Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread LYMN
On Thu, Aug 18, 2016 at 04:45:54PM +1200, Amos Jeffries wrote: > > IIRC, there is a setting somewhere called "Use Windows Integrated > Authentication" that sometimes has to be enabled for SSO to work with > non-Microsoft designed authentication schemes. > Not in my experience - if you have "Use

Re: [squid-users] stop caching completely on squid 3.5.2

2016-08-17 Thread Amos Jeffries
On 18/08/2016 7:05 a.m., --Ahmad-- wrote: > Hi > I’m willing to stop caching on squid 3.5.2 on both memory & disk caching > > is the directive : > cache deny all > > sufficient for that ? Almost. Squid will still allocate the memory cache RAM. You will want to accompany it with "cache_mem 0"

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread Amos Jeffries
On 18/08/2016 12:11 p.m., brendan kearney wrote: > You want Kerberos and/or NTLM authentication for Single Sign On. That is a myth. SSO is simply a way of building the system so that the credentials used for machine login work when sent to the proxy and other services. If you don't build the syste

Re: [squid-users] making 204s cachable again

2016-08-17 Thread Amos Jeffries
On 18/08/2016 12:29 p.m., Jim Ford wrote: > I recently upgraded to Version 3.5.10. I'm using it as a regular as Please keep going. 3.5.20 is current and all releases older than 3.5.19 have security issues. > well as a reverse proxy. In both cases I've noticed that what were > formerly cachable

Re: [squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome

2016-08-17 Thread Amos Jeffries
On 18/08/2016 11:00 a.m., Torsten Kuehn wrote: > Thank you for your quick reply! > > On 17/08/2016 6:01 p.m., Amos Jeffries wrote: > >>> I am forced to stuck with 2.X >> Then you cannot decrypt the HTTPS in order to cache it. Squid older than >> 3.2 simply do not have any of the functionality to

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread Rafael Akchurin
Hello Erdosain, Here is how to configure it reusing your sq...@example.lan user (no samba). http://docs.diladele.com/administrator_guide_4_6/active_directory/install_prerequisites_for_kerberos_authentication.html Best regards, Rafael From: squid-users [mailto:squid-use

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread erdosain9
so.. there is no way to do that with ldap? :-(

[squid-users] New Domain Blacklist Options...

2016-08-17 Thread Benjamin E. Nichols
We heard you loud and clear, you wanted our enhanced blacklists in a similar archive/file structure as shallalist and urlblacklist for your web filtering platform, so we finally did it. Available now to all squidblacklist.org members is the new “Universal Archive Structure Format” for any platf

[squid-users] making 204s cachable again

2016-08-17 Thread Jim Ford
I recently upgraded to Version 3.5.10. I'm using it as a regular as well as a reverse proxy. In both cases I've noticed that what were formerly cachable requests that resulted in a 204 response, are now always resulting in a MISS. The only hits I'm getting are negative when the requests are c

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread brendan kearney
You want Kerberos and/or NTLM authentication for Single Sign On. These authentication methods automatically provide credentials when browser are configured and the necessary network services are running. On Aug 17, 2016 6:30 PM, "erdosain9" wrote: > lol > no, for all the ACL. > vip and control.

Re: [squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome

2016-08-17 Thread Torsten Kuehn
Thank you for your quick reply! On 17/08/2016 6:01 p.m., Amos Jeffries wrote: >> I am forced to stuck with 2.X > Then you cannot decrypt the HTTPS in order to cache it. Squid older than > 3.2 simply do not have any of the functionality to do so. I.e. not cacheable at all? May sound stupid but I

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread erdosain9
lol no, for all the ACL. vip and control... that no users need to enter username and password ... (only to log on to the PC, but do not have to put username and password in the browser).. for all. (i dont speak english.)

Re: [squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread Yuri Voinov
Vips do not want enter username and password? :) 18.08.2016 2:58, erdosain9 wrote: > Hi > Squid configured to authenticate with AD with LDAP. this is the relevant > configuration. > > > # Active Directory > auth_param basic program /usr/lib64/squ

[squid-users] AD Ldap (automatically take the user that is logging on PC)

2016-08-17 Thread erdosain9
Hi Squid configured to authenticate with AD with LDAP. this is the relevant configuration. # Active Directory auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "cn=Users,dc=example,dc=lan" -D sq...@example.lan -w pass -f sAMAccountName=%s -v 3 -s sub -h 192.168.1.60 auth_param basi

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Eliezer Croitoru
Hey Omid, I will try to test here on my local squid to see if there is a well understood reason for the MISS. What have you tried until now to test the issue? Did you try to reproduce from your PC? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...

