Look at this
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 25 of 25 (0 shutting down)
requests sent: 27331
replies received: 27306
queue length: 11
avg service time: 389 msec
I change to 25... and in this moment I have queue length 11... there
and 35, someone it's eating...and by the way the first "error" (a lot of
numbers and letters its happening)
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 35 of 35 (0 shutting down)
requests sent: 35222
replies received: 35221
queue length: 0
avg
Ok,
Thanks.
We are using a Windows Server 2012...
Can you explain to me how the negotiate authenticator works??
How does it work? When a user wants to browse to a page, does Squid use the
authenticator to know if they can browse?? Every time? For every single web
page?
Thanks
And... lastly
How do I read this??
Delay pools configured: 5
Pool: 1
Class: 2
Aggregate:
Max: 100
Restore: 100
Current: 100
Individual:
Max: 512000
Restore: 5
And for example, if I have this
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 20 of 20 (0 shutting down)
requests sent: 23980
replies received: 23980
queue length: 0
avg service time: 8 msec
ID # FD PID # Requests # Replies
Hi to all.
I'm having too much "avg service time" in the negotiate kerberos helper. Amos
told me that it's a configuration related to the AD. Can somebody give me a
hand to tune that? Or tell me where to find information about it?
Thanks
Negotiate Authenticator Statistics:
program:
Hi.
I have a working Squid server. We have 110 PCs.
I have two virtualized Squids.
One of them is working, and the other I use for testing purposes. But I want
to know if I could take the "testing purpose" one and put it to work with
"cache peers or neighbors"??
It would be better?? it give some
Thanks and sorry, I have just two.
In one of them (the more "important") I have SSO, and in the other I have
access per IP.
So, do I need to have the two Squid servers equal or not?
On the other hand, I do not mind the use of bandwidth, but I want to serve as fast as
possible.
How would I configure this??
Hi to all.
This is strange...
If I put "date" I get the actual time. I mean the time is correct.
More or less at this moment it is
[root@squid ~]# date
mié may 24 15:59:59 ART 2017
in the same moment (more or less) access.log
24/May/2017:19:00:21
same moment (more or less)
[root@squid
Hi again.
Just boot up
11:43
number active: 14 of 25 (0 shutting down)
requests sent: 166348
replies received: 166348
queue length: 0
avg service time: 34 msec
ID # FD PID # Requests # Replies Flags Time Offset
Request
366 97 13237 510
acl local_machines dst 192.168.1.0/24
###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.xxx@xxx.lan
auth_param negotiate children 25 startup=0 idle=1
auth_param negotiate keep_alive on
external_acl_type i-full
Amos Jeffries wrote
> The core issue is the speed at which that service rotates its response
> IP lists, which is directly related to each request going to entirely
> different server in their farm. Simply having a single (and maybe more
> sane regarding TTLs) resolver as a networks focal point
Oh ok!
So... doesn't it make any sense to try to have a big TTL?
Because ok, if I use just my own DNS resolver then "they" have just one TTL
and not one for each user.
But, would it not be better to have a long TTL???
Is the IP attached to a domain name changing so quickly (15', for
example)?? I don't
"If I assume that its doing what you want there are still two major
issues that can be seen.". i think it was...
"1) Mixing interception and authentication (ssl-bump is a type of
interception, at least on the https:// traffic). Intercepted messages
cannot be authenticated - though
Hi. From what I understood, the TTL of DNS names is important. So, I wanted to
know when the Squid server would ask for resolution again. That is, how long
the record was kept.
Thanks
P.S.: without -x
[root@squid ~]# dig yahoo.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> yahoo.com
;; global
Hi.
I'm trying to improve the DNS response because I'm having these times:
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 32 (0 shutting down)
requests sent: 72241
replies received: 72241
queue length: 0
avg service time: 56 msec
ID #
Hi.
I'm getting this kind of error:
--
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The
This is weird.
This just happened to me with that website... I mean, with
https://wiki.squid-cache.org/ (not with Google, not with Facebook).
But the weird thing is that if I go through a machine authenticated by IP, I
receive that IPv6. But if I go through a Kerberos-authenticated machine I get
this net::err
Sorry, but is the problem with the certificate a problem with the website?? I
mean, it is not a problem with "my Squid".
So I had better exclude that website... but, so strange, the Squid wiki webpage with
a certificate problem???
OK, that's an error from Chrome.
Another thing with just that website: if I disable dns_ipv4_first,
I get this:
--
The following error was
Sorry, I found where
/etc/sysconfig/squid
And it was good, I already have that config, so I don't know why it is failing.
--
Sent from:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
Hi.
I followed this guide
https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
But I don't know where to put this
Add the following configuration to /etc/default/squid3
KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME
I don't have that file /etc/default/squid3
Hi.
