[squid-users] NTLM and persistent connections reverse proxy 3.1.20

2012-06-11 Thread James Harper
I'm having some problems with reverse proxy and NTLM authentication. Specifically, the connection to the client is not persisted which I believe invalidates the NTLM authentication protocol. I've added a source port number to the logs which shows that it is indeed creating a new connection for

[squid-users] RE: NTLM and persistent connections reverse proxy 3.1.20

2012-06-11 Thread James Harper
I'm having some problems with reverse proxy and NTLM authentication. Specifically, the connection to the client is not persisted which I believe invalidates the NTLM authentication protocol. I've added a source port number to the logs which shows that it is indeed creating a new connection

[squid-users] RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

2012-06-12 Thread James Harper
I'm having some problems with reverse proxy and NTLM authentication. Specifically, the connection to the client is not persisted which I believe invalidates the NTLM authentication protocol. I've added a source port number to the logs which shows that it is indeed creating a new

RE: [squid-users] RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

2012-06-12 Thread James Harper
I've done a bit more testing on this, and it seems that the server returns HTTP/1.1 401 Unauthorized but squid turns this into HTTP/1.0 401 Unauthorized before passing it onto the client. Does that help? It seems that this is the cause of the problem... The patch following this email

RE: [squid-users] RE: NTLM and persistent connections reverse proxy 3.1.20 - SOLVED + PATCH

2012-06-12 Thread James Harper
) */ } /* do header conversions */ buildReplyHeader(); } --- Sorry for my newbyness ;) ! Have a good day, regards, Clem -Original Message- From: James Harper [mailto:james.har...@bendigoit.com.au] Sent: Tuesday 12 June 2012 08:08 To

RE: [squid-users] Transparent Proxy / Authentication / Landing Page

2012-06-25 Thread James Harper
Dear all, I need to implement a Proxy Solution that works as following: 1. Proxy should be implementable without any changes on the net, it should just replace the router 2. Proxy should log any traffic in a logfile with username, ip and connected site, should work for http, ftp,

RE: [squid-users] Going into hit-only-mode for 5 minutes... and wrong urls

2012-08-01 Thread James Harper
On 1/08/2012 6:01 p.m., Dmitry Melekhov wrote: Hello! I switched to 3.HEAD-20120627-r12185 from 2.6 two days ago and now I see in log something like: 2012/08/01 08:25:48 kid1| Failed to select source for 'http://izavia.su/favicon.ico' 2012/08/01 08:25:48 kid1| always_direct

RE: [squid-users] Modified squid optimized for SSD/HDD mixed setup (based on squid-2.7.STABLE9)

2012-08-26 Thread James Harper
Squid-ssd addresses those challenges well: 1.User reads from SSD; back-to-origin fetches written to SSD 2.Objects evicted from SSD to HDD, and from HDD to nothing 3.Objects promoted to SSD from HDD to avoid back-to-origin fetches Can you comment on how a squid-specific solution compares

RE: [squid-users] File corruption with reverse proxy

2012-08-28 Thread James Harper
I'm pretty sure it's not a server hardware problem (It's EEC). It's only affecting a very small proportion of users and there's a clear split between those who see the problem most/all of the time and those that never do. RAM errors aren't that selective. RAM errors also tend to make a

[squid-users] auth for system services

2013-02-15 Thread James Harper
On a Windows desktop there are often a bunch of system services that make http connections, either running as a system account or running as a user but that don't know how to authenticate. The list of these exceptions is tedious to maintain so it would be good to be able to authorise the users

RE: [squid-users] auth for system services

2013-02-15 Thread James Harper
On 16/02/2013 3:23 p.m., James Harper wrote: On a Windows desktop there are often a bunch of system services that make http connections, either running as a system account or running as a user but that don't know how to authenticate. The list of these exceptions is tedious to maintain so

[squid-users] transproxy message for https

2013-02-27 Thread James Harper
Is there a mechanism by which I can intercept port 443 and alert the user that a proxy is required, eg if they try to go to https://www.apple.com then they get redirected to a website with instructions on how to configure their device (iphones in this case) to the proxy. https is supposed to

RE: [squid-users] Squid as proxy with interception

2013-03-11 Thread James Harper
Hello, After many years with squid as a proxy-cache combined with the proxy.pac or WPAD client configurations, we are considering to use squid as a proxy with interception (WCCP2) on our whole university site. The reason essentially lies on complaints from users with their browsers

[squid-users] authenticate access to reverse proxy

2013-03-18 Thread James Harper
Say I have a squid reverse proxy with https enabled on it at https://apps.example.com. This serves a number of apps including: /owa - outlook web access /rpc - ms terminal server gateway /intranet /bugtracker /svn - svn anon browser access /procedures These are spread across a bunch of

RE: [squid-users] authenticate access to reverse proxy

2013-03-18 Thread James Harper
-Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Tuesday, 19 March 2013 10:35 AM To: squid-users@squid-cache.org Subject: Re: [squid-users] authenticate access to reverse proxy On 19/03/2013 12:57 a.m., James Harper wrote: Say I have a squid reverse

RE: [squid-users] Transparent Proxy Authentication.

