Emilio Casbas *nix forums addict
Joined: 05 May 2005
Posts: 50
|
Posted: Wed Jun 07, 2006 8:30 am Post subject:
Re: Allowing/Unblocking Skype with Squid
|
|
|
Kinkie wrote:
| Quote: | On Tue, 2006-06-06 at 15:13 +0200, Philipp Nyffenegger wrote:
acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access allow connect N_IPS all
Why do all these tips refer to "urlpath_regex" ? This is IMHO false.
At least it does not match at my site. There is no URL-Path in the
CONNECT-Method, iirc.
Yes, you are right.
This works fine in blocking Skype via Squid at my site :
acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
.
deny_info ERR_CLIENT_HTTPS2IP_DENIED skype
http_access deny CONNECT skype
I might have read the ACL wrong, but aren't you blocking all HTTPS
access when the server address is specified as an IP this way?
Kinkie
|
Yes, but the original post was for the opposite purpose,
they wanted to unblock the skype connections, and a pattern for
these connections type through squid is by this way, although it isn't 100%
effective.
Thanks
Emilio C. |
|
Emilio Casbas *nix forums addict
Joined: 05 May 2005
Posts: 50
|
Posted: Wed Jun 07, 2006 9:13 am Post subject:
Re: Allowing/Unblocking Skype with Squid
|
|
|
Jon Joyce wrote:
| Quote: | Hi Emilio,
Many thanks for your reply.
When you say careful regards to security, do you mean that anyone who
knows the IP of a host will get through our content filter? |
Yes if you have modified the CONNECT tags in the default squid.conf.
The most serious companies having a web presence (such as Internet
Banking, E-commerce, login applications from trusted sites...) will
have registered domains referenced by their FQDN URLs, so you can't
trust in "all" IP connections through the method CONNECT.
Thanks
Emilio C.
| Quote: | We have mainly set our squid up like this to stop people using Proxy
Tunneling software....
Jon
On 6 Jun 2006, at 09:27, Emilio Casbas wrote:
Jon Joyce wrote:
Hi all,
We currently have a Squid box set up to only allow secure https
traffic through a manually updated whitelist. So now, all clients
must provide the name and 443 port of our Proxy server before they
can access secure sites (i.e. Internet Banking, Hotmail etc.)
We now have the problem that Skype wants to use the outgoing secure
443 port which is not allowed through our Proxy...
Is there any way around this??
Skype will attempt to tunnel the traffic over port 443 using the SSL
protocol as you said,
In order to permit access to skype through squid, you would have to
know the "random" destination
IPs that skype use with the CONNECT method.
One possibility could be to try permitting numeric IPs with the
CONNECT method, but be careful with regard to security.
acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access allow connect N_IPS all
Thanks
Emilio C.
Anyone's help is much appreciated
Jon
|
|
|
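An added example, not code from any poster in this thread: a small audit of Squid access.log entries showing which CONNECT requests the numeric-IP pattern discussed in the two posts above would match under each ACL type. It assumes, as the posters report, that a CONNECT request carries only host:port and no URL path; the log lines are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

# Pattern posted in the thread; the same expression was tried with both ACL types.
THREAD_REGEX = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed sample entries in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1149668400.101   2310 192.168.1.10 TCP_MISS/200 4512 CONNECT 203.0.113.25:443 - DIRECT/203.0.113.25 -
1149668401.202    812 192.168.1.11 TCP_MISS/200 9120 CONNECT bank.example.com:443 - DIRECT/198.51.100.7 -
1149668402.303     95 192.168.1.12 TCP_MISS/200 1532 GET http://www.example.org/index.html - DIRECT/198.51.100.9 text/html
1149668403.404   6020 192.168.1.10 TCP_MISS/200 88213 CONNECT 198.51.100.77:8080 - DIRECT/198.51.100.77 -
1149668404.505    430 192.168.1.13 TCP_MISS/200 2201 CONNECT 10.1.2.3.example.net:443 - DIRECT/198.51.100.8 -
"""


def connect_targets(log_text):
    """Yield (client, host, port) for every CONNECT entry in the log text."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _, port = fields[6].rpartition(":")
        yield fields[2], host, int(port)


def is_ip_literal(host):
    """True only when the whole host is an IP address, not just its prefix."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def audit(log_text):
    """Return, per CONNECT request, what each ACL view would have matched."""
    report = []
    for client, host, port in connect_targets(log_text):
        target = f"{host}:{port}"  # CONNECT names only host:port ...
        url_path = ""              # ... so there is no path to test (assumption per the thread)
        report.append({
            "client": client,
            "target": target,
            "urlpath_regex": bool(THREAD_REGEX.search(url_path)),
            "url_regex": bool(THREAD_REGEX.search(target)),
            "ip_literal": is_ip_literal(host),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Rows where `url_regex` and `ip_literal` are both true are the CONNECT requests a numeric-IP allow rule would let past the whitelist; rows where `url_regex` is true but `ip_literal` is false are hostnames that only begin with four numeric labels, which the unanchored pattern also matches.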
Shoebottom, Bryan *nix forums addict
Joined: 14 Sep 2005
Posts: 58
|
Posted: Tue Jun 13, 2006 4:43 pm Post subject:
RE: I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1. This setup seems to be having tr
|
|
|
I ended up moving to WCCPv2 and a 2.6.9 or later kernel to resolve this
issue. There are some posts on changing the MTU of the GRE/ethX
interface but this never worked for me.
Thanks,
Bryan
-----Original Message-----
From: Keith Owen [mailto:KOwen@cdfa.ca.gov]
Sent: June 13, 2006 12:42 PM
To: squid-users@squid-cache.org
Subject: [squid-users] I have Squid 2.5 stable 14 running on a Linux box
using the WCCPv1. This setup seems to be having tr
I have Squid 2.5 stable 14 running on a Linux box using the WCCPv1. This
setup seems to be having troubles with e-mail website (ex mail.yahoo.com
& hotmail.com) What happens is when the user name and password are
entered and the login button is pressed, it will timeout on a blank
page. If anyone can offer suggestions that would be appreciated. |
|
Santosh Rani *nix forums beginner
Joined: 19 Jun 2006
Posts: 8
|
Posted: Mon Jun 19, 2006 3:40 pm Post subject:
Re:Thanks for the response please; proxy.pac
|
|
|
Thanks for the replies.
Regards
On 19/04/06, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
| Quote: | Tue 2006-04-18 at 20:42 +0200, Joost de Heer wrote:
I think it uses the cached proxy.pac.
Yes, but it is almost trivial to make the cached proxy.pac instruct the
browser to go direct when not connected to the office network.
Regards
Henrik
|
|
|
Henrik Nordstrom *nix forums Guru
Joined: 01 Feb 2005
Posts: 2377
|
Posted: Thu Jun 22, 2006 11:12 am Post subject:
Re: the dreaded 'zero sized reply' on RHEL3
|
|
|
Wed 2006-06-21 at 17:11 +0200, tomvo@absi.be wrote:
| Quote: | Well, not sure what you mean with 'support for this patched binary
distribution is provided by redhat' but 2.5.stable3 is the latest one that
they offer for RHEL3 (via their up2date tool).
|
That support for the RedHat binary distribution of Squid is provided by
RedHat.
| Quote: | Can you tell me where I can find a officially supported squid for RHEL3
that is more current ?
|
The officially supported Squid version in this forum is the current
STABLE source code release, i.e. currently 2.5.STABLE14. And yes RHEL3
is a supported platform.
But we won't hurt you for running a binary distribution. Just that we
can not help you much with problems which seem to be specific to the
binary distribution you are running, and we also expect you to verify
that any problem you may have exists in the current version of Squid as
well before looking into the exact details.
Translated to your current question this means that the level of the
original question you sent is fine. So is also questions related to how
to configure Squid etc. However, as the problem could not be repeated by
clicking on the link you provided it's not back on your table to verify
if you see the problem using the current version of Squid (not the
RedHat version). Or alternatively if you do not want to try the
squid-cache.org source distribution send the question to your RedHat
support contact.
Regards
Henrik |
|
Craig Home *nix forums beginner
Joined: 19 Jun 2006
Posts: 4
|
Posted: Thu Jun 22, 2006 11:46 am Post subject:
Re: the dreaded 'zero sized reply' on RHEL3
|
|
|
Please help me unsubscribe from this list.
Thanks
Craig
| Quote: | Wed 2006-06-21 at 17:11 +0200, tomvo@absi.be wrote:
Well, not sure what you mean with 'support for this patched binary
distribution is provided by redhat' but 2.5.stable3 is the latest one
that
they offer for RHEL3 (via their up2date tool).
That support for the RedHat binary distribution of Squid is provided by
RedHat.
Can you tell me where I can find a officially supported squid for RHEL3
that is more current ?
The officially supported Squid version in this forum is the current
STABLE source code release, i.e. currently 2.5.STABLE14. And yes RHEL3
is a supported platform.
But we won't hurt you for running a binary distribution. Just that we
can not help you much with problems which seem to be specific to the
binary distribution you are running, and we also expect you to verify
that any problem you may have exists in the current version of Squid as
well before looking into the exact details.
Translated to your current question this means that the level of the
original question you sent is fine. So is also questions related to how
to configure Squid etc. However, as the problem could not be repeated by
clicking on the link you provided it's not back on your table to verify
if you see the problem using the current version of Squid (not the
RedHat version). Or alternatively if you do not want to try the
squid-cache.org source distribution send the question to your RedHat
support contact.
Regards
Henrik
|
|
Neil A. Hillard *nix forums addict
Joined: 09 Mar 2005
Posts: 77
|
Posted: Thu Jun 22, 2006 11:58 am Post subject:
Re: the dreaded 'zero sized reply' on RHEL3
|
|
|
Craig,
which bit of 'Read the SMTP headers' didn't you understand?
The following appears in the header of each and every message which is
sent to the mailing list:
List-Post: <mailto:squid-users@squid-cache.org>
List-Help: <mailto:squid-users-help@squid-cache.org>
List-Unsubscribe: <mailto:squid-users-unsubscribe@squid-cache.org>
List-Subscribe: <mailto:squid-users-subscribe@squid-cache.org>
If you then can't unsubscribe explain exactly what you've tried and what
message / error you receive. Otherwise you won't get assistance.
Neil.
Craig Home wrote:
| Quote: |
Please help me unsubscribe from this list.
Thanks
Craig
Wed 2006-06-21 at 17:11 +0200, tomvo@absi.be wrote:
Well, not sure what you mean with 'support for this patched binary
distribution is provided by redhat' but 2.5.stable3 is the latest
one that
they offer for RHEL3 (via their up2date tool).
That support for the RedHat binary distribution of Squid is provided by
RedHat.
Can you tell me where I can find a officially supported squid for RHEL3
that is more current ?
The officially supported Squid version in this forum is the current
STABLE source code release, i.e. currently 2.5.STABLE14. And yes RHEL3
is a supported platform.
But we won't hurt you for running a binary distribution. Just that we
can not help you much with problems which seem to be specific to the
binary distribution you are running, and we also expect you to verify
that any problem you may have exists in the current version of Squid as
well before looking into the exact details.
Translated to your current question this means that the level of the
original question you sent is fine. So is also questions related to how
to configure Squid etc. However, as the problem could not be repeated by
clicking on the link you provided it's not back on your table to verify
if you see the problem using the current version of Squid (not the
RedHat version). Or alternatively if you do not want to try the
squid-cache.org source distribution send the question to your RedHat
support contact.
Regards
Henrik
|
--
Neil Hillard hillardn@whl.co.uk
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd. |
|
Lai, Raymond *nix forums beginner
Joined: 22 Jun 2006
Posts: 2
|
Posted: Thu Jun 22, 2006 8:26 pm Post subject:
RE:
|
|
|
|
unsubscribe |
|
Craig Home *nix forums beginner
Joined: 19 Jun 2006
Posts: 4
|
Posted: Fri Jun 23, 2006 1:13 pm Post subject:
Re: the dreaded 'zero sized reply' on RHEL3
|
|
|
Neil
Sorry, I don't always catch all replies as I've been asking for a few weeks
and getting loads of unwanted messages from the list instead of any direct
replies.
I have sent numerous emails to the squid-users-unsubscribe@squid-cache.org
over the last four weeks and followed all the relevant instructions on the
following link and still I get the messages:
http://www.squid-cache.org/mailing-lists.html
Regards
Craig
| Quote: | Craig,
which bit of 'Read the SMTP headers' didn't you understand?
The following appears in the header of each and every message which is
sent to the mailing list:
List-Post: <mailto:squid-users@squid-cache.org>
List-Help: <mailto:squid-users-help@squid-cache.org>
List-Unsubscribe: <mailto:squid-users-unsubscribe@squid-cache.org>
List-Subscribe: <mailto:squid-users-subscribe@squid-cache.org>
If you then can't unsubscribe explain exactly what you've tried and what
message / error you receive. Otherwise you won't get assistance.
Neil.
Craig Home wrote:
Please help me unsubscribe from this list.
Thanks
Craig
Wed 2006-06-21 at 17:11 +0200, tomvo@absi.be wrote:
Well, not sure what you mean with 'support for this patched binary
distribution is provided by redhat' but 2.5.stable3 is the latest
one that
they offer for RHEL3 (via their up2date tool).
That support for the RedHat binary distribution of Squid is provided by
RedHat.
Can you tell me where I can find a officially supported squid for
RHEL3
that is more current ?
The officially supported Squid version in this forum is the current
STABLE source code release, i.e. currently 2.5.STABLE14. And yes RHEL3
is a supported platform.
But we won't hurt you for running a binary distribution. Just that we
can not help you much with problems which seem to be specific to the
binary distribution you are running, and we also expect you to verify
that any problem you may have exists in the current version of Squid as
well before looking into the exact details.
Translated to your current question this means that the level of the
original question you sent is fine. So is also questions related to how
to configure Squid etc. However, as the problem could not be repeated
by
clicking on the link you provided it's not back on your table to verify
if you see the problem using the current version of Squid (not the
RedHat version). Or alternatively if you do not want to try the
squid-cache.org source distribution send the question to your RedHat
support contact.
Regards
Henrik
--
Neil Hillard hillardn@whl.co.uk
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd. |
|
|
ForestCreature *nix forums beginner
Joined: 24 Jun 2006
Posts: 1
|
Posted: Sat Jun 24, 2006 11:01 am Post subject:
Re: 2 user accounts per 1 IP
|
|
|
Hello!
I would like to create 2 accounts per each proxy user(IP address):
one limited and one unlimited
i tried this way :
...
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 192.168.0.0/255.255.0.0
acl to_localhost dst 127.0.0.0/8
acl password proxy_auth REQUIRED
icp_access allow all
always_direct allow all
coredump_dir /var/log/squid/
#########################
acl limited proxy_auth l1 l2
acl unlimited proxy_auth u1 u2
##########################
delay_pools 1
# limited
delay_class 1 2
delay_parameters 1 15000/15000 1875/1875
delay_access 1 allow limited
delay_access 1 deny all
#unlimited
http_access allow unlimited
http_access allow limited
http_access deny manager
http_access deny all
http_reply_access allow all
.....
the problem:
when I connect to proxy as user l1 (limited by 1875B/s) all OK
but when I create additional connection as user u1 (unlimited) from
the same IP address bad things happen. connection belonging to l1
gets 7.5KB/s (but it should be limited to 1875B/s)!
Can you help me overcome such problem?
Thanks! |
|
Henrik Nordstrom *nix forums Guru
Joined: 01 Feb 2005
Posts: 2377
|
Posted: Sat Jun 24, 2006 1:26 pm Post subject:
Re: Re: 2 user accounts per 1 IP
|
|
|
Sat 2006-06-24 at 14:01 +0300, ForestCreature wrote:
| Quote: | the problem:
when I connect to proxy as user l1 (limited by 1875B/s) all OK
but when I create additional connection as user u1 (unlimited) from
the same IP address bad things happen. connection belonging to l1
gets 7.5KB/s (but it should be limited to 1875B/s)!
Can you help me overcome such problem?
|
I don't get you here.. unlimited user gets more bandwidth than the
limited user. What is the problem?
u1 was not assigned any delay pool, so why should it be limited to
1875byte/s?
Regards
Henrik |
|
Keith Owen *nix forums beginner
Joined: 12 Jun 2006
Posts: 11
|
Posted: Mon Jun 26, 2006 9:03 pm Post subject:
Re: How would I turn on ident lookup for allconnections? I don't want to do any restri
|
|
|
I tried this but I found out that, to my understanding, the client needs an ident program installed. Is there a way with the default XP install to look up the user name or even the computer name? Or is there a way, through LDAP, to cross-reference an IP address with a user name? All this being invisible to the user. Thanks
| Quote: | Henrik Nordstrom <henrik@henriknordstrom.net> 06/26/06 11:08AM
Mon 2006-06-26 at 08:26 -0700, Keith Owen wrote:
How would I turn on ident lookup for all connections? I don't want to do any restrictions, it is just for logging purposes. Thanks
|
ident_lookup_access allow all
Regards
Henrik |
|
Aaron Gray *nix forums beginner
Joined: 01 May 2005
Posts: 35
|
Posted: Wed Jun 28, 2006 6:07 pm Post subject:
Squid use SSL ALWAYS?
|
|
|
I have squid working perfectly as a caching proxy server.
If I access my squid proxy server from a network that has some kind of
"sniffing" software, they can see the headers are HTTP headers (even though
it is on a weird port) and still identify where you're going and read all the
plain text HTML.
Is there any way to make it so that when I connect to the squid proxy and
authenticate (which I require based on my ACL) that it creates a SSL
connection (or something similar) to where all traffic is encrypted even if
the destination page is not a https website? I want to hide the plain text. |
|
Chris Robertson *nix forums Guru
Joined: 01 Feb 2005
Posts: 373
|
Posted: Wed Jun 28, 2006 8:04 pm Post subject:
Re: Squid use SSL ALWAYS?
|
|
|
Aaron Gray wrote:
| Quote: | I have squid working perfectly as a caching proxy server.
If I access my squid proxy server from a network that has some kind of
"sniffing" software, they can see the headers are HTTP headers (even
though
it is on a weird port) and still identify where you're going and read
all the
plain text HTML.
Is there any way to make it so that when I connect to the squid proxy and
authenticate (which I require based on my ACL) that it creates a SSL
connection (or something similar) to where all traffic is encrypted
even if
the destination page is not a https website? I want to hide the plain
text. |
You can certainly encrypt the traffic between the client and Squid (look
into stunnel, http://www.stunnel.org/), but encrypting between Squid and
a non-SSL (HTTPS) server is not possible. If you just want to encrypt
the authentication, look into using digest.
Chris |
|
Aaron Gray *nix forums beginner
Joined: 01 May 2005
Posts: 35
|
Posted: Wed Jun 28, 2006 8:59 pm Post subject:
Re: Squid use SSL ALWAYS?
|
|
|
It sounds like based on what you said, I should look into stunnel. My basic
reason behind this is that some places I go, they are still able to sniff
the traffic and determine what it is I am doing. My Squid proxy server is
in a co-lo so I am not concerned about the squid server to the website, only
squid to my desktop client traffic. I want all that to appear as gibberish
encrypted gobbledygook (that's a technical term!) :P
thanks
On 6/28/06, Chris Robertson <crobertson@gci.net> wrote:
| Quote: |
Aaron Gray wrote:
I have squid working perfectly as a caching proxy server.
If I access my squid proxy server from a network that has some kind of
"sniffing" software, they can see the headers are HTTP headers (even
though
it is on a weird port) and still identify where you're going and read
all the
plain text HTML.
Is there any way to make it so that when I connect to the squid proxy
and
authenticate (which I require based on my ACL) that it creates a SSL
connection (or something similar) to where all traffic is encrypted
even if
the destination page is not a https website? I want to hide the plain
text.
You can certainly encrypt the traffic between the client and Squid (look
into stunnel, http://www.stunnel.org/), but encrypting between Squid and
a non-SSL (HTTPS) server is not possible. If you just want to encrypt
the authentication, look into using digest.
Chris
|
|
|