All is working fine, but I'm having this error in root's mail
--
From r...@squid.domain.lan Tue Oct 3 04:00:02 2017
Return-Path:
X-Original-To: root
By the way,
              total        used        free      shared  buff/cache   available
Mem:           3,7G        3,0G        122M         13M        554M        422M
Swap:          2,0G        160M        1,8G
Hi to all.
All was working fine... but today I'm having this issue
2017/09/07 11:34:49 kid1| Starting new negotiateauthenticator helpers...
2017/09/07 11:34:49 kid1| helperOpenServers: Starting 1/35
'negotiate_kerberos_auth' processes
2017/09/07 11:34:50 kid1| Starting new negotiateauthenticator
Ok, thanks
I grew the swap
[root@squid /]# free -h
              total        used        free      shared  buff/cache   available
Mem:           3,7G        1,0G        117M         29M        2,6G        2,4G
Swap:          6,0G        124M        5,9G
related to swappiness what would be a
But, why so slow then???
"
For Negotiate and NTLM the credentials are supposed to be unique per
connection, so each TCP connection requires separate lookup. But
followup pipelined requests on a connection should not need auth helper
lookups as they share the already authenticated credentials.
Hi.
Thanks.
But is there some time to live to configure in Squid, so the service is
not asking every time for authentication??
Thanks!
Sorry, this is part of my config
###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.domain@domain.lan
auth_param negotiate children 45 startup=0 idle=1
auth_param negotiate keep_alive on
external_acl_type i-full %LOGIN
Hi.
I'm having a lot of these in cache.log... is this normal?? The HTTPS access
is working fine... but I have those errors.
2017/09/04 13:10:58 kid1| Error negotiating SSL on FD 467:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (
1/-1/0)
2017/09/04 13:10:58
Hi.
Is there a way to know what could be happening with this failure?
Thanks to all.
Internal DNS Statistics:
The Queue:
DELAY SINCE
ID SIZE SENDS FIRST SEND LAST SEND M FQDN
-- - -- - -
DNS jumbo-grams: not working
Nameservers:
IP
Sorry, I don't understand.
Just enumerate the users in an ACL?
A common ACL or a Kerberos ACL??
Can you give me an example please?
Thanks
Thanks Amos.
Let's be clear ... this configuration was working exactly as I wanted it to.
The users in each of those groups (i-full, sin_autenticacion, i-limitados)
navigated without problems. So that they did not navigate, I simply took
them out of one of those groups, period. Everything works
But, that's exactly the problem.
That's what I do.
I do have this large group
i-full
and a small group with a few users from i-full, the small group is called
i-restringidos.
And I put i-restringidos at the top... (as you can see in my config file)
But it is not working. They can go through the web
Thanks.
I updated to 3.5.27 and now I don't have this problem.
But I have this doubt... so, was this a problem with my certificate or a bug
in Squid???
Thanks
I'm having this warning in the log.
I can't find anything related to this on Google, so.
What could it be??
This is my config
IP GROUPS
acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
###Kerberos Auth with ActiveDirectory###
auth_param negotiate program
Hi to all.
I'm having some things in the log.
Like this:
-Vary object loop
-Could not parse headers from on disk object
-varyEvaluateMatch: Oops
ipcacheParse No Address records in response to (I suppose this is not a
problem)
And a lot more as you can see.
2017/12/12 16:09:50 kid1|
Hi.
I want to put that command
reference_age 1 week
I see that in a lot of tutorials, but... Squid gives me an error and stops the
service.
It doesn't recognize the command... does that command not exist anymore??
Thanks
P.S.: is there another way to tell Squid how to manage the time for the cache
objects??
When I put this in Chrome
https://.sdfasdfasdfasdfasd.com
it produces the same error...
but this just happened with "https" and with Chrome... not with
Firefox.
With Firefox I get the error web page from Squid
Unable to determine IP address from host name
Hi, and thanks.
But I don't get it, how is this possible, if the bumping is working well? I
mean, all HTTPS is working with my certificate, except for those that I
block (from Chrome). But the bumping is working well in Chrome and Firefox.
This is the log from Chrome with port
1512501177.181
"Does that error match the generated certificate sent by Squid to a
blocked Chrome user? In other words, does that certificate have an
invalid common name (CN) field? "
No, it is the same certificate.
"I suggest comparing the following two certificates:
* the certificate sent by Squid to a
Yes, Chrome tells me this when I look at the certificate
"The certificate for this site does not contain a Subject Alternative Name
extension containing a domain name or IP address."
So, my certificate does not have a Subject Alternative Name.
But, this is not a problem with Firefox.
I have to change
Ok, thanks for your time.
