Re: [squid-users] Does delay feature affect cached content

2012-09-11 Thread Emmanuel Lacour
On Mon, 10 Sep 2012 16:00:17 -0700, Amos Jeffries wrote:
> The old/original delay_* only affects upstream server traffic. Not HIT
> data responses, but may slow down the revalidation process for HITs.
> 
> The newer client_delay_* affects client traffic.

ok, thanks. (I'm still using the older)


[squid-users] Does delay feature affect cached content

2012-09-10 Thread Emmanuel Lacour
Dear squid users,

does anyone know if the use of this feature affects all content served by
squid to clients or only the content downloaded by squid?

If it affects the cached content, is there an acl type that matches cached
content so I can exclude it from delay_access?




Re: [squid-users] Re: Re: Re: Kerberos auth and users in another AD domain

2011-12-13 Thread Emmanuel Lacour

On 13/12/2011 00:15, Markus Moeller wrote:

Hi Emmanuel,

I did not do any performance testing, so I don't know.



ok, I'll keep you informed when I put this on production servers ;)



Re: [squid-users] Re: Re: Kerberos auth and users in another AD domain

2011-12-12 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 10:04:56PM -, Markus Moeller wrote:
> BTW you can also compile 3.2 and just copy the binary. It works as
> standalone helper.
> 

I just tried and it seems to work fine and from a small test it seems to
fix my main problem :)

Do you know if there can be any performance impact (because of the little
overhead introduced by this wrapper) for the squid boxes?



Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote:
> Did you try my negotiate wrapper ?  It is part of squid 3.2, but
> right now only works with 3.1 ( I have an open bug for 3.2)
> 

Can you give me hints on how to build it for 3.1 ?



Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote:
> Did you try my negotiate wrapper ?  It is part of squid 3.2, but
> right now only works with 3.1 ( I have an open bug for 3.2)
> 

looks interesting, I'm going to grab it from the latest 3.2 sources and
compile it for 3.1. I'll let you know if it fixes one/all of my
authentication problems ;)


Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote:
> 
> 
> As negotiate is proposed and IE supports it, it always tries to
> authenticate with negotiate and so it fails every time.
> 

this is by design since XP SP2:

http://support.microsoft.com/kb/891559

I did not find any workaround.

here is a setup that I tested, which allows every kind of auth, except from
an IE client not in the AD domain:

auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 5
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 5
auth_param ntlm keep_alive off

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=test,dc=local" -D "cn=Administrator,cn=Users,dc=test,dc=local" -w "x" -f sAMAccountName=%s -h win-hlbivo4bbdl.test.local -d
auth_param basic casesensitive off
auth_param basic children 5
auth_param basic realm Proxy TEST



NB: setting a default domain for ntlm allows users to just use the login,
without domain\ before
NB: keep_alive off, as written in the docs, helps at least FF to not
prompt multiple times for auth



Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-08 Thread Emmanuel Lacour

(sorry for the thread break, I lost the original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests to connect to a kerberos enabled squid from a windows
client not within the AD domain:

squid auth setup is: 
negotiate squid_kerb_auth
ntlm
basic (ldap)


As negotiate is proposed and IE supports it, it always tries to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic first, but IE always tries
negotiate (while Firefox just uses the first one).

With the negotiate,ntlm,basic order, firefox seems to try different
methods, because after three tries of logging in, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  not knowing negotiate support, but ntlm and with basic fallback for
  client without negotiate/ntlm support)
- and a second one with only basic auth


[squid-users] Kerberos auth and users in another AD domain

2011-11-22 Thread Emmanuel Lacour

I enabled kerberos auth on an AD domain with a fallback to ldap basic
auth.

It seems that if someone uses the proxy from another LAN in another AD
domain over which I have no control, the basic auth is not used.

Is this understandable? Any way to work around this?



Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-20 Thread Emmanuel Lacour
On Thu, Oct 20, 2011 at 09:13:30PM +1300, Amos Jeffries wrote:
> I'm not entirely certain about the store background. I believe it
> fetched from remote.
> 

I hope ;)



Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-20 Thread Emmanuel Lacour
On Thu, Oct 20, 2011 at 11:06:42AM +1300, Amos Jeffries wrote:
> The Squid in-memory index indicates a file exists, but the disk does
> not have it.
> 

and in this case, what happens for the end user, does squid fetch the file
again from remote or issue an error?



Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-19 Thread Emmanuel Lacour
On Wed, Oct 19, 2011 at 10:52:19AM -0500, Luis Daniel Lucio Quiroz wrote:
> >
> That means you change L1 and L2 ,   run squid -z
> 

but I did not, I only changed ufs to aufs, for sure!

before:
cache_dir ufs /var/spool/squid 307200 736 256

after:
cache_dir aufs /var/spool/squid 307200 736 256




Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-19 Thread Emmanuel Lacour
On Tue, Oct 18, 2011 at 11:38:28AM -0500, Luis Daniel Lucio Quiroz wrote:
> 2011/10/18 Emmanuel Lacour :
> >
> > If I do not change the size/L1/L2, can I just change ufs to aufs in
> > squid.conf and only do a squid reload, or do I need to restart squid?
> >
> >
> 
> restart it
> 

I did it, it works, but now, I have some messages like this (not many,
but some):

2011/10/19 16:19:58| DiskThreadsDiskFile::openDone: (2) No such file or directory
2011/10/19 16:19:58|/var/spool/squid/81/DB/0081DB55


I think that I'm going to squid -z the spools again (I plan to reduce their
size anyway), but I'm curious and would be happy to understand why
those messages happen ;)



[squid-users] Change cache_dir from ufs to aufs

2011-10-18 Thread Emmanuel Lacour

If I do not change the size/L1/L2, can I just change ufs to aufs in
squid.conf and only do a squid reload, or do I need to restart squid?



Re: [squid-users] Number of helpers

2011-10-18 Thread Emmanuel Lacour

Thanks both for your explanation, I did not see the auth stats in
cachemgr !

Looks like I ran too many, I have two squids with 1k simultaneous
connections on each, I set up 250 ntlm negotiate + 250 ntlm basic, it's
far too much according to stats. 80 negotiate and 10 basic are
sufficient :) I'm going to change this (and add kerberos).


[squid-users] Number of helpers

2011-10-17 Thread Emmanuel Lacour

Dear squid users,

- how do you know how many authentication helpers you need (I suppose
  that I need less than the maximum number of simultaneous proxy
  connections)?
- what happens if there are not enough (authentication failed, slowness,
  ...)?

thanks for any hint on this :)



Re: [squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour

For the "case" problem, I RTFM ...:

acl administrator proxy_auth -i administrator@test.local


For the realm, I can use proxy_auth_regex, but it would be much
easier if there were a way to really strip the realm part.

acl administrator proxy_auth_regex -i ^(administrator|foo)(@.*)?$

to allow either "administrator" or "foo", using basic auth or kerberos
auth.
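As an added example (not from the thread above), the snippet below emulates how Squid evaluates the two ACL forms discussed in this message on the usernames the helpers hand back, and why the anchors in the posted regex matter. It assumes proxy_auth does an exact string compare on the helper-returned login (case-folded with -i) and proxy_auth_regex uses unanchored search semantics like regexec; the sample logins are constructed.

```python
import re

# Constructed sample logins as the two helpers would return them to Squid:
# negotiate_kerb_auth yields the full principal, squid_ldap_auth the bare login.
SAMPLE_LOGINS = [
    "Administrator@TEST.LOCAL",  # Kerberos
    "administrator",             # basic / LDAP fallback
    "foo@OTHER.REALM",           # Kerberos, different realm
    "administrator2",            # unrelated account, must never match
]

# ACLs taken from the message above.
EXACT_ACL = ["Administrator@TEST.LOCAL", "administrator"]
EXACT_ACL_I = ["administrator@test.local"]
REGEX_ANCHORED = r"^(administrator|foo)(@.*)?$"
REGEX_UNANCHORED = r"(administrator|foo)"   # what you get if the anchors are dropped


def proxy_auth(acl_users, login, ignore_case=False):
    """Emulate 'acl X proxy_auth [-i] user ...': exact match on the login string."""
    if ignore_case:
        return login.lower() in {u.lower() for u in acl_users}
    return login in set(acl_users)


def proxy_auth_regex(pattern, login, ignore_case=False):
    """Emulate 'acl X proxy_auth_regex [-i] pattern': match anywhere in the login."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, login, flags) is not None


def strip_realm(login):
    """Reduce a Kerberos principal to its bare login (user@REALM -> user)."""
    user, _sep, _realm = login.partition("@")
    return user


def evaluate(login):
    """Return how each ACL variant decides for one login."""
    return {
        "exact": proxy_auth(EXACT_ACL, login),
        "exact_i": proxy_auth(EXACT_ACL_I, login, ignore_case=True),
        "regex_anchored": proxy_auth_regex(REGEX_ANCHORED, login, ignore_case=True),
        "regex_unanchored": proxy_auth_regex(REGEX_UNANCHORED, login, ignore_case=True),
        "bare_login": strip_realm(login),
    }


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(login, evaluate(login))
```

The unanchored variant also admits "administrator2", which is why the posted ACL keeps the ^ and $ around the alternation.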



[squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour

Hi squid users,

it seems that when doing krb auth, proxy_auth acls are case
sensitive and must contain the realm (like what is logged in the squid
access log).

is there a way to change this, because when using squid_ldap_auth as
fallback, I have to put names twice such as:

acl administrator proxy_auth Administrator@TEST.LOCAL administrator

"Administrator@TEST.LOCAL" works with kerberos
"administrator" works for ldap, but not for kerberos

any help will be appreciated :)



Re: [squid-users] Re: Kerberos setup with RR DNS

2011-09-09 Thread Emmanuel Lacour
On Fri, Sep 09, 2011 at 03:42:21PM +0100, Markus Moeller wrote:
> You need to create one AD entry for proxy.domain.tld and copy the
> same keytab to both squid servers and use the -s GSS_C_NO_NAME
> option for squid_kerb_auth or negotiate_kerberos_auth.
> 

at first glance, it seems to work like a charm, many thanks :)



[squid-users] Kerberos setup with RR DNS

2011-09-09 Thread Emmanuel Lacour
Hi,

I have two squids using NTLM auth against AD. Those squids are used by
clients through a single A DNS entry (proxy.domain.tld) (so round robin).

I want to switch to kerberos, but I don't know what to create with
msktutil:

- two machines with same proxy.domain.tld UPN ?
- one machine  used by both squids ?
- it's just impossible to do ?

any hints?