This is our SQUID configuration:
<snip>
authenticate_program /usr/local/bin/smb_auth
authenticate_program -W
authenticate_program bogegod
authenticate_program -U
authenticate_program gont-pdc01
authenticate_children 4
authenticate_ttl 3600 seconds
authenticate_ip_ttl 90 seconds
authenticate_ip_ttl_is_strict on
wais_relay_port 0
request_header_max_size 10240 bytes
request_body_max_size 1048576 bytes
reply_body_max_size 2097152 bytes
reference_age 31557790 seconds
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 300 seconds
positive_dns_ttl 21600 seconds
negative_dns_ttl 300 seconds
range_offset_limit 0 bytes
connect_timeout 120 seconds
peer_connect_timeout 60 seconds
siteselect_timeout 4 seconds
read_timeout 900 seconds
request_timeout 30 seconds
client_lifetime 86400 seconds
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds
acl QUERY urlpath_regex cgi-bin
acl QUERY urlpath_regex \?
acl all src 0.0.0.0/0.0.0.0
acl bogeclients src 192.125.128.0/255.255.255.0
acl bogeclients src 192.125.129.0/255.255.255.0
acl simmern src 195.233.126.92
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl deny_muell_regex url_regex .mp3$
<snip>
acl deny_muell_url urlpath_regex \.exe$
acl porn url_regex sex
<snip>
acl porn url_regex wickedmovies
acl noporn url_regex sdat[0-9][0-9][0-9][0-9]\.exe
acl noporn url_regex akamai
<snip>
acl noporn url_regex analyse
acl intranet2 dstdomain .mannesmann.de
acl intranet5 dst 195.233.149.75
acl internet2 dstdomain .sachs-ag.de
acl internet2 dstdomain .sachs.de
acl intranet_boge dst 192.125.128.0/255.255.255.0
acl intranet_boge_dom dstdomain www.boge-intranet.com
acl internet_boge dstdomain .boge-vibrationcontrol.de
acl internet_boge dstdomain .boge-vibrationcontrol.com
acl internet_bahn dstdomain .bahn.de
acl internet_bahn dstdomain .adbureau.net
acl internet_hug dstdomain .hug.de
acl internet_routenpl dstdomain www.route.de
acl auth_inet2 proxy_auth REQUIRED
acl auth_inet5 proxy_auth REQUIRED
acl auth_iboge proxy_auth REQUIRED
acl auth_ibahn proxy_auth REQUIRED
acl auth_ihug proxy_auth REQUIRED
acl auth_iroutenpl proxy_auth REQUIRED
acl CONNECT method CONNECT
http_access Allow localhost
http_access Allow simmern
http_access Deny !noporn porn
http_access Deny !noporn deny_muell_url
http_access Deny deny_muell_regex
http_access Allow intranet2
http_access Allow intranet5
http_access Allow intranet_boge
http_access Allow internet_boge
http_access Allow internet_bahn
http_access Allow internet_hug
http_access Allow internet_routenpl
http_access Allow !intranet_boge auth_iboge
http_access Allow bogeclients
http_access Deny all
http_access Deny !Safe_ports
http_access Deny all
icp_access Allow all
proxy_auth_realm Squid proxy-caching web server
ident_lookup_access Deny all
cache_mgr webmaster
cache_effective_user squid
cache_effective_group users
announce_period 31536000 seconds
announce_host tracker.ircache.net
announce_port 3131
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
dns_testnames netscape.com
dns_testnames internic.net
dns_testnames nlanr.net
dns_testnames microsoft.com
logfile_rotate 3
tcp_recv_bufsize 0 bytes
err_html_text
deny_info ERR_BOGE_PORNO_DENIED porn
memory_pools on
memory_pools_limit 0 bytes
forwarded_for on
log_icp_queries on
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
cachemgr_passwd none all
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 900
netdb_high 1000
netdb_ping_period 300 seconds
query_icmp off
test_reachability off
buffered_logs off
reload_into_ims off
always_direct Allow intranet2
always_direct Allow intranet5
always_direct Allow intranet_boge
always_direct Deny all
never_direct Allow all
icon_directory /usr/local/squid/etc/icons
error_directory /usr/local/squid/etc/errors
minimum_retry_timeout 5 seconds
maximum_single_addr_tries 3
as_whois_server whois.ra.net
wccp_router 0.0.0.0
wccp_version 4
wccp_incoming_address 0.0.0.0
wccp_outgoing_address 255.255.255.255
incoming_icp_average 6
incoming_http_average 4
incoming_dns_average 4
min_icp_poll_cnt 8
min_dns_poll_cnt 8
min_http_poll_cnt 8
max_open_disk_fds 0
offline_mode off
uri_whitespace strip
nonhierarchical_direct on
prefer_direct off
strip_query_terms on
redirector_bypass off
ignore_unknown_nameservers on
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
high_response_time_warning 0
high_page_fault_warning 0
high_memory_warning 0 bytes
store_dir_select_algorithm least-load
ie_refresh off
> Mit freundlichen Grüßen / regards
> Werner Rost
>
> ---------------------------------------------------------------------
> ZF Boge GmbH
> Werner Rost
> IT
> Friesdorfer Str. 175
> D-53175 Bonn
>
>
> phone: +49/228/3825 420
> fax: +49/228/3825 398
> werner.rost@zfboge.com
>
> www.boge-vibrationcontrol.com
> ---------------------------------------------------------------------
>
> -----Ursprüngliche Nachricht-----
> Von: Henrik Nordstrom [mailto:hno@marasystems.com]
> Gesendet am: Dienstag, 23. April 2002 16:48
> An: Rost, Werner
> Cc: 'squid-users@squid-cache.org'
> Betreff: Re: AW: AW: [squid-users] Need help
>
> What do your http_access rules look like?