This "fixes" the problem...
reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1
When I ran that command, the problem was gone.
But I want to know about that fix that you are telling me about.
I'm using this version Squid
Hi.
I want to do a redirect for a user.
For example, if the user wants to go to Google, I redirect to some particular
website.
Can you tell me how??
I have configured the HTTP access through user (with Kerberos).
Thanks to all
Hi. What do you think about using a certificate for bump from
https://letsencrypt.org???
Thanks to all.
Hi to all.
Squid was working fine, but I made a mistake and... deleted the
proxy.keytab. I tried to do it again, but made a mistake in the syntax
Wrong syntax (the real name is not squidproxy.domain.lan, it is
squid.domain.lan):
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.lan -k
Ok.
Thanks
Now the ticket is fine, and it is working (people are going through the internet
and I see their user names in access.log) but... I'm having this error in
the log.
2018/02/05 12:56:46 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message:
Thanks for your time! Now it is working fine.
A little and stupid question: where can I find the start script of
Squid??? This is CentOS 7.
I want to put this
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
[root@squid etc]# cat /usr/lib/systemd/system/squid.service
## Copyright (C) 1996-2015 The
Hi.
I'm having this warning in cache.log
2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy.
2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued
2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of
ssl_crtd processes in your config file.
2018/02/14
Hi. I'm having this problem. I'm running Squid in a CentOS 7 container (LXC on
Proxmox).
This is cache.log
support_sasl.cc(276): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group:
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=555 :2018/02/20
Hi.
The port is open.
Is there a way to have a little more logging??
Thanks
Sorry, Yuri, yes it is working.
I can connect via LDAP and also turn on debug to investigate, and there is no
error now...
but from time to time, this error is happening... so... it is strange.
On the other hand, I'm getting these values with just one machine using
Squid:
Negotiate Authenticator Statistics:
Hi to all.
I don't know why I have these bad values. My network is working fine. What can I
do to fix this? I think it is a high value.
HTTP/1.1 200 OK
Server: squid/3.5.27
Mime-Version: 1.0
Date: Fri, 23 Feb 2018 17:16:25 GMT
Content-Type: text/plain;charset=utf-8
Expires: Fri, 23 Feb 2018 17:16:25 GMT
Hi to all.
I'm trying to block some websites for an IP group.
[root@squid ips]# cat i-restringidos.lst
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128
This same IP group has access to all of the internet.
[root@squid ips]# cat prensa_isla.lst
192.168.1.42
Hi to all.
I'm trying to set up the proxy through DNS. I'm working on a Windows Server 2012 R2.
I followed a lot of tutorials... and can't do it.
The best I have is this (and it is strange).
When the PC starts I see the IP of that PC in the Squid log.
tail -f /var/log/squid/access.log | grep 192.168.6.22
Hi, thanks
I tried Explorer 8.0 and Chrome 68.0...
Thanks to all!!
Now it is working fine.
Just one question... I made this accessible from the internet...
so, I created an ACL 0.0.0.0/0 and it's working.
But... is this a security issue??? Or is it OK to declare that ACL?
Thanks to all.
> php.mydomain.lan 192.168.1.223
> ticket.mydomain.lan 192.168.1.246
>.. and clients never connect to the above directly. So these domains are
>never to be accessed by users/clients.
The client can connect directly from the domain. (I mean they can connect
directly at work, but I want to do
Antony Stone wrote
>> I create two entries pointing to squid in DNS now.
>> site1.mydomain.lan
>> site2.mydomain.lan
>
> So, both of those resolve to 192.168.1.21, right?
>
> Yes, the resolve to the ip of squid.
>
>> > The config example you want to follow is
>> >
OK, thanks. I changed that.
Now, if I go to reverse.mydomain.lan I get this error:
"Unable to forward this request at this time."
1533909140.268 0 192.168.6.20 TCP_IMS_HIT/304 355 GET
http://reverse.mydomain.lan/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png
but what would be
Hi.
I have Squid configured as a reverse proxy.
The DNS is configured too. The clients can access from outside without
problem.
It is working well.
But I want to serve web pages with https and I would like to use Let's
Encrypt (or something similar) so clients do not have to accept an invalid
Thank you Amos (sorry again Yuri).
And yes, the users are complaining.
The problem is this (and sorry for being repetitive about this).
That avg ms value sometimes goes up to 3000... and at that moment everything
stops.
In the cache.log, sometimes, I'm getting this.
support_sasl.cc(276): pid=3729
Hi.
I want to know if it is possible that, for some site (sales.mydomain.com), the
proxy server sends the "real IP".
Because I want to see in the logs of sales.mydomain.com the real IP of the
machine that is connecting (and not the proxy IP).
I know that I can see this in the Squid log... but, I want