Hello Amos Jeffries!
I tried to use three parameters, but it did not work.
I did not understand why this is giving error...
I tried to use three parameters, but it did not work.
I did not understand why this is giving error...
2014-10-27 14:40 GMT-02:00 <squid-users-request@xxxxxxxxxxxxxxxxxxxxx>:
Send squid-users mailing list submissions to
squid-users@xxxxxxxxxxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
squid-users-request@xxxxxxxxxxxxxxxxxxxxx
You can reach the person managing the list at
squid-users-owner@xxxxxxxxxxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."
Today's Topics:
1. Re: Delay Class 3 - Squid (Amos Jeffries)
2. Re: Delay Class 3 - Squid (Amos Jeffries)
3. Re: Filtering keywords on google search (Cassiano Martin)
4. how to obtain info about actual active downloads?
(Frantisek Hanzlik)
5. Re: how to obtain info about actual active downloads?
(Antony Stone)
6. Re: how to obtain info about actual active downloads?
(Leonardo Rodrigues)
7. Re: Kerberos Authentication Failing for Windows 7+ with BH
gss_accept_sec_context() failed (Pedro Lobo)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Oct 2014 01:01:34 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Delay Class 3 - Squid
Message-ID: <544E341E.7080801@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
> Hello!
>
> Sorry my english.
>
> I'm racking my brain to figure out why the error.
>
> I've used a long time ago a rule delay pool but this time I am not
> able to implement ...
>
> In my squid.conf looks like this:
>
> delay_pools 1 delay_class 1 3 delay_parameters 1 50000/50000
> 24000/24000
http://www.squid-cache.org/Doc/config/delay_parameters/
class 1 pools only have one speed parameter. Not two.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUTjQeAAoJELJo5wb/XPRjm0IH/3Fwh9VhfFOhpMfn1Z20ii2b
49SC9fhyMmVfoNdm49uOY9txb/7VDQpfRtb4yvNcAJJ+t0soNRlz8wcYrvJHeu52
HMG1te3wySXVZgar/DzQbsI/k15Ar2uuUVmJJ/rkQextBjftqXF7HLXo6kBNRLG7
xcwSSrtGy9SIY8yOZflz+4ANJr5Z1Fme1w2Cp88UXXBLuKXZ3JNeQrte06aRpJkn
KwWQwSLwv3KGF48PbuLRD2M8flA/eFkoqg0VK0CRzjytGwxb/b0OIE9shl/GH2A0
oEcWVowZHqAXSsSbbpW9GIyNpKoxjndY80VBijaTvvXj+tBQK2DaIse7e7NaEGc=
=tJHs
-----END PGP SIGNATURE-----
------------------------------
Message: 2
Date: Tue, 28 Oct 2014 01:06:13 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Delay Class 3 - Squid
Message-ID: <544E3535.7050805@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28/10/2014 1:01 a.m., Amos Jeffries wrote:
> On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
>> Hello!
>
>> Sorry my english.
>
>> I'm racking my brain to figure out why the error.
>
>> I've used a long time ago a rule delay pool but this time I am
>> not able to implement ...
>
>> In my squid.conf looks like this:
>
>> delay_pools 1 delay_class 1 3 delay_parameters 1 50000/50000
>> 24000/24000
>
> http://www.squid-cache.org/Doc/config/delay_parameters/
>
> class 1 pools only have one speed parameter. Not two.
>
Meh, sorry. I mean class 3 has 3 parameters.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUTjU1AAoJELJo5wb/XPRjHYAIAI2oAOpjZTgsTlbdz20LZW+k
XAAAnm8QgJSDBI7ErmZAJ7AxJILfi2PR2M60411mN5AgrVYulofUriTebS13bguR
g0aoFmVMBj003T70sNZWwSgyf18Gr9ewu5X6sOSu1IdQg6M9VMJFaUUMs+FFy2bs
IOqfhEhkcszlz0wrmY+xhAxR7mm8qWenrRk47W6rQR90p5Ml5m6ha0cCyTMTo46H
euojiX3JHvbFa3NtoOiNTmNOK7ZVt6bE/KTDSGobx6ehNtsUgKQgMBfyQ9ET2269
x8/MBDBjpK3JSld0UF3CjTkF8eWZHLAC+/Y6ZRR1vY6ihXi5B4yK7+Ve0ZvK5eU=
=7r5y
-----END PGP SIGNATURE-----
------------------------------
Message: 3
Date: Mon, 27 Oct 2014 11:05:33 -0200
From: Cassiano Martin <cassiano@xxxxxxxxxxxxx>
To: Job <Job@xxxxxxxxxxxxxxxxxxxx>
Cc: "squid-users@xxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: Filtering keywords on google search
Message-ID:
<CAOoxthNmWSP7Xck4BpNxOO-wNNsGe3e4jkXgfvsLffeSbk9f2A@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
I have some proof of concept on my github. it can be done thought DNS
hijacking. I modified a version of tinyproxy to enforce safe search.
