Re: [squid-users] blacklist
> Hi all. Currently I have 3 servers running with Squid and haproxy balancing ahead of them. It works perfectly. Now I want to block porn sites, viruses, external proxies, etc. I tried DansGuardian and SquidGuard, but they slow down my Squid and I do not like that. What can I use? A simple ACL with the domains from http://squidguard.mesd.k12.or.us/blacklists.tgz downloaded (for example)? An ICAP server? Thank you.

Hi,

DansGuardian slow? I agree for SquidGuard, but I'm using DansGuardian without problem with 700 requests/second max (average 450 r/s).

If your hardware is too light, see something like OpenDNS, or better dnsmasq: only for domains, but faster than light, and you can mix it with DansGuardian or ACLs for objects and URLs.

Fred
Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?
On 5/03/2012 8:33 p.m., Jiang Wen Dong wrote:
> This is not what I want. I want proxy_auth user maxconn=100, others maxconn=50.

Yes. That is what the config I wrote does.

    # if user has connections > 100, deny even if logged in
    # else if user is logged in, allow (up to 100)
    # else if connections > 50, deny more than 50 connections
    #   (extra lines are for good security; allowing a random person on
    #    The Internet 50 connections is not good)
    # else other local clients, allow
    # else deny

Amos

-----Original Message-----
From: Amos Jeffries

On 05.03.2012 14:16, Jiang Wen Dong wrote:
> My English is not good, hope you can understand what I'm saying.
>
> I want to set default maxconn=50, and maxconn=100 for proxy_auth users. If I set default maxconn before proxy_auth, then proxy_auth users get maxconn=50, not maxconn=100. If I set default maxconn after proxy_auth, every user gets an auth dialog window, which I do not want shown for !proxy_auth users.
>
> How to set different maxconn number of proxy_auth user from default maxconn?

You are thinking about this backwards. Place the widest everybody limitations first. Then the highest privileged allow permissions. Then repeat as you gradually restrict things. Like this:

    acl login proxy_auth REQUIRED
    acl 100cc maxconn 100
    acl 50cc maxconn 50

    # nobody allowed more than 100 connections
    http_access deny 100cc
    # login users the only ones allowed more than 50
    http_access allow login
    http_access deny 50cc
    # then other LAN clients...
    http_access allow localnet
    # everything not permitted yet is not trusted for any access.
    http_access deny all

Amos
Re: [squid-users] blacklist
On 5 March 2012 09:11, FredB fredbm...@free.fr wrote:
> Hi,
>
> DansGuardian slow? I agree for SquidGuard, but I'm using DansGuardian without problem with 700 requests/second max (average 450 r/s).
>
> If your hardware is too light, see something like OpenDNS, or better dnsmasq: only for domains, but faster than light, and you can mix it with DansGuardian or ACLs for objects and URLs.
>
> Fred

The bbdd of DansGuardian is not free. Am I wrong?
[squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?
Thank you. But there's still a problem: !proxy_auth users will see an auth dialog window, and that is not what I want. I want !proxy_auth users to pass through without an auth dialog window.

Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481
Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 5 March 2012 17:11
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

> On 5/03/2012 8:33 p.m., Jiang Wen Dong wrote:
>> This is not what I want. I want proxy_auth user maxconn=100, others maxconn=50.
>
> Yes. That is what the config I wrote does.
>
>     # if user has connections > 100, deny even if logged in
>     # else if user is logged in, allow (up to 100)
>     # else if connections > 50, deny more than 50 connections
>     #   (extra lines are for good security; allowing a random person on
>     #    The Internet 50 connections is not good)
>     # else other local clients, allow
>     # else deny
>
> Amos
Re: [squid-users] blacklist
* Esteban Torres Rodríguez mortenol.tor...@gmail.com:
>> DansGuardian slow? I agree for SquidGuard, but I'm using DansGuardian without problem with 700 requests/second max (average 450 r/s).
>>
>> If your hardware is too light, see something like OpenDNS, or better dnsmasq: only for domains, but faster than light, and you can mix it with DansGuardian or ACLs for objects and URLs.
>
> The bbdd of DansGuardian is not free. Am I wrong?

What is bbdd?

-- 
Ralf Hildebrandt                    Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de         Campus Benjamin Franklin
http://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk  fon: +49-30-450.570.155
Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?
On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
> Thank you. But there's still a problem: !proxy_auth users will see an auth dialog window, and that is not what I want. I want !proxy_auth users to pass through without an auth dialog window.

Dialog window is a browser feature. Nothing to do with Squid.

You can use this workaround to prevent Squid asking for credentials:

    http_access allow login all

But then you have no way to perform login.

You could change this part:

    http_access allow login
    http_access deny 50cc

to:

    http_access deny 50cc login

so the login popup only appears after 50 connections is reached. Users who can login get the extra connections; users who can't get an annoying popup each time they try to go past 50.

Amos
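As an added illustration of the ordering argument Amos makes (example code, not Squid's and not from the thread): a small Python model of how Squid walks an http_access list, first matching line decides, ACLs on a line tested left to right with the rest of the line skipped at the first non-match, and a proxy_auth ACL reached without credentials producing the 407 challenge that the browser shows as a login dialog. It runs the two rule orderings quoted in this thread; the `localnet` ACL is assumed to be 10.0.0.0/8 and the request objects are constructed.

```python
"""Model of Squid's http_access evaluation (added example, not Squid code).

Squid behaviour modelled: lines are tested in order and the first line whose
ACLs ALL match decides; ACLs on a line are tested left to right and stop at
the first non-match, so later ACLs on that line are never consulted; a
proxy_auth ACL tested without credentials makes Squid stop and send a 407
challenge (the browser login dialog the poster wants to avoid); if no line
matches, the default is the opposite of the last line.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

AUTH_REQUIRED = object()  # sentinel: ACL cannot decide without credentials


@dataclass
class Request:
    client_ip: str
    connections: int          # connections currently open from client_ip
    credentials: bool         # request carries a Proxy-Authorization header
    challenged: bool = False  # set once the login ACL had to be consulted


def maxconn(limit: int) -> Callable[[Request], bool]:
    # Squid's maxconn matches when the client IP holds MORE than `limit`.
    return lambda r: r.connections > limit


def proxy_auth(r: Request):
    r.challenged = True
    return True if r.credentials else AUTH_REQUIRED


# ACL names from the thread's squid.conf; 'localnet' is assumed to be
# 10.0.0.0/8 here and 'all' is Squid's built-in match-everything ACL.
ACLS: Dict[str, Callable] = {
    "100cc": maxconn(100),
    "50cc": maxconn(50),
    "login": proxy_auth,
    "localnet": lambda r: r.client_ip.startswith("10."),
    "all": lambda r: True,
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])


def http_access(rules: List[Rule], req: Request) -> str:
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for `req`."""
    for action, acl_names in rules:
        line_matches = True
        for name in acl_names:
            negate = name.startswith("!")
            result = ACLS[name.lstrip("!")](req)
            if result is AUTH_REQUIRED:
                return "challenge"
            if bool(result) == negate:  # this ACL did not match...
                line_matches = False
                break                   # ...so the rest of the line is skipped
        if line_matches:
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


def parse_rules(conf: str) -> List[Rule]:
    """Pull the http_access lines out of a squid.conf fragment."""
    rules: List[Rule] = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("http_access "):
            _, action, *names = line.split()
            rules.append((action, names))
    return rules


# Amos's first ordering, as posted in the thread.
ORIGINAL_CONF = """
http_access deny 100cc      # nobody allowed more than 100 connections
http_access allow login     # login users the only ones allowed more than 50
http_access deny 50cc
http_access allow localnet  # then other LAN clients...
http_access deny all
"""

# The reordering suggested later: 'login' sits after '50cc' on one deny
# line, so it is only consulted once a client already holds more than 50.
REORDERED_CONF = """
http_access deny 100cc
http_access deny 50cc login
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for conns, creds in ((30, False), (60, False), (150, True)):
        req = Request("10.0.0.5", conns, creds)
        print(conns, creds, http_access(parse_rules(ORIGINAL_CONF), req), req.challenged)
```

With the original ordering every client under 100 connections reaches `allow login` and is challenged; with the reordering a client under 50 connections never reaches the login ACL at all.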
Re: [squid-users] transparent proxy in squid3
On 5/03/2012 4:29 p.m., pplive wrote:
> Dear Amos,
>
> On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:
>> On 05.03.2012 06:40, pplive wrote:
>>> Dear Amos,
>>>
>>> Thanks a lot! By looking at your URL, I have entered the following commands on my squid3 machine (my HTTP service is at port 8080); the squid3 proxy machine is at 10.0.3.1, the HTTP server (noder) is at 10.0.2.1, the HTTP client (nodes) is at 10.0.1.1:
>>>
>>>     yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
>>>     yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
>>>     yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>>>     yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
>>>
>>> <snip>
>>>
>>> However, the proxy still has some problem. When we start wget from the HTTP client:
>>>
>>>     yeung@nodes:~$ wget 10.0.2.1:8080
>>>     --2012-03-04 09:31:39--  http://10.0.2.1:8080/
>>>     Connecting to 10.0.2.1:8080... ^C
>>
>> So far good (modulo the testing with port-8080 factor).
>>
>>>     yeung@nodes:~$
>>>
>>> We look at the tcpdump result on the squid3 machine (10.0.3.1), and we see the following messages:
>>>
>>>     09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
>>>     09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0
>>>
>>> It seems that there was some HTTP-alt traffic coming in from the switch, but no HTTP traffic going out of the squid3 machine.
>>
>> Is this a dump of all packets involving port 8080? Or did you add an IP address or interface direction to hide some packets?
>
> Yes, I use 'sudo tcpdump -i eth0', and I have skipped some LLDP messages as follows (as the squid3 machine is connected to a programmable switch):
>
>> Does Squid already have a cached copy of the URL object being used as a test?
>
> There is nothing in access.log

I'm thinking it is probably something in the kernel security controls then. SELinux can block interception because it is an MITM attack on the clients. Also rp_filter can block the TCP connections in strange places and show up like this.

Did you restart the networking on the squid box after changing sysctl.conf (/etc/init.d/networking restart)?

Amos
Re: [squid-users] blacklist
On 5 March 2012 10:39, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
> * Esteban Torres Rodríguez mortenol.tor...@gmail.com:
>> The bbdd of DansGuardian is not free. Am I wrong?
>
> What is bbdd?

Sorry, DB. No, a list of domains. I've tried DansGuardian with these lists of domains:

http://dansguardian.org/?page=blacklist
http://urlblacklist.com/
[squid-users] Roadmap Squid 3.2
Hi all,

Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix and Alex's patch (which is not yet included in trunk), and I would like to know the schedule for an official stable release, approximately of course (before this summer, end of year?).

I had reported some problems with rock store, but maybe it can be considered an experimental feature for the moment?

Thanks
Fred
[squid-users] squid with squidguard issue
Can someone please help. I followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard, using lenny, squid 2.7 and squidguard 1.2.0. I wrote the line below at the end of squid.conf:

    redirect_program /usr/bin/squidGuard

I denied ads in squidGuard.conf, and addme.com is a domain which I am sure is in the blocklist database. Now when I go to addme.com it just opens the website (which I don't want). Here is the squidGuard.conf rule:

    dest adult {
        domainlist ads/domains
        # urllist /var/lib/squidguard/db/blacklists/porn/urls
        # expressionlist adult/expressions
        redirect http://google.com
    }

Here is the squidGuard log, /var/log/squid/squidGuard.log:

    2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
    2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
    2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
    2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
    2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
    2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
    2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
    2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
    2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
    2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)

Here is access.log. The thing which is confusing me is that the redirect tag is not present, which is supposed to be there. However, I cannot find any redirect tag in the default 2.7 squid.conf file. Can you please tell me what is going on and how I can redirect or solve the issue?

    1330953994.304    640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon

Thanks,
[squid-users] Re: squid with squidguard issue
    url_rewrite_program /usr/sbin/squidGuard
    url_rewrite_children 5

This also doesn't work.

On Mon, Mar 5, 2012 at 6:40 PM, Muhammad Yousuf Khan sir...@gmail.com wrote:
> Can someone please help. I followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard, using lenny, squid 2.7 and squidguard 1.2.0. I wrote the line below at the end of squid.conf:
>
>     redirect_program /usr/bin/squidGuard
>
> I denied ads in squidGuard.conf, and addme.com is a domain which I am sure is in the blocklist database. Now when I go to addme.com it just opens the website (which I don't want).
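As an added illustration of the mechanism both the blacklist thread and this squidGuard thread rely on (a domains list consulted per request, and a helper answering Squid over stdin/stdout), example code that is not squidGuard's and not from the list: the matcher implements domain-list semantics (an entry matches the host and its subdomains on label boundaries, never a mere substring) and answers Squid 2.7 url_rewrite_program request lines with a blank line or a `302:` redirect to the thread's target. The sample domains list is constructed; only the URL field of each request line is used, so the trailing fields (client ip/fqdn, user, method) are not interpreted.

```python
"""Domain-blocklist matching and the Squid url_rewrite helper exchange
(added example; not squidGuard's code and not the project's own).

squidGuard 'domainlist' semantics modelled here: an entry matches the
host itself and every subdomain of it, on label boundaries only, so
'addme.com' covers www.addme.com but not notaddme.com. The helper I/O
follows the Squid 2.7 url_rewrite_program protocol: one request per
line, URL first then client_ip/fqdn, user and method, answered with a
blank line (leave the URL alone) or '302:<url>' (redirect the client).
"""
import sys
from typing import Set
from urllib.parse import urlsplit

# Constructed stand-in for /var/lib/squidguard/db/ads/domains: one
# domain per line, '#' comments and blank lines ignored.
SAMPLE_DOMAINS = """\
# ads category (constructed sample)
addme.com
doubleclick.net

tracker.example
"""

# Where the thread's squidGuard rule sends blocked requests.
REDIRECT_URL = "http://google.com"


def load_domains(text: str) -> Set[str]:
    """Parse a squidGuard-style domains file into a lower-cased set."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def is_blocked(host: str, domains: Set[str]) -> bool:
    """True if `host` or any parent domain of it is listed."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host towards the TLD: www.addme.com -> addme.com -> com
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def rewrite_response(request_line: str, domains: Set[str],
                     redirect: str = REDIRECT_URL) -> str:
    """Answer one helper request line the way a redirecting helper would."""
    fields = request_line.split()
    if not fields:
        return ""                      # malformed input: fail open, do not hang Squid
    host = urlsplit(fields[0]).hostname
    if host and is_blocked(host, domains):
        return f"302:{redirect}"
    return ""                          # blank line = URL unchanged


def main() -> None:
    """Helper loop: Squid writes one request per line on stdin and reads
    one answer line from stdout, so every reply must be flushed at once."""
    domains = load_domains(SAMPLE_DOMAINS)
    for line in sys.stdin:
        sys.stdout.write(rewrite_response(line, domains) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding the thread's own access.log URL to it on stdin (`http://www.addme.com/favicon.ico 10.51.100.240/- - GET`) yields `302:http://google.com`, which is the answer Squid would have had to receive for the redirect to appear in the log.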
[squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID
Hello,

We are using Squid to transparently proxy the traffic to a captive portal that resides on the same machine as the Squid server. The solution was working based on a NAT REDIRECT. We are moving the solution to TPROXY now as part of the migration to IPv6. TPROXY works fine in intercepting traffic and is also successfully able to allow / deny traffic to IPv6 sites.

We are facing a strange issue when we try to access a URL on the same machine that hosts the Squid server. The access hangs and Squid is not able to connect to the URL. We are using the AOL webserver to host the webpage. All the configurations recommended by the Squid sites are done.

- Firewall rules with the TPROXY and DIVERT chain have been set up as below:

    ip6tables -t mangle -N DIVERT
    ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
    ip6tables -t mangle -A DIVERT -j ACCEPT
    ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
    ip6tables -t mangle -A PREROUTING -i eth0.20 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
    ip6tables -t mangle -A PREROUTING -j ACCEPT

- Policy routing to route proxied traffic to the local box is also done as recommended:

    16383:  from all fwmark 0x1 lookup 100
    16390:  from all lookup local
    32766:  from all lookup main

    ip -6 route show table 100
    local default dev lo metric 1024
    local default dev eth0.20 metric 1024

The Squid configuration used is standard, and I have provided below a snapshot of cache.log, running Squid at full debug level with max logging. I have provided the final set of logs for this transaction. The URL accessed in the test is http://[2001:4b8:1::549]/sample_page.adp.

I would appreciate any assistance / pointers to solve this. Please do let me know if any additional information is required.

-- cache.log --

    2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
    ----------
    GET /sample_page.adp HTTP/1.1
    User-Agent: w3m/0.5.2
    Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
    Accept-Encoding: gzip, compress, bzip, bzip2, deflate
    Accept-Language: en;q=1.0
    Host: [2001:4b8:1::549]
    Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
    X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
    Cache-Control: max-age=259200
    Connection: keep-alive
    ----------
    2012/03/05 04:29:26.320 kid1| Write.cc(21) Write: local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673 remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall 0x871f6e8*1
    2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13, type=2, handler=1, client_data=0x84df560, timeout=0
    2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
    2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
    2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
    2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace constructed, this=0x871ff48 [call204]
    2012/03/05 04:29:26.321 kid1| event.cc(261) will call MaintainSwapSpace() [call204]
    2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
    2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call MaintainSwapSpace [call204]
    2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding 'MaintainSwapSpace', in 1.00 seconds
    2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
    2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
    2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools constructed, this=0x871ff48 [call205]
    2012/03/05 04:29:27.149 kid1| event.cc(261) will call memPoolCleanIdlePools() [call205]
    2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
    2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call memPoolCleanIdlePools [call205]
    2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding 'memPoolCleanIdlePools', in 15.00 seconds
    2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
    2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
    2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru constructed, this=0x871ff48 [call206]
    2012/03/05 04:29:27.165 kid1| event.cc(261) will call fqdncache_purgelru() [call206]
    2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
    2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call fqdncache_purgelru [call206]
    2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding 'fqdncache_purgelru', in 10.00 seconds
    2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()

Best Regards,
Vignesh
Re: [squid-users] transparent proxy in squid3
Dear Amos,

I did restart the networking. When I review all the iptables settings, from tcpdump we can see:

    09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59678297 ecr 0,nop,wscale 6], length 0
    09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59679047 ecr 0,nop,wscale 6], length 0
    09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

I think the nodec1 (my squid3 machine) is even able to start an ARP query.

My OS is Ubuntu, kernel version:

    yeung@nodec1:/etc/squid3$ uname -r
    2.6.32-34-generic-pae

I have checked the rp_filter setting; it has been disabled.

Sorry for causing you trouble.

Best,
Alex

On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> I'm thinking it is probably something in the kernel security controls then. SELinux can block interception because it is an MITM attack on the clients. Also rp_filter can block the TCP connections in strange places and show up like this.
>
> Did you restart the networking on the squid box after changing sysctl.conf (/etc/init.d/networking restart)?
>
> Amos
Re: [squid-users] transparent proxy in squid3
Dear Amos, To see whether there were some internal firewall in my system , I tried a simpler topology, i.e., Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server (10.0.0.2) I just follow the setting in http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT --to-port 3128 According to tcpdump, we can see the packets are forwarded to port 3128 (I use wget 10.0.0.2:8080 at the client) 14:04:50.282381 IP 10.0.0.1.33088 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0 14:04:53.212426 IP 10.0.0.1.33088 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0 Still, I am confusing of using one NIC, how can I redirect the packets to port 3128. Thanks a lot! Best regards, Alex On Mon, Mar 5, 2012 at 4:19 PM, pplive p2pne...@googlemail.com wrote: Dear Amos, I did restart the networking. When I just to review all iptables settings, from tcpdump we can see 09:35:23.830038 IP nodes-links.37711 noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59678297 ecr 0,nop,wscale 6], length 0 09:35:26.827763 IP nodes-links.37711 noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59679047 ecr 0,nop,wscale 6], length 0 09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46 I think the nodec1 (my squid3 machine) is even able to start an ARP query. My OS is Ubuntu, kernel version yeung@nodec1:/etc/squid3$ uname -r 2.6.32-34-generic-pae I have checked the rp_filter setting, it has been disabled. Sorry for causing you trouble. 
Best, Alex On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote: On 5/03/2012 4:29 p.m., pplive wrote: Dear Amos, On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote: On 05.03.2012 06:40, pplive wrote: Dear Amos, Thanks a lot! By looking at your URL, I have enter the following commands in my squid3 machine (my HTTP service is at PORT 8080), the squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at 10.0.2.1, HTTP client (nodes) is at 10.0.1.1: yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128 yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP snip However, the proxy still has some problem, when we start wget from the HTTP client yeung@nodes:~$ wget 10.0.2.1:8080 --2012-03-04 09:31:39-- http://10.0.2.1:8080/ Connecting to 10.0.2.1:8080... ^C So far good (modulo the testing with port-8080 factor). yeung@nodes:~$ We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the following message: 09:31:39.384558 IP nodes-links.51902 noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0 09:31:42.379034 IP nodes-links.51902 noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0 It seems that there were some HTTP-alt traffic coming in from the switch, but no HTTP traffic going out of the squid3 machine. Is this a dump of all packets involving port 8080? or did you add an IP address or interface direction to hide some packets? Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages as follows (as the squid3 machine is connected to a programmable switch): Does Squid already have a cached copy of the URL object being used as a test? 
There is nothing in access.log.

I'm thinking it is probably something in the kernel security controls then. SELinux can block interception because it is an MITM attack on the clients. Also rp_filter can block the TCP connections in strange places and show up like this.

Did you restart the networking on the squid box after changing sysctl.conf (/etc/init.d/networking restart)?

Amos
Re: [squid-users] Roadmap Squid 3.2
On 06.03.2012 02:07, FredB wrote:
Hi all,
Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix and Alex's patch (which is not yet included in trunk), and I would like to know the schedule for an official stable release, approximately of course (before this summer, end of year?)

The checklist I have to work by is at http://wiki.squid-cache.org/ReleaseProcess#Squid-3

We are looping around at the freeze stage (3), waiting to reach 0 major+ bugs before we can start the stable release countdown stages (4+).

We are intending 3.2 to supersede and obsolete all 3.x and 2.x series releases. Which means there are just over 50 bugs rated major or higher which need to be confirmed as fixed in 3.2, or downgraded, before 3.2 can start its stability countdown.

A lot of these bugs, particularly 2.x ones, just need somebody to check and verify that the described behaviour is not reproducible in 3.2 anymore. At which point they can be closed against a target of 3.2. Another half dozen or so got closed this month, but there are many more to go.

This is a task nearly anyone can do. You just need a network setup similar to the reporter's. Anyone interested in a bug marathon for the next 6-8 weeks?

I had reported some problems with rock store, but maybe it can be considered an experimental feature for the moment?

It is experimental until there has been at least one stable cycle of wide use to wrinkle out any minor bugs and edge cases. If the bug you have reported can be considered normal or lower then it will not block the stable release. Keeping in mind that the shared memory change is a feature affecting everybody, so the precise location of the bug impacts its importance a lot.

Amos
Re: [squid-users] Re: squid with squidguard issue
On Mon, Mar 5, 2012 at 6:40 PM, Muhammad Yousuf Khan wrote:
Can someone please help. I followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and am using lenny squid 2.7 and squidguard 1.2.0. I wrote the line below at the end of squid.conf:

redirect_program /usr/bin/squidGuard

I denied ads in squidGuard.conf, and addme.com is a domain which I am sure is in the blocklist database. Now when I go to addme.com it just opens the website (which I don't want, though).

NOTE: squidGuard is not part of Squid and is not supported by the Squid Project. For support please contact the squidGuard user help.

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
2012/3/2 Yucong Sun (叶雨飞) sunyuc...@gmail.com:
I think what happens is the document seems to be wrong; the kernel already has TPROXY compiled in. Look for /boot/config- and search for TPROXY; it should say m.

For the iptables rules, you will need to use the mangle table; there's no tproxy table anymore. As such:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port proxyport \
--tproxy-mark 0x1/0x1

On my machine, ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux, I have TPROXY 4.1.0 included; not sure about debian.

[5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

However, I do want to add an additional question. Suppose my proxy machine will be acting as network gateway to my LAN; can I simply achieve the same effect by simply

-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???

Why was tproxy needed in the first place?

As far as I understood it you would use tproxy if you want to expose your internal IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
But I may not have understood things right...
Regards,
Eli

Thanks.

On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau da...@touzeau.eu wrote:
There is bad news: backports did not change anything regarding Tproxy. Only kernel 3.2x is available on the backports repository.
apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
apt-get install -t squeeze-backports upgrade
reboot

My kernel is now Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded

grep -i iptables /boot/config-`uname -r`
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
# iptables trigger is under Netfilter config (LED target)

SNIF, SNIF

On 02/03/2012 17:03, David Touzeau wrote:
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Re: [squid-users] transparent proxy in squid3
On 06.03.2012 11:09, pplive wrote:
Dear Amos,
To see whether there was some internal firewall in my system, I tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server (10.0.0.2)

I just followed the setting in http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT

ACCEPT on the layer-2 bridging is to handle the packet entirely at that low layer. It needs to be DROPed out of the bridging layer into the iptables layer handling before NAT can change the IP/port and routing can shift it to the INPUT path where Squid gets it.

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT --to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128 (I use wget 10.0.0.2:8080 at the client):

14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0

Still, I am confused about using one NIC: how can I redirect the packets to port 3128?

NAT is a special system which can change packets on both bridging and routing layers but does not itself make them change layer. So what the above trace shows is that packets arriving are NAT/NAPT changed as they flow through the bridge. But not anything else.

tcpdump gets packets before any of the iptables etc. handling gets done to them. So it's useful to verify that the packets are arriving and/or leaving the NIC as expected, but not much help deciphering what is happening to them in the middle around where Squid sits. We have to rely on ebtables/iptables LOG functionality for those bits.
I'm sorry I can't be of much more help. Beyond suggesting to try later versions of the software, including the kernel, I've run out of ideas.

Amos
[squid-users] domain list 'optimizer'
I'm just wondering if anyone ever wrote a tool to optimize the various huge lists provided by different people, or even self-built lists...

What do I mean by optimize? When the list is of type dstdomain and contains entries:

www.domain.ex
www2.domain.ex
www-dumb.domain.ex
x.www.domain.ex
www3.domain.ex

If you know that domain.ex is actually a domain of whatever the list type is, you can just change all those entries into one .domain.ex entry...

Regards,
Eliyahu - אליהו
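A small tool of the kind asked about here, added as an example (it is not from this list or from the Squid project). It reads a dstdomain list, first drops entries that a '.parent' wildcard entry already covers (the overlap Squid warns about when it loads such a list), and only when told to folds several hosts under one parent into a single '.parent' entry; the sample list is the one from the post plus one unrelated host.

```python
#!/usr/bin/env python3
"""Optimiser for Squid 'dstdomain' ACL lists (added example, not a Squid tool).

Pass 1 drops entries already covered by a wildcard entry: Squid matches
'.domain.ex' against domain.ex itself and every subdomain, so keeping
'www.domain.ex' next to '.domain.ex' only costs memory and startup warnings.
Pass 2 (optional) folds >= threshold hosts sharing one parent into '.parent'.
That WIDENS the block to the whole parent domain, so use it only when the
parent itself belongs to the list, as the poster assumes for domain.ex.
"""
from collections import defaultdict
import sys


def clean(line: str) -> str:
    """Normalise one list line; returns '' for blank lines and comments."""
    return line.split('#', 1)[0].strip().lower().rstrip('.')


def labels(entry: str) -> list:
    return entry.lstrip('.').split('.')


def covering_wildcards(entry: str):
    """Yield every wildcard entry that would make `entry` redundant."""
    lab = labels(entry)
    if not entry.startswith('.'):
        yield '.' + entry                  # '.a.b' also covers the exact host 'a.b'
    for i in range(1, len(lab)):
        yield '.' + '.'.join(lab[i:])      # '.b' covers 'a.b', '.a.b', 'x.a.b', ...


def drop_covered(entries):
    """Pass 1: return (kept, redundant); redundant maps entry -> covering wildcard."""
    wild = {e for e in entries if e.startswith('.')}
    kept, redundant = [], {}
    for e in entries:
        cover = next((w for w in covering_wildcards(e) if w in wild), None)
        if cover:
            redundant[e] = cover
        else:
            kept.append(e)
    return kept, redundant


def fold_parents(entries, threshold: int, parent_labels: int = 2):
    """Pass 2: replace >= threshold entries under the same parent with '.parent'.

    The parent is the last `parent_labels` labels, which is naive for public
    suffixes such as co.uk; raise parent_labels or pre-filter those.
    """
    groups = defaultdict(list)
    for e in entries:
        lab = labels(e)
        if len(lab) > parent_labels:
            groups['.' + '.'.join(lab[-parent_labels:])].append(e)
    out = set(entries)
    for parent, members in groups.items():
        if len(members) >= threshold:
            out.difference_update(members)
            out.add(parent)
    return sorted(out)


def optimise(lines, fold_threshold=None, parent_labels: int = 2):
    """Full pipeline over raw list lines; returns a sorted, deduplicated list."""
    entries = sorted({c for c in map(clean, lines) if c})
    kept, _ = drop_covered(entries)
    if fold_threshold:
        kept, _ = drop_covered(fold_parents(kept, fold_threshold, parent_labels))
    return kept


# Constructed sample: the entries from the post plus one unrelated host.
SAMPLE = """
www.domain.ex
www2.domain.ex
www-dumb.domain.ex
x.www.domain.ex
www3.domain.ex
other.example
""".splitlines()


if __name__ == '__main__':
    # usage: optimise.py [fold-threshold] < in.acl > out.acl
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else None
    for entry in optimise(sys.stdin, threshold):
        print(entry)
```

Without a threshold the output is semantically identical to the input (only redundant entries go); with one, every fold should be checked against the list's category before it ships.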
Re: [squid-users] Implement Tproxy on Debian squeeze
On 06.03.2012 11:42, E.S. Rosenberg wrote:
2012/3/2 Yucong Sun (叶雨飞):
I think what happens is the document seems to be wrong; the kernel already has TPROXY compiled in. Look for /boot/config- and search for TPROXY; it should say m.
For the iptables rules, you will need to use the mangle table; there's no tproxy table anymore.

There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.

However, I do want to add an additional question. Suppose my proxy machine will be acting as network gateway to my LAN; can I simply achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
Why was tproxy needed in the first place?

As far as I understood it you would use tproxy if you want to expose your internal IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
But I may not have understood things right...

Sort-of. Exposure is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.

You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4. For OS where transparent proxy works there are no more technical reasons to use NAT. OpenBSD 5.x for example seems to have jumped the whole upgrade process and no longer supports NAT interception at all, using divert sockets, which is their version of TPROXY, across the main set of system tools.

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
2012/3/6 Amos Jeffries squ...@treenet.co.nz:
On 06.03.2012 11:42, E.S. Rosenberg wrote:
2012/3/2 Yucong Sun (叶雨飞):
I think what happens is the document seems to be wrong; the kernel already has TPROXY compiled in. Look for /boot/config- and search for TPROXY; it should say m.
For the iptables rules, you will need to use the mangle table; there's no tproxy table anymore.

There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.

However, I do want to add an additional question. Suppose my proxy machine will be acting as network gateway to my LAN; can I simply achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
Why was tproxy needed in the first place?

As far as I understood it you would use tproxy if you want to expose your internal IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
But I may not have understood things right...

Sort-of. Exposure is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.

You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4. For OS where transparent proxy works there are no more technical reasons to use NAT. OpenBSD 5.x for example seems to have jumped the whole upgrade process and no longer supports NAT interception at all, using divert sockets, which is their version of TPROXY, across the main set of system tools.

That is assuming the TPROXY machine sits on the line of the machines going out; if it's just a firewall that is redirecting all port 80 traffic to the proxy on a different subnet you would still use it, I would think?

Thanks,
Eli

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
On 06.03.2012 12:54, E.S. Rosenberg wrote:
2012/3/6 Amos Jeffries squ...@treenet.co.nz:
On 06.03.2012 11:42, E.S. Rosenberg wrote:
2012/3/2 Yucong Sun (叶雨飞):
I think what happens is the document seems to be wrong; the kernel already has TPROXY compiled in. Look for /boot/config- and search for TPROXY; it should say m.
For the iptables rules, you will need to use the mangle table; there's no tproxy table anymore.

There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.

However, I do want to add an additional question. Suppose my proxy machine will be acting as network gateway to my LAN; can I simply achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
Why was tproxy needed in the first place?

As far as I understood it you would use tproxy if you want to expose your internal IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
But I may not have understood things right...

Sort-of. Exposure is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.

You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4. For OS where transparent proxy works there are no more technical reasons to use NAT. OpenBSD 5.x for example seems to have jumped the whole upgrade process and no longer supports NAT interception at all, using divert sockets, which is their version of TPROXY, across the main set of system tools.
That is assuming the TPROXY machine sits on the line of the machines going out; if it's just a firewall that is redirecting all port 80 traffic to the proxy on a different subnet you would still use it, I would think?

If by line you mean the packet flow at a virtual level, yes. TPROXY is similar to a virtual bridge.

Interception in any form assumes the packets are reaching the machine somehow. Actually bridging the packets across a box with TPROXY on it is the easy way to configure it. Policy routing is the slightly harder way. The only difference in these installations between TPROXY and NAT is what properties the routing logic needs to make decisions on.

Amos
Re: [squid-users] Roadmap Squid 3.2
On Tue, 6 Mar 2012, Amos Jeffries wrote:
On 06.03.2012 02:07, FredB wrote:
Hi all,
Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix and Alex's patch (which is not yet included in trunk), and I would like to know the schedule for an official stable release, approximately of course (before this summer, end of year?)

The checklist I have to work by is at http://wiki.squid-cache.org/ReleaseProcess#Squid-3

We are looping around at the freeze stage (3), waiting to reach 0 major+ bugs before we can start the stable release countdown stages (4+).

We are intending 3.2 to supersede and obsolete all 3.x and 2.x series releases. Which means there are just over 50 bugs rated major or higher which need to be confirmed as fixed in 3.2, or downgraded, before 3.2 can start its stability countdown.

I haven't checked in the last several months, but has there been any progress on the fact that ACLs are so much more expensive to evaluate in 3.x than in 1.x or 2.x?

David Lang
Re: [squid-users] squid with squidguard issue
On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote:
Can someone please help. I followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and am using lenny squid 2.7 and squidguard 1.2.0. I wrote the line below at the end of squid.conf:

redirect_program /usr/bin/squidGuard

okay

I denied ads in squidGuard.conf, and addme.com is a domain which I am sure is in the blocklist database. Now when I go to addme.com it just opens the website (which I don't want, though). Here is the squidGuard.conf rule:

dest adult {
  domainlist ads/domains
  # urllist /var/lib/squidguard/db/blacklists/porn/urls
  # expressionlist adult/expressions
  redirect http://google.com
}

You need to supply a source and destination, basically who is allowed to access squidguard, and then tell squidguard what to do with the client's request: allow or deny. E.g.:

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
#
# SOURCE ADDRESSES:
src admin {
  ip 10.1.1.1
}
src fooclients {
  ip 10.132.0.0/16 10.155.0.0/16
}
src freedomzone {
  ip 10.154.1.0/24 10.154.2.0/24
}
# DESTINATION CLASSES:
#
dest whitelist {
  domainlist whitelist/domains
}
dest education {
  domainlist education/schools/domains
  urllist education/schools/urls
}
dest denied {
  domainlist denied/domains
  urllist denied/urls
  redirect http://10.0.2.3/surfb1.html
  log deniedaccess.log
}
acl {
  admin {
    pass any
  }
  fooclients {
    pass whitelist education !denied any
  } else {
    pass any
  }
  freedomzone {
    pass whitelist education !pornexp !porn any
    redirect http://staff2.beth.k12.pa.us/index.html
  } else {
    pass any
  }
  default {
    pass none
    redirect http://10.0.2.3/index.html
  }
}

Here is the squidguard log.
/var/log/squid/squidGuard.log
2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)

Here is access.log. The thing which is confusing me is that the redirect tag, which is supposed to be there, is not present. However, I cannot find any redirect tag in the default 2.7 squid.conf file. Can you please tell me what is going on and how I can redirect or solve the issue?

1330953994.304640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon

Thanks,
Re: [squid-users] squid with squidguard issue
Well, you could use Squid's built-in blacklist capabilities instead of adding complexity by trying to use squidGuard or DansGuardian, particularly if you're a noob at squid. I've taken a look at them and decided that it's too much effort to try and implement. Rather, this is how I've done it. Try this instead; it's what I do.

Create a blacklist file and place it somewhere. Mine is in my squid dir, /etc/squid3/squid-block.acl (you can name it whatever you want, of course). Add a few test entries to this file in the following format:

.pornsite.com
.unwantedsite.com
.whatevershit.com
.someshitwebsite.com

The leading . will ensure that www.pornsite.com or any subdomain is also blocked.

So next add these lines to your squid.conf:

#blacklist by haxradio.com==
acl blacklist dstdomain /etc/squid3/squid-block.acl
http_access deny blacklist
#==

Then do squid3 -k reconfigure (assuming that you're running the squid3.x series).

Voila, you are blocking sites using a blacklist, my friend.

BTW, just ignore the stupid warning messages. They do not affect the functionality of this feature and I've learned to just ignore them.

Thanks to Amos for helping me to properly do this.

On 03/05/2012 05:19 PM, jeffrey j donovan wrote:
On Mar 5, 2012, at 8:40 AM, Muhammad Yousuf Khan wrote:
Can someone please help. I followed http://wiki.debian.org/DebianEdu/HowTo/SquidGuard and am using lenny squid 2.7 and squidguard 1.2.0. I wrote the line below at the end of squid.conf:

redirect_program /usr/bin/squidGuard

okay

I denied ads in squidGuard.conf, and addme.com is a domain which I am sure is in the blocklist database. Now when I go to addme.com it just opens the website (which I don't want, though). Here is the squidGuard.conf rule:

dest adult {
  domainlist ads/domains
  # urllist /var/lib/squidguard/db/blacklists/porn/urls
  # expressionlist adult/expressions
  redirect http://google.com
}

You need to supply a source and destination, basically who is allowed to access squidguard,
and then tell squidguard what to do with the client's request: allow or deny. E.g.:

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
#
# SOURCE ADDRESSES:
src admin {
  ip 10.1.1.1
}
src fooclients {
  ip 10.132.0.0/16 10.155.0.0/16
}
src freedomzone {
  ip 10.154.1.0/24 10.154.2.0/24
}
# DESTINATION CLASSES:
#
dest whitelist {
  domainlist whitelist/domains
}
dest education {
  domainlist education/schools/domains
  urllist education/schools/urls
}
dest denied {
  domainlist denied/domains
  urllist denied/urls
  redirect http://10.0.2.3/surfb1.html
  log deniedaccess.log
}
acl {
  admin {
    pass any
  }
  fooclients {
    pass whitelist education !denied any
  } else {
    pass any
  }
  freedomzone {
    pass whitelist education !pornexp !porn any
    redirect http://staff2.beth.k12.pa.us/index.html
  } else {
    pass any
  }
  default {
    pass none
    redirect http://10.0.2.3/index.html
  }
}

Here is the squidguard log.

/var/log/squid/squidGuard.log
2012-03-05 08:06:53 [4180] squidGuard 1.2.0 started (1330952813.099)
2012-03-05 08:06:53 [4180] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4180] squidGuard ready for requests (1330952813.101)
2012-03-05 08:06:53 [4182] destblock good missing active content, set inactive
2012-03-05 08:06:53 [4182] destblock local missing active content, set inactive
2012-03-05 08:06:53 [4182] init domainlist /var/lib/squidguard/db/ads/domains
2012-03-05 08:06:53 [4182] loading dbfile /var/lib/squidguard/db/ads/domains.db
2012-03-05 08:06:53 [4182] squidGuard 1.2.0 started (1330952813.107)
2012-03-05 08:06:53 [4182] recalculating alarm in 30187 seconds
2012-03-05 08:06:53 [4182] squidGuard ready for requests (1330952813.108)

Here is access.log. The thing which is confusing me is that the redirect tag, which is supposed to be there, is not present. However, I cannot find any redirect tag in the default 2.7 squid.conf file.
Can you please tell me what is going on and how I can redirect or solve the issue?

1330953994.304640 10.51.100.240 TCP_CLIENT_REFRESH_MISS/200 1910 GET http://www.addme.com/favicon.ico - DIRECT/69.43.161.4 image/x-icon

Thanks,
Re: [squid-users] Roadmap Squid 3.2
On 06.03.2012 14:15, david wrote:
On Tue, 6 Mar 2012, Amos Jeffries wrote:
On 06.03.2012 02:07, FredB wrote:
Hi all,
Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix and Alex's patch (which is not yet included in trunk), and I would like to know the schedule for an official stable release, approximately of course (before this summer, end of year?)

The checklist I have to work by is at http://wiki.squid-cache.org/ReleaseProcess#Squid-3

We are looping around at the freeze stage (3), waiting to reach 0 major+ bugs before we can start the stable release countdown stages (4+).

We are intending 3.2 to supersede and obsolete all 3.x and 2.x series releases. Which means there are just over 50 bugs rated major or higher which need to be confirmed as fixed in 3.2, or downgraded, before 3.2 can start its stability countdown.

I haven't checked in the last several months, but has there been any progress on the fact that ACLs are so much more expensive to evaluate in 3.x than in 1.x or 2.x?

David Lang

Regex optimizations were done after your last message. Since your worst-case tests had many regex I was hoping to hear back from you about whether that was significant progress or more was needed.

The other major optimizations have been mostly in request and DNS handling.

Amos
Re: [squid-users] Re: squid with squidguard issue
On 06.03.2012 14:46, Benjamin E. Nichols wrote:
Well, you could use Squid's built-in blacklist capabilities instead of adding complexity by trying to use squidGuard or DansGuardian, particularly if you're a noob at squid. I've taken a look at them and decided that it's too much effort to try and implement. Rather, this is how I've done it. Try this instead; it's what I do.

Create a blacklist file and place it somewhere. Mine is in my squid dir, /etc/squid3/squid-block.acl (you can name it whatever you want, of course). Add a few test entries to this file in the following format:

.pornsite.com
.unwantedsite.com
.whatevershit.com
.someshitwebsite.com

The leading . will ensure that www.pornsite.com or any subdomain is also blocked.

(Attached is a copy of my own blacklist I use to block porn, malicious sites, and advertisements, combined from several published blacklists that I have already formatted for squid using sed and awk.)

So next add these lines to your squid.conf:

#blacklist by haxradio.com==
acl blacklist dstdomain /etc/squid3/squid-block.acl
http_access deny blacklist
#==

Then do squid3 +k reconfigure (assuming that you're running the squid3.x series).

Er, -k

Voila, you are blocking sites using a blacklist, my friend.

BTW, just ignore the stupid warning messages. They do not affect the functionality of this feature and I've learned to just ignore them.

Which warning messages?

Amos
Re: [squid-users] Roadmap Squid 3.2
On Tue, 6 Mar 2012, Amos Jeffries wrote:
On 06.03.2012 14:15, david wrote:
On Tue, 6 Mar 2012, Amos Jeffries wrote:
On 06.03.2012 02:07, FredB wrote:
Hi all,
Amos, like I said in the bug report, Squid 3.2 is very stable with your last fix and Alex's patch (which is not yet included in trunk), and I would like to know the schedule for an official stable release, approximately of course (before this summer, end of year?)

The checklist I have to work by is at http://wiki.squid-cache.org/ReleaseProcess#Squid-3

We are looping around at the freeze stage (3), waiting to reach 0 major+ bugs before we can start the stable release countdown stages (4+).

We are intending 3.2 to supersede and obsolete all 3.x and 2.x series releases. Which means there are just over 50 bugs rated major or higher which need to be confirmed as fixed in 3.2, or downgraded, before 3.2 can start its stability countdown.

I haven't checked in the last several months, but has there been any progress on the fact that ACLs are so much more expensive to evaluate in 3.x than in 1.x or 2.x?

David Lang

Regex optimizations were done after your last message. Since your worst-case tests had many regex I was hoping to hear back from you about whether that was significant progress or more was needed.

Ok, I'll check things. I will point out that even when I changed my tests to have no regexes in them there was still a very large performance hit from the ACL checking.

David Lang

The other major optimizations have been mostly in request and DNS handling.

Amos
Re: [squid-users] Roadmap Squid 3.2
Is Squid-3.2.0.15 the most stable release to be using for deployment on the bleeding edge, or is 3.2.0.12 still the safest bet? In the past you have given some guidance as builds have moved into new functionality vs bug squashing phases. Are you imminently about to release 3.2.016?

Does someone have some big picture comments on rock store - benefits, any known issues?

Cheers

Ed W
Re: [squid-users] transparent proxy in squid3
Dear Amos,

Thanks for your great hint that "tcpdump gets packets before any of the iptables etc. handling gets done to them" and "We have to rely on ebtables/iptables LOG functionality for those bits".

Now I start debugging iptables, using

sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG --log-prefix TEST:

From node-s (sender), we run [node-s (sender) is 10.0.1.1, node-r (receiver) is 10.0.2.1, the squid3 machine is 10.0.3.1]

wget 10.0.2.1:8080

While we still see

19:20:09.439059 IP nodes-links.40520 > noder-linkr.http-alt: Flags [S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val 68449700 ecr 0,nop,wscale 6],

in tcpdump, we see nothing in the iptables log.

In contrast, if we run 'wget 10.0.3.1:8080' (directly connecting to the 8080 port of the squid3 machine, although there is no service) we see information in both tcpdump

19:26:51.347175 IP nodes-links.41022 > nodec1-tblink-l9.http-alt: Flags [S], seq 1779139991, win 5840, options [mss 1460,sackOK,TS val 68550176 ecr 0,nop,wscale 6], length 0
19:26:51.347287 IP nodec1-tblink-l9.http-alt > nodes-links.41022: Flags [R.], seq 0, ack 1779139992, win 0, length 0

and the iptables log

Mar 5 19:24:09 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT= MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 5 19:24:09 nodec1 kernel: [28094.303495] TEST: IN=eth0 OUT= MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0

Can we conclude the error happened because

sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG --log-prefix TEST:

cannot pick up the 8080 packet forwarded by the switch? Can some packet loss happen before this step? I am sorry I am not very familiar with the linux kernel/system... and for bothering you with so much trouble...

Thanks a lot!
On Mon, Mar 5, 2012 at 5:57 PM, Amos Jeffries squ...@treenet.co.nz wrote:
On 06.03.2012 11:09, pplive wrote:
Dear Amos,
To see whether there was some internal firewall in my system, I tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server (10.0.0.2)

I just followed the setting in http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT

ACCEPT on the layer-2 bridging is to handle the packet entirely at that low layer. It needs to be DROPed out of the bridging layer into the iptables layer handling before NAT can change the IP/port and routing can shift it to the INPUT path where Squid gets it.

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT --to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128 (I use wget 10.0.0.2:8080 at the client):

14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0

Still, I am confused about using one NIC: how can I redirect the packets to port 3128?

NAT is a special system which can change packets on both bridging and routing layers but does not itself make them change layer. So what the above trace shows is that packets arriving are NAT/NAPT changed as they flow through the bridge. But not anything else.

tcpdump gets packets before any of the iptables etc. handling gets done to them. So it's useful to verify that the packets are arriving and/or leaving the NIC as expected, but not much help deciphering what is happening to them in the middle around where Squid sits.
We have to rely on ebtables/iptables LOG functionality for those bits.

I'm sorry I can't be of much more help. Beyond suggesting to try later versions of the software, including the kernel, I've run out of ideas.

Amos
[squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?
I can't make it work :(

What I want is this:

#
acl 100cc maxconn 100
acl 50cc maxconn 50
acl 20cc maxconn 20
acl ip_dst dst ...
acl website dstdom ...
acl ip_src src ...
acl user proxy ...
acl login proxy_auth REQUIRED
#
# This part must be set before any http_access of proxy_auth, so the auth window never pops up for !proxy_auth users
# This part limits maxconn=20 to !proxy_auth users only, no effect on proxy_auth users
http_access deny 20cc !proxy_auth user only
http_access allow ip_dst
http_access allow website
#
# Special IP or login user limit maxconn=100
http_access deny 100cc
http_access allow login ip_src
http_access allow user
# Common login user limit maxconn=50
http_access deny 50cc
http_access allow login
http_access deny all

Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481
Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 5 March 2012 17:51
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
Thank you. But there's still a problem: !proxy_auth users will see an auth dialog window, which is not what I want. I want !proxy_auth users to pass through, without an auth dialog window.

The dialog window is a browser feature. Nothing to do with Squid.

You can use this workaround to prevent Squid asking for credentials:

http_access allow login all

But then you have no way to perform login.

You could change this part:

http_access allow login
http_access deny 50cc

to:

http_access deny 50cc login

so the login popup only appears after 50 connections is reached. Users who can login get the extra connections; users who can't get an annoying popup each time they try to go past 50.

Amos

Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481 Mobile: 13811249966 E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com -邮件原件- 发件人: Amos Jeffries [mailto:squ...@treenet.co.nz] 发送时间: 2012年3 月5日 17:11 收件人: squid-users@squid-cache.org 主题: Re: [squid- users] 答复: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn? On 5/03/2012 8:33 p.m., Jiang Wen Dong wrote: This is not what I want. I want proxy_auth user maxconn=100, others maxconn=50. Yes. That is what the config I wrote does. # if user has connections = 100, deny even if logged in # else if user is logged in, allow (up to 100) # else if connections = 50, deny more than 50 connections (extra lines are for good security, allowing random person on The Internet 50 connections is not good) # else other local clients, allow # else deny Amos -邮件原件- 发件人: Amos Jeffries On 05.03.2012 14:16, Jiang Wen Dong wrote: My English is not good, hope you can understand what I'm saying. I want to set default maxconn=50, and maxconn=100 for proxy_auth user. If I set default maxconn before proxy_auth, then proxy_auth user get maxconn=50, not maxconn=100. If I set default maxconn after proxy_auth, every user get a auth dialog window, which I do not want it show for !proxy_auth user. How to set different maxconn number of proxy_auth user from default maxconn? You are thinking about this backwards. Place the widest everybody limitations first. Then the highest privileged allow permissions. Then repeat as you gradually restrict things. Like this: acl login proxy_auth REQUIRED acl 100cc maxconn 100 acl 50cc maxconn 50 # nobody allowed more than 100 connections http_access deny 100cc # login users the only ones allowed more than 50 http_access allow login http_access deny 50cc # then other LAN clients... http_access allow localnet # everything not permitted yet is not trusted for any access. 
http_access deny all Amos CAUTION: This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, distribution or reproduction of this message is prohibited. If you have received this message in error please notify the sender of this message immediately. ( ©TD Tech Co.,Ltd) 重要提示: 此邮件及附件具保密性质,包含商业秘密、受法律保护不得泄露。如果您意外收 到此邮件,特此提醒您此邮件的机密性,请立即通知我们并 从您的系统中删除 此邮件及附件。如果您不是此邮件应当的收件人,请注意不可对此邮件及其附件 进行利用、复制或向他人透露其内容。 ( ©TD Tech Co.,Ltd) CAUTION: This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the
Re: [squid-users] Roadmap Squid 3.2
On 06.03.2012 15:58, Ed W wrote:
> Is Squid-3.2.0.15 the most stable release to be using for deployment on the bleeding edge, or is 3.2.0.12 still the safest bet?

.15 is IMO back on par with .12 for issues. Both need some nasty issues patching before any production testing. See below about .16.

Frederick has been supplying most of the feedback for .15, so his happiness is a good sign. There are others (self-included) using it without hitting the same bugs, so YMMV, but the bump is over and my reservations about advising general upgrades from the earlier beta are gone.

> In the past you have given some guidance as builds have moved into new functionality vs bug squashing phases?

I give what guidance I can in the "Squid X is available" announcements for all releases (sign up to the squid-announce or squid-users lists to get those). They cover what major changes have taken place, who will benefit most by upgrading to it, and a rough impression of urgency.

> Are you imminently about to release 3.2.0.16?

Very, very imminent.

> Does someone have some big picture comments on rock store - benefits, any known issues?

In overview it is equivalent to COSS with an SMP support upgrade. We expect roughly the same performance benefits out of it, but have no speed comparison available (volunteer project?). http://wiki.squid-cache.org/Features/RockStore has the overview and a list of limitations. Bugzilla has a few bugs.

Amos
Re: [squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?
On 06.03.2012 16:40, Jiang Wen Dong wrote:
> I can't make it work :(

Let's get the point about the popup clear.

Getting the browser *never* to popup is impossible. The browser can decide to popup at any time, based on any kind of auth-related problems it has. If the user decides to clear their password manager's storage, it will popup. If the user is on a machine without good connectivity to the login server, it will popup. There is nothing you can do to prevent it.

In order to use login tests Squid is required to ask the browser for login at least once. If the browser has *no* login or cannot find one available for use it *will* make use of the popup at that point in order to ask the user for one.

*IF* the browser has access to some credentials already *AND* they are of a type your Squid is offering to accept, it will send those and no popup happens. This is where the ACL workaround in Squid takes effect, preventing Squid from asking a second time. Normally the browser only has one set of credentials and a second question will encourage its decision to use the popup. That is why and how Squid can have a hack for avoiding popups.

Understand?

Second point. VERY important. In HTTP, logins are not per-user. They are per *request*. The first request on a new connection usually does not have any credentials, even if the user is sending credentials on many other connections already. Also, the modern browsers usually have an optimization that, after they successfully send some credentials, re-uses them for later requests. This is a *maybe*: we can usually rely on it for pipelined requests on one connection, but not always, and we cannot rely on credentials being sent already on a brand new connection.

This will cause you problems with your 20cc rules section...

> What I want is this:
>
>     #
>     acl 100cc maxconn 100
>     acl 50cc maxconn 50
>     acl 20cc maxconn 20
>     acl ip_dst dst ...
>     acl website dstdom ...
>     acl ip_src src ...
>     acl user proxy ...
>     acl login proxy_auth REQUIRED

Also, every proxy_auth ACL you have can trigger Squid to ask for credentials.
 - login ACL
 - user ACL ?

>     #
>     # This part must be set before any http_access of proxy_auth, so the auth window never pops up for a !proxy_auth user
>     # This part limits maxconn=20 to !proxy_auth users only, no effect on proxy_auth users
>     http_access deny 20cc !proxy_auth user only
>     http_access allow ip_dst
>     http_access allow website

You did not mention the 20cc limit earlier. Since 20cc is smaller than 100cc and 50cc it *will* be matching when they are supposed to be permitting access. In order to use it before them and the auth section you will have to make these allow lines. A few tricks with '!' and test order can allow your website and ip_dst permissions to be the deciding factor whether 20cc matters.

Like so:

    # allow if less than 20 connections AND going to website
    http_access allow !20cc website
    # allow if less than 20 connections AND going to ip_dst
    http_access allow !20cc ip_dst

>     #
>     # Special IP or login user limit maxconn=100
>     http_access deny 100cc
>     http_access allow login ip_src
>     http_access allow user
>     # Common login user limit maxconn=50
>     http_access deny 50cc
>     http_access allow login
>     http_access deny all

Amos
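As an added example, not code from Squid or from anyone in the thread, here is a small Python model of the first-match http_access evaluation that the two configurations above depend on (Jiang's "deny 20cc first" list and Amos's "allow !20cc website" rewrite). It fills the elided ACL values with made-up ones (destination IP 192.0.2.10, client IP 10.0.0.5, domain .example.com, username alice) and reads the thread's "acl user proxy ..." as a per-user proxy_auth ACL; both are assumptions. The model encodes three rules the thread relies on: terms on one line are ANDed left to right and the line stops at the first term that fails; maxconn is counted per client IP and matches when the client already has more than N connections; and a proxy_auth term that sees no credentials produces a 407 challenge only when it is the last term on its line (the basis of the "allow login all" workaround). Real Squid has more states than this; it is a model of the ordering argument only.

```python
"""Toy model of Squid's first-match http_access evaluation.

Added example, not code from Squid or from anyone in the thread. Models only:
terms on a line are ANDed left to right and stop at the first failing term; the
first matching line decides; maxconn matches when the client IP has MORE than N
connections open; a proxy_auth term with no credentials makes Squid challenge
(407) only when it is the last term on its line. Real Squid has more states.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

NEED_AUTH = "NEED_AUTH"               # proxy_auth ACL found no credentials
Acl = Callable[["Request"], Union[bool, str]]
Rule = Tuple[str, List[str]]          # ("ALLOW" | "DENY", ["acl", "!acl", ...])


@dataclass
class Request:
    src: str                          # client IP (maxconn is counted per client IP)
    dst: str                          # destination IP
    dstdomain: str
    conns: int                        # connections already open from this client IP
    user: Optional[str] = None        # name from Proxy-Authorization, None if absent


def maxconn(n: int) -> Acl:
    return lambda r: r.conns > n

def src(*ips: str) -> Acl:
    return lambda r: r.src in ips

def dst(*ips: str) -> Acl:
    return lambda r: r.dst in ips

def dstdomain(*doms: str) -> Acl:
    return lambda r: any(r.dstdomain == d.lstrip(".") or r.dstdomain.endswith(d) for d in doms)

def proxy_auth(*users: str) -> Acl:
    """No names = REQUIRED (any logged-in user); names = only those users."""
    def check(r: Request):
        if r.user is None:
            return NEED_AUTH
        return True if not users else r.user in users
    return check


def http_access(acls: Dict[str, Acl], rules: List[Rule], req: Request) -> str:
    """Return 'ALLOW', 'DENY' or 'CHALLENGE' for req under a first-match rule list."""
    for action, terms in rules:
        line_holds = True
        for i, term in enumerate(terms):
            negate = term.startswith("!")
            res = acls[term.lstrip("!")](req)
            if res == NEED_AUTH:
                if i == len(terms) - 1:
                    return "CHALLENGE"    # auth ACL is last on the line: Squid sends 407
                line_holds = False        # a term follows it: the line is just a non-match
                break
            if res == negate:             # the term holds only when res XOR negate is true
                line_holds = False
                break
        if line_holds:
            return action
    return "DENY" if rules[-1][0] == "ALLOW" else "ALLOW"   # default: opposite of last line


# ACL names from the thread; the addresses, domain and username are made up here.
ACLS: Dict[str, Acl] = {
    "all": lambda r: True,
    "100cc": maxconn(100),
    "50cc": maxconn(50),
    "20cc": maxconn(20),
    "ip_dst": dst("192.0.2.10"),
    "website": dstdomain(".example.com"),
    "ip_src": src("10.0.0.5"),
    "user": proxy_auth("alice"),      # assumed reading of "acl user proxy ...": a per-user proxy_auth
    "login": proxy_auth(),            # acl login proxy_auth REQUIRED
}

# Jiang's ordering, with his garbled first line read as a plain "deny 20cc".
JIANG: List[Rule] = [
    ("DENY", ["20cc"]), ("ALLOW", ["ip_dst"]), ("ALLOW", ["website"]),
    ("DENY", ["100cc"]), ("ALLOW", ["login", "ip_src"]), ("ALLOW", ["user"]),
    ("DENY", ["50cc"]), ("ALLOW", ["login"]), ("DENY", ["all"]),
]

# Amos's ordering: website/ip_dst decide whether 20cc matters, the auth lines come after.
AMOS: List[Rule] = [
    ("ALLOW", ["!20cc", "website"]), ("ALLOW", ["!20cc", "ip_dst"]),
    ("DENY", ["100cc"]), ("ALLOW", ["login", "ip_src"]), ("ALLOW", ["user"]),
    ("DENY", ["50cc"]), ("ALLOW", ["login"]), ("DENY", ["all"]),
]


def compare(req: Request) -> Tuple[str, str]:
    """Decision under Jiang's list and under Amos's list, in that order."""
    return http_access(ACLS, JIANG, req), http_access(ACLS, AMOS, req)


if __name__ == "__main__":
    # bob is logged in with 30 connections and should get up to 50, but Jiang's
    # "deny 20cc" sits in front of every auth line and matches first.
    print(compare(Request("10.0.0.99", "198.51.100.1", "other.example.org", 30, "bob")))
    # anonymous, 30 connections, whitelisted site: Amos's list reaches "allow user",
    # a lone proxy_auth term, so the answer is a 407 challenge (a browser popup).
    print(compare(Request("10.0.0.99", "198.51.100.1", "www.example.com", 30)))
```

Running it shows the two effects Amos describes: under Jiang's list a logged-in user with 30 connections is denied by "deny 20cc" before any auth line is reached, while under Amos's list the same user is allowed; and under Amos's list an anonymous client past 20 connections falls through to "allow user", a proxy_auth term standing alone on its line, so the popup that line triggers is the point to watch when tuning the order.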