Re: [squid-users] realplayer and squid

2005-09-06 Thread Carlos Zottmann
Hi !!

By the time we configured Real Player access through squid, it wasn't
capable of authenticating.

To solve this, we've created the following acl and access rules:

acl RealPlayer browser R1
http_access allow RealPlayer

Note that the http_access line must be placed before the line where
you enforce authentication.

Regards,
Carlos.

2005/9/6, Ronald Warner [EMAIL PROTECTED]:
 good day.  we are running 2.5stable9 with proxy authentication.  when
 there is no proxy
 authentication, realplayer is able to play sites with rm on it such as
 http://www.biblegateway.com/passage/?search=psalm%20119version=31.
 
 however, when proxy authentication is enabled, sites like the one
 above can't play the audio.
 
 i have already emailed real support.  i have done the configurations
 they suggested but audio still won't run.  realplayer says connection
 to proxy server could not be established.  you may be experiencing
 network problems.
 rtsp://ra.gospelcom.net/bible/english/niv/max_mclean/rm/english-niv-gen-02-mm.rm.
  when proxy auth is disabled, i don't get this error.
 
 thanks for the help/clues.



Re: [squid-users] squid firwall rules for windowsupdate validation?

2005-08-25 Thread Carlos Zottmann
Hi!!

Windows Update really has problems authenticating to squid, so you
need to use some rules in order to get it working. The rules that we
are using are the following:

acl WindowsUpdateSites dstdomain .windowsupdate.com .windowsupdate.microsoft.com .update.microsoft.com

Then, before the http_access rule that requires user authentication,
use this one
http_access allow WindowsUpdateSites

Regards,
Carlos.

2005/8/25, Matt Ashfield [EMAIL PROTECTED]:
 Hi All
 
 A bit off topic, but I've had some users complain that they are having
 problems when going to windowsupdate and it tries to validate their copy of
 windows. It seems like a timeout issue.
 
 What are people who are running squid as a firewall allowing through to
 allow for windowsupdate?
 
 Matt Ashfield
 Network Analyst
 Integrated Technology Services
 University of New Brunswick
 (506) 447-3033
 [EMAIL PROTECTED]
 
 
 



Re: [squid-users] block a specific file

2005-08-22 Thread Carlos Zottmann
Hi !!

You can use url_regex for that. I guess you can get instructions on
how to use it on the squid faq or on the squid.conf contents.

Regards,
Carlos.

2005/8/22, John Halfpenny [EMAIL PROTECTED]:
 
 hi.
 
 
 
 does anyone know if squid can be configured to block a specific filename as 
 opposed to mime type extensions?
 
 
 
 thanks
 
 
 
 john
 
 
 
 
 
 
 



Re: [squid-users] Re: configuring Squid to authenticate AND to log users' access to forbidden sites.

2005-08-22 Thread Carlos Zottmann
Hi !!

  1)  My Squid.conf relevant lines below:
 
  [...]
  acl autenticados proxy_auth REQUIRED
  [...]
  acl liberado dstdom_regex /etc/squid/liberado.txt
  acl semacesso dstdom_regex /etc/squid/semacesso.txt
  [...]
  http_access allow autenticados
 
  http_access allow liberado
  http_access deny semacesso
  [...]
  # And finally deny all other access to this proxy
  http_access allow localhost
  http_access deny all
  [...]
 
  In this configuration it allows an authenticated user to access any site,
  even the forbidden ones. OTOH, I put the 'liberado' and 'semacesso' lines
  ABOVE the authentication line, the user does not access forbidden sites
  and Squid logs that into Cache.log, but WITHOUT the lame user's login.
 
 Untested:
 http_access allow localhost
 http_access deny semacesso autenticados
 http_access allow autenticados
 http_access deny all
 

When you use http_access allow autenticados as your first rule, you
are saying that anyone who authenticates has access to any site, as
squid's rules are processed in the order that they are declared, so
you should place your deny rules before this one.

  2) Is there a better way to permit access to non-pornographic sites (eg
  esSEX.ac.uk) but block pornographic ones (eg SEX.com)?
 
 A content scanning proxy. Unfortunately I don't have any experience with
 this (the squids I manage either don't have content scanning, or they talk
 to a parent proxy which does scan but which I don't manage)
 
 Joost
 
 

You can use DansGuardian, which is a url and content filter that works
with squid, or squidguard, which is just a url filter. You can also use
some public lists of urls to be blocked by either filter.

Regards,
Carlos.


Re: [squid-users] Max Challgenge Reuse

2005-08-19 Thread Carlos Zottmann
Hi Henrik,

We are preparing to test the Max Challenge Reuse parameter, but we
were wondering if there is any reasonable value that we should start
with ...

Can you help me on this?

Thanks in advance,
Carlos.

2005/8/9, Henrik Nordstrom [EMAIL PROTECTED]:
 On Fri, 5 Aug 2005, Carlos Zottmann wrote:
 
  Hi !! Thanks for the answers of both of you !!
 
  By stability issues, do you mean that Squid crashes with NTLM 
  Challenge-Reuse?
 
 Yes, there are at least two independent reports of this.
 
  The problem we are facing here is due to a bug in Windows Event Log.
  When the windows log file becomes greater than a certain size, smaller
  than the maximum size we have specified, it stops logging new events.
 
 Nice.
 
  To prevent losing security logs, we decided to run a scheduled job
  that copies and empties the windows event log every four hours.
 
 Sounds like a reasonable idea.
 
  Whenever this job runs, the DC becomes slow, and the ntlm helpers
  start to enter in R state, probably waiting for the DC response.
 
 Hmm.. R is reserved, waiting for the client to send the next NTLMSSP
 blob in the NTLM authentication handshake.
 
 B is busy waiting for the DC response.
 
 
 You could try enabling challenge reuse in Squid to lower the number of
 queries sent to the DC, but don't expect it to make magics and watch the
 stability of your Squids after doing so.
 
 Mvh
 Henrik



Re: [squid-users] Windows update hangs

2005-08-18 Thread Carlos Zottmann
Hi,

I am facing the following problem with Windows Update ... It works
nice with squid until it has to download any file ... At this point
the windows update client sends a HEAD method to the site, and it
gets Denied by squid ...

I have already declared an acl for the HEAD method and allowed this
method for the windows update sites, as follows:

acl HEAD method HEAD
acl WindowsUpdateSites dstdomain .windowsupdate.com .windowsupdate.microsoft.com .update.microsoft.com

http_access allow HEAD WindowsUpdateSites

Squid's access log shows this:

1124403238.616590 10.x.x.x TCP_DENIED/403 310 HEAD
http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/ndp1.1sp1-kb867460-x86_74a5b25d65a70b8ecd6a9c301a0aea10d8483a23.exe
- DIRECT/206.24.192.222 text/html

Does anyone know what can be wrong?

Regards,
Carlos.

2005/8/16, Joost de Heer [EMAIL PROTECTED]:
 Lasse Mørk said:
  ok. I've put it at the end of squid.conf :(
  Then tried to move it up a little.
 
  Now it looks like this:
  --snip--
 
  acl WIN1 dstdomain http://*.update.microsoft.com
 
 acl WIN1 dstdomain .update.microsoft.com
 
 Joost
 



Re: [squid-users] Blocking Web bugs?

2005-08-15 Thread Carlos Zottmann
Hi Kevin !!

Thanks for the answer  I was afraid of something like that, but it
is good to know it anyway ...

Regards,
Carlos.

2005/8/13, Kevin [EMAIL PROTECTED]:
 On 8/12/05, Carlos Zottmann [EMAIL PROTECTED] wrote:
  Does anyone know a way to block web bugs (0x0 gifs) with squid?
 
 Interesting question.
 
 Since the function of a web bug is fulfilled when the URL is retrieved
 from the remote server, and since Squid can't see the GIF's dimensions
 until after the object is received, I'd say it's technically impossible
 to effectively block web bugs using Squid, short of composing a regular
 expression to match all likely tracking bug URLs (watch out for false
 positives).
 
 You could certainly modify Squid (or any caching proxy) to detect when
 a received image has dimensions below a certain minimum, and react by
 forcing any _future_ requests for that object to be served from cache
 regardless of the headers supplied by the server or a cookie or other
 header requested by the client.  This wouldn't help the first time any
 user triggers a web bug, but would effectively keep private any future
 requests for that same exact URL.
 
 Kevin Kadow
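
A sketch of the idea in Kevin's reply, written outside Squid as an added example (it is not part of the original message and not Squid code): read the dimensions from a GIF or PNG header once the object has arrived, and pin tiny images so later requests for the same URL never reach the origin. The names `image_dimensions` and `TinyImagePinner` and the sample bytes are constructed for illustration.

```python
"""Pin tiny tracking images after first sight (illustration, not Squid code)."""
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed sample headers: a 1x1 GIF and the start of a 468x60 PNG.
TINY_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
BANNER_PNG = PNG_SIG + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 468, 60)


def image_dimensions(data):
    """Return (width, height) from a GIF or PNG header, or None if unknown."""
    # GIF: 6-byte signature, then little-endian 16-bit width and height.
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    # PNG: 8-byte signature, 4-byte chunk length, "IHDR", then big-endian
    # 32-bit width and height.
    if data[:8] == PNG_SIG and data[12:16] == b"IHDR" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    return None  # truncated header or a format this sketch does not parse


class TinyImagePinner:
    """Serve previously seen tiny images locally, whatever the headers say."""

    def __init__(self, max_side=1):
        self.max_side = max_side   # images up to max_side x max_side are pinned
        self.pinned = {}           # exact URL -> stored body

    def handle(self, url, fetch):
        """Return (body, contacted_origin) for one client request."""
        if url in self.pinned:
            # The tracker never sees this request: no origin fetch at all.
            return self.pinned[url], False
        body = fetch(url)          # first sight: the bug still fires once
        dims = image_dimensions(body)
        if dims is not None and max(dims) <= self.max_side:
            self.pinned[url] = body
        return body, True


if __name__ == "__main__":
    pinner = TinyImagePinner()
    url = "http://tracker.example/pixel.gif?id=42"   # constructed URL
    for attempt in (1, 2, 3):
        _, origin = pinner.handle(url, lambda u: TINY_GIF)
        print(attempt, "origin contacted" if origin else "served from pin")
```

As the reply says, the pin is keyed on the exact URL, so a tracker that changes the query string on every page view is seen as a new object each time.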



Re: AW: [squid-users] Windows update hangs

2005-08-12 Thread Carlos Zottmann
Hi everybody !!

Don't know if a solution can be found here, but the following link shows
an article describing how the Windows Update client determines which
proxy server to use ...

http://support.microsoft.com/?kbid=900935

Regards,
Carlos.

2005/8/12, Lasse Mørk [EMAIL PROTECTED]:
 Still runs terrible slow!
 
 It is almost impossible to use windows update...
 This ain't good!
 
 
  Try to use https://update... Instead of http.. That works for us...
 
  But you're right, there is a problem with squid and windowsupdate. If i
  set proxy settings to automatically (dns or dhcp delivers the wpad
  settings) then windowsupdate fails.
 
 
  --
  Kind regards!
  Axel Mueller
 
   ++
Axel Müller
ICT - Services
T-Systems GEI GmbH
Service Line Systems Integration
IBU Public and Healthcare
 
Goslarer Ufer 35, 10589 Berlin, Germany
Telefon: +49 30 3497-1859
FAX: +49 30 3497-1177
E-Mail: [EMAIL PROTECTED]
Internet: http://www.t-systems.com
 
 
T-Systems is a division of Deutsche Telekom
   ++
   The only problem with mornings is that they happen too early in the day
 
 
 
 
  -Original Message-
  From: Lasse Mørk [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 11 August 2005 15:22
  To: squid-users@squid-cache.org
  Cc: Aaron McDonnell
  Subject: Re: [squid-users] Windows update hangs
 
 
  Hi Aaron
  The squid is not running as a transparent proxy, and we have manually set
  the proxy settings in I-Explore.
 
  It works though, but takes 30min - 1hour or so to connect. And forever to
  download the updates. :(
 
 
  Hi Lasse
 
  It could be related to the problem I'm having, depending on how your
  proxy is set up.  I'm trying to build a box to manage the Quarantine
  network in our environment and the Windows Update site hangs/fails for
  me as well. The problem in my case is that Squid is a transparent proxy,
  and when you click on either the Custom or Express options, it briefly
  requires an SSL connection to download.windowsupdate.com - since Squid
  doesn't seem to have a way to do that in transparent mode, it fails.
 
  If I set IE to use Squid as a proxy directly, it'll work.  Have you
  tried setting the proxy settings directly in IE yet?
 
  Aaron
 
  Lasse Mørk wrote:
  Is there anyway to get around this issue?
 
  It just stalls now where it looks for latest updates.
  Maybe without caching the windows update files?
 
  I am getting kinda desperate!
 
 
 
 Hmm.. Doesn't seem to help :(
 
 It still lags and runs terribly slow.
 
 
 On 8/11/05, Lasse Mørk [EMAIL PROTECTED] wrote:
 
 Hey all
 
 squid 2.5.9-10 running debian.
 
 Does anyone know what to do, when windows update hangs ?
 Sometime it just stalls, but now and then it works, although it is
 got damn slow :(
 
 Including that, it prompts for user and passwords just before it
 checks for updates, I believe it is?
 
 Any solution to this? The best thing would be if it was possible to
 cache the updates, but in worst case I might have to remove the
 windows update site, from the proxy list.
 
 Thanks
 
 
 
   http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.54
 
   M.
 
 
 
 
 
 
 
 
  --
 
  Aaron McDonnell
  Network Administrator
  Network Operations Centre
  University of Western Ontario
  Tel: 519-661-2111 ext. 86558
 
 
 
 
 



[squid-users] Blocking Web bugs?

2005-08-12 Thread Carlos Zottmann
Hi !!

Does anyone know a way to block web bugs (0x0 gifs) with squid?

Thanks in advance,
Carlos.


Re: [squid-users] Max Challgenge Reuse

2005-08-05 Thread Carlos Zottmann
2005/8/5, Henrik Nordstrom [EMAIL PROTECTED]:
 On Wed, 3 Aug 2005, Kinkie wrote:
 
  With max_challenge_reuse set to anything but 0, squid will perform a
  replay attack on the NTLM authentication to increase authentication
  performance.
 
  Everything should work more or less fine (if you see failed auths you
  may want to enable the helper-fail-open config option and helper flag -
  be warned that doing so is a security compromise).
 
 Except that there appears to still be some Squid stability issues with
 NTLM Challenge-Reuse enabled.
 

Hi !! Thanks for the answers of both of you !!

By stability issues, do you mean that Squid crashes with NTLM Challenge-Reuse?

The problem we are facing here is due to a bug in Windows Event Log.
When the windows log file becomes greater than a certain size, smaller
than the maximum size we have specified, it stops logging new events.

To prevent losing security logs, we decided to run a scheduled job
that copies and empties the windows event log every four hours.

Whenever this job runs, the DC becomes slow, and the ntlm helpers
start to enter in R state, probably waiting for the DC response.

What we need to do is to lower Squid authentication needs, until we
solve this bug.

What would be the best way to do it?

Regards,
Carlos.


Re: [squid-users] Http_access deny and fallback from ntlm to basic

2005-08-05 Thread Carlos Zottmann
OK ... Thanks for the tip ..

We have some groups here that have access to a limited set of sites,
so our rules are like the following:

http_access allow group set_of_sites
http_access deny group

I guess we will have to turn them upside down :-)

The weirdest thing is that these rules used to work, until we applied
the security rollup for W2k SP4. After that, we had some problems
regarding squid rules with windows groups. Due to that, we removed the
security rollup. Then two things happened: the password prompts
related to deny rules, and our basic authentication, that was broken
before the installation of the security rollup, turned to work again
...

Regards,
Carlos.


2005/8/5, Henrik Nordstrom [EMAIL PROTECTED]:
 On Tue, 2 Aug 2005, Carlos Zottmann wrote:
 
  The problem we are facing is that when a user hits a rule that denies
  access, squid falls back to basic authentication and prompts the user
  for a new username and password.
 
 Make sure your deny lines end with a non-authentication related ACL, for
 example all.
 
 Regards
 Henrik
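
A toy model of how Squid walks `http_access` lines, added here as an example (it is not Squid code and not from any poster). It covers Henrik's tip in this thread and the rule-ordering discussion in the 2005-08-22 thread above about authenticating and logging access to forbidden sites. The ACL names `autenticados` and `semacesso` come from that thread; the blocked domain, the user name and the `evaluate` helper are assumptions.

```python
"""Toy model of Squid http_access evaluation (illustration only, not Squid code)."""
from dataclasses import dataclass
from typing import Optional

BLOCKED = ("sex.com",)  # constructed stand-in for /etc/squid/semacesso.txt


@dataclass
class Request:
    host: str
    user: Optional[str] = None   # None: the client has not sent credentials
    src: str = "10.0.0.5"        # constructed client address


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


# name -> (is_auth_acl, predicate). "autenticados" models proxy_auth REQUIRED.
ACLS = {
    "all": (False, lambda r: True),
    "localhost": (False, lambda r: r.src == "127.0.0.1"),
    "semacesso": (False, lambda r: _in_domains(r.host, BLOCKED)),
    "autenticados": (True, lambda r: r.user is not None),
}


def evaluate(rules, req):
    """Return (status, logged_user) for the first http_access line that matches.

    ACLs on one line are ANDed left to right; lines are tried top to bottom.
    407 = proxy asks for credentials, 403 = plain access-denied page.
    """
    logged_user = None
    action = "deny"
    for line in rules:
        action, *names = line.split()
        matched = True
        for name in names:
            is_auth, pred = ACLS[name]
            if is_auth:
                if req.user is None:
                    return 407, None      # first challenge: no credentials yet
                logged_user = req.user    # the proxy now knows who is asking
            if not pred(req):
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200, logged_user
        # A deny whose last ACL is authentication-related re-challenges the
        # client (the password prompt); any other last ACL gives a plain 403.
        if ACLS[names[-1]][0]:
            return 407, logged_user
        return 403, logged_user
    # No line matched: the default is the opposite of the last line's action.
    return (403 if action == "allow" else 200), logged_user


# Four orderings of the same policy, written without the "http_access" prefix.
ALLOW_FIRST = ["allow autenticados", "deny semacesso", "deny all"]
DENY_BEFORE_AUTH = ["deny semacesso", "allow autenticados", "deny all"]
DENY_ENDS_WITH_AUTH = ["deny semacesso autenticados", "allow autenticados", "deny all"]
DENY_ENDS_WITH_ALL = ["deny semacesso autenticados all", "allow autenticados", "deny all"]

if __name__ == "__main__":
    bad = Request("www.sex.com", user="alice")   # constructed request
    for label, rules in [("allow first", ALLOW_FIRST),
                         ("deny before auth", DENY_BEFORE_AUTH),
                         ("deny ends with auth ACL", DENY_ENDS_WITH_AUTH),
                         ("deny ends with all", DENY_ENDS_WITH_ALL)]:
        print(f"{label:26s}", evaluate(rules, bad))
```

Only the last ordering both denies the forbidden site with a plain error page and has a username available for the log.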



[squid-users] Http_access deny and fallback from ntlm to basic

2005-08-02 Thread Carlos Zottmann
Hi !!

We are using ntlm authentication here, and some http_access rules
denying access to some sites.

The problem we are facing is that when a user hits a rule that denies
access, squid falls back to basic authentication and prompts the user
for a new username and password.

How can we configure squid so it just shows the access denied error
page in this case, instead of falling back to basic authentication?

Thanks in advance,
Carlos.


[squid-users] Max Challgenge Reuse

2005-08-02 Thread Carlos Zottmann
Hi !!

We are having some problems with our domain controllers that are
slowing down squid during peak hours, due to ntlm authentication.

We considered changing the value of Max_Challenge_Reuse from 0 to some
higher value, in order to decrease the load on the domain controllers
coming from squid, but I would like to know what are the possible
consequences, especially regarding performance, before actually
committing this change.

Can anyone send me information about it?

Thanks in advance,
Carlos.


[squid-users] Problem regardin denying access through squid

2005-07-29 Thread Carlos Zottmann
Hi !!

We are facing a problem regarding denying access through squid. We use
ntlm authentication, as well as basic authentication.

We have set some http_access rules that deny access to some web
sites, based on the external acl helper related to Microsoft AD
Groups.

These rules work fine, denying access based on the ntlm
authentication, but squid is then prompting the basic authentication
window.

How can we configure squid so it just shows the access denied page,
instead of prompting this authentication window?

Regards,
Carlos.


[squid-users] On-line monitoring of sites being accessed through squid

2005-07-06 Thread Carlos Zottmann

Hi !!

Is there any on-line monitoring tool that is able to report the sites 
that are being accessed through squid, giving just a list of the sites
that are being accessed, maybe with a counter of clients accessing it, 
and a sum of bytes transferred, or hits?


Regards,
Carlos.



Re: Enc: [Fwd: Re: [squid-users] Behaviour change in ntlm authentication - please help]

2005-06-30 Thread Carlos Zottmann

Henrik Nordstrom wrote:


On Tue, 28 Jun 2005 [EMAIL PROTECTED] wrote:

It is reserved for a long time (NTLM Authenticator output shows 86914.103
seconds), and it will never leave this state. Any ideas why the timeout is
not working?



Do you have ntlm challenge reuse enabled? If so try disabling it..

Also which Squid version? 2.5.STABLE10 without challenge reuse enabled 
is highly recommended for NTLM operation.


Regards
Henrik



Hi !!

We have max_challenge_reuses 0. I think that it means that challenge
reuse is disabled, right? In this case, does the value of
max_challenge_lifetime have any impact on squid's performance?


Regards,
Carlos.



Re: [squid-users] ntlm_auth for windows clients that arent part of the default domain

2005-06-28 Thread Carlos Zottmann

Henrik Nordstrom wrote:


On Mon, 27 Jun 2005, Carlos Zottmann wrote:

I think that it makes difference for NTLM as we use DansGuardian as 
an upstream proxy, and we forward the client's username. It is being
sent to DansGuardian without the domain portion. Unfortunately I am 
not sure if this parameter is the reason, as we have changed it when 
we changed the samba version, a while ago.



This is dependent on the Samba version from what I have been told, but 
maybe you are right.


In any case what you describe is however pure post-processing of the 
username to not include the domain component if it is the same as the 
default domain and does not make any difference on the client side.


Regards
Henrik


I am under the impression that, when our basic authentication was
working, the window that was shown by the browser did have a domain
field, but we could leave it blank, and the authentication happened with
the default domain.


Regards,
Carlos.



Re: [squid-users] ntlm_auth for windows clients that arent part of the default domain

2005-06-27 Thread Carlos Zottmann

Henrik Nordstrom wrote:


On Thu, 16 Jun 2005, Festivus wrote:

I've got ntlm_auth working without any problems at my site for PCs
that are a part of the same domain. Obviously PCs that aren't part of
the domain prompt the user for their username, password and domain.
(This is actually the majority of our clients atm)


What I need to know is, is there a way I can make ntlm_auth use the
default domain for when a user doesn't enter the domain?



Good question.

Do the clients even accept leaving the domain field blank?

If the clients accept using a blank domain then you could try asking 
the Samba people if ntlm_auth could be made to substitute a default 
domain in the authentication if the domain is left blank by the client.



There is no way to make the NTLM login dialog not have that domain 
field. The format of this login dialog is fully defined by the browser,
all the server (i.e. Squid) says is that NTLM authentication is 
acceptable and the domain of the server.


Regards
Henrik



Hi !!

smb.conf has a parameter that might help you ... You should set use 
default domain = yes


Regards,
Carlos.



Re: [squid-users] ntlm_auth for windows clients that arent part of the default domain

2005-06-27 Thread Carlos Zottmann

Henrik Nordstrom wrote:


On Mon, 27 Jun 2005, Carlos Zottmann wrote:

smb.conf has a parameter that might help you ... You should set use 
default domain = yes



Does this really make any difference for NTLM authentication?

It should make a huge difference for Basic authentication however.

Regards
Henrik



Hi !!

I think that it makes difference for NTLM as we use DansGuardian as an 
upstream proxy, and we forward the client's username. It is being sent
to DansGuardian without the domain portion. Unfortunately I am not sure 
if this parameter is the reason, as we have changed it when we changed 
the samba version, a while ago.


Regarding basic authentication, we are having problems with it here, but 
we didn't bother to solve it yet as we officially use IE in our network,
and it only causes problems to older versions of Firefox and Opera, for 
instance ...


Regards,
Carlos.



Re: [squid-users] dansguardian, page cannot be displayed, access denied

2005-06-20 Thread Carlos Zottmann

nima sadeghian wrote:


Dear Carlos
on Squid:
http_port 3328
is this OK?
but dansguardian shoots replies to squid and squid replies the page
cannot be displayed ACCESS DENIED
thnx again 
nima


On 6/16/05, Carlos Zottmann [EMAIL PROTECTED] wrote:
 


nima sadeghian wrote:

   


hi all;
I configured dansguardian for squid
filterport = 8080
proxyport = 3328
proxyip = 172.17.100.10
filterip = [blank]
but when I run dansguardian and squid, for web requests squid replies
page cannot be displayed, access denied
help me
regards
nima



 


Nima,

The proxyport should be the one that you set squid to listen to ...

Regards,
Carlos.


   




 


Hi Nima !!

It is ok to set the squid port to 3328, provided you don't already use
this port to anything else. Are you running DansGuardian on the same 
machine where you run Squid? If so, check the acls regarding the 
localhost address, 127.0.0.1


Regards,
Carlos.



[squid-users] Behaviour change in ntlm authentication - please help again !!

2005-06-15 Thread Carlos Zottmann
Hi !! 


I have posted this message yesterday, but, as I received no answer, I am trying
again. As the problem is really bad here, I would kindly ask the list members to
tell me any experiences regarding this issue, like ways to set up squid (or
samba) to use ntlm v1 or ntlm v2.

Thanks again,
Carlos.

We are facing a strange behaviour change in ntlm authentication, that is 
causing Squid to slow down on peak hours. 

Previously, the browsers would try to get a web page through squid, and they 
received one 407 error, sent an authentication package that successfully 
authenticated the client, and then received the requested web page. 

Now, the browsers are getting one 407 error, sending an authentication
package, getting another 407 error, sending a different authentication
package, and then they are successfully authenticated. It seems to me that
Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
policy for this is Send LM & NTLM - Use NTLMv2 session security if
negotiated.

Observing the NTLM User Authentication Stats in Cachemgr.cgi, we see that,
in random times of the day, the ntlm helpers begin entering in the R
state, and when all of them are in this state, then squid restarts itself,
sometimes returning to normal operation, and sometimes repeating this
process.

Given this scenario, I would like to know if anyone has already been through
this, and could point me some directions, or how can I debug it to get to
know what's happening.

I would also like to ask for a detailed description of the possible ntlm 
helper stats, shown in cachemgr.cgi. 

We are using Squid-2.5 Stable9 and Samba 3.0.10-1 

Thanks in Advance, 
Carlos. 





[squid-users] Behaviour change in ntlm authentication - please help

2005-06-14 Thread zottmann
Hi !! 

We are facing a strange behaviour change in ntlm authentication, that is 
causing Squid to slow down on peak hours. 

Previously, the browsers would try to get a web page through squid, and they 
received one 407 error, sent an authentication package that successfully 
authenticated the client, and then received the requested web page. 

Now, the browsers are getting one 407 error, sending an authentication
package, getting another 407 error, sending a different authentication
package, and then they are successfully authenticated. It seems to me that
Squid is asking for ntlm v2, and was asking for ntlm v1 before. The domain
policy for this is Send LM & NTLM - Use NTLMv2 session security if
negotiated.

Observing the NTLM User Authentication Stats in Cachemgr.cgi, we see that,
in random times of the day, the ntlm helpers begin entering in the R
state, and when all of them are in this state, then squid restarts itself,
sometimes returning to normal operation, and sometimes repeating this
process.

Given this scenario, I would like to know if anyone has already been through
this, and could point me some directions, or how can I debug it to get to
know what's happening.

I would also like to ask for a detailed description of the possible ntlm 
helper stats, shown in cachemgr.cgi. 

We are using Squid-2.5 Stable9 and Samba 3.0.10-1 

Thanks in Advance, 
Carlos. 


[squid-users] Re: SquidGuard vs. Dansguardian

2005-05-27 Thread zottmann
Hi! 

We are using squid with ntlm authentication, which then forwards the user
name to DansGuardian, and it is working very well, with no problems at all
... 

Regards, 
Carlos. 
-- 
Dansguardian is very stable but can slow down network traffic depending on 
the size of your network.  The low down is Dansguardian does everything 
squidguard does and more. 

But if you use squid_NTLM or something like that you will have problems
doing this with dans.  I have read that it is now possible but have yet to
try it out as I haven't been playing in the test lab lately.


[squid-users] Re: SquidGuard vs. Dansguardian

2005-05-27 Thread zottmann
Hi Gary !! 

I have a how-to documented in Portuguese. Would you be able to read it?

Regards, 
Carlos. 


[squid-users] Re: Content Filtering Solutions

2005-05-27 Thread zottmann
Hi !! 

This kind of filtering can be done with squid itself, with its built-in
acls. You can combine it with traditional content-filtering solutions, like 
Dansguardian, that was pointed by someone at this list ... 

Regards, 
Carlos. 

-- 

Sorry for breaking into the thread, but I thought that'd be related:

Does anybody know of any good filtering solution (possibly to go along 
with squid) with capabilities to filter out not only based on content 
but also by type of request divided into classes. Something like: 
machine A has permission to do HEAD on sites B,C,D machine X has 
permission to request only application/rdf+xml content from sites 
Z,W,Y. Any pointers are deeply appreciated. 


[squid-users] assertion failed: HttpHeader.c:664: strBuf(s)

2005-03-16 Thread zottmann
Hi! 

We are running Squid Version 2.5.STABLE7-20050124, and we began experiencing
squid crashes, apparently due to the following error, found in cache.log: 

2005/03/16 08:36:44| WARNING: found whitespace in HTTP header name {Cache 
Control: no-cache} 
2005/03/16 08:36:44| ctx: exit level  0 
2005/03/16 08:36:44| WARNING: found whitespace in HTTP header name {Cache 
Control: no-cache} 
2005/03/16 08:36:44| assertion failed: HttpHeader.c:664: strBuf(s) 

We've searched the Bugzilla database, and there is a patch for it, under Bug
#1207.

As the Bugzilla database doesn't state the Stable version to which the patch
applies (or, at least, I didn't find it), I would like to know if this patch
applies to the version that we are running.

Even if it does, is it better to upgrade to Stable9?

Thanks in Advance, 
Carlos. 


[squid-users] Re: File download blocking

2005-02-22 Thread zottmann
Hi !! 

I think it is better to use a rep_mime_type acl, because this way you have
better control over what is being downloaded than using file extensions.

Regards, 
Carlos. 

--- 

Hello, 


You're all probably tired of this subject but I'm having a problem with the 
following config: 


acl europe src x.x.x.x/x.x.x.x 
acl germany src x.x.x.x/x.x.x.x 


acl blockfiles url_regex /etc/squid/denyfiles.txt 


http_access deny blockfiles germany 
http_access deny blockfiles europe 


The contents of the denyfiles.txt looks like this: 


\.exe$ 
\.zip$ 
\.mpg$ 
\.mpeg 


The problem is that none of the files I want to block and prevent download 
are actually blocked and can be downloaded. 


Anyone got any ideas? 


Many thanks, 


IM 


[squid-users] Authentication Window popping up randomly

2005-02-22 Thread zottmann
Hi! 

We are facing a weird problem here with ntlm authentication. After we
upgraded our Linux boxes to Fedora Core 3, sometimes the user is prompted 
with the authentication window from squid. 

Looking at the winbindd.log I have found the following error message: 

[2005/02/21 12:20:44, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451) 
  cli_nt_session_open: cli_nt_create failed on pipe \NETLOGON to machine 
SERVER_NAME.  Error was NT_STATUS_PIPE_NOT_AVAILABLE 
[2005/02/21 12:20:44, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622) 
  Could not initialise \PIPE\NETLOGON 

What could be going wrong? 

Thanks in Advance, 
Carlos. 


[squid-users] External_acl_type

2003-12-19 Thread zottmann
Hi !! 

Is there a way to choose which requests are going through an
external_acl_type?

For example, can I configure all requests coming from localhost to not go
through an external_acl_type that verifies the Windows group that the user
belongs to?

Thanks in Advance, 
Carlos. 




Re: [squid-users] External_acl_type

2003-12-19 Thread zottmann
Henrik, 

We are using here Squid and DansGuardian, with the following configuration: 

Squid -> DansGuardian -> Squid (same instance as the first one)

All works fine, if we don't use external_acl_type to determine who is going
through DansGuardian, and who is not. 

When we use it, our cache.log gets lots of entries like this: 

2003/12/18 17:53:44| aclMatchExternal: nt_group user not authenticated (-1) 

nt_group is the name of our external_acl_type ... 

Our first http_access directive is http_access allow localhost, in order 
to prevent squid from requiring DansGuardian to authenticate, and we also 
have a always_direct allow localhost directive in order to prevent 
requests from DansGuardian to be sent back to it again... 

If we disable DansGuardian (by not using cache_peer), the external_acl_type 
works fine for any other purpose, and we don't see those messages in
cache.log. 

What may be going wrong? 

Thanks in Advance, 
Carlos. 

On 19 Dec 2003, Henrik Nordstrom wrote:

On Fri, 19 Dec 2003 [EMAIL PROTECTED] wrote: 
 
 Is there a way to choose which requests are going through an
 external_acl_type?
 
Yes, by using http_access. 
 
 For example, can I configure all requests coming from localhost to not go
 through an external_acl_type that verifies the Windows group that the user
 belongs to?
 
Yes, simply allow these without requiring the acl tied to your 
external_acl_type. 
 
Regards 
Henrik 
 
-- 




[squid-users] Problem with wbinfo_group.pl

2003-12-18 Thread zottmann
Hi!! 

We are using wbinfo_group.pl in order to build acls based on Windows groups, 
but we are facing the following problem: 

We have built a test acl, with a USER that we know that belongs to a 
specific Group. 

Wbinfo_group.pl is called by Squid, with the correct parameters, but it 
returns ERR to squid. 

Below there is a copy of our cache.log, with the actual Domain substituted 
by DOMAIN, the actual User substituted by USER, and the actual Group 
substituted by Group. 

The DOMAIN and the USER are actually all uppercase, and the group has just 
the first letter in uppercase. 

2003/12/18 17:48:07| aclMatchExternal: nt_group = 0
2003/12/18 17:48:07| aclMatchExternal: nt_group(DOMAIN\\USER Group) = lookup needed
2003/12/18 17:48:07| externalAclLookup: lookup in 'nt_group' for 'DOMAIN\\USER Group'
2003/12/18 17:48:07| external_acl_cache_add: Adding 'DOMAIN\\USER Group' = -1
Got DOMAIN\\USER Group from squid
shellwords: User:  -USER-
Group: -Group-
User:  -USER-
Group: -Group-
SID:   -Could not lookup name Group-
GID:   -Could not convert sid Could to gid-
Sending ERR to squid
2003/12/18 17:48:07| externalAclHandleReply: reply=ERR
2003/12/18 17:48:07| external_acl_cache_add: Adding 'DOMAIN\\USER Group' = 0

What may be going wrong? 

Thanks in Advance, 
Carlos. 




Re: [squid-users] Problem with wbinfo_group.pl

2003-12-18 Thread zottmann
Hi Again !! 

I was checking wbinfo, and found out that the Group that I have chosen to 
test can't be looked up by wbinfo, although it exists in MSAD. 

This problem occurs with some other Groups in MSAD, but, for the majority of 
the Groups, the lookup runs ok !!! 

Has anyone run into this problem before? 

Regards, 
Carlos. 

On 18 Dec 2003, [EMAIL PROTECTED] wrote: 

Hi!! 
 
We are using wbinfo_group.pl in order to build acls based on Windows groups, 
but we are facing the following problem: 
 
We have built a test acl, with a USER that we know that belongs to a 
specific Group. 
 
Wbinfo_group.pl is called by Squid, with the correct parameters, but it 
returns ERR to squid. 
 
Below there is a copy of our cache.log, with the actual Domain substituted 
by DOMAIN, the actual User substituted by USER, and the actual Group 
substituted by Group. 
 
The DOMAIN and the USER are actually all uppercase, and the group has just 
the first letter in uppercase. 
 
2003/12/18 17:48:07| aclMatchExternal: nt_group = 0
2003/12/18 17:48:07| aclMatchExternal: nt_group(DOMAIN\\USER Group) = lookup needed
2003/12/18 17:48:07| externalAclLookup: lookup in 'nt_group' for 'DOMAIN\\USER Group'
2003/12/18 17:48:07| external_acl_cache_add: Adding 'DOMAIN\\USER Group' = -1
Got DOMAIN\\USER Group from squid
shellwords: User: -USER-
Group: -Group-
User: -USER-
Group: -Group-
SID: -Could not lookup name Group-
GID: -Could not convert sid Could to gid-
Sending ERR to squid
2003/12/18 17:48:07| externalAclHandleReply: reply=ERR
2003/12/18 17:48:07| external_acl_cache_add: Adding 'DOMAIN\\USER Group' = 0
 
What may be going wrong? 
 
Thanks in Advance, 
Carlos. 
 
 
-- 

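The debug lines in this thread show the text of the failed name lookup being carried forward as if it were a SID (`-Could not convert sid Could to gid-`). The Python below is an added example, not the wbinfo_group.pl source and not code from these posts: the same group check, with every wbinfo result validated before it is used. `fake_wbinfo` and its SID and gid values are constructed so the example runs offline, and the request parsing assumes Squid 2.5's shell-style quoting of helper input.

```python
"""Added example: group check for a Squid external_acl_type helper."""
import re
import shlex
import subprocess
import sys

SID_RE = re.compile(r"^S-\d+(-\d+)+$")


def run_wbinfo(args):
    """Run wbinfo with an argument list (no shell); return (exit_code, stdout)."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def fake_wbinfo(args):
    """Constructed stand-in for wbinfo; all values below are made up."""
    table = {
        ("-n", "Staff"): (0, "S-1-5-21-1-2-3-1105 Domain Group (2)"),
        ("-n", "Group"): (1, "Could not lookup name Group"),
        # Error text with a zero exit code: the exit code alone is not trusted.
        ("-n", "Odd"): (0, "Could not lookup name Odd"),
        ("-Y", "S-1-5-21-1-2-3-1105"): (0, "10005"),
        ("-r", "DOMAIN\\USER"): (0, "10000\n10005"),
    }
    return table.get(tuple(args), (1, ""))


def check_group(user, group, wbinfo=run_wbinfo):
    """Return ('OK' or 'ERR', reason) for one user/group pair."""
    if user.startswith("-") or group.startswith("-"):
        return "ERR", "rejected name"          # would be parsed as an option
    rc, out = wbinfo(["-n", group])            # group name -> SID
    sid = out.split()[0] if out else ""
    if rc != 0 or not SID_RE.match(sid):
        return "ERR", "group name not resolvable by winbind"
    rc, gid = wbinfo(["-Y", sid])              # SID -> gid
    if rc != 0 or not gid.isdigit():
        return "ERR", "no gid mapping for group SID"
    rc, out = wbinfo(["-r", user])             # gids the user belongs to
    if rc != 0:
        return "ERR", "user not resolvable by winbind"
    if gid in out.split():
        return "OK", "member"
    return "ERR", "not a member"


def handle_line(line, wbinfo=run_wbinfo):
    """Answer one request line of the form: <user> <group> [<group> ...]."""
    try:
        # Assumption: shell-style quoting, so DOMAIN\\USER becomes DOMAIN\USER.
        fields = shlex.split(line)
    except ValueError:
        return "ERR"
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    matched = any(check_group(user, g, wbinfo)[0] == "OK" for g in groups)
    return "OK" if matched else "ERR"


def serve(stream, out, wbinfo=run_wbinfo):
    """Helper loop: one reply line per request line, flushed immediately."""
    for line in stream:
        out.write(handle_line(line, wbinfo) + "\n")
        out.flush()


if __name__ == "__main__":
    # Constructed request lines; a deployed helper would read sys.stdin instead.
    serve(["DOMAIN\\\\USER Group\n", "DOMAIN\\\\USER Staff\n"], sys.stdout, fake_wbinfo)
```

The reason string returned by `check_group` separates "winbind cannot resolve this group" from "user is not a member", which the plain ERR in cache.log does not.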



[squid-users] Squid ntlm Samba 3

2003-12-17 Thread zottmann
Hi !! 

We have a Fedora Core box with Samba 3.0 installed, with everything running 
ok (wbinfo -t, wbinfo -u, wbinfo -g, wbinfo -a user%password all return 
success, /usr/bin/ntlm_auth --username=user also returns success). 

We have compiled Squid with the following options: 

./configure --enable-auth=ntlm,basic --enable-delay-pools \
  --enable-external-acl-helpers=wbinfo_group --enable-snmp \
  --enable-useragent-log --prefix=/usr/local/squid 

The auth_param directives that we are using are the following: 

auth_param ntlm program /usr/bin/ntlm_auth --helperprotocol=squid-2.5-ntlmssp 
auth_param ntlm children 5 
auth_param ntlm max_challenge_reuses 0 
auth_param ntlm max_challenge_lifetime 20 minutes 

auth_param basic program /usr/bin/ntlm_auth --helperprotocol=squid-2.5-basic 
auth_param basic children 5 
auth_param basic realm Squid proxy-caching web server 
auth_param basic credentialsttl 2 hours 

We have the following configurations in place: 

acl usuarios_autenticados proxy_auth REQUIRED 
acl rede_interna src 10.0.0.0/255.0.0.0 
http_access allow rede_interna usuarios_autenticados 

But, neither ntlm nor basic auth are working for Squid  

What may be going wrong? 

Regards, 
Carlos. 




Re: [squid-users] Squid ntlm Samba 3

2003-12-17 Thread zottmann
And have you given Squid access to the privileged winbind pipe? 

I think I have ... 

Squid runs under the nobody user, which is a member of the nobody group, 
right? 

We have changed the access rights to this: 

drwxr-x---2 root nobody   4096 Dec 17 12:01 winbindd_privileged 

I noticed the following error in /var/log/messages: 

squid: authenticateNTLMHandleReply: called with no result string 

Also, I didn't see ntlm_auth in the process list (ps auxf) 

Any thoughts? 

Regards, 
Carlos. 




Re: [squid-users] Squid versus Microsoft ISA

2003-12-07 Thread zottmann
Ralph, 

As Henrik stated, Squid uses just one processor, but we are also using 
DansGuardian, samba, etc..., and they benefit from the other processors  

Regards, 
Carlos. 

On 5 Dec 2003, Raphael Maseko wrote: 

Hi Carlos, 
Have you been able to determine that Squid is actually making use of both 
processors? Do you have other applications running on the same box? 
 
Ralph 
 
- Original Message - 
From: 
To: 
Sent: Friday, December 05, 2003 12:42 PM 
Subject: RE: [squid-users] Squid versus Microsoft ISA 
 
 Hi !!! 
 
 About your statement ... 
 
  Except that with ISA you can use a SMP box. The 2 products have vastly 
  different hardware requirements, if you buy/build a box for squid it 
  will be a 1 CPU box, which would not be a good choice for ISA. 
 
 We are using Squid over Red Hat Linux here in a SMP box, and it is running 
 fine. It is an IBM box with two CPUs and 1 GB of memory (seen as four CPUs by 
 the OS due to some hardware feature) and it is dealing with 2200 users, 
 handling something like 2gig of throughput. 
 
 By using Squid you can also benefit from other open source/free software 
 products, like contentfiltering (DansGuardian, Poesia-filter), controlling 
 the amount of user traffic per time period (Squid2Mysql), and so on. 
 
 Squid also has a very nice feature called delay pools, that allows you to 
 control bandwidth usage based on user, user groups, file extension, etc... 
 I don't know if MS ISA has something like that. 
 
 Regards, 
 Carlos. 
 
 
-- 




RE: [squid-users] Squid versus Microsoft ISA

2003-12-05 Thread zottmann
Hi !!! 

About your statement ... 

 Except that with ISA you can use a SMP box. The 2 products have vastly 
 different hardware requirements, if you buy/build a box for squid it 
 will be a 1 CPU box, which would not be a good choice for ISA. 

We are using Squid over Red Hat Linux here in a SMP box, and it is running 
fine. It is an IBM box with two CPUs and 1 GB of memory (seen as four CPUs by 
the OS due to some hardware feature) and it is dealing with 2200 users, 
handling something like 2gig of throughput. 

By using Squid you can also benefit from other open source/free software 
products, like contentfiltering (DansGuardian, Poesia-filter), controlling 
the amount of user traffic per time period (Squid2Mysql), and so on. 

Squid also has a very nice feature called delay pools, that allows you to 
control bandwidth usage based on user, user groups, file extension, etc...  
I don't know if MS ISA has something like that. 

Regards, 
Carlos. 




Re: [squid-users] Re: Hardware filewall + squid: blocking kazaa/kazaa lite

2003-11-30 Thread zottmann
Hi! 

I sent a message that I think didn't get to the list, regarding this issue ... 

You can block Kazaa using string-match blocking, through a device capable of 
doing so (cisco router, linux iptables firewall, etc...) 

If you block a string that Kazaa uses (X-Kazaa-Client, or get ./hash, for 
instance), then you get to block Kazaa traffic successfully. 

I know that Snort has a signature that detects Kazaa traffic, and you may 
look at that rule as well, in order to choose your string-match rule. 

Check if you can use string-match rules in your hardware firewall, and 
you're done... 

Regards, 
Carlos. 

On 29 Nov 2003, Henrik Nordstrom wrote: 

On Fri, 28 Nov 2003, Robert S wrote: 
 
 Thanks. I've seen various suggestions around the place, but none look 
 workable. What other ports would I need to block to block kazaa/kazaa 
 lite? 
 
There was an article in Linux Journal on how to block kazaa not long 
ago.. unfortunately I don't have it around. 
 
Regards 
Henrik 
 
-- 




Re: [squid-users] calculating how much bandwidth is saved?

2003-11-18 Thread zottmann
Hi!! 

There is a tool called squeezer that generates lots of squid statistics, 
including the amount of bandwidth saved. 

You can find lots of squid related tools (including squeezer) in 
http://www.squid-cache.org/Scripts/ 

Regards, 
Carlos. 

On 18 Nov 2003, Antony Stone wrote: 

On Tuesday 18 November 2003 9:37 am, Payal Rathod wrote: 
 
 Hi, 
 A friend of mine who owns a cybercafe and has squid setup as a caching 
 proxy. She is charged per Mb of download. Is it possible to know how 
 much bandwidth is saved due to squid? If yes, how do I go about it? 
 
The squid log file tells you what size the response to each request was, and 
whether it was served from the cache or from the real server. 
 
Processing the logfile to pick out the number of bytes for HITs in a given 
time period should give you a good indication of the savings due to squid; 
comparing this to the number of bytes for MISSes in the same time will give 
you a percentage. 
 
Remember that there will be a small overhead you can never eliminate due to 
DNS lookups, and HEAD requests etc to see if a file is newer than cached. 
 
Regards, 
 
Antony. 
 
-- 
 
There are two possible outcomes. 
 
If the result confirms the hypothesis, then you've made a measurement. 
If the result is contrary to the hypothesis, then you've made a discovery. 
 
 - Enrico Fermi 
 Please reply to the list; 
 please don't CC me. 
 
-- 

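The log-processing approach Antony describes, as an added example that is not part of the original posts: a Python function that sums reply bytes for HIT and MISS entries of a native-format access.log within a time window. The sample log lines are constructed, and counting every TCP_ code containing HIT as a cache hit is an assumption of this example.

```python
"""Added example: estimate cache byte savings from a Squid native access.log."""

# Constructed sample in Squid's native access.log layout:
#   time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1069146000.101     12 10.0.0.5 TCP_HIT/200 10000 GET http://example.com/logo.gif - NONE/- image/gif
1069146001.202    340 10.0.0.6 TCP_MISS/200 30000 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html
1069146002.303      8 10.0.0.5 TCP_MEM_HIT/200 5000 GET http://example.com/style.css - NONE/- text/css
1069146003.404    120 10.0.0.7 TCP_REFRESH_HIT/200 5000 GET http://example.com/news.html - DIRECT/192.0.2.10 text/html
1069146004.505      2 10.0.0.8 TCP_DENIED/407 1500 GET http://example.org/ - NONE/- text/html
1069149700.606    210 10.0.0.6 TCP_MISS/200 99999 GET http://example.com/big.iso - DIRECT/192.0.2.10 application/octet-stream
this line is truncated
"""


def classify(result_code):
    """Map a Squid result code (e.g. TCP_MEM_HIT) to 'hit', 'miss' or 'other'."""
    if not result_code.startswith("TCP_"):
        return "other"      # UDP_* entries are ICP queries, not client traffic
    if "HIT" in result_code:
        # Includes TCP_REFRESH_HIT and TCP_IMS_HIT: the body came from the
        # cache, but a small validation request may still have gone upstream.
        return "hit"
    if "MISS" in result_code:
        return "miss"
    return "other"          # TCP_DENIED and similar: not a cache decision


def summarize(lines, start=None, end=None):
    """Sum reply bytes per class for entries with start <= time < end."""
    totals = {"hit_bytes": 0, "miss_bytes": 0, "other_bytes": 0, "skipped": 0}
    for line in lines:
        fields = line.split()
        try:
            stamp = float(fields[0])
            code = fields[3].split("/")[0]
            size = int(fields[4])
        except (IndexError, ValueError):
            totals["skipped"] += 1      # truncated or non-native line
            continue
        if start is not None and stamp < start:
            continue
        if end is not None and stamp >= end:
            continue
        totals[classify(code) + "_bytes"] += size
    served = totals["hit_bytes"] + totals["miss_bytes"]
    # Share of delivered bytes that did not have to be fetched from the origin.
    totals["saved_pct"] = (
        round(100.0 * totals["hit_bytes"] / served, 2) if served else 0.0
    )
    return totals


if __name__ == "__main__":
    # One-hour window over the constructed sample.
    print(summarize(SAMPLE_LOG.splitlines(), start=1069146000, end=1069149600))
    # Whole sample, no window.
    print(summarize(SAMPLE_LOG.splitlines()))
```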



Re: [squid-users] Re: Using ICAP patches

2003-11-17 Thread zottmann
Hi Rui !! 

I had this error with some URLs. The last one was this: 

http://esportes.terra.com.br/tenis/ 

Thanks again, 
Carlos ... 

--- 

Hi Carlos, 

Can you please send me the URL of the file that's causing this error? So I 
can have look at it and see if it's an issue with SAVSE. 

Thank you! 

Regards, 

Rui 




Re: [squid-users] Re: Using ICAP patches

2003-11-14 Thread zottmann
Hi Rui!!! 

Just tried squid compilation with ./configure --enable-icap-suppport only... 
It worked for a while, and then aborted with a better message than before: 

assertion failed: icap_respmod.c:912: icapHttpReplyHdrState(icap) == 0 
Aborted 

Has anybody ever run into this problem? 

Regards, 
Carlos. 

--- 

Hi, 

It could in fact be one of those options. Could you start just by trying 
with --enable-icap-support only? 

Unfortunately I'm not a Squid expert so if one of those modules is causing 
the conflicts then you'll need to report them to the Squid developers. 

Thanks! 

Regards, 

Rui 




Re: [squid-users] Re: Using ICAP patches

2003-11-12 Thread zottmann
Rui, 

Thanks for the input again  

I was using icap://savse_server:1344/respmod, instead of avscan  

I changed it, and it worked, for a while  

I was using the icap_streaming patch, and it worked for a while, then it 
complained about something like a 0 byte response from the icap server  

I tried again, rebuilding squid from scratch with the icap-2.5 patch, did 
the icap configuration that you suggested, but, when I tried to read my 
first web page, squid just died with a laconic Aborted message  

What version of squid are you running with icap and SavSe? 

Are you from Brazil ... Your name suggests it  

Thanks in Advance, 
Carlos Zottmann. 

--- 

Hi Carlos, 

I've been using the following configuration with success with all squid 
icap versions: 

#startconfiguration### 

icap_enable on 

icap_service avscan respmod_precache 0 icap://savse_server:1344/avscan 

icap_class avclass avscan 


# Don't scan traffic to the SAVSE server, there's a bug that won't allow you 
# to access the admin interface of SAVSE through the Squid proxy 

acl savse_server dst savse_server_ip/255.255.255.255 
icap_access avclass deny savse_server 


# Send all other traffic to SAVSE and let SAVSE decide what to scan 

icap_access avclass allow all 


#end configuration### 

Currently Symantec Scan Engine hasn't been tested in REQMOD with Squid; 
Squid ICAP doesn't currently support scan of POST requests in REQMOD, 
although from version 4.3 REQMOD AV scanning is supported in Symantec Scan 
Engine. The correct syntax should be 

 icap_service avscan reqmod_precache 0 icap://savse_server:1344/avscanreq 


Regards, 

Rui 




[squid-users] Re: Using ICAP patches

2003-11-11 Thread zottmann
Hi again!! 

I tried to use two icap_service configurations to integrate Squid and 
Symantec's Scan Engine, and received a different error in each case, as 
follows: 

icap_service service_2 respmod_precache bypass trailers preview=4096 icap://shamash:1344/respmod 

error received: icapRespmodPreCacheReadReply: No response headers found 

icap_service service_2 reqmod_precache bypass icap://localhost:1344/reqmod 

error received: icapReqmodPreCacheReadReply: Premature end of reply 

What am I doing wrong? 

Thanks in Advance, 
Carlos. 




[squid-users] Using ICAP patches (was: Squid 2.6 and NTLM authentication)

2003-11-10 Thread zottmann
Henrik, 

Thanks for the directions on how to apply the ICAP patch. 

After applying the icap-client patch, I decided to try the icap-stream 
patch, because I am willing to use ICAP to integrate squid with antivirus 
software. 

When I applied just the icap-stream patch, I did not get the icap_enable 
option in squid.conf, and the parser gave me errors on the squid startup, at 
the other icap options. 

When I tried to apply the icap-client patch first, and then the icap-stream 
patch, I had errors in the patching process. 

What is the right way to use the icap-stream patch? 

Thanks in Advance, 
Carlos Zottmann. 




[squid-users] Traffic Accounting per user

2003-11-07 Thread zottmann
Hi! 

I think that they are not exactly what you want, but you may take a look at 
squid2mysql and squid's delaypools. 

Squid2mysql (http://evc.fromru.com/squid2mysql/features.html) allows you to 
define download limits per user based on a period (daily, monthly, etc...) 

DelayPools is a Squid native feature, and allows you to control bandwidth 
based on acls (src, for instance) ... 

Regards, 
Carlos. 

- 

Hello, 

I am maintaining a local network with internet access over a Squid 
proxy. The problem is: Squid divides the bandwidth on a per connection 
base. If user A would start 10 downloads (maybe using a download 
manager) and user B would start only 1 download, then B will only get 
1/11 of the available bandwidth. 

What I want is to divide the bandwidth on IP base, so that user A and B 
would equally get 50 percent of the full bandwidth. 

I googled a long time, but didn't find anything... :-( 

Thanks a lot, 
Matthias 



Re: [squid-users] Squid 2.6 and NTLM authentication

2003-11-06 Thread zottmann
Hi Henrik!!! 

If we download the squid-icap-client following the directions in 
http://icap-server.sourceforge.net/squid.html, either through standard 
download or through cvs, it creates a directory named 
squid-2.6-DEVEL-20020324. 

That's why I thought I was dealing with 2.6 version of Squid ... 

Regards, 
Carlos. 

On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote: 

 I am trying the 2.6 ICAP enabled version of Squid, and I noticed that it 
 doesn't come with the wb_ntlmauth helper with it 

What 2.6 version of Squid? There is no 2.6 version of Squid. There is 2.5 
and the next version is 3.0 (under development). 

Regards 
Henrik 



Re: [squid-users] Squid 2.6 and NTLM authentication

2003-11-06 Thread zottmann
OK !!! 

I am using squid2.5-stable4 in my production environment.. Can I use this 
patch against this version? 

Would it work if I place the patch in the same directory as the Squid source 
and run a patch -p1 patch-filename ? 

Regards, 
Carlos. 

On 6 Nov 2003, Henrik Nordstrom wrote: 

On Thu, 6 Nov 2003 [EMAIL PROTECTED] wrote: 
 
 If we download the squid-icap-client following the directions in 
 http://icap-server.sourceforge.net/squid.html, either through standard 
 download or through cvs, it creates a directory named 
 squid-2.6-DEVEL-20020324. 
 
 That's why I thought I was dealing with 2.6 version of Squid ... 
 
Ok. This gives you a very old (and most likely very unstable) development 
version of Squid which has not been maintained for ages. I would not 
recommend using this one. 
 
You should be using one of the ICAP patches to Squid-2.5 found from 
http://devel.squid-cache.org/ 
 
Regards 
Henrik 
 
-- 



[squid-users] Re: [ICAP-Discussions] [Fwd: [squid-users] ICAP plans for SQUID?]

2003-11-05 Thread zottmann
Rui, 

Thanks for the directions you gave us !!! 

We have already managed to install, configure and run Squid / ICAP / 
Symantec's Scan Engine, using squid-icap-client available in 
https://sourceforge.net/project/showfiles.php?group_id=47737 with no other 
options in the ./configure step. 

When we try to compile it with the basic and ntlm helpers, we get an error 
while running make, after config. 

We have downloaded the CVS version, as well, and, with this one, we get 
errors in the ./configure step, if we use the basic and ntlm helpers 
options. 

How can we manage to compile squid with icap and all of the squid stuff? 

Regards, 
Carlos Zottmann. 



[squid-users] Squid 2.6 and NTLM Authentication

2003-11-05 Thread zottmann
Hi !! 

I noticed that Squid 2.6 (development) doesn't come with the wb_ntlmauth 
helper. 

What is the best way to do ntlm authentication in Squid 2.6? 

Thanks in Advance, 
Carlos. 



[squid-users] Squid 2.6 and NTLM authentication

2003-11-05 Thread zottmann
Hi! 

I am trying the 2.6 ICAP enabled version of Squid, and I noticed that it 
doesn't come with the wb_ntlmauth helper with it. 

Which is the best way to do ntlm authentication with Squid 2.6? 

thanks in advance, 
Carlos. 



Re: [squid-users] ICAP plans for SQUID?

2003-10-30 Thread zottmann
Fine !!! 

Can either project be used in a production environment, to integrate an 
antivirus solution to Squid (Symantec's Scan Engine for Linux)? 

Regards, 
Carlos. 

On Tue, 28 Oct 2003 [EMAIL PROTECTED] wrote: 

 I have been reading about ICAP and Squid, but was not able to find anything 
 about its actual implementation, not even in the Squid 3.0 pages ... 

There are plenty of activities going on in this area. See 
http://devel.squid-cache.org/. At this time there are in fact two parallel 
projects working on ICAP for Squid-2.5 with slightly different goals and 
requirements. 

Hopefully there will eventually be a project working on ICAP support for 
Squid-3, ultimately allowing ICAP to be added to the mainstream Squid 
releases. 

Regards 
Henrik 



[squid-users] ICAP plans for SQUID?

2003-10-28 Thread zottmann
Hi !! 

I have been reading about ICAP and Squid, but was not able to find anything 
about its actual implementation, not even in the Squid 3.0 pages ... 

Are there any plans about developing ICAP functionality within SQUID? 

Regards, 
Carlos Zottmann. 



Re: [squid-users] Allow_direct and Never_direct

2003-10-23 Thread zottmann
Thanks Duane !! 

It worked perfectly  

Regards, 
Carlos. 


On Wed, 22 Oct 2003 [EMAIL PROTECTED] wrote: 

 Hi! 
 
 I have sent a similar question before, but did not manage to solve the 
 problem. 
 
 I need to allow certain users of a Windows group to always bypass our 
 cache_peer and the other ones to never bypass it. 
 
 I am using the following configuration: 
 
 always_direct allow windows_group 
 always_direct deny all 
 never_direct allow all 
 
 The users belonging to windows_group are always going direct (good!!), but 
 the other ones sometimes go direct and sometimes go through our cache_peer 
 ... 
 
 What may be going wrong? 

There is another way to do this, and it may work better for you. 
You can use 'cache_peer_access' like this: 

cache_peer_access neighbor.name deny windows_group 

Then to make sure most of your users never bypass the 
parent, you can use never_direct rules like this: 

never_direct deny windows_group 
never_direct allow all 

Duane W. 



Re: [squid-users] Proxy Authentication and Java Applets

2003-10-22 Thread zottmann
Hi !! 

You should do the following: 

acl java_jvm browser Java 

then, before your http_access for the authenticated users, use: 

http_access allow java_jvm 

Regards, 
Carlos 
 

Hi, 

I'm currently using SQUID 2.5 STABLE3 offering the NTLM and the basic 
authentications schemes, i.e. users using Internet Explorer - 5.5 and 6 - 
are authenticated transparently. 
When a java applet is to be loaded from a website an authentication 
dialog box appears and the credentials have to be entered explicitly. 

If I understand it correctly the reason for this is that squid 
authenticates a socket (ip address and source port).  When the Java Virtual 
Machine is not part of the browser but a different process the browser's 
authentication is not valid for the JVM. 

Is there a way to avoid the JVM authentication box ? 



Regards 

Wolfgang 
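
An added example, not part of any post in this archive: a small Python model of how Squid evaluates the access lists discussed above, covering the http_access exemption for Java clients from this thread and the cache_peer_access / never_direct rules from Duane's reply in the Allow_direct thread. The client addresses, user names and the 10.0.0.0/24 network are constructed, and the choice made when neither always_direct nor never_direct decides is a simplification of what Squid does.

```python
import ipaddress
import re
from dataclasses import dataclass

NET = ipaddress.ip_network("10.0.0.0/24")   # constructed stand-in for x.y.z.0/24

@dataclass(frozen=True)
class Request:
    src: str                         # client IP address
    user_agent: str                  # header chosen by the client
    user: str = ""                   # "" = no proxy credentials presented
    groups: frozenset = frozenset()  # groups the external ACL helper would report

# ACL names follow the posts; the matching logic is a simplified model.
ACLS = {
    "all": lambda r: True,
    "internal_network": lambda r: ipaddress.ip_address(r.src) in NET,
    "internal_users": lambda r: bool(r.user),               # proxy_auth REQUIRED
    "java_jvm": lambda r: re.search("Java", r.user_agent) is not None,  # browser ACL
    "windows_group": lambda r: "windows_group" in r.groups,
}

def check(rules, req):
    """Return (action, line index) for the first line whose ACLs all match."""
    for i, (action, names) in enumerate(rules):
        if all(ACLS[n](req) for n in names):
            return action, i
    if not rules:
        return None, None
    # Nothing matched: the default is the opposite of the last line
    # (documented for http_access; assumed here for the other lists too).
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def admitted_without_auth(rules, req):
    """True when the request is allowed by a line that never tests proxy_auth."""
    action, i = check(rules, req)
    return action == "allow" and (i is None or "internal_users" not in rules[i][1])

AUTH = [("allow", ["internal_network", "internal_users"]), ("deny", ["all"])]
UNSCOPED = [("allow", ["java_jvm"])] + AUTH                      # as in the reply
SCOPED = [("allow", ["internal_network", "java_jvm"])] + AUTH    # as in the posted squid.conf
NEVER_DIRECT = [("deny", ["windows_group"]), ("allow", ["all"])]
PEER_ACCESS = [("deny", ["windows_group"])]                      # cache_peer_access

def route(req, always_direct=(), never_direct=NEVER_DIRECT, peer_access=PEER_ACCESS):
    """Forwarding decision for one request under the three directives."""
    if check(always_direct, req)[0] == "allow":
        return "DIRECT"
    peer_ok = check(peer_access, req)[0] != "deny"
    if check(never_direct, req)[0] == "allow":
        return "PARENT" if peer_ok else "CANNOT_FORWARD"
    # Neither directive decides: Squid weighs other settings at this point;
    # this model uses the parent when it is permitted and goes direct otherwise.
    return "PARENT" if peer_ok else "DIRECT"

# Constructed sample requests.
inside_java = Request("10.0.0.7", "Mozilla/4.0 (Windows XP 5.1) Java/1.4.2")
outside_java = Request("192.0.2.10", "Java/1.4.2")
member = Request("10.0.0.8", "Mozilla/4.0", "alice", frozenset({"windows_group"}))
other = Request("10.0.0.9", "Mozilla/4.0", "bob")

if __name__ == "__main__":
    for label, rules in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        for req in (inside_java, outside_java, other):
            print(label, req.src, check(rules, req)[0], admitted_without_auth(rules, req))
    for req in (member, other):
        print(req.user, route(req))
```

In both rule sets the Java exemption is decided before proxy_auth is tested; combining it with internal_network on the same line limits it to internal source addresses.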



[squid-users] Allow_direct and Never_direct

2003-10-22 Thread zottmann
Hi! 

I have sent a similar question before, but did not manage to solve the 
problem. 

I need to allow certain users of a Windows group to always bypass our 
cache_peer and the other ones to never bypass it. 

I am using the following configuration: 

always_direct allow windows_group 
always_direct deny all 
never_direct allow all 

The users belonging to windows_group are always going direct (good!!), but 
the other ones sometimes go direct and sometimes go through our cache_peer 
... 

What may be going wrong? 

Regards, 
Carlos. 



Re: [squid-users] never_direct not working !!

2003-10-10 Thread zottmann
Hi!! 

Thanks for the answers. I am still facing problems, though. 

I am still using the following rules: 

always_direct allow free_www 
always_direct deny all 
never_direct allow all 

What I get is that the users not included in free_www begin their browsing 
through the cache_peer, but then, suddenly, they start browsing DIRECT !!! 

What may be going wrong? 

TIA, 
Carlos Zottmann. 


On Mon, Oct 06, 2003 at 11:55:22AM -0300, [EMAIL PROTECTED] wrote: 
 I am not managing how to direct some users to access external sites directly 
 from the squid box, and others to go through another antivirus/proxy that we 
 have here. 
 
 If I use only never_direct allow all, everyone goes through the 
 antivirus/proxy, but if I use the configuration below, everyone goes direct 
 !!! 
 What can be wrong? 

Mixing both always_direct and never_direct may cause problems. I don't 
claim to really understand the difference. I have read the comments in 
the squid.conf dozens of times but still don't get the idea what happens 
exactly when you mix them. Perhaps I need to read the source code 
itself. 

 always_direct allow free_www 
 always_direct deny all 
 never_direct allow all 

The last two lines may confuse squid. Leave the last line off and tell 
it to... 
| always_direct allow free_www 
| always_direct deny all 

This way the free_www destinations are always reached directly 
(following your local routing table) and all other requests are sent via 
your parent proxy. 

 Christoph 



[squid-users] never_direct not working !!

2003-10-06 Thread zottmann
Hi! 

I am not managing how to direct some users to access external sites directly 
from the squid box, and others to go through another antivirus/proxy that we 
have here. 

If I use only never_direct allow all, everyone goes through the 
antivirus/proxy, but if I use the configuration below, everyone goes direct 
!!! 
What can be wrong? 

Thanks in Advance, 
Carlos. 

 



external_acl_type windows_groups %LOGIN /usr/local/squid/libexec/wb_group 

acl all src 0.0.0.0/0.0.0.0 
acl internal_network  src  x.y.z.0/255.255.255.0 
acl internal_users proxy_auth REQUIRED 
acl free_www  external windows_groups  No_filter 
acl java_jvm browser Java/1.4 

http_access allow internal_network java_jvm 
http_access allow internal_network internal_users 
http_access deny all 

cache_peer von.stj.gov.br parent 8002 0 no-query default 

always_direct allow free_www 
always_direct deny all 

never_direct allow all 