you can check it out on https://github.com/polaco1782/tinyproxy
2014-10-25 9:49 GMT-02:00 Job <Job@xxxxxxxxxxxxxxxxxxxx>:
> Hello, since Google switch definitely on SSL connection it seems there is no way to filter semantic (with danguardian, squidguard or squid).
>
> SSL Bump can help in this case, both on explicit or transparent proxying?
>
> Is there another way to filter searches (and image searches!)?
>
> Thank you!
> Francesco
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
------------------------------
Message: 4
Date: Mon, 27 Oct 2014 14:32:39 +0100
From: Frantisek Hanzlik <franta@xxxxxxxxxxx>
To: Squid users list <squid-users@xxxxxxxxxxxxxxx>
Subject: how to obtain info about actual active
downloads?
Message-ID: <544E4977.3050705@xxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
Please, what is best way for determining who squid clients (their
PC IP addresses) have which downloads active?
I want it to determine which clients burden our slow internet line.
Examining 'access.log' does not help much in this case, because users
can download large files and it may take a few minutes or hours (e.g.
in case of consuming some audio/video streams).
I tried inspecting informations in 'Client-side Active Requests' menu
in cachemgr.cgi, where are paragraphs as:
Connection: 0x7f442037aa48
FD 94, read 5892, wrote 148211583
FD desc: Reading next request
in: buf 0x7f440efc9150, offset 0, size 4096
remote: 192.168.1.44:1631
local: 192.168.1.254:3128
nrequests: 7
uri http://ice.abradio.cz/prachen64.mp3
logType TCP_MISS
out.offset 148178800, out.size 148179207
req_sz 724
entry 0x7f440d5d6220/A1AD3A830E803B23F9295A9BCB9C1949
start 1414389495.929684 (18515.473233 seconds ago)
username
delay_pool 0
which seems to contain the necessary items and it would not be a big
problem adjust them to shorter form using e.g. awk or sed script,
and this informations is possible obtain in batch with some as:
wget -q -O - 'http://localhost/Squid/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=active_requests'
or
lynx -dump 'http://localhost/Squid/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=active_requests'
But is this the correct way? Or Squid offers other tools for this
case? Or is possible cachemgr.cgi supply/enwrap with some filter
which output needed info in some customized format?
We are using squid-3.3.13/Linux i686 now, it run on our LAN internet
router, LAN has approx. twenty PCs.
Thanks in advance, Franta Hanzlik
------------------------------
Message: 5
Date: Mon, 27 Oct 2014 14:47:00 +0100
From: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: how to obtain info about actual active
downloads?
Message-ID: <201410271447.00509.Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
Content-Type: Text/Plain; charset="utf-8"
On Monday 27 October 2014 at 14:32:39 (EU time), Frantisek Hanzlik wrote:
> Please, what is best way for determining who squid clients (their
> PC IP addresses) have which downloads active?
> I want it to determine which clients burden our slow internet line.
> Examining 'access.log' does not help much in this case, because users
> can download large files and it may take a few minutes or hours (e.g.
> in case of consuming some audio/video streams).
I would use the tool 'iptraf', either running on your squid server, or on a
machine which can sniff your internal network traffic (possibly with the use of a
spanning port on the switch).
That can give you real-time bandwidth measurements per IP address.
Regards,
Antony.
--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Nobel Prizewinner in Physics
Please reply to the list;
please *don't* CC me.
------------------------------
Message: 6
Date: Mon, 27 Oct 2014 14:37:43 -0200
From: Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: how to obtain info about actual active
downloads?
Message-ID: <544E74D7.2030104@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed
On 27/10/14 11:47, Antony Stone wrote:
> On Monday 27 October 2014 at 14:32:39 (EU time), Frantisek Hanzlik wrote:
>
>> Please, what is best way for determining who squid clients (their
>> PC IP addresses) have which downloads active?
>> I want it to determine which clients burden our slow internet line.
>> Examining 'access.log' does not help much in this case, because users
>> can download large files and it may take a few minutes or hours (e.g.
