Re: [squid-users] HTTP 407 responses

2012-02-15 Thread Luis Enrique Sanchez Arce

With firefox you need to set the following variable to avoid the password 3 
times.

In the navigation bar put about:config and change the value

network.auth.force-generic-ntlm = true

Luis,

On 15/02/12 15:33, Mr J Potter wrote:
 Hi Amos,

 Thanks for your help on this...

 I've had to change tack on this in light of what you have said and
 have now got NTLM authentication working.

 - any form of http authentication is going to kick up a login box -
 there is no way round this, right?

 With NTLM, I am now getting the NTLM login 3 times before it lets me
 in (apparently this is normal)


 Can you recommend the best/least bad approach to go for here? I'm
 setting up a guest wireless system, and I just want a way to get (non
 domain) devices to get a chance to login to get an internet
 connection, but all the ways I've found have major flaws.


 - LDAP basic authentication works fine but is insecure
 - LDAP digest requires a new type of password hash to be set up in my
 directory services
 - NTLM requires 3 login attempts

 Or do I move away from http authentication entirely?

 thanks in advance,

 Jim
 UK


Jim,

If you are getting login prompts like this (especially 3 times) it's 
likely your NTLM auth is not working.

In normal use with NTLM on domain member hosts, you should never see 
them, not even when opening the browser for the first time. The browser 
should pass through authentication from the logged on Windows session.

I would check the permissions on the winbindd_privileged folder (usually 
in /var/run/samba or /var/cache/samba) and make sure your squid user can 
write to it. Some distros actually change the permissions on that folder 
after winbind has started in the init script.

You might also want to check winbind is working by issuing wbinfo -u 
and wbinfo -g  - you should get a list of domain users and groups.

Alex


End the injustice, FREEDOM NOW FOR OUR FIVE COMPATRIOTS WHO ARE 
UNJUSTLY HELD IN US PRISONS!
http://www.antiterroristas.cu
http://justiciaparaloscinco.wordpress.com



Re: [squid-users] %login in ACL without autentication configured

2011-11-24 Thread Luis Enrique Sanchez Arce

Hi Amos and thanks for your response,

I have a database of users that can be both IP users (192.168.1.0/24) and 
standard users (juan manuel, owners, etc).
Besides, I have for those users a set of rules that regulate their navigation.

The following configuration for redir_program works ok for me.

---
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

redirect_program redirector.pl
redirect_rewrites_host_header on
redirect_children 70

acl Restrictivo src 10.0.0.0/8

http_access allow bypass_auth
http_access allow Restrictivo pass
-

The program notauth takes the parameter %SRC internally and verifies whether the user IP 
exists in the system. If so, it
returns OK and ignores authentication. In that case the redirect_program 
receives the authenticated user - and internally
takes the IP as the user.

What I want to do is the same but with an external acl. The following 
configuration doesn't work for me.

-
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %LOGIN %METHOD redirector.pl
acl redir external redirprogram

http_access allow bypass_auth redir
http_access allow pass redir
http_access allow redir

# And finally deny all other access to this proxy
http_access deny all
deny_info ERR_FILTER_DENIED redir all
-

I made the acl notauth return OK user=IP; the idea is that the acl redir 
assumes %LOGIN is the IP. It doesn't work for me.

The operation is required to be done with an external acl in order to write to the log with 
the label %ea.
The redirect_program does not support sending something to the log.

I hope you understand what I want to do. Is there a way to do it?

Sorry for the inconvenience and for my English.


- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Tuesday, November 22, 2011 2:56:39 PM
Subject: Re: [squid-users] %login in ACL without autentication configured

On 23/11/2011 3:04 a.m., Luis Enrique Sanchez Arce wrote:
 I am trying to configure an external acl without authentication configured

 external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %LOGIN %METHOD redir

 If I use the acl redir_program and authentication is not configured, the 
 user logged is -

 How can I do that with an external acl? I need to use an external acl to modify the 
 log entry with the %ea variable.

 Best regards,
Luis


%LOGIN is for passing the authentication helper credentials to the
external ACL helper. Doing a full login if needed.

For external ACL to produce credentials it needs to do whatever to
locate them in the background and pass the username back to Squid like so:

 OK user=username
or
 ERR user=username

Amos



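The helper reply format discussed in this thread (`OK user=...` with an optional `log=` value for `%ea`), as an added example that is not code from any of the posters or from the Squid project. The `KNOWN_NETWORKS` list and the `--concurrent` switch are assumptions made for illustration; the helper expects `%SRC` as its only format token.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: maps a known client IP to a username."""
import ipaddress
import sys
import uuid

# Constructed sample data: networks whose clients may skip the login prompt.
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def handle_line(line, concurrent=False):
    """Return the reply for one request line containing %SRC.

    With concurrency=N (N > 0) in external_acl_type, Squid prefixes each
    request with a channel ID that must be echoed at the start of the reply.
    """
    fields = line.split()
    prefix = ""
    if concurrent:
        if not fields or not fields[0].isdigit():
            return "ERR"  # malformed request: no channel ID to echo
        prefix = fields.pop(0) + " "
    if len(fields) != 1:
        return prefix + "ERR"
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        # Never echo unparsed input back into user= or log=.
        return prefix + "ERR"
    if any(src in net for net in KNOWN_NETWORKS):
        # user= sets the request's username; log= is what %ea records.
        return f"{prefix}OK user={src} log={uuid.uuid4()}"
    return prefix + "ERR"


def main():
    concurrent = "--concurrent" in sys.argv[1:]  # hypothetical switch
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; do not buffer


if __name__ == "__main__":
    main()
```
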


[squid-users] %login in ACL without autentication configured

2011-11-22 Thread Luis Enrique Sanchez Arce

I am trying to configure an external acl without authentication configured

external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %LOGIN %METHOD redir

If I use the acl redir_program and authentication is not configured, the user 
logged is - 

How can I do that with an external acl? I need to use an external acl to modify the 
log entry with the %ea variable.

Best regards,
  Luis





[squid-users] Autenticate user not apear in access.log

2011-04-01 Thread Luis Enrique Sanchez Arce

I have squid 3.1.6 and use basic authentication.

For many requests the authenticated user does not appear in access.log.

I am using the default log format.



[squid-users] https and external acl

2011-02-07 Thread Luis Enrique Sanchez Arce

I have configured an external acl in squid. If the external acl returns ERR and the 
request is HTTPS, the proxy returns connection refused. What is the possible 
problem?

If the request is HTTP, squid shows a page with access denied. 



[squid-users] external_acl problem with cache

2011-01-24 Thread Luis Enrique Sanchez Arce

I have an external acl to run some logic. The acl modifies the squid log with 
the parameter %ea

The acl returns something like this:

ERR message= log=uuid

or

OK message= log=uuid

uuid is a unique key generated by the acl. When I check the access.log file, 
repeated uuids appear.

I think it is that squid caches the response. I put ttl=0 and negative_ttl=0 
and the error persists.

Thanks in advance



[squid-users] Squid 3.0 icap HIT

2010-11-06 Thread Luis Enrique Sanchez Arce

When squid resolves the resource from cache, it does not send the answer to ICAP.
How can I change this behavior?

I use squid 3.0 STABLE8 and GreasySpoon (an implementation of the ICAP protocol)


[squid-users] squid syslog-ng, problem rotate

2010-10-02 Thread Luis Enrique Sanchez Arce

I have configured Squid to send the log to syslog.

I use the following configuration:

access_log syslog squid

When squid rotates the log, it stops sending the log messages to syslog-ng.

In syslog-ng I have the following configuration:
A program that reads from standard input the line that squid sends.

--
source s_squid {
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
};

filter f_squid { program("squid") and match("TCP_|UDP_|ERR_"); };

destination d_squid_prog {
program("/usr/local/quota" template("$MSGONLY\n") log_fifo_size(5));
};

log {
source(s_squid);
filter(f_squid);
destination(d_squid_prog);
};



Is there another way to read the squid access_log from standard input?

Sorry for my English.


[squid-users] squid syslog-ng, problem rotate

2010-10-02 Thread Luis Enrique Sanchez Arce

I have configured Squid to send the log to syslog.

I use the following configuration:

access_log syslog squid

When squid rotates the log, it stops sending the log messages to syslog-ng
and starts sending messages to the /var/log/message file

In syslog-ng I have the following configuration:
A program that reads from standard input the line that squid sends.

--

source s_squid {
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
};

filter f_squid { program("squid") and match("TCP_|UDP_|ERR_"); };

destination d_squid_prog {
program("/usr/local/quota" template("$MSGONLY\n") log_fifo_size(5));
};

log {
source(s_squid);
filter(f_squid);
destination(d_squid_prog);
};



Is there another way to read the squid access_log from standard input?

Sorry for my English.