RE: [squid-users] Seen this before???
> Hi trying to configure transparent proxy with this rule any error?
>
> #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: /
>
> The following error was encountered:
>
> * Invalid URL
>
> Some aspect of the requested URL is incorrect. Possible problems:
>
> * Missing or incorrect access protocol (should be `http://' or similar)
> * Missing hostname
> * Illegal double-escape in the URL-Path
> * Illegal character in hostname; underscores are not allowed
>
> Your cache administrator is root
>
> The requested URL could not be retrieved

Checkout: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

Checkout item 2. (required squid.conf entries)

M.
Re: [squid-users] maxconn semantics
On Tue, 13 Jan 2004, Paul wrote:

> I'd like to limit the total number of connections from anywhere, and would like some clarification. For example, with the following:
>
> acl connlimit maxconn 2
> http_access deny all connlimit
> http_access allow !connlimit

maxconn is applied per source IP address so this is not what you are looking for.

> I can establish at most 2 connections from one IP number. So far so good. But if I come in from another IP number, I can establish additional connections, leading me to believe that the *total* number of connections allowed is essentially unlimited.

The total number of connections is limited by the maximum number of filedescriptors your OS allows Squid to use. Each concurrent request uses up to 3 filedescriptors (client connection, server connection, cache).

If Squid runs short of filedescriptors (less than 100 free filedescriptors IIRC) it will automatically stop accepting new client connections.

The number of available filedescriptors can be set by ulimit when starting Squid. You should not set this limit lower than ca 128, and you should almost certainly disable persistent connections if considering running Squid with a low amount of filedescriptors or otherwise limited amount of connections.

Regards
Henrik
RE: [squid-users] Yahoo Games Problem
With ca 98.9% probability this game application is not using HTTP for port 11999 and can not access this port via proxies.

What you need in such case is to set up your networking to allow direct access to port 11999 from the client stations.

Regards
Henrik

On Wed, 14 Jan 2004, Fritz Mesedilla wrote:

> Hello Shan!
>
> Were you able to make it work? I have also been trying to make it work to no avail. :D Perhaps you can post here what you did if you made it to work. Thanks.
>
> Cheers,
> fritz
> www.mesedilla.com
> --- + Basta Ikaw Lord
>
> -----Original Message-----
> From: Shan Ch. [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 8:34 PM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Yahoo Games Problem
>
> Hi!
>
> I am trying to route all the network traffic through my Linux 8.0 machine using Squid. But every time I try to connect to Yahoo Games the Java applet won't load. I get a message that my PC is behind a firewall. I have opened the port 11999; following is the config.
>
> http_port 3128
> http_port 11999
>
> but it still won't work. Can anyone help me?
>
> Thank you.
>
> Shan Irtaza
> IT Consultant
>
> _________________________________________________________________
> Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
> --
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender immediately by e-mail and delete this e-mail from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
>
> Overture Media, Inc.
> Direct Line: (632) 635-4785
> Trunkline: (632) 631-8971 Local 146
> Fax: (632) 637-2206
> Level 1 Summit Media Offices, Robinsons Galleria EDSA Cor. Ortigas Ave., Quezon City 1100
[squid-users] Digest Authentication
Hello,

I have some questions about digest authentication and in particular on the way communication between Squid, the client and the helper takes place (I'm testing digest_pw_auth).

1. Who creates the challenge for the user? Squid or the helper?
2. In the case it is Squid, what does it pass to the helper on stdin?
3. And how does the helper reply? OK or ERR as usual?
4. What is intended for HHA1, since I can find no reference to it in RFC2617? Maybe a different notation?

Thank you in advance.

Regards,
Antonio Manfreda
Easynet srl c/o Reale Mutua Assicurazioni
Ufficio Architettura Tecnica Area Security
[EMAIL PROTECTED]
Tel. 011-431-2791
[squid-users] NTLMv2
Dear all,

I have a simple question about NTLM. Does Squid support NTLMv2 authentication or just standard NTLM?

Regards,
Antonio Manfreda
Re: [squid-users] maxconn semantics
Thank you very much for your reply, Henrik.

So a ulimit of 1000 ought to limit the total number of connections to about 300+.

Looks like under my current 2.4 Linux kernel, maximum number of filedescriptors possible is around 26K, but only 1024 allowed per process:

# sysctl fs.file-max
fs.file-max = 26208
# ulimit -a
core file size        (blocks, -c) 0
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) unlimited
max locked memory     (kbytes, -l) unlimited
max memory size       (kbytes, -m) unlimited
open files                    (-n) 1024
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) 8192
cpu time             (seconds, -t) unlimited
max user processes            (-u) 2047
virtual memory        (kbytes, -v) unlimited

--
Paul
Re: [squid-users] maxconn semantics
On Wed, 14 Jan 2004, Paul wrote:

> Thank you very much for your reply, Henrik.
>
> So a ulimit of 1000 ought to limit the total number of connections to about 300+.
>
> Looks like under my current 2.4 Linux kernel, maximum number of filedescriptors possible is around 26K, but only 1024 allowed per process:

1024 is the default limit of Linux and many other OSes. It can be raised or lowered if you like. To raise the limit you must also recompile Squid with the limit raised.

Regards
Henrik
Re: [squid-users] Digest Authentication
On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:

> 1. Who creates the challenge for the user? Squid or the helper?

Squid.

> 2. In the case it is Squid, what does it pass to the helper on stdin?
> 3. And how does the helper reply? OK or ERR as usual?

2,3 is documented in the squid.conf comments

  === Parameters for the digest scheme follow ===

  program cmdline
        Specify the command for the external authenticator. Such a program reads a line containing username:realm and replies with the appropriate H(A1) value base64 encoded. See rfc 2616 for the definition of H(A1). See also the operation of the digest_pw_auth helper as reference.

> 4. What is intended for HHA1, since I can find no reference to it in RFC2617? Maybe a different notation?

Search for H(A1) and you will find the correct references.

Regards
Henrik
Re: [squid-users] NTLMv2
On Tue, 13 Jan 2004, Antonio Manfreda wrote:

> Dear all,
>
> I have a simple question about NTLM. Does Squid support NTLMv2 authentication or just standard NTLM?

NTLM and LANMAN.

The Samba helper should support NTLMv2 and NTLM2 as well but is currently limited by Squid.

Regards
Henrik
Re: [squid-users] Seen this before???
Have you tried to set this option?

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This option is needed if you want to configure transparent proxy.

.::DAMK::.

On Wed, 14 Jan 2004 09:47:06 +0300, Ronny [EMAIL PROTECTED] wrote:

> Hi trying to configure transparent proxy with this rule any error?
>
> #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: /
>
> The following error was encountered:
>
> * Invalid URL
>
> Some aspect of the requested URL is incorrect. Possible problems:
>
> * Missing or incorrect access protocol (should be `http://' or similar)
> * Missing hostname
> * Illegal double-escape in the URL-Path
> * Illegal character in hostname; underscores are not allowed
>
> Your cache administrator is root
>
> The requested URL could not be retrieved

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
[squid-users] RE: Question about ldapsearch argument!
Dear Henrik,

Yes, it has returned about 89 records, in which I found a lot of information about my users in my AD. The only problem that I am trying to solve is the argument that I should tell my Squid_ldap_auth to search my AD to authenticate the user.

Also about the authentication of the last argument: I used -W to have a login prompt when I was trying to tell ldapsearch to search my active directory.

Regards
Hamed

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:42 AM
To: Hamed Majnoonian
Cc: Henrik Nordstrom; [EMAIL PROTECTED]
Subject: Re: Question about ldapsearch argument!

On Tue, 13 Jan 2004, Hamed Majnoonian wrote:

> 1- The name of my domain is juno.hov.butanegroup.com - juno is the name of my active directory and the rest is the domain name.

Ok.

> 2- Here is my Ldapsearch argument:
>
> /Ldapsearch -h 192.168.2.2 -xv -b dc=juno,dc=hov,dc=butanegroup,dc=com uid=administrator

Was anything returned?

Most AD servers do not allow anonymous searches of the directory, and you may need to specify a bind DN and password to bind as while performing the search. Also AD does not make use of the uid attribute last time I looked, so unless you have defined this attribute in your directory the search filter is unlikely to return anything.

As searches are not allowed you have to guess what the DN to bind as is, or use a Windows LDAP tool to browse the directory while logged on to the domain. But the DN for administrator should be

  CN=Administrator,CN=Users,DC=juno,dc=hoc,dc=butanegroup,dc=com

assuming your AD name is juno.hoc.butanegroup.com (should show up as @juno.hoc.butanegroup.com in the login screen and in the user manager).

Regards
Henrik
Rif: Re: [squid-users] Digest Authentication
Hello,

thanks for the explanation about the communication strategy between Squid and the helper. I missed it in the config file.

Anyway, I still can't find any direct reference to HHA1 in RFC2617. What does it correspond to?

Thank you in advance.

Regards
Antonio Manfreda
Easynet srl c/o Reale Mutua Assicurazioni
Ufficio Architettura Tecnica Area Security
[EMAIL PROTECTED]
Tel. 011-431-2791

Henrik Nordstrom [EMAIL PROTECTED]
14/01/2004 11.38
To: [EMAIL PROTECTED].org
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Digest Authentication

> On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:
>
> > 1. Who creates the challenge for the user? Squid or the helper?
>
> Squid.
>
> > 2. In the case it is Squid, what does it pass to the helper on stdin?
> > 3. And how does the helper reply? OK or ERR as usual?
>
> 2,3 is documented in the squid.conf comments
>
>   === Parameters for the digest scheme follow ===
>
>   program cmdline
>         Specify the command for the external authenticator. Such a program reads a line containing username:realm and replies with the appropriate H(A1) value base64 encoded. See rfc 2616 for the definition of H(A1). See also the operation of the digest_pw_auth helper as reference.
>
> > 4. What is intended for HHA1, since I can find no reference to it in RFC2617? Maybe a different notation?
>
> Search for H(A1) and you will find the correct references.
>
> Regards
> Henrik

Pursuant to Law 675/96 and subsequent amendments/integrations, please note that the information contained in this message, and in any attachments, is confidential and for the exclusive use of the addressee. Copying, distributing or disclosing, even in part, the data it contains to persons not authorised by the addressee is therefore prohibited. Anyone receiving it in error is asked to return it to the sender and destroy its contents.
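The helper exchange Henrik describes, and the H(A1) notation Antonio is asking about, worked through as an added example (my code, not the thread's and not Squid's digest_pw_auth). It assumes Squid hands the helper one line per request in the form username:realm (Squid 2.5 wraps both parts in double quotes; both forms are accepted here) and expects back the hex-encoded H(A1) of RFC 2617, which is the string Squid's digest sources keep in a variable named HHA1; the credential store, the RFC 2617 section 3.5 test vector (user Mufasa) and the ERR reply for unknown users are the example's own choices.

```python
"""Minimal Squid digest helper round trip, modelled after the thread above.

Added example, not code from the thread or from Squid.  Assumed helper
protocol (verify against your digest_pw_auth source):  Squid writes
  username:realm            (or, in Squid 2.5, "username":"realm")
and the helper answers with the 32-digit hex H(A1), or ERR if unknown.
"""
import hashlib
import sys


def H(data: str) -> str:
    """RFC 2617 H(): MD5 of the data as 32 lowercase hex digits.  When the
    data is A1 this is the hex string Squid's sources call HHA1."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for the plain (non "-sess") algorithm: A1 = user:realm:password."""
    return H(f"{username}:{realm}:{password}")


# Constructed credential store.  The helper never has to reveal a password to
# Squid, so it can keep only H(A1) per (user, realm), htdigest style.
STORE = {
    ("Mufasa", "testrealm@host.com"): ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
}


def parse_request(line: str):
    """Split a helper request line into (username, realm).

    The quoted form is unambiguous even if the realm contains ':'; the bare
    form splits at the first ':' (usernames containing ':' are not supported)."""
    line = line.rstrip("\r\n")
    if line.startswith('"') and line.endswith('"') and '":"' in line:
        user, realm = line[1:-1].split('":"', 1)
        return user, realm
    if ":" not in line:
        raise ValueError("malformed helper request: %r" % line)
    user, realm = line.split(":", 1)
    return user, realm


def handle_request(line: str, store=STORE) -> str:
    """One helper exchange: the hex H(A1) line, or ERR for unknown/malformed."""
    try:
        key = parse_request(line)
    except ValueError:
        return "ERR"
    return store.get(key, "ERR")


def expected_response(ha1_hex, method, uri, nonce, nc, cnonce, qop):
    """What Squid derives from the helper's H(A1) to check the client's
    response= value (RFC 2617 section 3.2.2.1, qop=auth).  Only H(A1) is
    needed, which is why the helper returns it instead of OK/ERR."""
    ha2 = H(f"{method}:{uri}")
    return KD(ha1_hex, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def main():
    # Squid talks to the helper over stdin/stdout, one request per line.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```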
[squid-users] Impossible keep-alive header
I'm suddenly getting a lot of these errors. Here's an example:

2004/01/14 10:29:35| ctx: exit level 0
2004/01/14 10:29:35| ctx: enter level 0: 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
2004/01/14 10:29:35| httpProcessReplyHeader: Impossible keep-alive header from 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'

This is on a Red Hat v9 system, running Squid 2.5S4 and all patches applied. I think that these many entries in cache.log are the result of applying the recent squid-2.5.STABLE4-http_workarounds.patch patch.

Anyone else seeing this behavior? Thanks.
[squid-users] Only caching sometimes
Hi all,

Caching is not happening the way I expected. I am using Squid to cache the 'expensive' output of a Zope server. Due to increased traffic on the site, I am getting many server errors (database conflict), so it is urgent that objects be cached.

I instructed Zope to insert a Cache-Control header with 'max-age=7776000'. The object should be cached even if refreshment would result in changes. All pages are made from the same script which I have tested with the Cacheability Engine. The response is, 'This object will be fresh for 12 weeks 6 days. The object had changed when validation was attempted'.

If I understand correctly from the log extracts below (access.log, store.log and Zope's Z2.log), the object has been dropped and re-entered into the cache. Why? How can I prevent this?

Thanks in advance!

Ken

--

202.202.202.202 - - [14/Jan/2004:01:47:45 +0100] GET http://mysite.com:81/pathto/object_xyz HTTP/1.1 500 2462 TCP_MISS:DIRECT
61.61.61.61 - - [14/Jan/2004:03:10:00 +0100] GET http://mysite.com:81/pathto/object_xyz HTTP/1.0 200 22366 TCP_MISS:DIRECT
64.64.64.64 - - [14/Jan/2004:03:15:06 +0100] GET http://mysite.com:81/pathto/object_xyz HTTP/1.0 200 22370 TCP_HIT:NONE
202.202.202.202 - - [14/Jan/2004:09:08:12 +0100] GET http://mysite.com:81/pathto/object_xyz HTTP/1.1 200 21699 TCP_MISS:DIRECT
206.168.0.6 - - [14/Jan/2004:09:27:07 +0100] GET http://mysite.com:81/pathto/object_xyz HTTP/1.0 200 21694 TCP_CLIENT_REFRESH_MISS:DIRECT

1074046198.938 RELEASE -1 C927B08545BF24772B34082FC7B5AC2A 500 1074041265 -1 1081817265 text/html 1865/1865 GET http://mysite.com:81/pathto/object_xyz
1074046199.623 SWAPOUT 00 2075 C927B08545BF24772B34082FC7B5AC2A 200 1074046199 -1 1081822199 text/html 22053/22053 GET http://mysite.com:81/pathto/object_xyz
1074067689.816 SWAPOUT 00 3591 C927B08545BF24772B34082FC7B5AC2A 200 1074067689 -1 1081843689 text/html 21386/21386 GET http://mysite.com:81/pathto/object_xyz
1074068826.935 SWAPOUT 00 3662 C927B08545BF24772B34082FC7B5AC2A 200 1074068826 -1 1081844826 text/html 21386/21386 GET http://mysite.com:81/pathto/object_xyz

123.45.678.90 - Anonymous [14/Jan/2004:01:47:45 +0200] GET /pathto/object_xyz HTTP/1.0 200 2421
123.45.678.90 - Anonymous [14/Jan/2004:03:09:59 +0200] GET /pathto/object_xyz HTTP/1.0 200 22325
123.45.678.90 - Anonymous [14/Jan/2004:09:08:09 +0200] GET /pathto/object_xyz HTTP/1.0 200 21658
123.45.678.90 - Anonymous [14/Jan/2004:09:27:06 +0200] GET /pathto/object_xyz HTTP/1.0 200 21658
CacheabilityEngine/1.30 http://www.mnot.net/cacheability/
Re: [squid-users] Impossible keep-alive header
Yup, just downloaded the latest 2.5S4 snapshot and installed it on one of my caches and they started. All the other caches are o.k.

alex

--On 14 January 2004 10:37 -0500 Steve Snyder [EMAIL PROTECTED] wrote:

> I'm suddenly getting a lot of these errors. Here's an example:
>
> 2004/01/14 10:29:35| ctx: exit level 0
> 2004/01/14 10:29:35| ctx: enter level 0: 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
> 2004/01/14 10:29:35| httpProcessReplyHeader: Impossible keep-alive header from 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
>
> This is on a Red Hat v9 system, running Squid 2.5S4 and all patches applied. I think that these many entries in cache.log are the result of applying the recent squid-2.5.STABLE4-http_workarounds.patch patch.
>
> Anyone else seeing this behavior? Thanks.

Sent using Mulberry 3.01a
[squid-users] ldapseach argument and the result of LDAP machine!
Dear Henrik,

Here is the sample of what is the reply of ldapsearch with this argument:

### /ldapsearch -h 192.168.2.2 -vx -b dc=hov,dc=butanegroup,dc=com ###

OUTPUT OF MY LDAP MACHINE
[squid-users] RE: Question about ldapsearch argument!
On Wed, 14 Jan 2004, Hamed Majnoonian wrote:

> Yes, it has returned about 89 records, in which I found a lot of information about my users in my AD. The only problem that I am trying to solve is the argument that I should tell my Squid_ldap_auth to search my AD to authenticate the user.

Look into the record of one user. There should be an attribute containing the login name. Then use this attribute name in your search filter.

> Also about the authentication of the last argument: I used -W to have a login prompt when I was trying to tell ldapsearch to search my active directory.

You also need the -D argument in such case.

Regards
Henrik
[squid-users] Re: ldapseach argument and the result of LDAP machine!
On Wed, 14 Jan 2004, Hamed Majnoonian wrote:

> The question is, does it look good?

No. From what I can tell that only contained a few public entries added by your DNS server, nothing about your users.

> The second question is I am still trying to tell squid_ldap_auth to ask my LDAP with this argument:
>
> /squid_ldap_auth -h 192.168.2.2 -b dc=hov,dc=butanegroup,dc=com -f -u sharpknifeedge -D dc=hov,dc=butanegroup,dc=com

The -D option is not correct, and needs a -W (or -w) option. The -D option MUST specify a correct DN of one of the users in your directory. As indicated earlier the DN of Administrator should be something like:

  CN=Administrator,CN=Users,DC=juno,DC=hov,DC=butanegroup,DC=com

Regards
Henrik
RE: [squid-users] RE: Question about ldapsearch argument!
Dear Henrik,

I have searched but I found "name: my user ID", for example, in the output of LDAP. As much as I know I don't have any option about this in squid_ldap_auth, so how can I tell my squid_ldap_auth to search for a special username? Could you provide any example?

Regards
Hamed

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 9:18 PM
To: Hamed Majnoonian
Cc: 'Henrik Nordstrom'; [EMAIL PROTECTED]
Subject: [squid-users] RE: Question about ldapsearch argument!

On Wed, 14 Jan 2004, Hamed Majnoonian wrote:

> Yes, it has returned about 89 records, in which I found a lot of information about my users in my AD. The only problem that I am trying to solve is the argument that I should tell my Squid_ldap_auth to search my AD to authenticate the user.

Look into the record of one user. There should be an attribute containing the login name. Then use this attribute name in your search filter.

> Also about the authentication of the last argument: I used -W to have a login prompt when I was trying to tell ldapsearch to search my active directory.

You also need the -D argument in such case.

Regards
Henrik
Re: [squid-users] Impossible keep-alive header
On Wed, 14 Jan 2004, Steve Snyder wrote:

> I'm suddenly getting a lot of these errors. Here's an example:
>
> 2004/01/14 10:29:35| ctx: exit level 0
> 2004/01/14 10:29:35| ctx: enter level 0: 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
> 2004/01/14 10:29:35| httpProcessReplyHeader: Impossible keep-alive header from 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'

Do you have a parent proxy? If you do, what kind of proxy?

Regards
Henrik
Re: [squid-users] Impossible keep-alive header
Thinking... OK, I think I know what the bug is in that patch. What does access.log say?

Regards
Henrik

On Wed, 14 Jan 2004, Alex Sharaz wrote:

> Yup, just downloaded the latest 2.5S4 snapshot and installed it on one of my caches and they started. All the other caches are o.k.
>
> alex
>
> --On 14 January 2004 10:37 -0500 Steve Snyder [EMAIL PROTECTED] wrote:
>
> > I'm suddenly getting a lot of these errors. Here's an example:
> >
> > 2004/01/14 10:29:35| ctx: exit level 0
> > 2004/01/14 10:29:35| ctx: enter level 0: 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
> > 2004/01/14 10:29:35| httpProcessReplyHeader: Impossible keep-alive header from 'http://www.squid-cache.org/Versions/v2/2.5/bugs/'
> >
> > This is on a Red Hat v9 system, running Squid 2.5S4 and all patches applied. I think that these many entries in cache.log are the result of applying the recent squid-2.5.STABLE4-http_workarounds.patch patch.
> >
> > Anyone else seeing this behavior? Thanks.
>
> Sent using Mulberry 3.01a
RE: [squid-users] RE: Question about ldapsearch argument!
Dear Henrik,

Here is your suggestion and the answer that the machine has returned.

Swordfish# ldapsearch -h 192.168.2.2 -vx -D CN=administrator,CN=users,DC=hov,DC=butanegroup,DC=COM -W
ldap_init( 192.168.2.2, 0 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
text: 208D: NameErr: DSID-03100193, problem 2001 (NO_OBJECT), data 0, best match of: ''

# numResponses: 1
###

I also tried to add -b dc=hov,dc=butanegroup,dc=com to the end of my argument but the number of replies increased to 1002 and still computer names in my AD!!

Regards and thank you
Hamed

-----Original Message-----
From: Hamed Majnoonian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 9:24 PM
To: 'Henrik Nordstrom'
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] RE: Question about ldapsearch argument!

Dear Henrik,

I have searched but I found "name: my user ID", for example, in the output of LDAP. As much as I know I don't have any option about this in squid_ldap_auth, so how can I tell my squid_ldap_auth to search for a special username? Could you provide any example?

Regards
Hamed

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 9:18 PM
To: Hamed Majnoonian
Cc: 'Henrik Nordstrom'; [EMAIL PROTECTED]
Subject: [squid-users] RE: Question about ldapsearch argument!

On Wed, 14 Jan 2004, Hamed Majnoonian wrote:

> Yes, it has returned about 89 records, in which I found a lot of information about my users in my AD. The only problem that I am trying to solve is the argument that I should tell my Squid_ldap_auth to search my AD to authenticate the user.

Look into the record of one user. There should be an attribute containing the login name. Then use this attribute name in your search filter.

> Also about the authentication of the last argument: I used -W to have a login prompt when I was trying to tell ldapsearch to search my active directory.

You also need the -D argument in such case.

Regards
Henrik
[squid-users] Strange ACL behavior
Hey people:

Maybe this is something I'm overlooking, a common noob error or a typo, but the following few ACLs and access rules just aren't behaving like I think they should...

I'm trying to grant unlimited web access to any authenticated user and limited access to non-authenticated users. Here are my acls/allows

. . .
acl safedomains dstdomain .mycompany.com
acl authenticated_users proxy_auth
http-access allow safedomains
http-access allow authenticated_users
http-access deny all
. . .

When I use this configuration it allows un-authenticated access to www.mycompany.com, but on any other web page it tries to authenticate the user. Great so far, but after authenticating the user it denies them access to the page they requested.

If you pull the 'http-access allow safedomains' out of the squid.conf file, it allows authenticated users access to whatever they want, but of course doesn't allow un-authenticated access.

What's up with that? Any ideas?

jim burnes
security engineer
great-west, denver
[squid-users] OWA, SSL and HTTP Status 500/501
I'm using squid-3.0-PRE3-20040108.

Want to do: Browser --SSL-- Squid --SSL-- OWA

Here's my config:

visible_hostname klinger.algorithmics.com
cache_mgr [EMAIL PROTECTED]
https_port 443 cert=/opt/squid/etc/torxm.algorithmics.com.crt key=/opt/squid/etc/torxm.algorithmics.com.key cafile=/opt/squid/etc/cacert.crt defaultsite=torxm.algorithmics.com
cache_peer torxm.algorithmics.com parent 443 0 no-query ssl proxy-only sslcert=/opt/squid/etc/torxm.algorithmics.com.crt sslkey=/opt/squid/etc/torxm.algorithmics.com.key sslversion=2 sslflags=DONT_VERIFY_PEER
ssl_unclean_shutdown on
hierarchy_stoplist cgi-bin ? .dll
acl QUERY urlpath_regex cgi-bin \?
acl OWA urlpath_regex \.dll
no_cache deny QUERY
no_cache deny OWA
acl all src 0.0.0.0/0.0.0.0
acl all-dst dst 0.0.0.0/0.0.0.0
http_access allow all
http_access allow all-dst
http_reply_access allow all
http_reply_access allow all-dst

Here's my access.log:

1074094727.641 4383 10.1.10.103 TCP_MISS/501 368 GET https://torxm.algorithmics.com/dwinkler.htm - ANY_PARENT/torxm.algorithmics.com text/html

Why do I get the 501 error? If I try to retrieve the page without squid it works.

Thanks,
Derek Winkler
RE: [squid-users] Re: ldapseach argument and the result of LDAP machine!
Dear Henrik,

I tried this and it seems I have the complete output information to be debugged. I gave this one:

### ldapsearch -h 192.168.2.2 -vx -D CN=Administrator,CN=Users,DC=hov,DC=butanegroup,DC=COM -w -b dc=hov,dc=butanegroup,dc=com Output ###

And then I checked the response of LDAP in the Output file and I found these about my users:

###
# Hamed Majnoonian, Users, hov.butanegroup.com
dn: CN=Hamed Majnoonian,CN=Users,DC=hov,DC=butanegroup,DC=com
memberOf: CN=Internet,CN=Users,DC=hov,DC=butanegroup,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Hamed Majnoonian
countryCode: 0
description: XX
displayName: Hamed Majnoonian
givenName: Hamed
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Hamed Majnoonian,CN=Users,DC=hov,DC=butanegroup,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hov,DC=butanegroup,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: uslzjQi0IUim/XdZpf0OaQ==
objectSid:: AQUAAAUV/ibGSOsleSxDFwoy0QQAAA==
physicalDeliveryOfficeName: Butane Group
primaryGroupID: 513
pwdLastSet: 127183052515950126
name: Hamed Majnoonian
sAMAccountName: sharpknifeedge
sAMAccountType: 805306368
sn: Majnoonian
telephoneNumber: XX
userAccountControl: 66048
userPrincipalName: XX
uSNChanged: 1731100
uSNCreated: 1730978
whenChanged: 2004063815.0Z
whenCreated: 2004043411.0Z
##

The above is a sample of my ID in the AD ... So the question is how can I tell my squid_ldap_auth to check this specific username when it wants to check the password with AD?

Thank you again
Hamed

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 9:23 PM
To: Hamed Majnoonian
Cc: Henrik Nordstrom; [EMAIL PROTECTED]
Subject: [squid-users] Re: ldapseach argument and the result of LDAP machine!

On Wed, 14 Jan 2004, Hamed Majnoonian wrote:

> The question is, does it look good?

No. From what I can tell that only contained a few public entries added by your DNS server, nothing about your users.

> The second question is I am still trying to tell squid_ldap_auth to ask my LDAP with this argument:
>
> /squid_ldap_auth -h 192.168.2.2 -b dc=hov,dc=butanegroup,dc=com -f -u sharpknifeedge -D dc=hov,dc=butanegroup,dc=com

The -D option is not correct, and needs a -W (or -w) option. The -D option MUST specify a correct DN of one of the users in your directory. As indicated earlier the DN of Administrator should be something like:

  CN=Administrator,CN=Users,DC=juno,DC=hov,DC=butanegroup,DC=com

Regards
Henrik
RE: [squid-users] RE: Question about ldapsearch argument!
On Wed, 14 Jan 2004, Hamed Majnoonian wrote: I have searched but I found name: my user ID, for example in the output of LDAP. As much as I know I don't have any option about this in squid_ldap_auth so how can I tell my squid_ldap_auth to search for a special username? Could you provide any example? See the -f argument and the man page. Regards Henrik
Re: [squid-users] Strange ACL behavior
On Wed, 14 Jan 2004, Burnes, James wrote: When I use this configuration it allows un-authenticated access to www.mycompany.com, but on any other web page it tries to authenticate the user. Great so far, but after authenticating the user it denies them access to the page they requested. If you pull the 'http-access allow safedomains' out of the squid.conf file, it allows authenticated users access to whatever they want, but of course doesn't allow un-authenticated access. What's up with that? Does not make sense to me. From what you have shown your access rules should work. What does the access denial page say? Regards Henrik
Re: [squid-users] OWA, SSL and HTTP Status 500/501
On Wed, 14 Jan 2004, Derek Winkler wrote: http_access allow all-dst http_reply_access allow all http_reply_access allow all-dst Here's my access.log: 1074094727.641 4383 10.1.10.103 TCP_MISS/501 368 GET https://torxm.algorithmics.com/dwinkler.htm - ANY_PARENT/torxm.algorithmics.com text/html Why do I get the 501 error? Good question. The 501 error is given by your OWA server and indicates Method not implemented. If I try to retrieve the page without squid it works. What URL are you accessing without Squid? Regards Henrik
Re: [squid-users] Impossible keep-alive header
On Wed, 14 Jan 2004, Henrik Nordstrom wrote: Thinking... OK, I think I know what the bug is in that patch. Confirmed. The logics on what keep-alive headers are impossible was a little too broad, sometimes triggering on fully valid HTTP/1.0 replies. The patch has been corrected, and attached to this message you can find the incremental patch if you are using the snapshot release or otherwise can't easily get/apply the updated patch. Regards Henrik Index: src/http.c === RCS file: /server/cvs-server/squid/squid/src/http.c,v retrieving revision 1.384.2.10 diff -u -p -r1.384.2.10 http.c --- src/http.c 12 Jan 2004 10:51:59 - 1.384.2.10 +++ src/http.c 14 Jan 2004 18:34:53 - @@ -476,7 +476,7 @@ httpProcessReplyHeader(HttpStateData * h if (reply-keep_alive) { if (httpState-peer) httpState-peer-stats.n_keepalives_recv++; - if (reply-content_length == -1) { + if (httpReplyBodySize(httpState-request-method, reply) == -1) { debug(11, 1) (httpProcessReplyHeader: Impossible keep-alive header from '%s'\n, storeUrl(entry)); httpState-flags.keepalive_broken = 1; } Index: src/structs.h === RCS file: /server/cvs-server/squid/squid/src/structs.h,v retrieving revision 1.408.2.19 diff -u -p -r1.408.2.19 structs.h --- src/structs.h 12 Jan 2004 10:51:59 - 1.408.2.19 +++ src/structs.h 14 Jan 2004 18:34:53 - @@ -964,11 +964,11 @@ struct _HttpReply { }; struct _http_state_flags { -unsigned int keepalive_broken:1; -unsigned int abuse_detected:1; unsigned int proxying:1; unsigned int keepalive:1; unsigned int only_if_cached:1; +unsigned int keepalive_broken:1; +unsigned int abuse_detected:1; }; struct _HttpStateData {
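Review bot: the new condition in the http.c hunk is undocumented in the code itself: replacing `reply->content_length == -1` with `httpReplyBodySize(httpState->request->method, reply) == -1` is what narrows the "impossible keep-alive" test so that valid replies which legitimately carry no body (and therefore no Content-Length) are no longer flagged, but that reasoning exists only in the mail. Add a one-line comment above the `if` saying the body size is method-dependent and why a missing Content-Length is acceptable in that case, so the level-1 debug message "Impossible keep-alive header" is not the only explanation a maintainer finds.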
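Review bot: the structs.h hunk reorders the bit-fields of struct _http_state_flags, moving `keepalive_broken` and `abuse_detected` from the front to the end, which is neither mentioned in the description (keep-alive logic too broad) nor required by the http.c change, and has no behavioural effect visible here. If the intent is to append the new flags after the existing ones so the layout matches the snapshot this incremental patch targets, say so in the message; otherwise drop the hunk and keep the fix to the one-line condition change.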
RE: [squid-users] Re: ldapseach argument and the result of LDAP machine!
On Wed, 14 Jan 2004, Hamed Majnoonian wrote:
sAMAccountName: sharpknifeedge
userPrincipalName: XX
The above is a sample of my ID in the AD ... So the question is how can I tell my squid_ldap_auth to check this specific username when it wants to check the password with AD?

By using one of the above two attributes in the -f argument, as described in the squid_ldap_auth manual. One is the AD login name (with domain), the other the NT Domain login name.

Regards
Henrik
[squid-users] Authentication
Using 2.5.stable4 Using basic_auth with htpasswd files and would like to know if there's a way to: 1.) Expire passwords in squid, somehow. 2.) Allow the users to change their passwords. Thanx, Tim Rainier
RE: [squid-users] OWA, SSL and HTTP Status 500/501
It is your server which requires authentication. If your Squid is set up to require authentication then both the Squid reverse proxy and the server must use the same authentication, and you must be using Basic HTTP authentication on both. In addition the Squid reverse proxy must be configured to forward the login information (login option in the cache_peer directive).

NTLM cannot be used via reverse proxies. It does not matter if the backend connection is over SSL or not. You can only use NTLM if you tunnel the SSL port directly to the OWA server using a tcp forwarder or NAT, not using a proxy.

Regards
Henrik

On Wed, 14 Jan 2004, Derek Winkler wrote:
Adding originserver to cache_peer got me past the 501 errors, but now I can't get past the authentication dialogue. Not sure if it is basic or NTLM. Here's the entry from my access.log
1074116953.543 19 10.1.10.103 TCP_MISS/401 347 GET https://torxm.algorithmics.com/exchange/LogonFrm.asp? - FIRST_UP_PARENT/torxm.algorithmics.com text/html
I thought it should work as Basic or NTLM if I was using SSL?
Thanks, Derek

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 4:31 PM
To: Derek Winkler
Cc: 'Henrik Nordstrom'
Subject: RE: [squid-users] OWA, SSL and HTTP Status 500/501

Hmm.. did you remember to declare the OWA server as an originserver class peer?
Regards Henrik

On Wed, 14 Jan 2004, Derek Winkler wrote:
Sorry replying off-list, my Exchange server keeps converting emails to HTML and the list refuses them. I'm going to the same URL, https://torxm.algorithmics.com/dwinkler.htm without squid and it works, same browser and everything.
Re: [squid-users] Strange ACL behavior
On Thu, 2004-01-15 at 05:08, Burnes, James wrote:
.
acl safedomains dstdomain .mycompany.com
acl authenticated_users proxy_auth
                                   ^^^ REQUIRED

Add that one word in, and it'll work.

Cheers,
Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: Rif: Re: [squid-users] Digest Authentication
On Thu, 2004-01-15 at 09:50, Antonio Manfreda wrote:
Hello, I'm trying to make an offline calculation of the Request-Digest for an authentication session between a client and Squid using digest_pw_auth to see if I can reconstruct the response to the challenge. I'm using md5sum on Linux to make MD5 calculations.

Turn on auth debugging in squid and you can see what it generates for the various variables.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
Re: Rif: Re: [squid-users] Digest Authentication
Thank you very much for the clue. How can I turn on auth debugging in squid and what file does it use for logging? Anyway, I don't understand why, following RFC specs, I can't build the digest created by the client (after all it is a client side calculation). Is there some base64 encoding I am missing?

Regards,
Antonio Manfreda

- Original Message -
From: Robert Collins [EMAIL PROTECTED]
To: Antonio Manfreda [EMAIL PROTECTED]
Cc: Squid Users [EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:13 AM
Subject: Re: Rif: Re: [squid-users] Digest Authentication
Re: Rif: Re: [squid-users] Digest Authentication
On Thu, 15 Jan 2004, Antonio Manfreda wrote:
Thank you very much for the clue. How can I turn on auth debugging in squid and what file does it use for logging? Anyway, I don't understand why, following RFC specs, I can't build the digest created by the client (after all it is a client side calculation). Is there some base64 encoding I am missing?

Attached you can find a small perl program implementing the Digest algorithm. I use this when testing the Digest implementation in Squid and other Digest applications (browsers etc).

Regards
Henrik

#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

if (@ARGV != 8) {
    die("usage: user pass realm uri nonce nc cnonce [response]\n");
}
my ($user, $pass, $realm, $uri, $nonce, $nc, $cnonce, $oldresponse) = @ARGV;
my ($method) = ("GET");

# KD(): MD5 of the colon-joined arguments, returned as lowercase hex.
sub KD(@) {
    return md5_hex(join(":", @_));
}

# 3.2.2.2 H(A1)
my $HA1 = KD($user, $realm, $pass);
# 3.2.2.3 H(A2)
my $HA2 = KD($method, $uri);
# 3.2.2.1 request-digest for qop=auth
my $response = KD($HA1, $nonce, $nc, $cnonce, "auth", $HA2);

print "User='$user' pass='$pass' realm='$realm' nonce='$nonce', count='$nc', cnonce='$cnonce' method='$method' uri='$uri'\n";
if ($response eq $oldresponse) {
    print "OK\n";
} else {
    print "H(A1)=\"${HA1}\"\n";
    print "Proxy-Authorization: digest username=\"$user\", realm=\"$realm\", nonce=\"$nonce\", uri=\"$uri\", qop=auth, nc=$nc, cnonce=\"$cnonce\", response=\"$response\"\n";
}
Re: Rif: Re: [squid-users] Digest Authentication
On Thu, 2004-01-15 at 10:35, Antonio Manfreda wrote:
Thank you very much for the clue. How can I turn on auth debugging in squid and what file does it use for logging? Anyway, I don't understand why, following RFC specs, I can't build the digest created by the client (after all it is a client side calculation). Is there some base64 encoding I am missing?

I'm not too interested in double checking your code - you have two implementations (Squid's and Henrik's perl script) that you can cross reference. Squid is known to work correctly with mozilla and ie, so I'm fairly sure we've got it right :}.

set debug_options = ALL,1 29,5 in squid.conf to get debug details.

Rob
--
GPG key available at: http://www.robertcollins.net/keys.txt.
[squid-users] Block downloading exe.
Hi, how am I going to block my users from downloading exe files?

---
Best Regards
Liew Toh Seng
Icq No: 36835809
MSN: [EMAIL PROTECTED]
The Internet Solution Company
My Directory Sdn Bhd
Re: [squid-users] maxconn semantics
In a message dated 1/14/04 5:33:19 AM Eastern Standard Time, [EMAIL PROTECTED] writes:
1024 is the default limit of Linux and many other OSes. It can be raised or lowered if you like. To raise the limit you must also recompile Squid with the limit raised.

Why is this? It seems ridiculous that at the stage of maturity that SQUID has achieved it still can't read a sysctl variable to do this dynamically.

BC