[squid-users] stop caching completely on squid 3.5.2

2016-08-17 Thread --Ahmad--
Hi I’m willing to stop caching on squid 3.5.2 on both memory & disk caching is the directive : cache deny all sufficient for that ? again i don’t want any type of caching cheers

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Alex Rousskov
On 08/17/2016 10:25 AM, Amos Jeffries wrote: > I don't think the delayer approach will work because these are parse > error/abort responses that don't go near any ACL system. If an error response does not go through http_reply_access, then this is a Squid bug IMO. Alex.

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Amos Jeffries
On 18/08/2016 4:07 a.m., Alex Rousskov wrote: > On 08/17/2016 09:02 AM, Amos Jeffries wrote: > >> Your Squid is not even getting far enough to apply security rules to the >> garbage traffic. It is basically just doing: accept() connection, >> unmangle the NAT/TPROXY details, read(2) some bytes, tr

Re: [squid-users] Checking SSL bump status in http_access

2016-08-17 Thread Alex Rousskov
On 08/16/2016 05:12 PM, Amos Jeffries wrote: > On 17/08/2016 2:22 a.m., Steve Hill wrote: >> Is there a way of figuring out if the current request is a bumped >> request when the http_access ACL is being checked? i.e. can we tell the >> difference between a GET request that is inside a bumped tunn

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Alex Rousskov
On 08/17/2016 09:02 AM, Amos Jeffries wrote: > Your Squid is not even getting far enough to apply security rules to the > garbage traffic. It is basically just doing: accept() connection, > unmangle the NAT/TPROXY details, read(2) some bytes, try to parse - bam > generate and send error page, clos

Re: [squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome

2016-08-17 Thread Amos Jeffries
On 18/08/2016 3:23 a.m., Torsten Kühn wrote: > Dear Mailing List, > > older Squid versions have been obsoleted by 3.X and 4.X, I (barely) > dare to ask a 2.X-related question ... For particular reasons, I am > forced to stuck with 2.X Then you cannot decrypt the HTTPS in order to cache it. Squid

[squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome

2016-08-17 Thread Torsten Kühn
Dear Mailing List, older Squid versions have been obsoleted by 3.X and 4.X, I (barely) dare to ask a 2.X-related question ... For particular reasons, I am forced to stuck with 2.X: my cache contains objects since 2010, of personal value. Due to small bandwidth (ISDN speed), I use Squid as a "buffer

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Amos Jeffries
On 17/08/2016 9:26 p.m., Omid Kosari wrote: > Hi Eliezer, > > > Eliezer Croitoru-2 wrote >> If you know what domain or ip address causes and issue the first thing I >> can think about is bypassing the malicious traffic to allow other >> clients\users to reach the Internet. > > Source ip may be 7

Re: [squid-users] Questions about Kerberos authentication on squid3

2016-08-17 Thread Amos Jeffries
On 18/08/2016 1:56 a.m., L.P.H. van Belle wrote: > > In this type of authentication the user will not need to enter your username > / password when you open the browser? > > Correct, but you also need to setup your webbrowser for it. > Actually; *no* authentication scheme needs the user to en

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Omid Kosari
Amos Jeffries wrote > On 18/08/2016 1:43 a.m., Omid Kosari wrote: >> Why following link is HIT >> >> X-Cache:"HIT from cache1" >> X-Cache-Lookup:"HIT from cache1:3128" >> >> >> http://igcdn-photos-c-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/s150x150/e35/13649137_1547514802224163_950421795_n.jpg

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Yuri Voinov
17.08.2016 20:28, Amos Jeffries wrote: > On 18/08/2016 1:43 a.m., Omid Kosari wrote: >> Why following link is HIT >> >> X-Cache:"HIT from cache1" >> X-Cache-Lookup:"HIT from cache1:3128" >> >> >> http://igcdn-photos-c-a.akamaihd.net/hphotos-ak-xa

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Amos Jeffries
On 18/08/2016 1:43 a.m., Omid Kosari wrote: > Why following link is HIT > > X-Cache:"HIT from cache1" > X-Cache-Lookup:"HIT from cache1:3128" > > > http://igcdn-photos-c-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/s150x150/e35/13649137_1547514802224163_950421795_n.jpg > > but this one is MISS >

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Alex Rousskov
On 08/16/2016 11:03 PM, Omid Kosari wrote: > Even one ip address with less than 5 requests per second can grow squid cpu > usage up to 30% . And 10 requests per second made 100% cpu usage . While > there is nothing other than that client goes through squid . The client > bandwidth is less than 10Kb

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Omid Kosari
Eliezer Croitoru-2 wrote > StoreID is not the only thing which can affect a HIT or a MISS. > A nice tool which was written to understand the subject is RedBot at: > https://redbot.org/ > > From a simple inspection of the file it seems that it should get hit but, > why are you using StoreID for th