>> in case of consuming some audio/video streams).
> I would use the tool 'iptraf', either running on your squid server, or on a
> machine which can sniff your internal network traffic (possibly with the use of a
> spanning port on the switch).
>
> That can give you real-time bandwidth measurements per IP address.
>
I use this script:
http://samm.kiev.ua/sqstat/
Set it to auto-update on 15/15 seconds, for example, and you'll
have a great and easy way to evaluate active connections and high
bandwidth use connections.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it
------------------------------
Message: 7
Date: Mon, 27 Oct 2014 16:39:17 +0000
From: "Pedro Lobo" <palobo@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Kerberos Authentication Failing for Windows
7+ with BH gss_accept_sec_context() failed
Message-ID: <94F74226-F24B-4910-95B7-B86ACE815995@xxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
Hey Everybody,
Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and XP/2003 machines are working just fine.
I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH!!!!
Craving ideas and solutions right now... Pilot users are less than satisfied ;)
Cheers,
Pedro
On 25 Oct 2014, at 14:13, Markus Moeller wrote:
> Hi Pedro,
>
> I wonder if he upper case in the name is a problem. Can you try
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME
>
> instead of
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
>
> Markus
>
> "Pedro Lobo" <palobo@xxxxxxxxx> wrote in message news:FD6832B9-3F1F-48C6-A76F-47A224F1697B@xxxxxxxxx...
> Hi Markus,
>
> I used msktutil to create the keytab.
>
> msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
> Output of klist -ekt:
>
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@xxxxxxxx (arcfour-hmac)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@xxxxxxxx (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@xxxxxxxx (aes256-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@xxxxxxxx (arcfour-hmac)
> 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@xxxxxxxx (aes128-cts-hmac-sha1-96)
> 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@xxxxxxxx (aes256-cts-hmac-sha1-96)
> Yep, using MIT Kerberos
>
> Thanks in advance for any help.
>
> Cheers,
> Pedro
>
> On 25 Oct 2014, at 1:26, Markus Moeller wrote:
>
> Hi Pedro,
>
> How did you create your keytab ? What does klist –ekt <squid.keytab> show ( I assume you use MIT Kerberos) ?
>
> Markus
>
> "Pedro Lobo" palobo@xxxxxxxxx wrote in message news:40E1E0E7-50C6-4117-94AA-50B06573430A@xxxxxxxxx...
> Hi Squid Gurus,
>
> I'm at my wit's end and in dire need of some squid expertise.
>
> We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry.
>
> If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep getting a popup asking me to authenticate and even then, it's and endless loop until it fails. My cache.log is littered with:
>
> negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> 2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
> The odd thing, is that this has worked before. Help me Obi Wan... You're my only hope! :)
>
> Current Setup
> Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to fase out the older servers).
>
> krb5.conf
>
> [libdefaults]
> default_realm = FAKE.NET
> dns_lookup_kdc = yes
> dns_lookup_realm = yes
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid3/PROXY.keytab
>
> ; for Windows 2003
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> FAKE.NET = {
> kdc = srv01.fake.net
> kdc = srv02.fake.net
> kdc = srv03.fake.net
> admin_server = srv01.fake.net
> default_domain = fake.net
> }
>
> [domain_realm]
> .fake.net = FAKE.NET
> fake.net = FAKE.NET
>
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> squid.conf
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> Cheers,
> Pedro
>
> Cumprimentos
> Pedro Lobo
> Solutions Architect | System Engineer
>
> pedro.lobo@xxxxxxxxxxxx
> Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
>
> Claranet Portugal
> Ed. Parque Expo
> Av. D. João II, 1.07-2.1, 4º Piso
> 1998-014 Lisboa
> www.claranet.pt
>
> Empresa certificada ISO 9001, ISO 20000 e ISO 27001
>
>
> ------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
>
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------------------------------------------------------
>
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
> Cumprimentos
> Pedro Lobo
> Solutions Architect | System Engineer
>
> pedro.lobo@xxxxxxxxxxxx
> Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
>
> Claranet Portugal
> Ed. Parque Expo
> Av. D. João II, 1.07-2.1, 4º Piso
> 1998-014 Lisboa
> www.claranet.pt
>
>
>
>
>
> Empresa certificada ISO 9001, ISO 20000 e ISO 27001
>
>
>
>
> --------------------------------------------------------------------------------
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141027/219e87ff/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 536 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141027/219e87ff/attachment.sig>
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 2, Issue 97
******************************************
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
