[squid-users] cachemgr.cfi General Runtime Information shows negative memory values
Hello all. I am trying to understand how Squid allocates resources. It is weird for me that the General Runtime Information shows negative values! You can check it here: http://pastebin.com/EyVPB3Qu Is it a bug or a problem in my installation? Thanks, Sebastian
RE: [squid-users] Prefetch patch test
Sorry Amos. But where else do I post this? I thought I can mail it to this mail id squid-users@squid-cache.org. But if there is some other place, please let me know. - Anita

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 15 February 2012 18:17
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Prefetch patch test

Before we start. Please do not hijack other topics' discussions. It ruins the group's archive threading and the threaded mailer tools many of us use to track the group mail. Thank you.

On 15/02/2012 5:24 p.m., anita.sivakumar wrote:
> Hi,
>
> Has anyone used and tested the squid prefetch patch available in the squid website?
> For me it apparently gave a segmentation fault when I tried to prefetch. It works normally for other requests though.

I assume you mean the prefetch project patch from devel.squid-cache.org? That was last updated for one of the 3.0 PRE-releases (5 or 6 by the looks of it). It was not accepted into mainline for some reason unknown to me. Apart from ESI support, all body content filtering and adaptations have been pushed off to ICAP and eCAP processors.

The whole devel.* site is now outdated; all projects there are in the deprecated bin. If you would like to revive one please get in touch with squid-dev about joining development and be prepared for a fair bit of hacking to get it ported to current 3.HEAD in BZR.

There are other tools (such as "squid-prefetch") which can do prefetch for any version of Squid without patching which you may want to investigate first. Although be aware that in most instances pre-fetching at the proxy level has usually been found to be a large waste of bandwidth and cache resources, with little benefit (or none) to offset the costs. Modern browsers do a different kind of pre-fetch themselves which has a far more efficient algorithm for calculating what resources to fetch early.
Squid and other proxies do not have access to enough of the user's information to do it efficiently.

Amos
Re: [squid-users] Squid 2.7.STABLE9 suddenly fails to run
On 16.02.2012 09:19, SB Tech wrote:
> Hi,
> I'm still having the problem described below. If there's no further help forthcoming, or if this issue is just one of those things that defies explanation, I'll just go ahead and perform a restore of the whole installation from a recent backup. I'd rather not, but if I'm getting no help it's all I have left.

It does seem to be one of those problems. There is no reason why the 777 experiment should have failed at all.

You could check for free disk space and available inodes (if the FS uses inodes).

Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
On 16.02.2012 12:54, berry guru wrote:
> Do logs get rotated because they reach a certain size or threshold?

No. Just when "squid -k rotate" is run. Most distros integrate their packages with the OS logrotate system.

> I found something that is kind of confusing me, the owner of cache.log is the user 'proxy' which I never created, so this must be a default user from squid.

Yes it is.

> I ran ls -l /var/log/squid3/cache.log and found that
> -rw-r- 1 proxy proxy 38762 2012-02-15 14:03 /var/log/squid3/cache.log
> So it looks like the permissions need to be assigned to the user proxy, but I don't have that info. I'm pretty sure this will fix the Webmin info, but I'm wondering how users are giving permissions to Webmin for the cache.log directory.

Er, yes. Sorry I don't know webmin to help on that particular. Maybe someone else here can say.

Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
Do logs get rotated because they reach a certain size or threshold?

I found something that is kind of confusing me, the owner of cache.log is the user 'proxy' which I never created, so this must be a default user from squid.

I ran ls -l /var/log/squid3/cache.log and found that
-rw-r- 1 proxy proxy 38762 2012-02-15 14:03 /var/log/squid3/cache.log

So it looks like the permissions need to be assigned to the user proxy, but I don't have that info. I'm pretty sure this will fix the Webmin info, but I'm wondering how users are giving permissions to Webmin for the cache.log directory.

On Wed, Feb 15, 2012 at 2:53 PM, Amos Jeffries wrote:
> On 16.02.2012 11:31, berry guru wrote:
>> If I were to run chmod ugo+rwx *file* where file would be cache.log am I going to break something. Is this the appropriate approach?
>
> It is incomplete. When the log gets rotated things die again.
>
> The Squid details are in a folder called .../squid3/ so that you can assign that folder the appropriate read/write and owner/group permissions and leave its parent /var/log with root-only or similar access.
>
> PS. I should have said re-run -k parse when you think you have resolved the issues. Sometimes a major problem causes early abort and later problems remain hidden.
>
> Amos
Re: [squid-users] Authorisation fails sometimes
On 16.02.2012 03:12, Günter Merz wrote:
> Hello,
> I'm using squid_kerb_ldap (via external_acl_type) to authenticate via kerberos and authorize access via ldap groups. This seems to work. Partly anyway.
> My problem is: Most of the traffic is authorized as shown in the access.log file which shows GETs and CONNECTs using the respective kerberos id (user@DOMAIN) but some GETs and CONNECTs lack that kerberos id (-) and consequently fail (TCP_DENIED).
> I tested if an earlier ACL might prevent those transfers from being allowed by inserting an ACL right before the external_acl_type to allow all transfers from the host I was using. This didn't show any TCP_DENIEDs.

Um, of course not. "allow all" will never deny anything. Absolutely anything is permitted.

> I also wondered if the browser could be at fault (not requesting each GET with the respective kerberos id) so I changed from Firefox to Chromium. The behaviour was identical.
> Can anyone think of a reason for this behaviour or another way to debug for the cause?

Beyond seeing "TCP_DENIED" when the credentials are missing, what makes you think there is a fault?

4xx status messages are simply the mechanism HTTP uses for the proxy to inform the client software about things it needs to do. In this case adding the credentials to its request. It can (and should) retry immediately with credentials and get accepted. At best all 4xx status are minor problems easily corrected in the background by the client. 5xx status are the major errors; only the server admin can fix those.

You also omitted details about what software versions you are dealing with. It's hard to diagnose a bug fixed in say 2005 without knowing your software came out in 2002. Likewise to ignore bugs fixed already in your version.

Amos
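Amos's point is that a 407 in access.log is only a fault when the client never follows it with an authenticated retry. The script below is an added example (not code from this thread or from the Squid project) that applies that test to Squid's native access.log format: it pairs each TCP_DENIED/407 with a later non-407, authenticated request from the same client for the same URL within a short window, and reports the challenges that were never answered, per client. The log lines are constructed samples; the 5-second window is an assumption you would tune to your clients' behaviour.

```python
"""Triage 407 challenges in a Squid access.log (native log format).

A TCP_DENIED/407 with user '-' is the proxy asking for credentials. It is
only a problem when the same client never follows up with an authenticated
request for the same URL. Added example, not code from the squid-users
thread or the Squid project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Squid native format: time elapsed client action/code bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass
class Entry:
    ts: float
    client: str
    action: str
    status: int
    method: str
    url: str
    user: str  # "-" means no credentials were presented


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for lines that do not match the native format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["action"], int(m["status"]),
                 m["method"], m["url"], m["user"])


def triage_challenges(lines: List[str], window: float = 5.0) -> Dict[str, object]:
    """Classify every 407 as answered (same client retried the same URL with
    credentials within `window` seconds) or unanswered."""
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    answered: List[Entry] = []
    unanswered: List[Entry] = []
    for i, e in enumerate(entries):
        if e.status != 407:
            continue
        retry = next(
            (f for f in entries[i + 1:]
             if f.client == e.client and f.url == e.url
             and f.status != 407 and f.user != "-" and f.ts - e.ts <= window),
            None,
        )
        (answered if retry else unanswered).append(e)
    per_client: Dict[str, int] = {}
    for e in unanswered:
        per_client[e.client] = per_client.get(e.client, 0) + 1
    return {
        "challenges": len(answered) + len(unanswered),
        "answered": len(answered),
        "unanswered": len(unanswered),
        "unanswered_by_client": per_client,
    }


# Constructed sample lines (not taken from the thread's real logs).
SAMPLE_LOG = [
    "1329350400.123     45 10.0.0.5 TCP_DENIED/407 3872 GET http://example.com/index.html - HIER_NONE/- text/html",
    "1329350400.456    120 10.0.0.5 TCP_MISS/200 15234 GET http://example.com/index.html user@EXAMPLE.COM HIER_DIRECT/93.184.216.34 text/html",
    "1329350401.001     30 10.0.0.7 TCP_DENIED/407 3872 CONNECT mail.example.com:443 - HIER_NONE/- text/html",
    "1329350404.500     33 10.0.0.7 TCP_DENIED/407 3872 CONNECT mail.example.com:443 - HIER_NONE/- text/html",
    "this line is not in native format and is skipped",
]

if __name__ == "__main__":
    print(triage_challenges(SAMPLE_LOG))
```

Run it against a real access.log with `triage_challenges(open("/var/log/squid3/access.log").readlines())`. A client that accumulates unanswered challenges is the one to look at (browser not configured for the proxy's auth scheme, no Kerberos ticket, wrong SPN), while a 407 that is immediately followed by a 200 with a user name is the normal handshake.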
Re: [squid-users] Re: Squid Cache Directory - Webmin
On 16.02.2012 11:31, berry guru wrote:
> If I were to run chmod ugo+rwx *file* where file would be cache.log am I going to break something. Is this the appropriate approach?

It is incomplete. When the log gets rotated things die again.

The Squid details are in a folder called .../squid3/ so that you can assign that folder the appropriate read/write and owner/group permissions and leave its parent /var/log with root-only or similar access.

PS. I should have said re-run -k parse when you think you have resolved the issues. Sometimes a major problem causes early abort and later problems remain hidden.

Amos
Re: [squid-users] HTTP 407 responses
On 16.02.2012 06:55, Luis Enrique Sanchez Arce wrote:
> With firefox you need to set the following variable to avoid the password 3 times. In the navigation bar put about:config and change the value
> network.auth.force-generic-ntlm = true

Question is what does "generic NTLM" mean? NTLM being the collective brand name (yes brand name) for a collection of security encryptions which includes things as far as Windows 3.1 CRC "encryption". Little better than clear text in terms of security.

network.automatic-ntlm-auth.allow-proxies - should be set to true, and probably also resolves most Firefox popups when using a proxy without needing to force generic NTLM.

Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
If I were to run chmod ugo+rwx *file* where file would be cache.log am I going to break something. Is this the appropriate approach?

On Wed, Feb 15, 2012 at 2:23 PM, berry guru wrote:
> My mistake, I should have specified that I ran it with squid3.
>
> The "squid -k parse" gave me some good info
>
> WARNING: Cannot write log file: /var/log/squid3/cache.log
> /var/log/squid3/cache.log: Permission denied
> messages will be sent to 'stderr'.
>
> So it looks like I need to change permissions to that directory, and give it the appropriate write permissions.
>
> On Wed, Feb 15, 2012 at 2:14 PM, Amos Jeffries wrote:
>> On 16.02.2012 11:05, berry guru wrote:
>>> I reverted back to the default squid configuration and I'm still getting the same error. I restarted Squid, but still no go.
>>>
>>> Supposedly the squid -z should have done it for me.
>>>
>>> Any thoughts?
>>
>> Run "squid -k parse". That will show you any other issues in the config.
>>
>> Also, you said you installed "squid3". On Debian and child systems that is a different package and binary. You need to run "squid3 -z" etc in that case.
>>
>> Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
My mistake, I should have specified that I ran it with squid3.

The "squid -k parse" gave me some good info

WARNING: Cannot write log file: /var/log/squid3/cache.log
/var/log/squid3/cache.log: Permission denied
messages will be sent to 'stderr'.

So it looks like I need to change permissions to that directory, and give it the appropriate write permissions.

On Wed, Feb 15, 2012 at 2:14 PM, Amos Jeffries wrote:
> On 16.02.2012 11:05, berry guru wrote:
>> I reverted back to the default squid configuration and I'm still getting the same error. I restarted Squid, but still no go.
>>
>> Supposedly the squid -z should have done it for me.
>>
>> Any thoughts?
>
> Run "squid -k parse". That will show you any other issues in the config.
>
> Also, you said you installed "squid3". On Debian and child systems that is a different package and binary. You need to run "squid3 -z" etc in that case.
>
> Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
On 16.02.2012 11:05, berry guru wrote:
> I reverted back to the default squid configuration and I'm still getting the same error. I restarted Squid, but still no go.
>
> Supposedly the squid -z should have done it for me.
>
> Any thoughts?

Run "squid -k parse". That will show you any other issues in the config.

Also, you said you installed "squid3". On Debian and child systems that is a different package and binary. You need to run "squid3 -z" etc in that case.

Amos
Re: [squid-users] Re: Squid Cache Directory - Webmin
I reverted back to the default squid configuration and I'm still getting the same error. I restarted Squid, but still no go.

Supposedly the squid -z should have done it for me.

Any thoughts?

On Wed, Feb 15, 2012 at 11:25 AM, berry guru wrote:
> I was afraid you were going to say that Sebastian, but at the same time it makes sense. I'm going to restore my squid.conf from a backup and see where I stand. Thanks for the direction.
>
> Cheers,
>
> On Wed, Feb 15, 2012 at 10:58 AM, Sebastian Muniz wrote:
>> On 2/15/2012 3:07 PM, berry guru wrote:
>>> I thought I had it, I found something in Chp5 of the Squid Definitive book talking about initializing cache directories. I ran the squid -z command and got back the following details after is took:
>>>
>>> aclParseAccessLine: squid.conf line 846: http_access permit all
>>> aclParseAccessLine: expecting 'allow' or 'deny', got 'permit'.
>>> Create Swap Directories
>>>
>> Hello Berry,
>> If you have manually modified the squid.conf file I would suggest to reset to defaults and start again.
>> My experience with webmin is that you use it OR (exclusive OR) you do it manually. Manually modifying conf files tends to confuse webmin.
>> In this case the error is correct, you are missing allow or deny in the line
>> Check http://www.squid-cache.org/Doc/config/http_access/
>>
>> Regards.
>> Sebastian
Re: [squid-users] HTTP 407 responses
On 16.02.2012 04:33, Mr J Potter wrote:
> Hi Amos,
> Thanks for your help on this...
> I've had to change tack on this in light of what you have said and have now got NTLM authentication working.
> - any form of http authentication is going to kick up a login box - there is no way round this, right?

No. That is entirely up to the browser. Squid always sends the 407, but whether that goes through a SSO process or popup is up to the browser.

> With NTLM, I am now getting the NTLM login 3 times before it lets me in (apparently this is normal)

Several 407 *messages* is normal yes. Popups? not so much. You should only ever see one of those (or not even one).

> Can you recommend the best/least bad approach to go for here? I'm setting up a guest wireless system, and I just want a way to get (non domain) devices to get a chance to login to get an internet connection, but all the ways I've found have major flaws.
> - LDAP basic authentication works fine but is insecure
> - LDAP digest requires a new type of password hash to be set up in my directory services
> - NTLM requires 3 login attempts
> Or do I move away from http authentication entirely?

You have missed Kerberos. This is an upgrade from NTLM with less of the handshake messages and somewhat better security encryption. Most systems support it, but YMMV on a general access system.

Amos
Re: [squid-users] Squid block list
I've been using squidguard for years. It's great - you can block/allow by user, workstation, time or url, and rewrite urls (for instance I can force all google image searches to be safe, and block certain search terms). I looked at dansguardian too but squidguard won my vote at the time (about 5 years ago). I don't know about any others.

and there's what looks like an OK front end for it too (squidguard manager) or a webmin module but I've never used them in anger.

Jim

On 15 February 2012 13:51, Muhammad Yousuf Khan wrote:
> Hello All,
>
> I need a suggestion as i am new to squid-world and i don't wanna waste my time on R&D rather for the perfect solution which is scalable and reliable. so as every Squid administrator want to restrict the unwanted website access during working hours so i am here to ask the same thing however i know how to implement squid and how to use squid.conf and how to block the destination and i also know that there are websites that are providing databases for squid to use as block list and also consistently updating the databases. so i want such a tool or supporting tool which can at least update the data files on weekly bases however i will manage the implementation of rules on my own. so kindly suggest me.
>
> Thank you.
>
> MYK
Re: [squid-users] HTTP 407 responses
Hi Alex,

I've got it working fine on domain members. I should have explained better - I'm setting up a guest wireless network in a school, so all devices that attach will be personal, non domain, and as a rule I won't get the chance to configure them before they connect. The devices that I want to connect will be mostly student laptops, smartphones and visitors' devices. The plan is to set up proxy DHCP autoconfig and/or transparent port forwarding trick to point people towards the proxy (https is likely not to like this I know), but I want a way of getting people to say who they are and give them internet access accordingly. I'm using squid/squidguard to great effect for the domain machines, and I'd like to use the same set of rules for folks connecting their own devices.

How has anyone else done this? the options I've found are basic, digest or NTLM all of which have major issues in terms of security, configuration or usability respectively.

Jim

> Jim,
>
> If you are getting login prompts like this (especially 3 times) it's likely your NTLM auth is not working.
>
> In normal use with NTLM on domain member hosts, you should never see them, not even when opening the browser for the first time. The browser should pass through authentication from the logged on Windows session.
>
> I would check the permissions on the winbindd_privileged folder (usually in /var/run/samba or /var/cache/samba) and make sure your squid user can write to it. Some distros actually change the permissions on that folder after winbind has started in the init script.
>
> You might also want to check winbind is working by issuing "wbinfo -u" and "wbinfo -g" - you should get a list of domain users and groups.
>
> Alex
[squid-users] Squid 2.7.STABLE9 suddenly fails to run
Hi,

I'm still having the problem described below. If there's no further help forthcoming, or if this issue is just one of those things that defies explanation, I'll just go ahead and perform a restore of the whole installation from a recent backup. I'd rather not, but if I'm getting no help it's all I have left.

Thank you.

S.

On 12 February 2012 00:34, Amos Jeffries wrote:
> On 12/02/2012 10:53 a.m., SB Tech wrote:
>>> the "squid[1551]: storeDirOpenTmpSwapLog: Failed to open swap log" error still exists, and is fatal. This is the unprivileged user spawned by the root process that is run at boot.
>>>
>>> The low-privileged effective user is the default, "proxy". Here's an accurate representation of my cache/logs file structure:
>>> /media/sdcard root:root 777
>>> ../squid proxy:proxy 770
>>> ../../00 through 0F proxy:proxy 750
>>> ../../swap.state proxy:proxy 640
>>> ../../logs proxy:proxy 775
>>> ../../../*.log proxy:proxy 640
>>> Interestingly, swap.state is back even though I deleted it during troubleshooting, so Squid can clearly r/w here just fine.
>>> For completeness, my cache_dir is set as follows:
>>> cache_dir ufs /media/sdcard/squid 800 16 256
>>> Logs:
>>> access_log none
>>> cache_log /media/sdcard/squid/logs/cache.log
>>> cache_store_log /media/sdcard/squid/logs/store.log
>>> I really can't see anything wrong with my permissions. What am I missing?
>>> Thanks.
>>
>> I note it's actually looking for "TmpSwapLog" - is there somewhere else I should be looking for this permissions issue (if that's what this is) than the swap.state file?
>
> It's a temporary of the swap.state called swap.state.clean or swap.state.tmp and should be in the same directory as your swap.state.
>
> Try setting /media/sdcard/squid to 777 for one run and seeing if something strange has happened with its permissions. If swap.state owner or group changes those are what needs to be given access.
>
> Amos

Hi,

Thanks for following up on this.

I took your advice, but afterwards I simply received the same error. I performed a "ls -la" on ../squid, and I don't see any evidence of a swap.state.clean or .tmp - all I have are the cache folders, my logs folder and swap.state. Where could this be, as it seems to be where the problem lies?
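Two threads above come down to the same questions: does the unprivileged Squid user own and have write access to the cache and log trees (the /var/log/squid3 discussion and this swap.state one), has a 777 "experiment" left something world-writable, and, as Amos suggests here, is the filesystem out of space or inodes. The script below is an added example, not code from either thread or from the Squid project; it audits a directory tree for those conditions and checks free space and inode headroom. It builds a constructed sample tree under a temp directory so it runs stand-alone; on a real system you would point `audit_tree` at the cache_dir or log directory with the uid/gid of the `proxy` (or equivalent) user.

```python
"""Audit ownership, mode bits and free space of a Squid cache/log tree.

Reports: tree not owned by the Squid user, owner lacking write (or, for
directories, traverse) permission, anything world-writable, symlinks in
the tree, and low disk space / inodes. Added example, not code from the
squid-users thread or the Squid project.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (path relative to the audited root, finding code)


def owner_of(path: str) -> Tuple[int, int]:
    """(uid, gid) of a path; handy for picking the expected owner of a tree."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def audit_tree(root: str, expected_uid: int, expected_gid: Optional[int] = None) -> List[Finding]:
    """Walk `root` and return (relative path, code) pairs for every problem found."""
    findings: List[Finding] = []
    for p in [Path(root)] + sorted(Path(root).rglob("*")):
        rel = os.path.relpath(str(p), root)  # "." for the root itself
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            # A symlink inside a cache/log tree is worth a look; do not follow it.
            findings.append((rel, "SYMLINK"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append((rel, "OWNER_MISMATCH"))
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append((rel, "GROUP_MISMATCH"))
        if mode & stat.S_IWOTH:
            findings.append((rel, "WORLD_WRITABLE"))
        if not mode & stat.S_IWUSR:
            findings.append((rel, "OWNER_NOT_WRITABLE"))
        if stat.S_ISDIR(st.st_mode) and not mode & stat.S_IXUSR:
            findings.append((rel, "OWNER_CANNOT_TRAVERSE"))
    return findings


def check_space(path: str, min_free_mb: int = 50, min_free_inodes: int = 1000) -> Dict[str, object]:
    """Free space and inode headroom on the filesystem holding `path`."""
    vfs = os.statvfs(path)
    free_mb = vfs.f_bavail * vfs.f_frsize // (1024 * 1024)
    free_inodes = vfs.f_favail
    # Filesystems without a fixed inode table report f_files == 0; treat as not inode-limited.
    inodes_ok = vfs.f_files == 0 or free_inodes >= min_free_inodes
    return {"free_mb": free_mb, "free_inodes": free_inodes,
            "ok": free_mb >= min_free_mb and inodes_ok}


def build_sample_tree() -> str:
    """Constructed sample tree (temp dir) mimicking the layout from the thread,
    including a world-writable logs dir and a swap.state its owner cannot write."""
    root = tempfile.mkdtemp(prefix="squid-audit-")
    logs = Path(root, "logs")
    logs.mkdir()
    os.chmod(logs, 0o777)                                   # the "777 experiment"
    cache_log = Path(logs, "cache.log")
    cache_log.write_text("")
    os.chmod(cache_log, 0o640)
    swap = Path(root, "swap.state")
    swap.write_text("")
    os.chmod(swap, 0o444)                                   # owner cannot write
    os.chmod(root, 0o750)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    uid, gid = owner_of(root)
    for rel, code in audit_tree(root, uid, gid):
        print(f"{code:22} {rel}")
    print(check_space(root))
```

The mode checks read the bits directly rather than calling `os.access`, so the audit gives the same answer whether it is run as root or as the Squid user. A `WORLD_WRITABLE` hit on a log or cache directory is the thing to undo first: it makes the "permission denied" go away while letting any local account write into Squid's cache and logs.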
[squid-users] Re: Squid block list
On 2/15/2012 2:51 PM, Muhammad Yousuf Khan wrote: list and also consistently updating the databases. so i want such a tool or supporting tool which can at least update the data files on weekly bases however i will manage the implementation of rules on my own. so kindly suggest me. qlproxy? full blown though for your needs... best regards, sichent
Re: [squid-users] Re: Squid Cache Directory - Webmin
I was afraid you were going to say that Sebastian, but at the same time it makes sense. I'm going to restore my squid.conf from a backup and see where I stand. Thanks for the direction. Cheers, On Wed, Feb 15, 2012 at 10:58 AM, Sebastian Muniz wrote: > On 2/15/2012 3:07 PM, berry guru wrote: >> >> I thought I had it, I found something in Chp5 of the Squid Definitive >> book talking about initializing cache directories. I ran the squid -z >> command and got back the following details after is took: >> >> aclParseAccessLine: squid.conf line 846: http_access permit all >> aclParseAccessLine: expecting 'allow' or 'deny', got 'permit'. >> Create Swap Directories >> > Hello Berry, > If you have manually modified the squid.conf file I would suggest to reset > to defaults and start again. > My experience with webmin is that you use it OR (exclusive OR) you do it > manually. Manually modifying conf files tends to confuse webmin. > In this case the error is correct, you are missing allow or deny in the line > Check http://www.squid-cache.org/Doc/config/http_access/ > > Regards. > Sebastian
Re: [squid-users] Re: Squid Cache Directory - Webmin
On 2/15/2012 3:07 PM, berry guru wrote: I thought I had it, I found something in Chp5 of the Squid Definitive book talking about initializing cache directories. I ran the squid -z command and got back the following details after is took: aclParseAccessLine: squid.conf line 846: http_access permit all aclParseAccessLine: expecting 'allow' or 'deny', got 'permit'. Create Swap Directories Hello Berry, If you have manually modified the squid.conf file I would suggest to reset to defaults and start again. My experience with webmin is that you use it OR (exclusive OR) you do it manually. Manually modifying conf files tends to confuse webmin. In this case the error is correct, you are missing allow or deny in the line Check http://www.squid-cache.org/Doc/config/http_access/ Regards. Sebastian
Re: [squid-users] Squid block list
ufdbGuard is a free URL filter for Squid which has the time-related ACL feature to block sites only during business hours. The Reference Manual of ufdbGuard explains the technical details. If you have a small set of sites that you want to block, you can make your own URL table and use ufdbGuard for free. If you want to use a commercial URL database, you can go to www.urlfilterdb.com

Marcus

Muhammad Yousuf Khan wrote:
> Hello All,
> I need a suggestion as i am new to squid-world and i don't wanna waste my time on R&D rather for the perfect solution which is scalable and reliable. so as every Squid administrator want to restrict the unwanted website access during working hours so i am here to ask the same thing however i know how to implement squid and how to use squid.conf and how to block the destination and i also know that there are websites that are providing databases for squid to use as block list and also consistently updating the databases. so i want such a tool or supporting tool which can at least update the data files on weekly bases however i will manage the implementation of rules on my own. so kindly suggest me.
> Thank you.
> MYK
[squid-users] Re: Squid Cache Directory - Webmin
I thought I had it, I found something in Chp5 of the Squid Definitive book talking about initializing cache directories. I ran the squid -z command and got back the following details after is took: aclParseAccessLine: squid.conf line 846: http_access permit all aclParseAccessLine: expecting 'allow' or 'deny', got 'permit'. Create Swap Directories On Wed, Feb 15, 2012 at 9:50 AM, berry guru wrote: > I installed Webmin to configure Squid3 and was wondering how do I go > about initializing the squid cache directory. > > Under the Squid Proxy Server it states "Your Squid cache directory > /var/spool/squid3 has not been initialized. This must be done before > Squid can be run." I entered both a username I typically use and > root, but they both return the error "Cannot write to directory > /etc/squid3" > > I'm thinking this is an issue with permissions to that directory. I'm > not exactly sure on how to edit those permissions. Am I correct in > that assumption?
Re: [squid-users] HTTP 407 responses
With firefox you need to set the following variable to avoid the password 3 times. In the navigation bar put about:config and change the value

network.auth.force-generic-ntlm = true

Luis,

On 15/02/12 15:33, Mr J Potter wrote:
> Hi Amos,
>
> Thanks for your help on this...
>
> I've had to change tack on this in light of what you have said and have now got NTLM authentication working.
>
> - any form of http authentication is going to kick up a login box - there is no way round this, right?
>
> With NTLM, I am now getting the NTLM login 3 times before it lets me in (apparently this is normal)
>
> Can you recommend the best/least bad approach to go for here? I'm setting up a guest wireless system, and I just want a way to get (non domain) devices to get a chance to login to get an internet connection, but all the ways I've found have major flaws.
>
> - LDAP basic authentication works fine but is insecure
> - LDAP digest requires a new type of password hash to be set up in my directory services
> - NTLM requires 3 login attempts
>
> Or do I move away from http authentication entirely?
>
> thanks in advance,
>
> Jim
> UK

Jim,

If you are getting login prompts like this (especially 3 times) it's likely your NTLM auth is not working.

In normal use with NTLM on domain member hosts, you should never see them, not even when opening the browser for the first time. The browser should pass through authentication from the logged on Windows session.

I would check the permissions on the winbindd_privileged folder (usually in /var/run/samba or /var/cache/samba) and make sure your squid user can write to it. Some distros actually change the permissions on that folder after winbind has started in the init script.

You might also want to check winbind is working by issuing "wbinfo -u" and "wbinfo -g" - you should get a list of domain users and groups.
Alex

End the injustice, FREEDOM NOW FOR OUR FIVE COMPATRIOTS WHO ARE UNJUSTLY HELD IN US PRISONS! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
[squid-users] Squid Cache Directory - Webmin
I installed Webmin to configure Squid3 and was wondering how do I go about initializing the squid cache directory. Under the Squid Proxy Server it states "Your Squid cache directory /var/spool/squid3 has not been initialized. This must be done before Squid can be run." I entered both a username I typically use and root, but they both return the error "Cannot write to directory /etc/squid3" I'm thinking this is an issue with permissions to that directory. I'm not exactly sure on how to edit those permissions. Am I correct in that assumption?
Re: [squid-users] HTTP 407 responses
On 15/02/12 15:33, Mr J Potter wrote:
> Hi Amos,
>
> Thanks for your help on this...
>
> I've had to change tack on this in light of what you have said and have now got NTLM authentication working.
>
> - any form of http authentication is going to kick up a login box - there is no way round this, right?
>
> With NTLM, I am now getting the NTLM login 3 times before it lets me in (apparently this is normal)
>
> Can you recommend the best/least bad approach to go for here? I'm setting up a guest wireless system, and I just want a way to get (non domain) devices to get a chance to login to get an internet connection, but all the ways I've found have major flaws.
>
> - LDAP basic authentication works fine but is insecure
> - LDAP digest requires a new type of password hash to be set up in my directory services
> - NTLM requires 3 login attempts
>
> Or do I move away from http authentication entirely?
>
> thanks in advance,
>
> Jim
> UK

Jim,

If you are getting login prompts like this (especially 3 times) it's likely your NTLM auth is not working.

In normal use with NTLM on domain member hosts, you should never see them, not even when opening the browser for the first time. The browser should pass through authentication from the logged on Windows session.

I would check the permissions on the winbindd_privileged folder (usually in /var/run/samba or /var/cache/samba) and make sure your squid user can write to it. Some distros actually change the permissions on that folder after winbind has started in the init script.

You might also want to check winbind is working by issuing "wbinfo -u" and "wbinfo -g" - you should get a list of domain users and groups.

Alex
Re: [squid-users] HTTP 407 responses
Hi Amos,

Thanks for your help on this... I've had to change tack on this in light of what you have said and have now got NTLM authentication working.

- any form of http authentication is going to kick up a login box - there is no way round this, right?

With NTLM I am now getting the NTLM login 3 times before it lets me in (apparently this is normal).

Can you recommend the best/least bad approach to go for here? I'm setting up a guest wireless system, and I just want a way to get (non domain) devices to get a chance to login to get an internet connection, but all the ways I've found have major flaws.

- LDAP basic authentication works fine but is insecure
- LDAP digest requires a new type of password hash to be set up in my directory services
- NTLM requires 3 login attempts

Or do I move away from http authentication entirely?

thanks in advance,

Jim
UK

On 13 February 2012 22:25, Amos Jeffries wrote:
> On 14.02.2012 04:15, Mr J Potter wrote:
>> Hi team,
>>
>> I'm trying to set up an authenticating squid proxy with a nice login box rather than the one the browser pops up with a HTTP 407 request... Does anyone know how to do this? The main reasons for this are (1) to make it look nice (2) so that I don't have to tell people to put in DOMAIN\user into the box, (3) put some instructions as to what is going on and (4) to add a limited guest login option.
>
> (1) is not supported by any of the web specifications at this point. Someone in the IETF had a nice proposal to allow headers to be set from tag fields in HTML. I'm not sure where that went, at the time I saw it was still looking for support to get to the Draft stage.
>
> (2) is a feature of the AD or Samba PDC backend. They can be set to require the DOMAIN part or add a default value if missing.
>
> (3) permitting the server to determine what gets displayed on the login area opens it to phishing vulnerabilities. For most of the auth schemes the realm parameter is used by browsers after some heavy input validation as part of the title or descriptive text of the login popup. If you set it to a sane value the popup is self-explanatory to all users.
>
>> This is where I am so far...
>>
>> - I've got NTLM authentication working
>> - I've got a nice login page in ERR_CACHE_ACCESS_DENIED and ERR_ACCESS_DENIED
>> - I've still got to write the bit to authenticate people, but I'm not too worried about that.
>>
>> Highlights from my squid.conf file look like this:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 45
>>
>> acl authdUsers proxy_auth REQUIRED
>>
>> http_access deny !authdUsers ### Kicks up a 407 request
>> http_access deny all
>>
>> The second last line is the tricky one - I can see why the line
>>
>> http_access allow authdUsers
>>
>> would trigger a 407 request, but I'd hoped the deny ! option would get around this.
>
> Nope. Both lines REQUIRE auth challenge before they can be tested. The deny line ending in an auth ACL also produces auth challenge when it matches. The browser takes it from there.
>
> The modern browsers all protect themselves against attackers by discarding the response body (your page) on 407/403 status and using a safe popup they own and can trust for secure user interaction.
>
> What you can do instead of altering the form and popup is present a session with splash page (your instructions) ahead of the login popup like so:
>
> external_acl_type session ...
> acl doneSplash external session
>
> # URI to display splash page with your instructions (no login form allowed though)
> acl splash url_regex ^http://example.com/Splash
>
> # link ACL to splash page
> deny_info 307:http://example.com/Splash?r=%s doneSplash
>
> # let splash page go through no limits.
> http_access allow splash
>
> # bounce to splash page if not logged in yet AND this is a new session
> http_access deny !authedUsers !doneSplash
>
> # do login
> http_access allow authedUsers
>
> The page Splash gets passed the original URI in r=%s, which it can use to present a "continue"/ "accept" link after reading.
>
> Amos
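A minimal session helper of the kind the "external_acl_type session ..." line above plugs in, added here as a constructed illustration (it is neither Squid's bundled ext_session_acl nor code from the thread); the squid.conf hook, the helper path and the use of %SRC as the session key are assumptions.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL "session" helper (constructed illustration).

Squid writes one line per lookup containing the fields named in the
external_acl_type directive (assumed here: %SRC, the client address) and
expects a reply of OK or ERR. A key seen for the first time, or after
SESSION_TTL seconds of silence, starts a session and gets ERR, so the
"http_access deny !authedUsers !doneSplash" rule fires once and deny_info
bounces the client to the splash page; later lookups get OK.

Assumed squid.conf hook (the helper path is a placeholder):
  external_acl_type session ttl=60 negative_ttl=0 concurrency=10 %SRC /usr/local/bin/splash_session.py
negative_ttl=0 stops Squid caching the ERR, and ttl= must stay well below
SESSION_TTL because cached OK results never reach the helper. With
concurrency=N Squid prefixes each line with a channel id that the reply echoes.
"""
import sys
import time

SESSION_TTL = 3600  # seconds of inactivity before the splash page is shown again


class SessionTable:
    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock   # injectable so the table can be tested offline
        self.last_seen = {}  # key -> time of the previous lookup

    def lookup(self, key):
        """OK if key has a live session; otherwise start one and answer ERR."""
        now = self.clock()
        previous = self.last_seen.get(key)
        self.last_seen[key] = now
        if previous is not None and now - previous <= self.ttl:
            return "OK"
        return "ERR"


def handle_line(table, line, concurrent=False):
    """Turn one request line from Squid into the reply line (without newline)."""
    line = line.rstrip("\r\n")
    if concurrent:
        channel, _, key = line.partition(" ")
        return f"{channel} {table.lookup(key)}"
    return table.lookup(line)


def serve(table=None, concurrent=False, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one reply per line, flushed at once so Squid never stalls."""
    table = table or SessionTable()
    for line in stdin:
        if not line.strip():
            continue
        stdout.write(handle_line(table, line, concurrent) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(concurrent="-c" in sys.argv[1:])
```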
Re: [squid-users] Squid block list
On 15 February 2012 07:51, Muhammad Yousuf Khan wrote:
> Hello All,
>
> I need a suggestion as I am new to squid-world and I don't wanna waste my time on R&D rather for the perfect solution which is scalable and reliable. So as every Squid administrator wants to restrict the unwanted website access during working hours, I am here to ask the same thing; however I know how to implement squid and how to use squid.conf and how to block the destination and I also know that there are websites that are providing databases for squid to use as block list and also consistently updating the databases. So I want such a tool or supporting tool which can at least update the data files on a weekly basis; however I will manage the implementation of rules on my own. So kindly suggest me.
>
> Thank you.
>
> MYK

I recommend you c-icap with dansguardian list. Better, faster.
[squid-users] Authorisation fails sometimes
Hello,

I'm using squid_kerb_ldap (via external_acl_type) to authenticate via kerberos and authorize access via ldap groups. This seems to work. Partly anyway.

My problem is: Most of the traffic is authorized as shown in the access.log file which shows GETs and CONNECTs using the respective kerberos id (user@DOMAIN) but some GETs and CONNECTs lack that kerberos id (-) and consequently fail (TCP_DENIED).

I tested if an earlier ACL might prevent those transfers from being allowed by inserting an ACL right before the external_acl_type to allow all transfers from the host I was using. This didn't show any TCP_DENIEDs.

I also wondered if the browser could be at fault (not requesting each GET with the respective kerberos id) so I changed from Firefox to Chromium. The behaviour was identical.

Can anyone think of a reason for this behaviour or another way to debug for the cause?
[squid-users] cache peering between two squid 2.7 + zph + mikrotik
Hello,

We are running two squid servers (squid 2.7 stable 9) and want to have cache peering between each other. Both have static real IP addresses and sit in the same LAN. Bandwidth management for users is done by Mikrotik 3.30 which has a WAN IP of the same subnet and also sits in the same LAN as the squid servers. Users are connected from the Mikrotik LAN interface running PPPoE servers. We are re-directing HTTP requests from users to the squid server using DNAT to the squid's real IP + port 3128. Also note that we are also using the ZPH facility of Squid to mark cache hit packets in Mikrotik, and allowing unlimited bandwidth for hit objects.

Proxy1 squid.conf :-

acl localnet src 10.10.0.0/16 10.15.0.0/16 172.16.0.0/16 192.168.0.0/16
acl gateway02 src XXX.XXX.38.248/32
http_access allow gateway02
icp_access allow gateway02
miss_access deny gateway02
tcp_outgoing_tos 0x30 localnet
zph_mode tos
zph_local 0x30
zph_sibling 0x31
zph_parent 0
zph_option 136
cache_peer XXX.XXX.38.248 sibling 3128 3130 proxy-only

and similarly we have Proxy2 squid.conf :-

acl localnet src 10.10.0.0/16 10.15.0.0/16 172.16.0.0/16 192.168.0.0/16
acl gateway01 src XXX.XXX.38.245/32
http_access allow gateway01
icp_access allow gateway01
miss_access deny gateway01
tcp_outgoing_tos 0x30 localnet
zph_mode tos
zph_local 0x30
zph_sibling 0x31
zph_parent 0
zph_option 136
cache_peer XXX.XXX.38.245 sibling 3128 3130 proxy-only

Mikrotik Setting :-

/ip firewall mangle add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=proxy-hit passthrough=no comment="Cache Hit Packets"
/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pmark packet-mark=proxy-hit parent=global-out priority=8 queue=default

Proxy1 is a new machine, and doesn't have any cache objects in it, because it hasn't been in service yet. Proxy2 is an old machine, and has a substantially large cache inside it.

When I use proxy2 to browse and download, I get the proxy2 objects fast because the zph_local is working and mikrotik can also mark the hit packets properly. Again I clear my browser cache, and tried to browse using proxy1, browsed the same websites that are already in cache by proxy2, and I get SIBLING_HIT. Here's the log.

1327761343.689 2663 10.15.180.16 TCP_MISS/200 6299190 GET http://sound21.mp3pk.com/indian/jodibreakers/jodi-breakers08(www.songs.pk).mp3 - SIBLING_HIT/XXX.XXX.38.248 audio/mpeg

But, it's downloading very slowly, and downloading at the speed where I have set the RX/TX limit for that particular package. That means ZPH is not working.

To investigate more, I tried to take a tcpdump report from proxy1. Using

tcpdump -vni eth1 | grep 'tos 0x31'

I got zero results. It's not marking anything with 0x31. Again I used

tcpdump -vni eth1 | grep 'tos 0x30'

while browsing those websites which are actually cached by proxy2, but accessed by proxy1. I get results like this:-

20:43:25.324668 IP (tos 0x30, ttl 64, id 27401, offset 0, flags [DF], proto TCP (6), length 40)
20:43:25.324814 IP (tos 0x30, ttl 64, id 7570, offset 0, flags [DF], proto TCP (6), length 40)
20:43:25.324834 IP (tos 0x30, ttl 64, id 51042, offset 0, flags [DF], proto TCP (6), length 40)
20:43:25.325749 IP (tos 0x30, ttl 64, id 17589, offset 0, flags [DF], proto TCP (6), length 290)
20:43:25.325845 IP (tos 0x30, ttl 64, id 47388, offset 0, flags [DF], proto TCP (6), length 290)
20:43:25.325928 IP (tos 0x30, ttl 64, id 46825, offset 0, flags [DF], proto TCP (6), length 290)
20:43:25.326010 IP (tos 0x30, ttl 64, id 27402, offset 0, flags [DF], proto TCP (6), length 290)

Proxy1 configuration file says that local hits should be 0x30 and sibling hits should be 0x31, so why is proxy1 marking 0x30 for those packets which are actually SIBLING_HITs and not local hits? Even though it's marking 0x30 for SIBLING_HIT .. Mikrotik still can't identify the proxy-hit packets, and therefore the download is slow.

I may have confused you with lots of information, but the main fact is, I am unable to get ZPH working with SIBLING_HIT.

Some Additional information : A few months before, I used Squid 3.1 in both proxy servers and ZPH did work with SIBLING_HIT. But it's not working in Squid 2.7.

Please advise.

Thanks & Regards,
Saiful
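To see what a Mikrotik mangle rule keyed on dscp= actually compares against in captures like the ones above, here is a small decoder, added as a constructed illustration rather than anything from the thread: it parses tcpdump's tos field and splits the byte into DSCP (upper six bits) and ECN (lower two bits). The embedded capture is built from two of the lines in the post plus two constructed lines so that 0x31 and an unmarked packet appear as well.

```python
#!/usr/bin/env python3
"""Decode the IP TOS byte printed by tcpdump into DSCP and ECN (constructed
illustration). Byte layout: DSCP = tos >> 2, ECN = tos & 3."""
import re
from collections import Counter

TOS_RE = re.compile(r"\(tos (0x[0-9a-fA-F]{1,2}),")

# Constructed sample of "tcpdump -vni eth1" output: the first two lines are
# from the thread, the 0x31 and 0x0 lines are made up for the demonstration.
SAMPLE_TCPDUMP = """\
20:43:25.324668 IP (tos 0x30, ttl 64, id 27401, offset 0, flags [DF], proto TCP (6), length 40)
20:43:25.325749 IP (tos 0x30, ttl 64, id 17589, offset 0, flags [DF], proto TCP (6), length 290)
20:43:26.000001 IP (tos 0x31, ttl 64, id 17590, offset 0, flags [DF], proto TCP (6), length 290)
20:43:26.000002 IP (tos 0x0, ttl 64, id 17591, offset 0, flags [DF], proto TCP (6), length 52)
"""


def decode_tos(tos):
    """Split a TOS byte (int or '0x..' string as tcpdump prints it) into (dscp, ecn)."""
    if isinstance(tos, str):
        tos = int(tos, 16)
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"TOS byte out of range: {tos!r}")
    return tos >> 2, tos & 0x3


def tos_for_dscp(dscp, ecn=0):
    """Inverse: the TOS value to write into zph_local/zph_sibling for a given DSCP."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def matches_dscp_rule(tos, rule_dscp):
    """True if a mangle rule 'dscp=rule_dscp' would match a packet carrying this TOS byte."""
    return decode_tos(tos)[0] == rule_dscp


def summarise_capture(text, rule_dscp):
    """Count packets per TOS value and report (count, (dscp, ecn), rule_matches)."""
    counts = Counter(m.group(1).lower() for m in TOS_RE.finditer(text))
    return {tos: (n, decode_tos(tos), matches_dscp_rule(tos, rule_dscp))
            for tos, n in counts.items()}


if __name__ == "__main__":
    for tos, (n, (dscp, ecn), hit) in sorted(summarise_capture(SAMPLE_TCPDUMP, 12).items()):
        print(f"tos {tos}: {n} packets, DSCP {dscp}, ECN {ecn}, matches dscp=12: {hit}")
```

Both 0x30 and 0x31 carry DSCP 12 and differ only in the ECN bits, which is what the decoder makes visible.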
[squid-users] Squid block list
Hello All,

I need a suggestion as I am new to squid-world and I don't wanna waste my time on R&D rather for the perfect solution which is scalable and reliable. So as every Squid administrator wants to restrict the unwanted website access during working hours, I am here to ask the same thing; however I know how to implement squid and how to use squid.conf and how to block the destination and I also know that there are websites that are providing databases for squid to use as block list and also consistently updating the databases. So I want such a tool or supporting tool which can at least update the data files on a weekly basis; however I will manage the implementation of rules on my own. So kindly suggest me.

Thank you.

MYK
Re: [squid-users] Working Squid Configuration, but needs some fat reduction
On 15/02/2012 2:26 a.m., ALAA MURAD wrote:
> Dear All,
>
> First thanks for this great great open source project, I would really appreciate it if someone could look at my configuration and ensure that my configuration is correct and clean.

Sure.

> We are doing a simple reverse proxy in our SSL :443 website. So far so good, but sometimes I notice different kinds of errors in the log file.
>
> I'm running M$ Windows Server and Squid 2.7, my proxy is 94.168.1.112 and connecting to the web server as back to back at 94.168.1.2
>
> I want :
> * Reverse Proxy to keep working
> * Redirector to keep working
> * I don't want to serve port 80 or any other ports, only SSL connection in this server.
> * I don't want to cache anything
>
> Again my squid is working but I feel that the configuration needs some tweaking (and fat reduction!).
>
> Thanks in advance .
>
> Here is my configuration :
>
> https_port 443 cert=C:/Interceptor/cert/mycompany.cert key=C:/Interceptor/cert/mycompany.key defaultsite=www.mysite.com
> cache_peer 192.168.1.2 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=mycompanysite
> acl mycompanyserver dstdomain www.mysite.com
> redirector_access allow mycompanyserver

http_port 443 and 80 using "defaultsite=www.mysite.com" forces (re-writes!) the URI domain value to be 'www.mysite.com'. This affects *all* traffic arriving at that port regardless of the actually requested domain from the client.

This means that the ACL above will match *everything* arriving on those ports. You may as well remove the access control entirely (replace with "all" when used). Squid defaults to passing everything to the redirector (if any) and the cache_peer_access below is also redundant. The recent releases are optimized for fast handling when a particular *_access is left at its default (unset) value.

> redirect_children 20
> redirect_rewrites_host_header on
> redirect_program C:/java/bin/java.exe -Djava.util.logging.config.file=C:/Interceptor/redirector/RedirectorLogging.properties -jar C:/Interceptor/redirector/Redirector.jar

* What does this redirector do?
* What does it output when there is no change to be made to the URI? (affects performance if a non-empty result is sent back)
* Can it handle concurrency or be updated to do so? (concurrency raises both speed and traffic handling capacity for these helpers)

In general Redirectors/rewriters usually add problems. This is something to consider carefully whether it is needed. Depending on what this does it could be quite beneficial taking time to work out ACL tests for redirect_access that bypass it (deny) whenever possible.

> cache_peer_access mycompanysite allow mycompanyserver
> http_access allow mycompanyserver
> http_port 80 accel defaultsite=www.mysite.com
> cache_peer 192.168.1.2 parent 80 0 no-query originserver login=PASS

What traffic is this peer supposed to be getting? just a backup server?

The way your cache_peer are ordered means the port 443 one is preferred, and cache_peer_access permits all reverse-proxy traffic to use it. So the only reason this would be used is if the first one was overloaded or failed. This *is* a good setup to have the secure peer being preferred and insecure peer being a second-rate backup peer. Just pointing it out for anyone unaware of the behaviour.

> #acl apache rep_header Server ^Apache
> #broken_vary_encoding allow apache
> cache_dir ufs c:/squid/var/spool 1 16 256
> cache_mem 256 MB
> maximum_object_size_in_memory 32 KB
> logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log c:/squid/var/logs/access.log squid
> cache_log c:/squid/var/logs/cache.log
> cache_store_log c:/squid/var/logs/store.log

This cache_store_log is usually not useful (it is a debug storage log). You can configure it as "none" to save a lot of CPU and disk cycles.

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl mydomain dstdomain mysite.com
> acl myweb src 127.0.0.1
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255

"myweb" and "localhost" are defined as the same thing. Consider using the "localhost" ACL and dropping "myweb".

NP: "/255.255.255.255" and "/32" can be dropped off IPv4 addresses for simplicity. It makes no difference to Squid, and can help you and co-workers understand the ACL.

> acl to_localhost dst 127.0.0.0/8

Add "0.0.0.0/32" to the to_localhost definition.

> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 81 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Saf
Re: [squid-users] Prefetch patch test
Before we start. Please do not hijack other topics' discussions. It ruins the group's archive threading and the threaded mailer tools many of us use to track the group mail. Thank you.

On 15/02/2012 5:24 p.m., anita.sivakumar wrote:
> Hi,
>
> Has anyone used and tested the squid prefetch patch available in the squid website? For me it apparently gave a segmentation fault when I tried to prefetch. It works normally for other requests though.

I assume you mean the prefetch project patch from devel.squid-cache.org? That was last updated for one of the 3.0 PRE-releases (5 or 6 by the looks of it). It was not accepted into mainline for some reason unknown to me. Apart from ESI support, all body content filtering and adaptations have been pushed off to ICAP and eCAP processors.

The whole devel.* site is now outdated, all projects there are in the deprecated bin. If you would like to revive one please get in touch with squid-dev about joining development and be prepared for a fair bit of hacking to get it ported to current 3.HEAD in BZR.

There are other tools (such as "squid-prefetch") which can do prefetch for any version of Squid without patching which you may want to investigate first. Although be aware that in most instances pre-fetching at the proxy level has usually been found to be a large waste of bandwidth and cache resources, with little benefits (or none) to offset the costs. Modern browsers do a different kind of pre-fetch themselves which has a far more efficient algorithm for calculating what resources to fetch early. Squid and other proxies do not have access to enough of the users' information to do it efficiently.

Amos
Re: [squid-users] Use squid to switch to Tor network
On 15/02/2012 7:54 p.m., Yucong Sun (叶雨飞) wrote:
> Tor (without the browser part) basically provides a socks proxy, Vidalia translates the socks proxy to an http proxy, and the browser uses that http proxy to work. So, to get your squid to use it too, just launch tor and vidalia as usual, have squid configure a cache_peer parent to that proxy (localhost:), also never_direct allow all, and you will be going through tor any minute.

The key to all of this is that the traffic goes from point A inside your network where the clients can reach to some point B outside from which the domains can be reached. You could do this with any sort of relay or tunnel service. Squid only handles HTTP, so the clients' other traffic will stay broken.

The type of service you are looking for is usually seen with two Squid operating with a VPN or TLS tunnel between them, using cache_peer to pass traffic over it (works just as well as a routed packet path too if you add NAT). SOCKS proxy is a good idea, as would be a VPN-like tunnel with your routing sending packets to some outside server acting as a relay router.

Amos

> On Tue, Feb 14, 2012 at 10:33 PM, Nguyen Hai Nam wrote:
>> Hi Squid guys,
>>
>> We're using Squid 3.2 on Solaris 11 system smoothly, but a few days ago our ISP has had troubles with external Internet routing so we can't reach many websites. I discovered that if I use Tor's browser I can open those websites normally (yes, it's slow btw), at least we can open the website. So I think we should cooperate between Squid and Tor to bring the Internet back for users.
>>
>> I'm not familiar with Tor switching network except using Tor's browser, so it's great to hear your opinion and if you guys already know the configurations, I highly appreciate it.
>>
>> Thank you,
>> ~Neddy.
Re: [squid-users] latest 3.1.19 doesnt compile in Centos5.7
On 15/02/2012 8:51 p.m., Luis Daniel Lucio Quiroz wrote:
> /usr/bin/libtool: line 805: libtool: No such file or directory
> libtool: ignoring unknown tag CXX
> libtool: link: cannot find the library `../libltdl/libltdlc.la' or unhandled argument `../libltdl/libltdlc.la'
>
> does anyone know if I have to backport a package from centos6?

Maybe. It looks like it could be automake or libtool or libltdl issues. 3.1+ require fairly recent versions of libtool (2.x or so) and its ltdl (7 or such) partner library.

CXX is the C++ compiler variable. So it might also be automake issues.

Amos