[squid-users] Kerberos setup with RR DNS

2011-09-09 Thread Emmanuel Lacour
Hi, I have two squids using NTLM auth against AD. Those squids are used by clients through a single A DNS entry (proxy.domain.tld) (so round robin). I want to switch to kerberos, but I don't know what to create with msktutil: - two machines with same proxy.domain.tld UPN ? - one machine used by

Re: [squid-users] Re: Kerberos setup with RR DNS

2011-09-09 Thread Emmanuel Lacour
On Fri, Sep 09, 2011 at 03:42:21PM +0100, Markus Moeller wrote: You need to create one AD entry for proxy.domain.tld and copy the same keytab to both squid servers and use the -s GSS_C_NO_NAME option for squid_kerb_auth or negotiate_kerberos_auth. at first glance, it seems to work like a

[squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour
Hi squid users, it seems that when doing krb auth, proxy_auth acls are case sensitive and must contain the realm (like what is logged in squid access log). Is there a way to change this, because when using squid_ldap_auth as fallback, I have to put names twice such as: acl administrator

Re: [squid-users] Krb auth and case/realm

2011-09-30 Thread Emmanuel Lacour
For the case problem, I RTFM ...: acl administrator proxy_auth -i administrator@test.local For the realm, I can use the proxy_auth_regex, but it would be really easier if there is a way to really strip the realm part. acl administrator proxy_auth_regex -i ^(administrator|foo)(@.*)?$ to allow

[squid-users] Number of helpers

2011-10-17 Thread Emmanuel Lacour
Dear squid users, - how do you know how many authentication helpers you need (I suppose that I need less than the maximum number of simultaneous proxy connections)? - what happens if there are not enough (authentication failed, slowness, ...)? thanks for any hint on this :)

Re: [squid-users] Number of helpers

2011-10-18 Thread Emmanuel Lacour
Thanks both for your explanation, I did not see the auth stats in cachemgr! Looks like I ran too many, I have two squids with 1k simultaneous connections on each, I set up 250 ntlm negotiate + 250 ntlm basic, it's far too much according to stats. 80 negotiate and 10 basic are sufficient :) I'm

[squid-users] Change cache_dir from ufs to aufs

2011-10-18 Thread Emmanuel Lacour
If I do not change the size/L1/L2, can I just change ufs to aufs in squid.conf and only do a squid reload, or do I need to restart squid?

Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-19 Thread Emmanuel Lacour
On Tue, Oct 18, 2011 at 11:38:28AM -0500, Luis Daniel Lucio Quiroz wrote: 2011/10/18 Emmanuel Lacour elac...@easter-eggs.com: If I do not change the size/L1/L2, can I just change ufs to aufs in squid.conf and only do a squid reload, or do I need to restart squid? restart it I did

Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-19 Thread Emmanuel Lacour
On Wed, Oct 19, 2011 at 10:52:19AM -0500, Luis Daniel Lucio Quiroz wrote: That means you change L1 and L2, run squid -z but I did not, I only changed ufs to aufs, for sure! before: cache_dir ufs /var/spool/squid 307200 736 256 after: cache_dir aufs /var/spool/squid 307200 736 256

Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-20 Thread Emmanuel Lacour
On Thu, Oct 20, 2011 at 11:06:42AM +1300, Amos Jeffries wrote: The Squid in-memory index indicates a file exists, but the disk does not have it. and in this case, what happens for the end user, does squid fetch the file again from remote or issue an error?

Re: [squid-users] Change cache_dir from ufs to aufs

2011-10-20 Thread Emmanuel Lacour
On Thu, Oct 20, 2011 at 09:13:30PM +1300, Amos Jeffries wrote: I'm not entirely certain about the store background. I believe it fetched from remote. I hope ;)

[squid-users] Kerberos auth and users in another AD domain

2011-11-22 Thread Emmanuel Lacour
I enabled kerberos auth on an AD domain with a fallback to ldap basic auth. It seems that if someone uses the proxy from another lan in another AD domain on which I have no control, the basic auth is not used. Is this understandable? Any way to work around this?

Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-08 Thread Emmanuel Lacour
(sorry for the thread break, I lost the original messages and cannot find the Message-ID) Amos, thanks for your hints. I did some tests to connect to a kerberos enabled squid from a windows client not within the AD domain: squid auth setup is: negotiate squid_kerb_auth ntlm basic (ldap) As

Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote: As negotiate is proposed and IE supports it, it always tries to authenticate with negotiate and so it fails every time. this is by design since XP SP2: http://support.microsoft.com/kb/891559 I did not find any workaround

Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote: Did you try my negotiate wrapper ? It is part of squid 3.2, but right now only works with 3.1 ( I have an open bug for 3.2) looks interesting, I'm going to grab it from last 3.2 sources and compile it for 3.1. I'll let you know

Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote: Did you try my negotiate wrapper ? It is part of squid 3.2, but right now only works with 3.1 ( I have an open bug for 3.2) Can you give me hints on how to build it for 3.1 ?

Re: [squid-users] Re: Re: Kerberos auth and users in another AD domain

2011-12-12 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 10:04:56PM -, Markus Moeller wrote: BTW you can also compile 3.2 and just copy the binary. It works as standalone helper. I just tried and it seems to work fine and from a small test seems to fix my main problem :) Do you know if there can be any performance

Re: [squid-users] Re: Re: Re: Kerberos auth and users in another AD domain

2011-12-13 Thread Emmanuel Lacour
On 13/12/2011 00:15, Markus Moeller wrote: Hi Emmanuel, I did not do any performance testing, so I don't know. ok, I'll keep you informed when I put this on production servers ;)

[squid-users] Does delay feature affect cached content

2012-09-10 Thread Emmanuel Lacour
Dear squid users, does anyone know if the use of this feature affects all content served by squid to clients or only the content downloaded by squid? If it affects the cached content, is there an acl type that matches cached content so I can exclude it for delay_access?

Re: [squid-users] Does delay feature affect cached content

2012-09-11 Thread Emmanuel Lacour
On Mon, 10 Sep 2012 16:00:17 -0700, Amos Jeffries wrote: The old/original delay_* only affects upstream server traffic. Not HIT data responses, but may slow down the revalidation process for HITs. The newer client_delay_* affects client traffic. ok, thanks. (I'm still using the older)