2013-04-27 Thread James Harper
On 27/04/2013 8:52 p.m., Amir Mottaghian wrote: Dear All Could you please guide me in order to configure authentication for transparent proxy in squid? Please see the FAQ: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication

[squid-users] low ttl in external_acl_type

2013-05-23 Thread James Harper
I was testing an external_acl_type and set ttl=3 so my script would be called often enough to see what was happening. This seemed to result in the acl logging as denied fairly regularly, even though it definitely returns OK. Putting ttl up to 30 seconds seems to make all the problems go away.

[squid-users] transparent https interception without mitm

2014-07-11 Thread James Harper
Is it possible for squid to intercept and apply acl's to https without actually decrypting and generating certificates etc? The conversation would go something like: . Client makes connection to IP 1.2.3.4 . Squid intercepts the connection (but doesn't respond yet) . Squid connects to 1.2.3.4

[squid-users] RE: transparent https interception without mitm

2014-07-11 Thread James Harper
Is it possible for squid to intercept and apply acl's to https without actually decrypting and generating certificates etc? The conversation would go something like: It actually almost works if I put a dummy cert on the https_port config line with ssl-bump, but then use none for

RE: [squid-users] RE: transparent https interception without mitm

2014-07-11 Thread James Harper
Unfortunately it seems to throw the details it gathered away after checking what bump to use as all I get in there is the destination IP. Logging %ssl::cert_subject just shows -. http://www.squid-cache.org/Doc/config/logformat/: %ssl::cert_subject log the Subject field of a SSL

RE: [squid-users] transparent https interception without mitm

2014-07-11 Thread James Harper
I believe the above is one of the use cases that SSL Peek and Splice project aims to address. Look for step2 peek and terminate actions specifically: http://wiki.squid-cache.org/Features/SslPeekAndSplice Awesome. I'll try it out once it's in the official branch. Thanks James

[squid-users] ident and intercept

2014-07-11 Thread James Harper
The docs say that ident doesn't work with intercept proxying, and it doesn't, but I think it wouldn't be too hard to make it work. In fact maybe as simple as setting COMM_TRANSPARENT on the ident socket. Does that sound plausible? What I've found is that not only does ident not work on an

RE: [squid-users] ident and intercept

2014-07-12 Thread James Harper
On 12/07/2014 5:21 p.m., James Harper wrote: The docs say that ident doesn't work with intercept proxying, and it doesn't, but I think it wouldn't be too hard to make it work. In fact maybe as simple as setting COMM_TRANSPARENT on the ident socket. COMM_TRANSPARENT is a Squid internal

RE: [squid-users] ident and intercept

2014-07-12 Thread James Harper
Does that sound plausible? What I've found is that not only does ident not work on an intercepted connection, the connection just hangs forever (or at least for the 10 minutes that I waited) if any acl's are encountered that would require an ident lookup. The hang is a separate bug

[squid-users] squid as general tcp proxy

2014-07-17 Thread James Harper
Is there any way of configuring squid to proxy any tcp traffic on any port? Obviously it can't filter on URL but can still filter on a few other things, including ident user and IP address. Thanks James

RE: [squid-users] squid as general tcp proxy

2014-07-18 Thread James Harper
On 17/07/2014 11:09 p.m., James Harper wrote: Is there any way of configuring squid to proxy any tcp traffic on any port? Obviously it can't filter on URL but can still filter on a few other things, including ident user and IP address. Devices that do that are commonly called firewalls

RE: [squid-users] YouTube Resolution Locker

2014-07-26 Thread James Harper
Hi All, Free API to lock resolution in YouTube players via your preferred Squid Cache. https://sourceforge.net/projects/youtuberesolutionlocker/ Very easy to use Does it actually lock resolution or limit resolution to = required resolution? Locking the resolution too high can cause

RE: [squid-users] RE: YouTube Resolution Locker

2014-07-26 Thread James Harper
Hi James, All is in the title YouTube Resolution Locker, so... The API is there to lock the resolution to low value, we think the API to help in reducing bandwidth as HD videos consume a lot. Regarding bandwidth limiter with YouTube, do you think Squid admins need a special script ?

RE: [squid-users] Anybody using squid on openWRT ?

2014-08-22 Thread James Harper
Just trying to use offic. package for openWRT, which is based on squid2.7 only. Having detected some DNS-issues, does anybody use squid on openWRT, and which squid version ? I am using squid on a buffalo router on openwrt attitude adjustment (whatever squid version comes with that). I

[squid-users] ident authentication problem

2014-08-25 Thread James Harper
I am using the latest 3.4 build and a config that looks like: ident_lookup_access allow localnet ident_lookup_access deny all ident_timeout 5 seconds acl password_required proxy_auth REQUIRED acl ident_required ident REQUIRED http_access allow localnet ident_required ident_unrestricted_group

[squid-users] out-of-band authentication (like ident but better)

2014-09-02 Thread James Harper
I mentioned at the tail of another email, I'd like to see a better out-of-band authentication protocol than ident. Such a protocol would have: . a single connection from squid over which all identification requests travel. Not one connection per request as with ident. . two way authentication

Re: [squid-users] Squid-cache.org won't redirect to www.squid-cache.org?