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Omid Kosari
Aha . We have found that this request belongs to a cheap popular satellite receiver www.starmax.co . Maybe it has been infected and becomes zombie of a botnet . Maybe you should buy one device from them

Re: [squid-users] Large memory leak with ssl_peek (now partly understood)

2016-08-17 Thread Steve Hill
On 17/08/16 06:22, Dan Charlesworth wrote: Deployed a 3.5.20 build with both of those patches and have noticed a big improvement in memory consumption of squid processes at a couple of splice-heavy sites. Thank you, sir! We've now started tentatively rolling this out to a few production sit

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Eliezer Croitoru
Hey Omid, I can try to use the PCAP files but I am trying to stick in the upper level of operation when testing. What I mean by that is that I am trying to find real world software which encounter an issue when squid is in the middle. I can write scripts but as long there is something I can repr

Re: [squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Eliezer Croitoru
Hey Omid, StoreID is not the only thing which can affect a HIT or a MISS. A nice tool which was written to understand the subject is RedBot at: https://redbot.org/ From a simple inspection of the file it seems that it should get hit but, why are you using StoreID for this object? Also why are y

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Omid Kosari
Thanks for reply I have provided a sample wireshark pcap and squid access.log here http://squid-web-proxy-cache.1019090.n4.nabble.com/Malformed-HTTP-on-tproxy-squid-tp4678951p4678952.html Maybe you can reproduce and resend those requests with the help of something like fiddler or any other tool

Re: [squid-users] Questions about Kerberos authentication on squid3

2016-08-17 Thread L . P . H . van Belle
Hi Marcio,   Have a look here a good guide. https://dev.tranquil.it/wiki/SAMBA_-_Configuration_Squid_Kerberos   Most important, make sure your DNS setup is correct and the proxy server has an A and PTR (RR) record. Can be done without but that can result in problems.     You must cre

[squid-users] Yet another store_id question HIT MISS

2016-08-17 Thread Omid Kosari
Why following link is HIT X-Cache:"HIT from cache1" X-Cache-Lookup:"HIT from cache1:3128" http://igcdn-photos-c-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/s150x150/e35/13649137_1547514802224163_950421795_n.jpg but this one is MISS http://igcdn-photos-a-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-1

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Eliezer Croitoru
Thanks Antony! It kind of disappeared from my mind\eyes despite to the fact that it's there. Omid, You are right about the expectation from a software to be polished. I am with you on this but naturally port 80 should be used for http in a world which everybody obeys the holy RFC's. There are cou

[squid-users] Questions about Kerberos authentication on squid3

2016-08-17 Thread Marcio Demetrio Bacci
I have the following questions to use Kerberos authentication in squid3: You must create the krb5.keytab file when using Samba 4 as DC? If positive, how to create it? Kerberos authentication (squid_kerb_auth) works for both Windows and Linux? In this type of authentication the user will not need

[squid-users] Rock store status

2016-08-17 Thread FredB
Hello All, I tried rock store and smp long time ago (squid 3.2 I guess), Unfortunately I definitely drop smp because there are some limitations (In my case), and I fall-back to diskd because there were many bugs with rock store. FI I also switched to aufs without big differences. But now with

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Omid Kosari
Matus UHLAR - fantomas wrote > are you intercepting traffic for port 80 only? yes

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Matus UHLAR - fantomas
On 16.08.16 22:03, Omid Kosari wrote: Even one ip address with less than 5 requests per second can grow squid cpu usage up to 30% . And 10 requests per second made 100% cpu usage . While there is nothing other than that client goes through squid . The client bandwidth is less than 10Kbps . Isn't

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Omid Kosari
Hi Eliezer, Eliezer Croitoru-2 wrote > If you know what domain or ip address causes and issue the first thing I > can think about is bypassing the malicious traffic to allow other > clients\users to reach the Internet. Source ip may be 70% of our customers because it is a popular device so it is

Re: [squid-users] Malformed HTTP on tproxy squid

2016-08-17 Thread Eliezer Croitoru
Hey Omid, If you know what domain or ip address causes and issue the first thing I can think about is bypassing the malicious traffic to allow other clients\users to reach the Internet. Depends on the client and the destination you can choose the right approach. And since squid is also being use

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Antony Stone
On Wednesday 17 August 2016 at 11:01:40, Eliezer Croitoru wrote: > Hey Omid, > > Just to understand, are you intercepting traffic? From the original report: "Squid is in tproxy mode with routing" Antony. > -Original Message- > From: squid-users [mailto:squid-users-boun...@lists.squid-

Re: [squid-users] Squid cpu usage 100% from few days ago !!

2016-08-17 Thread Eliezer Croitoru
Hey Omid, Just to understand, are you intercepting traffic? Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Omid Kosari Sen