/mswin_ntlm_auth.exe
 build Mar  6 2009, 23:32:18 starting up...
 ntlm-auth[5664](ntlm_auth.c:391): SSPI initialized OK
 /mswin_check_ad_group.exe[1160]: Member of Domain DODES
 
 /mswin_check_ad_group.exe[1160]: Into forest cajadeburgos.des
 
 /mswin_check_ad_group.exe[1160]: External ACL win32 group helper build Mar
 6 2009, 23:48:40 starting up...
 
 /mswin_check_ad_group.exe[1160]: Domain Global group mode enabled using
 'cajadeburgos.de' as default domain.
 
 /mswin_check_ad_group.exe[3268]: Member of Domain DODES
 
 /mswin_check_ad_group.exe[3268]: Into forest cajadeburgos.des
 
 /mswin_check_ad_group.exe[3268]: External ACL win32 group helper build Mar
 6 2009, 23:48:40 starting up...
 
 /mswin_check_ad_group.exe[3268]: Domain Global group mode enabled using
 'cajadeburgos.de' as default domain.
 
 /mswin_check_ad_group.exe[5656]: Member of Domain DODES
 
 /mswin_check_ad_group.exe[5656]: Into forest cajadeburgos.des
 
 /mswin_check_ad_group.exe[5656]: External ACL win32 group helper build Mar
 6 2009, 23:48:40 starting up...
 
 /mswin_check_ad_group.exe[5656]: Domain Global group mode enabled using
 'cajadeburgos.de' as default domain.
 
 2009/05/11 12:56:47| User-Agent logging is disabled.
 2009/05/11 12:56:47| Referer logging is disabled.
 /mswin_check_ad_group.exe[3016]: Member of Domain DODES
 
 /mswin_check_ad_group.exe[3016]: Into forest cajadeburgos.des
 
 /mswin_check_ad_group.exe[3016]: External ACL win32 group helper build Mar
 6 2009, 23:48:40 starting up...
 
 /mswin_check_ad_group.exe[3016]: Domain Global group mode enabled using
 'cajadeburgos.de' as default domain.
 
 2009/05/11 12:56:47| Unlinkd pipe opened on FD 428
 2009/05/11 12:56:47| Local cache digest enabled; rebuild/rewrite every
 3600/3600 sec
 2009/05/11 12:56:47| Swap maxSize 1024000 KB, estimated 78769 objects
 2009/05/11 12:56:47| Target number of buckets: 3938
 2009/05/11 12:56:47| Using 8192 Store buckets
 2009/05/11 12:56:47| Max Mem  size

[squid-users] R: [squid-users] Squid 2.X for Windows 7

2009-05-11 Thread Guido Serassio
Hi,

 -Original Message-
 From: Balaji Ganesan [mailto:bgane...@venturiwireless.com]
 Sent: Monday 11 May 2009 18.55
 To: squid-users@squid-cache.org
 Subject: [squid-users] Squid 2.X for Windows 7
 
 Hi,
 Recently we found out that Squid 2.X is not compatible with Windows 7.
 It does however run when I do the Windows VISTA compatibility mode.
 However, we can't use it that way for my work. Can anyone please let me
 know if there is a roadmap for Windows 7 support and when it will be
 available?
 
 
 Thanks
 Balaji

Sure, Windows 7 support is already in 2.HEAD, and it will be available in the 
next 2.7 STABLE release.

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  




[squid-users] R: [squid-users] Error 1067 when starting service in Windows 2003 Server

2009-04-16 Thread Guido Serassio
Hi,

The problem is IIS: it will bind to ANY () IP addresses of the machine, 
even if there is no website using it 

http://support.microsoft.com/kb/813368/

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  

 -Original Message-
 From: Philip de Souza [mailto:pdeso...@itstrategists.com]
 Sent: Wednesday 15 April 2009 18.49
 To: Guido Serassio; squid-users@squid-cache.org
 Subject: RE: [squid-users] Error 1067 when starting service in Windows 2003 Server
 
 Hi Guido,
 
 Thank you for your reply. The cache log states the following at the very
 end:
 
 
 2009/04/15 11:11:11| Loaded Icons.
 2009/04/15 11:11:11| commBind: Cannot bind socket FD 12 to xx.xx.xxx.xxx:80: (10013) WSAEACCES, Permission denied.
 FATAL: Cannot open HTTP Port
 Squid Cache (Version 2.7.STABLE5): Terminated abnormally.
 
 
 Our server has 3 IP addresses linked onto the one NIC, could it have
 something to do with this do you think?
 
 The other two IPs are being used by two websites already, but the IP we are
 using is free...
 
 Many thanks,
 Philip
 
 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Wednesday, April 15, 2009 4:06 AM
 To: Philip de Souza; squid-users@squid-cache.org
 Subject: Re: [squid-users] Error 1067 when starting service in Windows 2003 Server
 
 Hi,
 
 At 22.11 14/04/2009, Philip de Souza wrote:
 Wow this is frustrating!
 
 Sorry, but I need help again. I had everything working on our testbed
 Windows 2003 platform (for reverse proxy accelerator services), and so when
 I go and deploy Squid in the same fashion on the live proxy server, I get
 the following when trying to start the SQUID service:
 
 Could not start the Squid service on local computer. Error 1067: the
 process terminated unexpectedly.
 
 I actually received this error when trying to start it on the test server as
 well, but was able to resolve it by upgrading the server to SP2. The live
 server already has SP2 installed but I installed all outstanding patches on
 it anyway, just in case - no deal. On both machines I ran the squid -z
 command to establish the log directory first. I'm really floored by why this
 is happening though and would GREATLY appreciate anybody's help. We're
 supposed to be going live with this now and this recurring issue is really
 raining on the parade!
 
 Many thanks as ever.
 
 Look at the following:
 
 - cache.log messages
 - squid.exe.log in the sbin folder
 - Try to start squid from command line and see what happens
 
 Regards
 
 Guido
 
 
 
 
 Guido Serassio
 Acme Consulting S.r.l. - Microsoft Certified Partner
 Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135  Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it/
 



Re: [squid-users] Fw: multiple A records with squid

2009-04-15 Thread Guido Serassio

Hi,

At 09.01 15/04/2009, martin.pichlma...@continental-corporation.com wrote:

Hello all,

some of my users complain that a page (www.bestjobs.ro) with cookies and
some other stuff hangs sometimes,
returns Connection reset by peer and so on.
Some problems can be resolved by reloading the page, some can not.
The pages that make problems are not the normal ones but after logging in
and using some of the
more advanced features of the web server regarding commenting to some of
the information there.
If the users access the web server without squid -- directly connected to
the internet -- it all works.

It seems to me that the problems have something to do with DNS;
www.bestjobs.ro returns not
one but 5 IPv4 addresses.
With Windows XP and no proxy the browser always uses only one IP;
squid -- I use version 3.0-STABLE 11 on RedHat AS 5 -- uses all 5 IPs in a
round-robin fashion.
The web servers do not serve static but dynamic pages and therefore I
think the requests _should_
always go to the same IP address. But the load balancing probably makes
the problems.

I am fully aware that the problem is not the fault of squid but of the DNS
loadbalancing of the web servers.
Nevertheless I have to provide a solution...

Is there a parameter within squid to change the behaviour of DNS load
balancing when there
is more than one IP in a DNS response?
I do not want to disable load balancing but put a on hold parameter so
that squid uses the
same IP maybe a minute and then switches to the next IP and uses that for
the next one minute
and not a different IP for every request.
Even better would be a source address affinity -- for one client all
requests go to IP 1 of the pool,
the next client is routed over squid to IP 2 and so on.

Is there a solution to that?


Sure, try:
http://www.squid-cache.org/Versions/v3/3.0/cfgman/balance_on_multiple_ip.html

Regards

Guido




Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Error 1067 when starting service in Windows 2003 Server

2009-04-15 Thread Guido Serassio

Hi,

At 22.11 14/04/2009, Philip de Souza wrote:

Wow this is frustrating!

Sorry, but I need help again. I had everything working on our testbed
Windows 2003 platform (for reverse proxy accelerator services), and so when
I go and deploy Squid in the same fashion on the live proxy server, I get
the following when trying to start the SQUID service:

Could not start the Squid service on local computer. Error 1067: the
process terminated unexpectedly.

I actually received this error when trying to start it on the test server as
well, but was able to resolve it by upgrading the server to SP2. The live
server already has SP2 installed but I installed all outstanding patches on
it anyway, just in case - no deal. On both machines I ran the squid -z
command to establish the log directory first. I'm really floored by why this
is happening though and would GREATLY appreciate anybody's help. We're
supposed to be going live with this now and this recurring issue is really
raining on the parade!

Many thanks as ever.


Look at the following:

- cache.log messages
- squid.exe.log in the sbin folder
- Try to start squid from command line and see what happens

Regards

Guido




Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] R: Squid 2.7STABLE6 for Windows?

2009-03-07 Thread Guido Serassio

Hi,

At 18.07 06/03/2009, Guido Serassio wrote:

Hi Amos,

Correct, it's on the way.


Just released.

Regards

Guido



 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Friday 6 March 2009 9.40
 To: joost.deh...@getronics.com
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 2.7STABLE6 for Windows?

 joost.deh...@getronics.com wrote:
  Hello,
 
  Usually I download the Windows binary from Acme
 (http://squid.acmeconsulting.it/download/dl-squid.html), but 2.7STABLE6
 hasn't been published there (yet). Is this service discontinued, is it
 commercial now, or is there another place I can get Windows binaries?
 
  In case no one provides Windows binaries anymore: Is there a manual
 somewhere how to create the Windows binaries with Visual Studio?
 
  Joost

 Guido and Acme are still active.
 I saw the 2.7.STABLE6 updates being adjusted for windows in CVS the
 other day, so it should be out shortly.

 Amos
 --
 Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6




Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] R: [squid-users] Squid 2.7STABLE6 for Windows?

2009-03-06 Thread Guido Serassio
Hi Amos,

Correct, it's on the way.

Regards

Guido Serassio

Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: i...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
  

 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz]
 Sent: Friday 6 March 2009 9.40
 To: joost.deh...@getronics.com
 Cc: squid-users@squid-cache.org
 Subject: Re: [squid-users] Squid 2.7STABLE6 for Windows?
 
 joost.deh...@getronics.com wrote:
  Hello,
 
  Usually I download the Windows binary from Acme
 (http://squid.acmeconsulting.it/download/dl-squid.html), but 2.7STABLE6
 hasn't been published there (yet). Is this service discontinued, is it
 commercial now, or is there another place I can get Windows binaries?
 
  In case no one provides Windows binaries anymore: Is there a manual
 somewhere how to create the Windows binaries with Visual Studio?
 
  Joost
 
 Guido and Acme are still active.
 I saw the 2.7.STABLE6 updates being adjusted for windows in CVS the
 other day, so it should be out shortly.
 
 Amos
 --
 Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6


Re: [squid-users] windows seven beta build 7000

2009-02-01 Thread Guido Serassio

Hi,

At 02.53 29/01/2009, Keerthan jai.c wrote:

hi,
I am having a few problems with squid in Windows Seven.
I am using squid-3.0.STABLE11-RC1-bin.
Firstly, squid starts only in compatibility mode (I'm using Windows Vista
compatibility mode)


I think that testing an experimental Squid build on the first beta of a 
new OS is a bad thing ...


Currently Squid doesn't support Windows 7 and there is no Squid 
version tested on it.
Only a future 2.x version will include it, while 3.x Windows 
development is still stopped.


Please run your tests on a supported OS.

Regards

Guido


squid service doesn't start .. it just says starting but never starts

thirdly squid does not store any cache

here is my squid.conf

http_port 127.0.0.1:3128
icp_port 0
htcp_port 0
#
#
cache_dir ufs c:/squid/var/cache 3000 16 256
redirect_program c:/Perl/bin/perl.exe c:/squid/adzap/scripts/squid_redirect.pl
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
cache_peer 10.1.1.20 parent 8080 0 no-query proxy-only round-robin
cache_peer 10.1.1.24 parent 8080 0 no-query proxy-only round-robin
never_direct allow all
never_direct allow CONNECT
access_log c:/squid/var/logs/access.log squid
cache_log c:/squid/var/logs/cache.log
cache_store_log c:/squid/var/logs/store.log
mime_table c:/squid/etc/mime.conf
pid_filename c:/squid/var/logs/squid.pid
unlinkd_program c:/squid/libexec/unlinkd.exe
visible_hostname localhost

thank you



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] NTLM Authenticator with big requests number

2009-01-13 Thread Guido Serassio

Hi Amos,

At 16.55 12/01/2009, Amos Jeffries wrote:

Razvan Grigore wrote:
 From: Serassio Guido guido.seras...@dont-contact.us
 Date: Fri, 24 Jun 2005 09:37:06 +0200

 Hi,

 This behaviour is correct by Microsoft NTLM design. When negotiated,
 NTLM authentication cannot be cached:
 You are using use_ntlm_negotiate on, so every Challenge/Response
 request must be handled from Winbind.

 When using use_ntlm_negotiate on, max_challenge_reuses and
 max_challenge_lifetime are not (and cannot be) used.

 This is the only stable configuration using NTLM, disabling
 use_ntlm_negotiate is a worse option.

 Regards

 Guido


 Hello,

 I want to know if this is true.

Very high likelihood of being true. Guido is the author of the NTLM
negotiate code.


Not exactly, I'm the author of all the Windows NTLM and Negotiate 
native helpers.

The majority of the Squid NTLM code comes from Kinkie, Robert and Henrik.

About the question, yes, this is the NTLM and Negotiate nature: there 
is always a live challenge-response exchange between the client and 
the NTLM/Negotiate server.


Please note, starting from Squid 2.6 the NTLM negotiation is hard coded to on.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] NTLM and transparent/interception confusion

2009-01-03 Thread Guido Serassio

Hi Kinkie,

At 18.45 02/01/2009, Kinkie wrote:

Could you try to get a network trace of a successfully authenticated
http transaction?
I would love to see how they do it...


Websense too is using something similar for filtering:

They maintain an IP Address/Username table on the policy server. The 
table can be populated using different ways:

- A logon agent, a little executable running on every client at logon time
- Direct query to the user workstation
- A DC agent that queries DCs for user sessions

There isn't any kind of web browser authentication, and this solution 
cannot work with non-Windows clients or machines that are not domain members.
Multiuser terminal server environments cannot be supported and the WS 
policy server should be Windows based and a domain member for full functionality.


Regards

Guido


Thanks!

On 1/2/09, Johnson, S sjohn...@edina.k12.mn.us wrote:
 That's too bad...  I've set up numerous Bluecoat proxies and they do
 have this capability.  But of course, you're paying about $50k usd /
 box.

 -Original Message-
 From: Guido Serassio [mailto:guido.seras...@acmeconsulting.it]
 Sent: Thursday, January 01, 2009 4:00 AM
 To: Johnson, S; squid-users@squid-cache.org
 Subject: Re: [squid-users] NTLM and transparent/interception confusion

 Hi,

 At 20.06 31/12/2008, Johnson, S wrote:
I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?

 You cannot.

 You are mixing two very different and incompatible things:

 - Transparent/intercepting proxy
 - NTLM transparent (silent) authentication, also known as Windows
 integrated authentication
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

 Regards and happy New Year

 Guido



 -
 
 Guido Serassio
 Acme Consulting S.r.l. - Microsoft Certified Partner
 Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135  Fax. : +39.011.9781115
 Email: guido.seras...@acmeconsulting.it
 WWW: http://www.acmeconsulting.it/






--
/kinkie



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] NTLM and transparent/interception confusion

2009-01-01 Thread Guido Serassio

Hi,

At 20.06 31/12/2008, Johnson, S wrote:

I've been doing a lot of reading on this...  I've got the proxy working
in either of these two modes:
1) As a browser configuration proxy
2) with http_port 3128 transparent, in redirected mode

I've got NTLM authentication working just fine with #1 above.  However,
with #2 I never get a password prompt.  I don't really care about
transparency; I just want to authenticate users that are outbound
without having to configure their browser.

I asked this question a couple of months back and there are people
stating that they are doing the authentication with transparent mode.
Some of the references I've found in my searches also seem to
corroborate the possibility of this working (but it's not working for
me).  However, in the documentation it seems that this should not be
possible.  Am I barking up the wrong tree or is this truly possible?


You cannot.

You are mixing two very different and incompatible things:

- Transparent/intercepting proxy
- NTLM transparent (silent) authentication, also known as Windows 
integrated authentication

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7

Regards and happy New Year

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Native WIN32 NTLM and Basic Helpers must be used without the -A -D switches.

2008-12-20 Thread Guido Serassio

Hi,

At 10.46 19/12/2008, Paul Cocker wrote:

Having noticed that squid is now shipping with an mswin_check_ad_group
file (I don't recall this in 2.6) I'm working on moving our 2.7 config
over to it. In the readme it says:

- Native WIN32 NTLM and Basic Helpers must be used without the -A  -D
switches.

Our mswin_check_lm_group line used -D as I recall there were lookup
problems without it, however I want to check what this line means. What
is considered a native WIN32 helper? -A isn't documented as a switch
either. Certainly we're a 100% Windows domain.

Can anyone clarify this line for me?


You are mixing authentication helpers with external ACL helpers.

-A  -D switches are only for mswin_auth and mswin_ntlm_auth helpers.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



[squid-users] Experimental Squid 3.0.STABLE11-RC1 binary release for Windows

2008-12-14 Thread Guido Serassio


I'm pleased to announce the availability of an experimental Squid 
3.0.STABLE11-RC1 binary release for Windows.


The package is available here:
http://squid.acmeconsulting.it/download/squid-3.0.STABLE11-RC1-bin.zip

This package is totally unsupported by Acmeconsulting, and is 
provided as is for testing purposes only.

For any questions and feedback, use the squid-users mailing list.

Due to the experimental nature of this release, please don't use it 
in a production environment.


Any positive feedback will be welcome.

Regards

Guido Serassio



-

Guido Serassio - Squid Core Developer
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] RPC over HTTPS for Terminal Services Gateway

2008-11-24 Thread Guido Serassio

Hi,

At 10.23 24/11/2008, Andreas Adler wrote:

Hi there

I am running Squid 3.0 PRE6 as a reverse proxy for many applications 
and services. RPC over HTTPS for Exchange/OWA is running fine for a 
long time. Recently I tried to pass the TS Gateway through Squid, 
but this is giving me a very hard time. TS Gateway is using RPC over 
HTTPS just like Exchange does, but I always get  an authentication 
error. Here is what I get:


--
TCP_MISS/401 399 RPC_IN_DATA 
https://server.domain.com/rpc/rpcproxy.dll? - 
FIRST_UP_PARENT/server.domain.com text/plain

--

Here is my access rule:
cache_peer server.domain.com parent 443 0 proxy-only no-query 
originserver front-end-https=on ssl login=PASS sslflags=DONT_VERIFY_PEER


Does anybody run a Terminal Services Gateway (TS Gateway) being 
proxied through squid?  Could there be something wrong with some 
NTLM passthrough? I am pretty clueless on this, so any help is very 
appreciated!


I never tested TS Gateway on Squid, but usually Exchange RPC over 
HTTPS works better using Basic authentication over SSL.


Another thing to verify is the Reverse Proxy SSL certificate: using 
self signed certificates for Exchange RPC over HTTPS, Outlook fails 
silently if the CA is not trusted.


Regards

Guido



Thanks a lot!
Andreas Adler



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

2008-10-29 Thread Guido Serassio

Hi,

At 14.00 28/10/2008, Josh Haft wrote:

Firefox can't grab NTLM creds like IE does.


This is really a VERY wrong assertion.

Firefox supports all Squid authentication schemes (Basic, Digest, NTLM 
and Negotiate) starting from version 1.5, while this is true for 
Internet Explorer starting from version 7.0.


Regards

Guido




On 10/28/08, matlor [EMAIL PROTECTED] wrote:

 I have configured squid with winbind integrated in the active directory of a
 windows 2003 domain.
 If I browse internet through IE 7 everything is ok, no user and password
 prompted, because of the common login. While, if I open Firefox (2 or 3
 version), it prompts for user and password.
 I have also noticed that if I click on cancel twice, then I can see the
 internet page someone can help me?!?! thanks in advance




-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] squidnt.com, warning

2008-10-16 Thread Guido Serassio

Hi,

At 18.01 16/10/2008, Mr Lyphifco wrote:

It seems that the site http://squidnt.com/ is trying to masquerade as an
official website for Mr Serassio's Windows port of Squid. It doesn't
explicitly state this, but the wording of the site contents strongly implies
such a thing.

Also it was entered into a new Wikipedia article on SquidNT as the homepage:

  http://en.wikipedia.org/w/index.php?title=SquidNT&action=history

I suspect blog-spam of some sort.


Thanks for your report.

The squidnt.com site seems deliberately incomplete.

SquidNT was the name of the Windows port project of Squid 2.5. 
Starting from Squid 2.6 STABLE4 Windows is an official Squid 2 
platform, and the official sources can be compiled on Windows without 
changes. So SquidNT is the name of a complete project.


I think that the Wikipedia page and the Squid FAQ page should be more 
accurate about this.
So I have just updated the Wiki page: 
http://wiki.squid-cache.org/SquidFaq/AboutSquid#head-500ddc367517c94cdf5cc49cb26868ab64becf63


Please, can you update the Wikipedia page again?

Thanks

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] compiling squid error on windows

2008-09-04 Thread Guido Serassio

Hi Amos,

At 04.08 04/09/2008, Amos Jeffries wrote:


 Amos: there is some Windows information missing from the 3.0 release
 notes, you can find it in the 2.6 one.

I'll fix that right now. You mean the whole section 4 (in 2.7) / section 6
(in 2.6)?


Sorry for the delayed answer.

You must take the whole 2.6 Windows release notes, 2.7 release notes 
are also incomplete.

The 2.6 content is still true.

Regards

Guido




-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] compiling squid error on windows

2008-09-03 Thread Guido Serassio

Hi Amos,

At 15.46 03/09/2008, Amos Jeffries wrote:

Dooda Dave wrote:
 Dear all,

 I've downloaded squid3.0 stable 8 and am trying to compile it on
 windows 2003. however, i hit an error when starting to run make. the
 error is as below:

 [EMAIL PROTECTED] /cygdrive/c/squid-3.0.STABLE8
 $ make
 make: *** No targets specified and no makefile found.  Stop.

 I couldn't really get help from google at all. Hope some of you may
 have encountered the same problem.

 Thanks in advance.

 Regards,
 Dooda

3.0 has no official windows support. What is there is very, very
experimental, and while improving slowly. Guido is the only one with a
proper MS devel install to test stuff, and he is still working on both
squid versions. If you are able to help at all, thank you.


Squid 3.0 STABLE 8 should build on both MinGW+MSYS and Cygwin. I 
don't know how it works  :-(



3.x windows issues had probably best go to squid-dev.

Anyway,

I'm very not sure of this, so make a backup copy of your squid code
files before trying.

... but ... you probably need to run ./configure to generate the
makefiles for your system.


Sure, like any other platform.

Amos: there is some Windows information missing from the 3.0 release 
notes, you can find it in the 2.6 one.


Regards

Guido


Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE8



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Mingw(patch for long file pointers) --with-large-files

2008-08-18 Thread Guido Serassio

Hi,

At 14.41 18/08/2008, chudy wrote:


Using Mingw to compile squid --with-large-files
following Patch MinGW for long file pointers
http://mdsh.com/wiki/jsp/Wiki?Mplayer:build%20on%20MinGWhighlight=build
and edit



cut


I just want a confirmation if i did the right thing. for now the squid is
running fine with
./configure --enable--enable-win32-service --enable-storeio=aufs,coss
--enable-removal-policies=heap,lru --enable-snmp --disable-wccp
--disable-wccpv2 --enable-large-cache-files --prefix=c:/squid
--with-large-files --enable-err-languages=english
--enable-cachemgr-hostname=server
i've attached my squid.conf store_rewrite and url_rewrite helper.

http://www.nabble.com/file/p19025674/squid.conf squid.conf
http://www.nabble.com/file/p19025674/test.pl test.pl
http://www.nabble.com/file/p19025674/rewrite.pl rewrite.pl

one thing i've seeing Warnings about failed to unpack meta data that i've
never seen in aufs. and still the same Warnings using 2.7 stable version
when using coss.


This patch could be incomplete. I don't know how MinGW internals are 
arranged, so I think that you should ask about this on the 
mingw-users mailing list.


On the Squid side, probably there is a conflicting definition in 
squid_mswin.h at line 174.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid-3.0.STABLE7 Compilation errors on SPARC

2008-07-07 Thread Guido Serassio

Hi,

At 21.26 07/07/2008, Frog wrote:

Hi All,

I have a machine here that is running 3.0.STABLE4 and I wish to upgrade
it to STABLE7. I compiled and installed STABLE4 with no problems.
However while attempting to compile the latest release I am getting lots
of errors during the configure script which are repeatedly saying to
report a bug.

I am attempting to configure with the following options:

./configure --prefix=/usr/local
--enable-storeio=ufs,aufs,coss,diskd,null --enable-snmp
--enable-delay-pools --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm --enable-carp
--enable-follow-x-forwarded-for --with-large-files --enable-async-io
--enable-removal-policies=lru,heap --enable-icmp --enable-icap-client

The error that occurs in config.log for various headers look like the
following:


cut



When running the configuration script with just --prefix=/usr/local
results in no errors. So obviously it looks like one of my configuration
options is not compatible.

My GCC compiler is 3.4.3 as provided by the OS.
PATH=/usr/sbin:/usr/bin:/usr/sfw/bin/:/usr/ccs/bin/

Would anyone have experienced this before or seen something similar?


It could be related to this problem:
http://www.squid-cache.org/Versions/v3/HEAD/changesets/b9055.patch

Please, try to build without the --with-large-files option.

Let us know the result.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Anti-Virus Exclusions

2008-06-13 Thread Guido Serassio

Hi Paul,

At 10.23 13/06/2008, Paul Cocker wrote:

The proxy server running squid will soon be getting a real-time
anti-virus scanner on it. Are there any exclusions which need to be
configured in regards to squid?


Excluding the cache directory (and subfolders) is really a good idea.
This is better for performance and for Squid reliability: it's a bad 
thing if the antivirus deletes a file in the cache dir.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] DNS options for Windows port of Squid 2.6

2008-05-06 Thread Guido Serassio

Hi,

At 14:14 06/05/2008, Henrik Nordstrom wrote:

On Tue, 2008-05-06 at 13:25 +0200, H.Lekin wrote:
 Reconfiguring the Squid service with the -k option after being dialed in
 works in principle, but is not allowed from an user's account
 (OpenSCManager failed).

That should be fixable somehow I think..

Isn't it possible to set up system triggers run when the dialup
interface goes up/down? Not very familiar with Windows unfortunately..


This was already implemented into Squid 2.HEAD:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/11818.patch

This feature will be available on Squid 2.7.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] DNS lookup rotation of IPs

2008-05-06 Thread Guido Serassio

Hi,

At 21:36 06/05/2008, Christian Seifert wrote:
Hi there, I am running a DNS cache prg that is resolving hostnames 
in an identical manner even if more than one IPs are returned.


So, for example, ping www.google.com will always try ping to 
209.85.173.147 even though host resolves to multiple IPs (it seems 
like it takes the top record)


host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.173.147
www.l.google.com has address 209.85.173.104
www.l.google.com has address 209.85.173.103
www.l.google.com has address 209.85.173.99

Squid, however, seems not to do this. It seems to randomly select one 
IP even when it is using the DNS cache prg ... is there any way to 
configure it to always use the top one, just like ping behaves?


Look for balance_on_multiple_ip off in squid.conf.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] DNS options for Windows port of Squid 2.6

2008-05-06 Thread Guido Serassio

Hi,

At 22:20 06/05/2008, H.Lekin wrote:

On 06.05.2008 18:12, Guido Serassio wrote:

Hi,
At 14:14 06/05/2008, Henrik Nordstrom wrote:

On Tue, 2008-05-06 at 13:25 +0200, H.Lekin wrote:
 Reconfiguring the Squid service with the -k option after being dialed in
 works in principle, but is not allowed from an user's account
 (OpenSCManager failed).

That should be fixable somehow I think..

Isn't it possible to set up system triggers run when the dialup
interface goes up/down? Not very familiar with Windows unfortunately..

This was already implemented into Squid 2.HEAD:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/11818.patch
This feature will be available on Squid 2.7.

When will 2.7 be released? Is there a work around for in between?


I think few months. As I know the only work around is to force a 
squid reconfiguration.



Can this patch file be applied to the 2.6STABLE20 source code?


Yes, it should work fine.

 Will it compile on cygwin with mingw packages from mid 2005 
(different naming scheme) instead of MinGW 3.1.0?


What is your build version? Standard, Delay Pools or SSL?
I can send to you an already patched binary.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] DNS options for Windows port of Squid 2.6

2008-05-06 Thread Guido Serassio

Hi,

At 23:30 06/05/2008, H.Lekin wrote:

 Will it compile on cygwin with mingw packages from mid 2005 
(different naming scheme) instead of MinGW 3.1.0?

What is your build version? Standard, Delay Pools or SSL?

Don't know. Squid -v output is:
Squid Cache: Version 2.6.STABLE20


It's a standard build.


I can send to you an already patched binary.

Yes, please.


Here you can find a binary (standard build) of Squid STABLE20 patched 
with the changeset 11868:

http://squid.acmeconsulting.it/download/squid-11868.zip

Please note: the Squid reconfigure happens after any changes to any 
IP address of any machine interface.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid and OWA strange problem

2008-04-25 Thread Guido Serassio

Hi,

At 08:02 25/04/2008, Henrik Nordstrom wrote:

Thu 2008-04-24 at 09:34 +0200, Franz Angeli wrote:

  i use Squid Version 2.6.STABLE5 on Debian stable, i have strange
  problem with this owa site:

  https://mail.telecomitalia.it

  If i try to login (with real or fake credentials) with squid login
  page return to itself without any error!??!

  If i connect directly all works fine?

First of all try upgrading. There has been some bugfixes to the
connection pinning / forwarding of Microsoft looks like HTTP but isn't
authentication.


Just looked at the site: it's an Exchange 2007 OWA running form-based 
authentication over HTTPS. I'm using Squid 2.6 as a reverse proxy for 
my Exchange 2003 OWA running the same configuration without problems.


So, it shouldn't be an authentication problem on Squid, but I still 
haven't verified if there are any so called new features in OWA 2007 ...


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid and OWA strange problem

2008-04-25 Thread Guido Serassio

Hi,

At 10:04 25/04/2008, Franz Angeli wrote:

My squid server is only a cache proxy, reverse proxy on remote
exchange OWA server is some Microsoft ISA stuff.


I think there is something very wrong in this OWA server setup:

C:\nslookup mail.telecomitalia.it
Server:  titano.acmeconsulting.loc
Address:  172.30.128.1

Non-authoritative answer:
Name:mail.telecomitalia.it
Addresses:  156.54.233.103, 156.54.233.102

Adding balance_on_multiple_ip off to your squid.conf should fix your problem.

A round robin configuration for a OWA front-end is really a stupid 
solution because OWA is a session based web application.


I love the incompetency of Telecom Italia people.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Rewrite http to https for owa.

2008-04-22 Thread Guido Serassio

Hi,

At 02:54 22/04/2008, Dwyer, Simon wrote:

Hey everyone,

I am starting to really get my squid server under control here :)

One last step to have it fully working is to rewrite addresses coming in on
http to https.  This is for OWA.  I have tried to use squirm and have some
success.  What I need to do is redirect http://mail.domainname.com/  to
https://mail.domainname/com/owa.  For all reverse proxy requests.  Is there
an easier way to do this?  I have googled it without much success.


I think that this could help you;
http://support.microsoft.com/kb/327800/en-us

But I'm not sure if all the OWA functionality work fine rewriting the 
path of the URL.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Proxy Auth sniffable?

2008-04-21 Thread Guido Serassio

Hi,

At 17:59 21/04/2008, Andreas Pettersson wrote:

Is the browser sending username and password in cleartext or a simple
base64 encoding when user authenticates with proxy authentication
against an ldap directory?


Yes, as any basic authentication helper.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
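
The answer above, as an added example that is not part of the original thread or of Squid: a small audit that reads the Proxy-Authorization header of a captured proxy request and reports what someone watching the client-to-proxy connection learns from each scheme. The function names and the sample requests are constructed for illustration.

```python
import base64
import re


def classify_proxy_auth(value):
    """Classify one Proxy-Authorization value by what it exposes on the wire."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    token = token.strip()
    result = {"scheme": scheme, "user": None,
              "password_recoverable": False, "note": ""}
    if scheme == "basic":
        # Basic is base64("user:password"); base64 is an encoding, not encryption.
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:
            result["note"] = "malformed base64 token"
            return result
        user, sep, password = decoded.partition(":")  # password may contain ':'
        if not sep:
            result["note"] = "no user:password separator"
            return result
        result.update(user=user, password_recoverable=True,
                      note="password of %d characters is only base64-encoded"
                           % len(password))
    elif scheme == "digest":
        match = re.search(r'username="([^"]*)"', token)
        result["user"] = match.group(1) if match else None
        result["note"] = "user name visible; password replaced by a hash response"
    elif scheme in ("ntlm", "negotiate"):
        result["note"] = "challenge-response token; password not sent"
    else:
        result["note"] = "unknown scheme"
    return result


def audit_request(raw_request):
    """Find Proxy-Authorization in a raw HTTP request head and classify it."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            return classify_proxy_auth(value)
    return {"scheme": None, "user": None,
            "password_recoverable": False, "note": "no proxy credentials sent"}


def sample_request(auth_value=None):
    """Build a constructed proxy request, optionally with credentials."""
    lines = ["GET http://www.example.com/ HTTP/1.1", "Host: www.example.com"]
    if auth_value is not None:
        lines.append("Proxy-Authorization: " + auth_value)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample credentials, not taken from any real capture.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:pa:ss:word").decode("ascii")
SAMPLE_DIGEST = ('Digest username="bob", realm="proxy", nonce="abc123", '
                 'uri="http://www.example.com/", response="0123456789abcdef"')

if __name__ == "__main__":
    for auth in (SAMPLE_BASIC, SAMPLE_DIGEST, "NTLM TlRMTVNTUAAB", None):
        print(audit_request(sample_request(auth)))
```
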



Re: [squid-users] Squid NTLM Auth Failing on Long Passwords

2008-04-15 Thread Guido Serassio

Hi,

At 17:38 15/04/2008, [EMAIL PROTECTED] wrote:

I appear to have run into an issue with Squid failing to authenticate
users with long passwords.  I have had a few users that always get a
username/password prompt box which re-appears even if the correct info is
entered.  The AD server logs each of the attempts as a bad password. Squid
appears to log it as Empty LM password supplied for user ...
No-Auth.  (Only verified for some users)  The only thing I can find in
common between these users would be password that are over 14 characters
in length.  Is this a possible source of the errors/constant password
prompt?  From doing some reading it appears that the LanMan hash value
becomes NULL after 14 chars are inputed as a password.  I'm at a loss for
a solution short of telling my users that they need to use shorter
passwords.  Any thoughts are appreciated.  Thanks,


What NTLM helper ?

LM based helpers like ntlm_auth provided with Squid are limited to 14 
characters password.

This is a LM protocol limit.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
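
A diagnostic for the situation in this thread, added here and not part of any post or of Squid's helpers: it parses the NTLMSSP type 3 (AUTHENTICATE) token from a Proxy-Authorization: NTLM header and reports whether the client populated the LM response that an LM-based helper depends on. The function names and the sample tokens are constructed for illustration; the field offsets follow the published NTLMSSP message layout.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE flag bit


def read_security_buffer(msg, pos):
    """Read a (length, max length, offset) descriptor and return its payload."""
    length, _max_length, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]


def parse_ntlm_authenticate(header_value):
    """Summarise the response fields of an NTLMSSP type 3 message."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("NTLMSSP type %d, expected type 3" % msg_type)
    if len(msg) < 64:
        raise ValueError("type 3 message is truncated")

    lm = read_security_buffer(msg, 12)       # LM / LMv2 response
    nt = read_security_buffer(msg, 20)       # NTLM / NTLMv2 response
    domain = read_security_buffer(msg, 28)
    user = read_security_buffer(msg, 36)
    (flags,) = struct.unpack_from("<I", msg, 60)
    text = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"

    if len(nt) == 0:
        nt_kind = "none"
    elif len(nt) == 24:
        nt_kind = "24-byte (NTLMv1-style)"
    else:
        nt_kind = "NTLMv2 blob"              # longer than 24 bytes
    return {
        "user": user.decode(text, "replace"),
        "domain": domain.decode(text, "replace"),
        "lm_len": len(lm),
        "nt_len": len(nt),
        # A 24-byte field may be LM or LMv2; length alone cannot tell them apart.
        "lm_response_populated": len(lm) == 24 and any(lm),
        "nt_kind": nt_kind,
    }


def build_sample_authenticate(user, domain, lm_response, nt_response):
    """Build a constructed type 3 header value for testing the parser."""
    fields = [lm_response, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b""]   # workstation, session key
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for field in fields:
        # Fixed part is 64 bytes: 12 + six 8-byte descriptors + 4 flag bytes.
        header += struct.pack("<HHI", len(field), len(field), 64 + len(payload))
        payload += field
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")


if __name__ == "__main__":
    # Constructed responses: random-looking bytes, not real hashes.
    no_lm = build_sample_authenticate("jdoe", "CORP", b"", bytes(range(1, 65)))
    with_lm = build_sample_authenticate("jdoe", "CORP",
                                        bytes(range(1, 25)), bytes(range(1, 25)))
    for name, value in (("no LM response", no_lm), ("LM response", with_lm)):
        print(name, parse_ntlm_authenticate(value))
```
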



Re: [squid-users] Troubles with SquidNT in complex environment

2008-03-11 Thread Guido Serassio

Hi,

At 22:52 11/03/2008, Peter Weichenberger wrote:

Dear All,

I'm pretty new to Squid and have troubles running it in the 
following environment:


* LAN with 250 users
* Windows Active Directory Service (ADS)

Web Security Solution consisting of
* IBM Proventia Web Filter performing URL filtering
* Trend Micro InterScan Web Security Suite (IWSS) performing 
Antivirus scanning


Both products (Webfilter and AV scanner) are installed on virtual 
machines running under VMware ESX 3.02.

Both of them have an integrated, non-caching proxy server.

Starting from the user PC, we have the following proxy chain:

User PC = Web Filter proxy = IWSS proxy =  Internet

I want to use ADS objects like usernames in the Web Filter 
configuration - e.g. to create rules based on usernames instead of 
IP addresses.
Problem: The proxy server included in Proventia Web Filter has no 
ADS/NTLM auth support, but can act as an ICAP server.
In order to use ADS objects in the Web Filter config you need an 
additional, NTLM auth-capable proxy server.
Since there is no such proxy server in our LAN yet, we obtained a 
preconfigured Squid for Windows package containing


* SquidNT 2.5 Stable12 binaries
* NTLM auth support


First, you should upgrade to Squid 2.6 and add also Negotiate authentication.

I installed the Squid package on the same virtual machine where the 
Web Filter is installed.

SquidNT acts as an ICAP client, authenticating proxy users against our AD.
The Proventia Web Filter acts as an ICAP server, telling SquidNT if 
the authenticated user is allowed to access the requested site.


So the proxy chain now looks like this:

User PC => Squid proxy (ICAP client) => Web Filter (ICAP server) => 
IWSS proxy => Internet


Unfortunately we have the following problems with SquidNT:

1. Excessive RAM consumption
After starting the SquidNT service, Windows Task manager shows that 
squid.exe uses about 9,000 KB of RAM.


This is a known and fixed old bug for Squid STABLE 12:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1522

A working day and many user requests later, squid.exe uses about 
700,000 KB (!!) of RAM!
Although the virtual machine has 1 GB of RAM assigned, Windows XP 
SP2 started to expand its paging file in order to satisfy the 
ever-increasing RAM demand of squid.exe.


Please: use a Server OS ..

Monitoring Windows Task Manager, you can watch squid.exe's memory 
consumption counting up every 5 seconds.
This means I have to restart the SquidNT service at least once a day 
- otherwise the paging file would fill up the harddisk completely.
After restarting SquidNT, it returns back to its initial RAM 
footprint of about 9,000 KB, but starts to count up its memory 
consumption immediately.


I already set memory_pools to off in squid.conf, but this freed up 
1,600 KB, which is nothing compared to 700,000 KB.


Since we had repeated Squid fatal errors due to insufficient 
ntlm_auth processes in the beginning, I have set the number of these 
processes to 35

(auth_param ntlm children 35).


If you are using IE7, Negotiate here could help you.

Q: Although these are separate processes, can they be the cause for 
Squid sucking RAM like a black hole?
Is there anything else I can do against it - besides restarting the 
Squid service?


Upgrade Squid to latest 2.6.



2. Service instabilities
Occasionally, users get a message in their browser telling them that 
the proxy has rejected the connection.
I checked the Squid server immediately after having received this 
message myself, but squid.exe was running as always.
Obviously there are situations where Squid ceases its service for a 
short time, being unable to service user requests during this period.


Expected, because you are running on a Workstation OS:
http://smallvoid.com/article/winnt-tcpip-max-limit.html



Q: What can be done to enhance reliability/stability of SquidNT?



Run Squid on Windows 2003 Server.

3. Problems accessing certain websites with Internet Explorer (IE) 
through Squid

Our users have problems accessing the following sites:
a) Bank website hosting a Java-based Internet banking application 
(website complains about missing Java support/invalid browser configuration)


Latest Java VM is NTLM aware.


b) Website running a Citrix portal delivering applications over the Web


Not sure if there is something to do here, but there are many 
changes/improvements in 2.6.



Both applications use HTTPS and work when
* using the IWSS proxy, bypassing Squid; independent of browser
* using the Squid proxy, but Firefox instead of IE

Problem: IE is our standard browser and is installed everywhere.

Q: Is there any IE setting, which has to be changed in order to make 
special Web applications work over Squid?



Ideas and hints regarding any of these issues are appreciated.


Again, first upgrade to latest 2.6 STABLE 18.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft

Re: [squid-users] Getting username from NTLM but ignore domain and password?

2008-03-05 Thread Guido Serassio

Hi,

At 15:57 05/03/2008, Adrian wrote:

Hi,

I want to create an authenticator in perl - I don't want people
to have to manually type usernames and passwords,  I just
hope to grab their usernames from the NTLM and trust that
they haven't installed a browser that can't supply the
credentials automatically like IE.

There is a number of different domains too so I want to be
able to accept them all..  Is there a way to get IE to send the
username that squid passes onto an external authentication
module?  The authenticator will permit any password - I just
want it to capture the username.

The idea is that the proxy stays transparent but I can still
see the usernames in the log files if I need to.

I'd really appreciate any tips.


Such NTLM authenticator is already in Squid: fakeauth.

Regards

Guido


Thanks,
Adrian.



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



RE: [squid-users] Multi ISP Load Balancing Problem

2008-03-05 Thread Guido Serassio

Hi,

At 19:58 04/03/2008, Lazuardi Nasution wrote:

Hi,

I'm using Windows 2000 with Service Pack 4.


Server, right ?


 If you think that it is a file
descriptor problem, why does this problem appear when I install 3 Squid Services
but not happen on the previous configuration which installs one Squid Service
only ? I don't understand about select(). The Loop related error has been
solved by not using ICP between Main to both Parent and Parent to Parent
sibling relationship.


I think that you are pushing too much squid under Windows.


But the performance with 3 Squid Services still bad.


select() is the worst of Squid's comm loops.

For a really high performance cache, you should use another OS.
Please note that I'm writing this as the maintainer of the Windows 
port of Squid  :-)


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Question about Bug 1681

2008-03-04 Thread Guido Serassio

Hi,

At 21:19 04/03/2008, Brian Kirk wrote:

Ok so do I only need to apply it to squid, or will I have to also go
into samba and apply it there as well?  And does this need to be
applied to all versions of squid 2.6 stable releases?  Or is it part
of a certain stable release?


It's included in all Squid starting from 2.6 STABLE2.

Regards

Guido


On 3/3/08, Guido Serassio [EMAIL PROTECTED] wrote:
 Hi,

 At 16:56 03/03/2008, Brian Kirk wrote:
 I have a question regarding the following bug:
 http://www.squid-cache.org/bugs/show_bug.cgi?id=1681
 
 It appears as though this bug is only something that occurs with
 squid's ntlm_auth, we however use samba's ntlm_auth, and I see similar
 problems.
 
 snippet from squid.conf
 auth_param ntlm program /opt/samba/bin/ntlm_auth
 --helper-protocol=squid-2.5-ntlmssp
 
 We seem to have the exact same problem though.  We are running
 squid2.6 Stable 9, and samba 3.0.25b.  Is this patch needed for our
 environment?

 No.

 The fix was for all NTLM authenticators.

 Regards

 Guido



 -
 
 Guido Serassio
 Acme Consulting S.r.l. - Microsoft Certified Partner
 Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
 Tel. : +39.011.9530135  Fax. : +39.011.9781115
 Email: [EMAIL PROTECTED]
 WWW: http://www.acmeconsulting.it/





-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Question about Bug 1681

2008-03-03 Thread Guido Serassio

Hi,

At 16:56 03/03/2008, Brian Kirk wrote:

I have a question regarding the following bug:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1681

It appears as though this bug is only something that occurs with
squid's ntlm_auth, we however use samba's ntlm_auth, and I see similar
problems.

snippet from squid.conf
auth_param ntlm program /opt/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp

We seem to have the exact same problem though.  We are running
squid2.6 Stable 9, and samba 3.0.25b.  Is this patch needed for our
environment?


No.

The fix was for all NTLM authenticators.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] NTLM authentication testing

2008-02-19 Thread Guido Serassio

Hi,

At 14:40 19/02/2008, Richard Wall wrote:


First problem is that you have to reinterpret the Squid reported hit
ratios when using NTLM auth. Only half of these are hits, the other
half being TCP_DENIED/407 that form part of the NTLM auth negotiation.


This is caused by the NTLM over HTTP authentication sequence, look 
here for details:

http://davenport.sourceforge.net/ntlm.html


Second problem is that the majority of requests seem to result in auth
requests to the DC. There is an article describing Win2003 performance
counters showing Number of auth requests / sec, but those counters
don't seem to exist on my copy.
 * http://support.microsoft.com/kb/928576


Correct, you should request the hotfix from Microsoft.



Instead I used the difference in a minute of the total number of
security events (as shown in the title bar of the windows event
viewer).
 * ~127 successful auth events per second
...which is about the same as the client_http.hits reported by squid.

I have the following setting defined in smb.conf:
 * winbind cache time = 10
...which clearly isn't being respected.

 * Does anyone else see this behaviour or have you managed to get auth
requests cached by winbindd?
 * Can winbindd even do caching of auth requests or is it only
concerned with caching other domain data?


What Samba version are you using ?
I remember that in Samba 3.0.25 there were big changes in winbindd 
regarding off-line logon support, but I don't know if this could help.


Another question, what type of NTLM authentication is supported by curl ?
Lan manager/NTLMv1 or full NTLMv2 ? (See the previous link for details)
There are big differences in the security level and in the 
performance impact, and currently all browsers always automatically 
use the NTLMv2 type.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
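
The hit-ratio reinterpretation discussed in the message above, as an added example that is not part of the thread: it separates the TCP_DENIED/407 lines produced by the NTLM handshake from the requests that were actually served before computing a hit ratio. The log lines are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not taken from the thread).
# Each new connection shows two TCP_DENIED/407 lines before the authenticated request.
SAMPLE_LOG = """\
1203431401.101      1 10.0.0.21 TCP_DENIED/407 1812 GET http://www.example.com/ - NONE/- text/html
1203431401.140      2 10.0.0.21 TCP_DENIED/407 2096 GET http://www.example.com/ - NONE/- text/html
1203431401.192     31 10.0.0.21 TCP_HIT/200 5120 GET http://www.example.com/ alice NONE/- text/html
1203431405.310      1 10.0.0.21 TCP_DENIED/407 1812 GET http://www.example.com/a.css - NONE/- text/html
1203431405.352      2 10.0.0.21 TCP_DENIED/407 2096 GET http://www.example.com/a.css - NONE/- text/html
1203431405.480    118 10.0.0.21 TCP_MISS/200 734 GET http://www.example.com/a.css alice DIRECT/192.0.2.10 text/css
1203431410.010      1 10.0.0.22 TCP_DENIED/407 1812 GET http://www.example.com/ - NONE/- text/html
1203431410.055      2 10.0.0.22 TCP_DENIED/407 2096 GET http://www.example.com/ - NONE/- text/html
1203431410.101      4 10.0.0.22 TCP_MEM_HIT/200 5120 GET http://www.example.com/ bob NONE/- text/html
1203431410.350    140 10.0.0.22 TCP_MISS/200 901 GET http://www.example.com/b.js bob DIRECT/192.0.2.10 text/javascript
"""


def parse_line(line):
    """Split one native-format line; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "code": code,
        "status": int(status) if status.isdigit() else 0,
        "user": fields[7],
    }


def summarize(log_text):
    """Count auth challenges separately from served requests."""
    total = challenges = hits = 0
    challenges_per_client = Counter()
    users = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        if entry["code"] == "TCP_DENIED" and entry["status"] == 407:
            # Part of the authentication exchange, not a request for content.
            challenges += 1
            challenges_per_client[entry["client"]] += 1
            continue
        if "HIT" in entry["code"]:
            hits += 1
        if entry["user"] != "-":
            users.add(entry["user"])
    served = total - challenges
    return {
        "total": total,
        "challenges_407": challenges,
        "served": served,
        "hits": hits,
        "challenge_share": challenges / total if total else 0.0,
        "hit_ratio_served": hits / served if served else 0.0,
        "challenges_per_client": dict(challenges_per_client),
        "users": sorted(users),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```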



Re: [squid-users] NTLM authentication testing

2008-02-19 Thread Guido Serassio

Hi,

At 16:36 19/02/2008, Richard Wall wrote:


Guido,

Yep, I've looked at it, but have not completely absorbed it yet :)


But you should, probably it's the best NTLM explanation on the net ... :-)

  Another question, what type of NTLM authentication is supported by curl ?

  Lan manager/NTLMv1 or full NTLMv2 ? (See the previous link for details)

I'm not sure, but in full debug mode, curl will show the various
headers it exchanges with the server.
It seems to correspond to:
 * http://devel.squid-cache.org/ntlm/client_proxy_protocol.html

...but of course we're starting at point 4 which means that in real
life, there'd be even more squid requests I guess.


Likely should be NTLMv1, NTLMv2 requires client and server mutual 
authentication provided by Domain Controllers.




Doesn't the --helper-protocol=squid-2.5-ntlmssp in squid.conf
determine that NTLMv2 will be used? Looking at the man page for
ntlm_auth suggests that lanman auth would require different
parameters:

 * http://us1.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html


No, this ALLOWS the support for the NTLM NEGOTIATE packet needed for 
NTLMv2, but the NTLM version is always negotiated between winbindd 
and the browser.



This may seem like a stupid question, and my vague understanding of
kerberos may be way off, but aren't there better alternatives to NTLM
proxy auth if you're authenticating only against Active Directory
servers?

Doesn't Kerberos provide a time limited token to the authenticated
windows domain client that can be passed to other machines in the
domain as proof that the client is authenticated; and which can be
used to lookup what services the client has access to.

In a perfect world shouldn't Internet Explorer just pass this token
along with all requests to other machines in the same domain.


Negotiate is the future: it's Kerberos based and the packet 
exchange is shorter than NTLM (but packets are larger). The only 
drawback is that Samba 3 doesn't support it.


Another limit is that you need at least Internet Explorer 7 or Firefox 1.5.

It's very easy to use running Squid on Windows with native helpers, 
or  you can try the new squid_kerb_auth helper:

http://www.squid-cache.org/mail-archive/squid-users/200801/0257.html


My aims are:
 * to have a proxy that is only available to authenticated windows 
domain users.

 * that Internet Explorer should not prompt the user for their
username and password if they have already logged onto the domain.
 * that squid should be able to record usernames alongside requests 
in its logs.

 * That dans guardian should be able to identify the username of the client.

Is there some way I can get all this without paying the penalty of NTLM auth?


Sure, negotiate.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
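
One way to answer the "which NTLM type does this client send" question from the headers that curl's debug output shows, as an added example that is not part of the thread: it decodes the base64 NTLMSSP message from a Proxy-Authorization value and classifies the Type 3 response by the lengths of its LM and NT response fields. The sample headers are constructed with filler bytes in place of real responses, and all function names are hypothetical.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001        # strings are UTF-16LE instead of OEM
FLAG_NTLM = 0x00000200
FLAG_NTLM2_SESSION = 0x00080000  # "Negotiate NTLM2 Key"


def read_buffers(msg, offsets):
    """Resolve security buffers (length, allocated, offset) into (start, bytes)."""
    out = []
    for off in offsets:
        length, _alloc, start = struct.unpack_from("<HHI", msg, off)
        if start + length > len(msg):
            raise ValueError("security buffer points outside the message")
        out.append((start, msg[start:start + length]))
    return out


def classify_response(lm, nt, flags):
    """Name the response variant from the LM/NT response field lengths."""
    if not nt:
        return "LM only" if len(lm) == 24 else "no response"
    if len(nt) == 24:
        if flags & FLAG_NTLM2_SESSION and lm[8:] == bytes(16):
            return "NTLM2 session"
        return "NTLMv1"
    return "NTLMv2" if len(nt) > 24 else "unknown"


def parse_ntlm_header(value):
    """Parse 'NTLM <base64>' as found in Proxy-Authorization / Proxy-Authenticate."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token.strip(), validate=True)
    if msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    try:
        (mtype,) = struct.unpack_from("<I", msg, 8)
        if mtype == 1:
            return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
        if mtype == 2:
            flags = struct.unpack_from("<I", msg, 20)[0]
            return {"type": 2, "flags": flags, "challenge": msg[24:32].hex()}
        if mtype != 3:
            raise ValueError("unknown NTLM message type %d" % mtype)
        bufs = read_buffers(msg, (12, 20, 28, 36, 44))
    except struct.error as exc:
        raise ValueError("truncated NTLM message") from exc
    (_, lm), (_, nt), (_, domain), (_, user), (_, host) = bufs
    # Older clients omit the flags word; it exists only if the data starts at 64 or later.
    first_data = min([start for start, data in bufs if data] or [len(msg)])
    flags = struct.unpack_from("<I", msg, 60)[0] if first_data >= 64 else 0
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
    return {
        "type": 3,
        "flags": flags,
        "variant": classify_response(lm, nt, flags),
        "lm_len": len(lm),
        "nt_len": len(nt),
        "domain": domain.decode(enc, "replace"),
        "user": user.decode(enc, "replace"),
        "workstation": host.decode(enc, "replace"),
    }


def build_type3(domain, user, host, lm, nt, flags):
    """Assemble a Type 3 header value for the constructed samples below."""
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
    parts = [lm, nt, domain.encode(enc), user.encode(enc), host.encode(enc), b""]
    offset, table, payload = 64, b"", b""
    for part in parts:
        table += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    msg = SIGNATURE + struct.pack("<I", 3) + table + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed samples: the response bytes are filler, not real hashes.
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(
    SIGNATURE + struct.pack("<II", 1, FLAG_UNICODE | FLAG_NTLM)).decode("ascii")
SAMPLE_V1 = build_type3("WS01", "alice", "WS01", b"\x11" * 24, b"\x22" * 24,
                        FLAG_UNICODE | FLAG_NTLM)
SAMPLE_V2 = build_type3("CORP", "bob", "PC7", b"\x33" * 24,
                        b"\x44" * 16 + b"\x01\x01" + bytes(30), FLAG_UNICODE | FLAG_NTLM)

if __name__ == "__main__":
    for header in (SAMPLE_TYPE1, SAMPLE_V1, SAMPLE_V2):
        print(parse_ntlm_header(header))
```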



Re: [squid-users] mswin_check_lm_group - Time to check?

2008-02-14 Thread Guido Serassio

Hi,

At 12:31 14/02/2008, Paul Cocker wrote:

Quite simply, how often does the mswin_check_lm_group process check
group membership? Is it every time a rule referencing a group is
triggered, or does it keep a cache and update it every X minutes? If the
latter, is this configurable?


There is no caching in mswin_check_lm_group, while squid uses a 
cache for all authentication info.



Also, is there a way to add timestamps against errors it logs in
cache.log?


No, the code must be changed for this.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid Win32 SSL version

2008-02-04 Thread Guido Serassio

Hi,

At 11:05 04/02/2008, Tomer Brand wrote:

Hi All,

I am trying to run SQUID as reverse proxy with SSL.
I downloaded 2.6.STABLE18 with SSL support from
http://squid-mirror.acmeconsulting.it/download/dl-squid.html
I copied:
 - ssleay32.dll
 - libeay32.dll

To system32 and created a certificate using OpenSSL.

SQUID process gets terminated when the proxy machine gets HTTPS request
(Working great for HTTP) with the following message:

OPENSSL_Uplink(100EB010,07): no OPENSSL_Applink

Any idea?


As you can read, the SSL enabled binaries are declared experimental.
There are two reasons for this:
- The SSL binaries are automatically generated during a release 
without the test of the SSL functionality

- I use pre-built Windows OpenSSL libraries, out of my quality control.

Could you please send me the SSL section of your squid.conf, 
so I can do some testing?


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] List of tokens or macros used in error page templates?

2008-02-02 Thread Guido Serassio

Hi,

At 05:02 02/02/2008, Amos Jeffries wrote:


 Do you think that includes fixing that %i is always set to 0.0.0.0, even
 when I turn Forwarded-for back on?

I know for 3.x it does. not sure about 2.6, but its likely. if not, we
need a bug report on it.


This bug was fixed by myself in August 2006 starting from 2.6 STABLE4 
and 3.0.PRE5:

http://www.squid-cache.org/bugs/show_bug.cgi?id=212

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] WCCP Support for SquidNT

2008-02-02 Thread Guido Serassio

Hi,

At 21:50 31/01/2008, Squid Dev wrote:

Hi guys,

I've seen some posts already (dated a while back) that there is no
support as of yet for WCCP on SquidNT, due to the lack of
implementation/integration of GRE on Windows.

Is this still the case? if so, is there any sort of development
towards a solution?


As I know, nothing.



On a different note, I understand that it is fundamentally impossible
to authenticate users while running Squid in transparent mode. Is
there a way to capture the client's username while running Squid in
transparent mode?


identd is supported on Windows:
http://ftp.teledanmark.no/pub/windows/Identd/

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid3 Win32 binary?

2008-01-29 Thread Guido Serassio

At 08:35 28/01/2008, howard chen wrote:

Hi,

I have been following from squid homepage to:
http://squid-mirror.acmeconsulting.it/download/dl-squid.html

Seems that currently there is no squid3 for win32 yet, is it true?


Correct, look here into the 4.2 section:
http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE1-RELEASENOTES.html

Maybe that will be available with STABLE2.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



RE: [squid-users] squidGuard 1.3.0 released

2007-11-07 Thread Guido Serassio

Hi,

At 09.05 06/11/2007, Paul Cocker wrote:

Someone care to explain the difference, or history, behind squidGuard
and squidGuard? :)


You can find some info here:

http://sourceforge.net/forum/forum.php?forum_id=752479

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] RE: Running Squid on NT default domain on client

2007-11-06 Thread Guido Serassio

Hi,

At 11.11 06/11/2007, Wever, J. wrote:

Hi  People,

I have set up Squid 2.6 on a Win 2003 server with ntlm authentication,
it works great only one problem is that my client (linux thinclients)
are not joined to the domain and whenever they are prompted for a
user/pass the user has to fill: domain\user for it to work.

If the client (user) types just his username and password the hostname
is used as the domain.


This is correct NTLM behaviour: it happens also on Windows clients 
not joined to a domain.
Correctly Internet Explorer displays a login dialog box with three 
fields (username, password and domain) for NTLM authentication, while 
Firefox displays always a two fields dialog box for both basic and 
NTLM authentication.



I have searched the faq and the email database and found many replies
about configuring samba with smb.conf to use the default domain, however
i'm not using samba.

Is there anywhere else where i might set the default domain so my users
only have to fill in a username and a password (without domain\)?


This is a Client side problem, not a server side problem: It's the 
client that fills the domain field of the NTLM request with the local 
machine name. I don't know if it's possible to set the default NTLM 
domain used for authentication on the Linux client.


Regards

Guido Serassio



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



[squid-users] squidGuard 1.3.0 released

2007-11-05 Thread Guido Serassio

We are pleased to announce the availability of the release 1.3.0 of
squidGuard.

squidGuard-1.3.0 is based on the original squidguard-1.2.0 codebase,
but has many new publicly available enhancements and features which
have been developed over the last six years after squidGuard-1.2.0
was released, and these have now been rolled into this formal
squidguard-1.3.0 release. This version also adds native Windows
support using the MSYS+MinGW build environment.

This new release can be downloaded from the squidGuard Sourceforge
project:

   http://sourceforge.net/project/showfiles.php?group_id=184120


The most important new additions in this squidGuard-1.3.0 release are:


  * Imported squidguard-sed.patch from K12LTSP project. This allows
squidGuard to rewrite the Google URL with the safe=active tag


  * Updated the redirector protocol to Squid 2.6 version


  * Imported netdirect-squidGuard-full.patch based on work of
Chris Frey and Adam Gorski


  * Native Windows port using MSYS+MinGW environment


We openly welcome and encourage bug reports should you run into any
issues with the new release. Bug reports can be entered into the
squidGuard Bug Tracker at:
http://sourceforge.net/tracker/?group_id=184120&atid=907981


This squidGuard-1.3.0 software was brought to you by Guido Serassio
and Norbert Szasz, and is mainly based on many third-party contributions
made available over the years. Many thanks to all contributors who have
submitted new features.


This work is not related in any way with the so called official
squidGuard project at the new www.squidguard.org.


Note: If there is interest in becoming an official sponsor for the
ongoing squidGuard maintenance or development efforts please contact
using the project forum at http://sourceforge.net/forum/?group_id=184120


Best regards
Guido Serassio & Norbert Szasz



Re: [squid-users] How often is mswin_check_lm_group.exe Can't find DC for user's domain logged?

2007-10-16 Thread Guido Serassio

Hi,

At 12.49 15/10/2007, Paul Cocker wrote:

I'm seeing mswin_check_lm_group.exe Can't find DC for user's domain
'cdltd.co.uk' in the cache.log file.


You must use only netbios domain names, not FQDN domain names.
mswin_check_lm_group.exe is a Lan Manager based helper, so netbios 
name resolution (WINS) is involved.



 Does the program try to contact the
domain on startup?


No.


 Does each child try to contact the domain?


Yes, during every user validation.


 Is this
error a reflection of a failure to connect to the domain for a single
connection?


Maybe.


Basically, how severe is this error?


It is a fatal error for the displayed user validation.


 Are one or two expected?


This should never happen.


Should I
only worry when I see a cache.log swamped with them? Or is this a major
concern?


Hard to answer to this question, maybe a DC slowness problem, a name 
resolution problem, a network problem, 


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] DISKD Autoremoved

2007-10-14 Thread Guido Serassio

Hi,

At 02.53 14/10/2007, Juan C. Crespo R. wrote:

hi

   Does anyone know why when I try to install squid with diskd, 
this option autoremove itself?


./configure --prefix=/usr/local/squid --enable-async-io=128 
--enable-storio=diskd,ufs --enable-


There is a typo: it should be  --enable-storeio.

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid and Vista.

2007-10-10 Thread Guido Serassio

Hi,

At 02.25 10/10/2007, Adrian Chadd wrote:

On Tue, Oct 09, 2007, Tom Vivian wrote:
 My setup was/is working fine; SquidNT 2.5 using ntlm_auth on Windows Server
 2003.
 I have just setup a MS Vista client on the network and it is denied access
 (TCP_DENIED/407). If I remove the proxy settings from IE's on the Vista PC
 it can access the net fine.

 Is this a Squid problem or something else.

You should first upgrade to Squid-2.6.


Vista comes with Internet Explorer 7, so check also if  the Enable 
Integrated Windows Authentication advanced security option is 
enabled. The default for Internet Explorer 7 is not enabled.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Simple authentication on a home-based (ie no domain controller) WinXP box

2007-09-21 Thread Guido Serassio

Hi,

At 09.46 19/09/2007, Henrik Nordstrom wrote:

On tis, 2007-09-18 at 22:34 -0700, Jeffery Chow wrote:
  Ideally I would store a username/password pair in a text file
 somewhere on my system (plaintext or not, doesn't matter), but the
 authentication helpers that I see in my distro (mswin_auth,
 mswin_negotiate_auth, mswin_ntlm_auth) don't come with enough
 documentation to tell me which one is the right one to try.

Neither, from your description you want ncsa_auth. It should be included
as well I hope, if not lets ask Guido to include it.


ncsa_auth is included into the Windows binary kit.
If needed, NCSA support tools (htpasswd and chpasswd.cgi) for Windows 
are available here:

http://squid.acmeconsulting.it/download/NCSAsupport.zip


The mswin_* helpers are for authenticating to the Windows user services.
Which may be the local accounts on your XP if you like.. The three
mswin_* helpers are one per authentication scheme (see the auth_param
directive).


Local account authentication can be done using mswin_auth (basic) and 
mswin_ntlm_auth (NTLM). For negotiate usage, a Kerberos KDC is 
needed, so it cannot be used without an AD Windows domain.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Bungled squid.conf due to cache_dir

2007-09-14 Thread Guido Serassio

Hi,

At 13.09 14/09/2007, Paul Cocker wrote:

I'm setting up SquidNT 2.6STABLE14 using a fresh config on a Windows
2003 server. I've located it in the folder D:\Program Files\squid,
mainly because there are several other programs installed on the server
and it keeps the folder list clean, they're all within this directory.

However, when I try to start the service I get the following:

FATAL: Bungled squid.conf line 1072: cache_dir ufs D:/Program
Files/squid/var/cache 2000 16 256

Now, I assume this is due to spaces in the directory path which I
thought the quotes would resolve. It occurred to me that perhaps the
options needed to be contained within the path, so I moved the closing
quote after the 256, though the error remained unchanged (barring
placement of the quote mark), but then this wouldn't work anyway unless
squid could read my mind regarding the chance of numbers being in a
directory name, or didn't accept them there at all.

I also considered the possibility that cachemgr.conf was to blame,
seeing as it simply had localhost in there, and I am using port 3129 for
this build of squid as an older, 2.5 version is running on 3128, though
so long as squid responds, regardless of version, it shouldn't matter
anyway should it? I tried changing localhost to localhost:3129 just in
case, but it made no difference.

Can this be made to work in a configuration where there are spaces in
the directory names?


Looking into Windows support section of Release Notes 
http://www.squid-cache.org/Versions/v2/2.6/RELEASENOTES.html#s6, 
about the Compatibility Notes, you can read:

Paths with spaces (like 'C:\Programs Files\Squid) are NOT supported by Squid
So the answer to your question is no.

In theory this could work using Windows short path names, but this 
is not a reliable solution because short path names generation is volume 
dependent.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] problem with win2k

2007-09-12 Thread Guido Serassio

Hi,

At 10.19 12/09/2007, Israel Torres wrote:

I use the Win port of squid in Windows 2000.

When I start the service it works perfectly for 10 url's but later the
service quit, I use Windows 2000 and a 7Gb Cache file it's too much??

This is the win log:

Thanks a lot,

2007/09/11 17:05:08| comm_select: select failure: (10055) WSAENOBUFS, No
buffer space available.

2007/09/11 17:05:08| Select loop Error. Retry 1


This seems to be a memory problem.

How much RAM on your system, and how many used Kernel Memory ?
(See Task manager counters)

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] latest squid 2.6 stableX or squid 3.0 binaries to download for windows xp

2007-09-06 Thread Guido Serassio

Hi,

At 11.27 06/09/2007, Henrik Nordstrom wrote:

On tor, 2007-09-06 at 02:05 -0700, squid inbox wrote:
 hi

 To be deployed on windows OS.
 where can i get the latest binaries version of squid ?

The latest binary release for Windows is 2.6.STABLE14, but I guess Guido
will make a 2.6.STABLE16 binary soon.

 2.6 stable15 or there are later versions of 2.6 ?

You do not want 2.6.STABLE15.. a bit broken..


Correct, I have missed the release of STABLE15 binaries for this reason.
Today I have built STABLE16 binaries, they are in the testing phase, 
I'm expecting to publish the new build in 1-2 days.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Squid 3.0-PRE7 won't build with snmp

2007-09-05 Thread Guido Serassio

Hi,

At 02.12 05/09/2007, Nicole wrote:


 Squid 3.0-PRE7 seems to not build if you have --enable-snmp.
 Server was FreeBSD-6.2 amd64

 When --disable-snmp was specified it built ok. Which seems to be opposite
perhaps from a bug I noticed, #2071


It should be a dependency problem in Makefile: running make clean 
before the build should fix the problem.


See my comment to the bug #2071: 
http://www.squid-cache.org/bugs/show_bug.cgi?id=2071.


Regards

Guido Serassio






Re: [squid-users] Squid 3.0-PRE7 won't build with snmp

2007-09-05 Thread Guido Serassio

Hi,

At 21.37 05/09/2007, Nicole wrote:

> On 05-Sep-07 My Secret NSA Wiretap Overheard Guido Serassio Saying  :
> > Hi,
> >
> > At 02.12 05/09/2007, Nicole wrote:
> >
> > > Squid 3.0-PRE7 seems to not build if you have --enable-snmp.
> > > Server was FreeBSD-6.2 amd64
> > >
> > > When --disable-snmp was specified it built ok. Which seems to be opposite
> > > perhaps from a bug I noticed, #2071
> >
> > It should be a dependency problem in Makefile: running make clean
> > before the build should fix the problem.
> >
> > See my comment to the bug #2071:
> > http://www.squid-cache.org/bugs/show_bug.cgi?id=2071.
> >
> > Regards
> >
> > Guido Serassio
>
> Hi
> Yes I tried that. Sadly the build still fails.
>
> In fact I was also surprised that snmp was enabled by
> default and that I had to use --disable-snmp to get it to build.

I have done the following test:

- configure --enable-snmp
- make (OK)
- configure --disable-snmp (but also configure only should be the same)
- make (FAILED, because the files are not compiled again)
- removed manually the .o files
- make (OK)

Please check if make clean really removes the .o files.
I will run some more build tests.

Regards

Guido






Re: [squid-users] ldap and digest on squid for windows

2007-07-27 Thread Guido Serassio

Hi,

At 16.29 26/07/2007, [EMAIL PROTECTED] wrote:

> Good afternoon,
> I am french and i am sorry for my bad english.
> I use Squid 2.6 stable 14 with ssl support on a windows Xp Pro on a
> Windows Domain with Windows Server 2003
>
> I configure squid.conf to use ldap basic authentication and it works fine !
> but now I try to use ldap Digest authentication and problem !
> I write this mail because the documentation and the forums for squid
> on Windows are very poor.
>
> Please, can you help me ?
>
> auth_param digest program c:/squid/libexec/digest_ldap_auth.exe -e -A unicodePwd -b dc=aude,dc=com -D cn=Administrateur,cn=Users,dc=aude,dc=com -w toto -h 192.1.1.1 -v3 -Z
>
> auth_param digest children 5
> auth_param digest realm AUDENCIA
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> ...
> acl ETUDIANTS proxy_auth REQUIRED
> http_access allow ETUDIANTS
>
> The service Squid starts and my navigator asks me for authentication but
> after 3 tries : Access Denied !

This is not a Windows problem.

I think that you are using the helper in the wrong way: this helper
needs to STORE the user passwords in an LDAP directory service, and
cannot authenticate against any LDAP user.

You should read the documentation carefully.

Regards

Guido




Thank you !




-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
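
The reason behind the answer above, as an added example (not from the thread and not the helper's own code): with Digest the browser never sends the password, so the proxy can only check the client's response if the helper hands back HA1 = MD5(user:realm:password) read from the directory. The sketch assumes the Squid 2.x helper convention of a "user":"realm" request line answered by a bare HA1 or ERR, and a realm:HA1 attribute layout; the user name, password and directory are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # RFC 2617: HA1 = MD5(user ":" realm ":" password)
    return md5_hex(f"{user}:{realm}:{password}")

def directory_value(user, realm, password, delim=":"):
    # Assumed attribute layout for pre-hashed entries: realm<delim>HA1
    return f"{realm}{delim}{ha1(user, realm, password)}"

# Constructed directory: user name -> values of the password attribute
DIRECTORY = {"etudiant1": [directory_value("etudiant1", "AUDENCIA", "constructed-pw")]}

def helper_reply(line, directory=DIRECTORY, delim=":"):
    """Answer one request line of the form "user":"realm" with HA1 or ERR."""
    line = line.strip()
    if len(line) < 2 or line[0] != '"' or line[-1] != '"':
        return "ERR"
    parts = line[1:-1].split('":"')
    if len(parts) != 2:
        return "ERR"
    user, realm = parts
    for value in directory.get(user, []):
        stored_realm, _, stored_ha1 = value.partition(delim)
        if stored_realm == realm and len(stored_ha1) == 32:
            return stored_ha1
    return "ERR"  # unknown user, realm not stored, or no usable hash

def expected_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_accepts(helper_line, client_response, **request):
    """Proxy side: accept only if the helper's HA1 reproduces the client's response."""
    reply = helper_reply(helper_line)
    if reply == "ERR":
        return False
    return hmac.compare_digest(expected_response(reply, **request), client_response)

if __name__ == "__main__":
    req = dict(method="GET", uri="http://example.invalid/", nonce="n0", nc="00000001", cnonce="c0")
    good = expected_response(ha1("etudiant1", "AUDENCIA", "constructed-pw"), **req)
    print(proxy_accepts('"etudiant1":"AUDENCIA"', good, **req))  # stored hash matches
    print(proxy_accepts('"etudiant1":"OTHER"', good, **req))     # realm not in directory
```

A helper that can only test a bind against the directory gets a yes or no, never HA1, so it has nothing to return here.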



Re: [squid-users] Re: Squid 2.5 STABLE7 failing under Cygwin Windows XP

2007-07-24 Thread Guido Serassio

Hi,

At 06.47 24/07/2007, Santosh Rani wrote:

> > Why are you not using the native Windows binary kits ?
>
> I have tried using binaries for SquidNT. But it gave me error in my cache.log;
>
> 2007/07/14 21:18:42| ipcCreate: CHILD: G:/Proxy1/libexec/unlinkd.exe:
> (2) No such file or directory
>
> I have seen that the directory as well as the file 'unlinkd.exe' exists there.
>
> I would rather be happier to use the binaries since it is easier to
> install it as a windows service and also that it would start
> automatically upon bootup.
> But because of above mentioned error I left it. It is my mistake
> though that I did not report the problem (pardon me please).

Argh !!!, this is a very important detail  :-(

> When I am already running Bofi's Squid 2.5 Stable3 on this machine,
> can I run another Squid instance under Windows with a different
> service name?

Yes, you can, but with the correct config.
General guidelines for multiple instances:
http://wiki.squid-cache.org/MultipleInstances

On the Windows side, you must use two different
Squid services with different service name and different command line.

See -O and -n options.

something like:

squid -i -n squid1 -O -f c:/squid1/etc/squid.conf
squid -i -n squid2 -O -f c:/squid2/etc/squid.conf

Regards

Guido





> On 24/07/07, Santosh Rani [EMAIL PROTECTED] wrote:
> > My try to build Squid with --enable-win32-service failed under Cygwin
> > with the error; It does not recognise this directive.
> >
> > Regards
> >
> > On 23/07/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> > > On mån, 2007-07-23 at 16:05 +0530, Santosh Rani wrote:
> > >
> > > > Further, I wish I could automate this so that Squid under Cygwin
> > > > starts on bootup.
> > >
> > > I think the following should work:
> > >
> > > Built Squid with --enable-win32-service
> > >
> > > Then install it as a service by using
> > >
> > > /path/to/sbin/squid -i
> > >
> > > Another option is to use the service wrapper from the Windows resource
> > > kit.. used that for various non-windows daemons many years ago (NT4
> > > era).
> > >
> > > Regards
> > > Henrik
 







Re: [squid-users] Re: Squid 2.5 STABLE7 failing under Cygwin Windows XP

2007-07-23 Thread Guido Serassio

Hi,

At 12.35 23/07/2007, Santosh Rani wrote:

> Sir,
>
> My firewall was blocking it.  blush
>
> Further, I wish I could automate this so that Squid under Cygwin
> starts on bootup.
>
> Kind hints please.

Why are you not using the native Windows binary kits ?
http://www.squid-cache.org/Download/binaries.dyn
You will resolve all your problems.

Regards

Guido

> Regards
>
> On 22/07/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
>
> > On sön, 2007-07-22 at 17:32 +0530, Santosh Rani wrote:
> >
> > > Could someone please suggest why can't my Squid under Cygwin succeed
> > > direct connection to the Internet?
> >
> > No idea. Should work.
> >
> > > Why it tries to find a Parent Cache
> > > when it is not configured to do so?
> >
> > It doesn't.
> >
> > Perhaps it's not using the squid.conf you think it's using.
> >
> > Or maybe you have a local firewall which denies that Squid from making
> > outgoing connections?
> >
> > Regards
> > Henrik







Re: [squid-users] Squid authenticating to 2 Separate Active Directory Domains

2007-05-01 Thread Guido Serassio

Hi,

At 18.07 30/04/2007, Ric Lonsdale wrote:

> Hi,
>
> I want to implement Squid, using Red Hat Enterprise 4.0, with authentication
> via NTLM, using Samba, to 2 separate Windows 2003 Active Directory domains.
>
> These domains do not trust each other.
>
> Is it possible to setup Samba so that it queries one domain first, then if
> the user does not exist on that domain, it then queries the other domain?

Using Samba this cannot be done.
It's a Windows domain membership problem: your samba machine, like an
ordinary Windows machine, can be a member of only one domain.

> If you think my question should be directed to Samba developers please let
> me know, but I know a lot of you have experience of Squid with AD setups.

I think that Samba Guys cannot change the Windows architecture  :-)

Regards

Guido






Re: [squid-users] SquidNT 2.6_12 cache_effective_user --- not working

2007-04-29 Thread Guido Serassio

Hi,

At 20.10 29/04/2007, Andreas Woll wrote:

> Hi all,
> I hope for some help.
> I'm currently using SquidNT2.5_9 and now I wanted to upgrade to the
> newest version.
> All things are set so far, but I still got the problem of an
> unexpected termination of Squid.
>
> It says in cache.log that the user set in tag cache_effective_user
> is not allowed to write in folder e:/squid26_12/var/logs. I don't know
> why, because I granted the group Everyone full access to it and it can
> write the cache.log file.

Are you using Cygwin ?

In the other native builds of Squid (MinGW or Visual Studio) the
cache_effective_user option is meaningless. You must set the Windows
service account to change the Squid running account.


Regards

Guido






RE: [squid-users] SquidNT2.6 - Active Directory

2007-03-28 Thread Guido Serassio

Hi,

At 23.01 27/03/2007, Sergio Gleser wrote:

> My answers ...
>
> > According to your squid.conf. the internet
> > windows group should be a Domain Global group, is this true ?
>
> True. The Internet Group is a Global Security Group.
>
> > And the case is correct ? The helper is case
> > sensitive, you can use the -c option for case insensitive compare.
> > If yes, you could try to debug the external acl
> > helper adding the -d option and look into cache.log to see what happens.
>
> I send you, my cache.log.

This is not correct:

/mswin_check_lm_group.exe[976]: Valid_Global_Groups: checking group 
membership of 'grupoapex\sgleser'.

/mswin_check_lm_group.exe NetServerGetInfo() failed.'

The helper is not able to retrieve the group membership for the user sgleser.
There is something strange in your AD environment: I have installed
just today a 2.6 STABLE12 on a Windows 2003 machine member of a multi
domain Windows 2003 AD Forest without any problem.


Regards

Guido






Re: [squid-users] Squid on Windows XP

2007-03-25 Thread Guido Serassio

Hi,

At 00.49 25/03/2007, Chris Nighswonger wrote:

> Hi all,
> I installed the windows port of squid by Acme Consulting on an XP
> workstation with a dialup connection to the inet. Fixed up the
> squid.conf so that squid listens on 127.0.0.1 and set the IE proxy
> settings accordingly. Sadly I get no page-loads.
> The cache log shows that squid starts up OK and picks up the dns
> addresses assigned to the dialup connection. However, the pagefaults
> count on exit looks extremely high:
>
> Page faults with physical i/o: 1640
>
> I use aufs on my FC6 squid and assumed that this would be fine on
> xp. Here is my cache_dir line (will tune later):
>
> cache_dir aufs c:/squid/var/cache 1024 16 256
>
> Neither access.log nor store.log have any entries.
>
> Any thoughts on what is wrong here? Does this port not play well on
> XP? Or have I chosen the wrong store type? Or missed something else?

Squid works fine on all Windows versions starting from 2000 to the latest Vista.

Do you have any personal firewall running on your XP machine ?

Regards