2014-09-30 Thread James Harper
without www.* -- Forbidden You don't have permission to access / on this server. Some browsers (Chrome?) will help by prepending www on the front for you... if you type just squid-cache.org it will turn it into http://www.squid-cache.org and you won't see the problem. Maybe this only

[squid-users] website search broken

2014-10-16 Thread James Harper
Doing a search on the main squid page gives me this: The requested URL /cgi-bin/swish-query.cgi was not found on this server. Maybe better doing a google search anyway? James

[squid-users] peek and splice and splice()

2014-10-17 Thread James Harper
Just reading up on this, the Feature page http://wiki.squid-cache.org/Features/SslPeekAndSplice says: ... with Squid shoveling TCP bytes back and forth without any decryption I can't see that squid actually uses the splice() system call, so that would mean squid would actually read the data

Re: [squid-users] peek and splice and splice()

2014-10-17 Thread James Harper
On 17/10/2014 9:47 p.m., James Harper wrote: Just reading up on this, the Feature page http://wiki.squid-cache.org/Features/SslPeekAndSplice says: ... with Squid shoveling TCP bytes back and forth without any decryption I can't see

[squid-users] ssl callout helper

2014-11-15 Thread James Harper
I've written a little helper to do ssl callouts to determine if the server is running ssl at all (eg not tunnelling over ssl), and also to be able to do limited ACL on CN/SAN. The main limitation is the way larger organisations will often have one SSL cert that covers many URLS (eg google cert

Re: [squid-users] squid-3.5.0.2-20141031-r13657 crashes

2014-11-30 Thread James Harper
This has happened again a day or so after wiping the cache directory. Core dump this time: #0 StoreEntry::checkCachable (this=this@entry=0x284c440) at store.cc:962 962 getReply()->content_length > store_maxobjsize) || (gdb) bt #0 StoreEntry::checkCachable

Re: [squid-users] squid-3.5.0.2-20141031-r13657 crashes

2014-12-04 Thread James Harper
It's possible that at one point I might have started 2 instances of squid running at once... could that cause corruption? Yes, very likely. More so the longer they were both running. I see you mention segfaults below, that can also cause it for any objects in use at the time of the

Re: [squid-users] https issues for google

2014-12-07 Thread James Harper
On IE, the error is :the proxy server is not responding On Chrome: ERR_SSL_PROTOCOL_ERROR On Firefox ssl_error_rx_record_too_long If I bypass the proxy and go direct to the internet through our firewall, it works fine. This suggests to me, without having any errors in squid to go by,

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2014-12-31 Thread James Harper
Probably non-HTTPS protocol being used. As bumping gets more popular we are hearing about a number of services abusing port 443 for non-HTTPS protocols on the false assumption that the TLS layer goes all the way to the origin server without inspection. That has never been a true

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread James Harper
On 01/01/15 00:11, James Harper wrote: The helper connects to the IP:port and tries to obtain the certificate, and then caches the result (in an sqlite database). If it can't do so within a fairly short time it returns failure (but keeps trying a bit longer and caches it for next time

[squid-users] urlpath_regex

2015-03-12 Thread James Harper
I have just noticed that urlpath_regex isn't doing what I want: acl wuau_repo dstdomain .download.windowsupdate.com acl wuau_path urlpath_regex -i \.psf$ acl dst_server dstdomain server acl apt_cacher browser apt-cacher cache deny dst_server cache deny apt_cacher cache deny wuau_repo cache allow

Re: [squid-users] urlpath_regex

2015-03-12 Thread James Harper
Three things; * by re-writing you are generating an entirely new request with the apt-cacher server URL as the destination. The HTTP message details about what was originally requested and from where is *gone* when the traffic leaves for the server. The solution for that is outlined at the

Re: [squid-users] urlpath_regex

2015-03-12 Thread James Harper
I also tried the same thing with http_access and that works as expected - *.psf files are allowed, non *.psf files are denied. I'm thinking bug at the point... I'll do some more testing and see if I can narrow it down. Found it. Really stupid mistake. The documentation shows [-i] for case

Re: [squid-users] urlpath_regex

2015-03-12 Thread James Harper
Found it. Really stupid mistake. The documentation shows [-i] for case insensitivity, but I hadn't picked up that the [] around the -i indicated that it was optional. I had just cut and pasted from examples. So the .cab thing was irrelevant - it just happened that the .cab files had an

Re: [squid-users] Alternative ways of tracking users on unauthenticated proxy

2015-05-25 Thread James Harper
Hi all, I'm setting up a system for using iPads in our school, and I'm stuck a bit on tracking what the students are doing on them. First up, I really don't want a Pop-up login box from a 407 response from a proxy server, so I'm looking for some other way to track who is doing what.

Re: [squid-users] Has anyone a working config for windows update through squid?

2015-08-20 Thread James Harper
We run squid 3.5.6 in a proxy server with FreeBSD 9.3. Squid is the only way out, there is no transparency at all. We have problems with windows update through squid. Problems without doing anything with Squid, or problems trying to get Squid to actually cache windows updates? At home I