>
> When this happens http_access continues on the next line as
> if the user was
> not in the list of allowed users.
>
> Regards
> Henrik
>
>
> Rost, Werner wrote:
> > More info: There are warning messages in cache.log, but 1
> user is able to
> > log on to squid at 2 different IPs. This should be rejected
> by the entries
> > "authenticate_ip_ttl = 90 seconds" and
> "authenticate_ip_ttl_is_strict on"
> > in squid.conf
> >
> > cache.log shows:
> >
> > 2002/04/23 13:02:20| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:20| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:20| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:20| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:21| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:21| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> > 2002/04/23 13:02:21| aclMatchProxyAuth: user 'schul_2'
> tries to use multple
> > IP addresses!
> >
> >
> >
> > access.log shows:
> >
> > Tue Apr 23 13:02:15 2002 2323 192.125.128.156
> TCP_MISS/200 1760 GET
> > http://www.google.de/ schul_2
> DEFAULT_PARENT/proxy4.mannesmann.de text/html
> > Tue Apr 23 13:02:15 2002 552 192.125.128.156
> TCP_MISS/200 1331 GET
> > http://www.google.com/search? schul_2
> DEFAULT_PARENT/proxy4.mannesmann.de
> > text/xml
> > Tue Apr 23 13:02:20 2002 125 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/ schul_2 NONE/- text/html
> > Tue Apr 23 13:02:20 2002 95 192.125.129.84
> TCP_IMS_HIT/304 206 GET
> > http://www.aldi.de/2_zubeh/menu_n.htm schul_2 NONE/- text/html
> > Tue Apr 23 13:02:21 2002 68 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/2_zubeh/start01.htm schul_2 NONE/- text/html
> > Tue Apr 23 13:02:21 2002 68 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/2_zubeh/menu_s.htm schul_2 NONE/- text/html
> > Tue Apr 23 13:02:21 2002 61 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/1_symb/logo_n.gif schul_2 NONE/- image/gif
> > Tue Apr 23 13:02:21 2002 18 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/1_symb/klar.gif schul_2 NONE/- image/gif
> > Tue Apr 23 13:02:21 2002 165 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/1_symb/rot.gif schul_2 NONE/- image/gif
> > Tue Apr 23 13:02:21 2002 165 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/1_symb/neu.gif schul_2 NONE/- image/gif
> > Tue Apr 23 13:02:21 2002 101 192.125.129.84
> TCP_IMS_HIT/304 205 GET
> > http://www.aldi.de/1_symb/i1_02.gif schul_2 NONE/- image/gif
> >
> > User schul_2 surfes "google" at ip 192.125.128.156
> > At the same time schul_2 surfs "www.aldi.de" at 192.125.129.84.
> >
> > Authentication: smb_auth - requesting a WIN NT4 PDC.
> >
> > > Mit freundlichen Grüßen / regards
> > > Werner Rost
> > >
> > >
> ---------------------------------------------------------------------
> > > ZF Boge GmbH
> > > Werner Rost
> > > IT
> > > Friesdorfer Str. 175
> > > D-53175 Bonn
> > >
> > >
> > > phone: +49/228/3825 420
> > > fax: +49/228/3825 398
> > > werner.rost@zfboge.com
> > >
> > > www.boge-vibrationcontrol.com
> > >
> ---------------------------------------------------------------------
> > >
> > >
> > >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Henrik Nordstrom [mailto:hno@marasystems.com]
> > > Gesendet am: Dienstag, 23. April 2002 12:02
> > > An: Rost, Werner; 'Henrik Nordstrom'
> > > Cc: squid-users@squid-cache.org
> > > Betreff: Re: AW: [squid-users] Need help
> > >
> > > And what do you have in access.log?
> > >
> > > Regards
> > > Henrik
> > >
> > > Rost, Werner wrote:
> > > > That does not work for me.
> > > >
> > > > Our environment: SQUID 2.4 Stable 3
> > > > Internet Explorer 5.5
> > > >
> > > > Entries in squid.conf:
> > > >
> > > > authenticate_ip_ttl 90 seconds
> > > > authenticate_ip_ttl_is_strict on
> > > >
> > > >
> > > > YES, I restarted squid after changing squid.conf.
> > > >
> > > > > Mit freundlichen Grüßen / regards
> > > > > Werner Rost
> > >
> > >
> ---------------------------------------------------------------------
> > >
> > > > > ZF Boge GmbH
> > > > > Werner Rost
> > > > > IT
> > > > > Friesdorfer Str. 175
> > > > > D-53175 Bonn
> > > > >
> > > > >
> > > > > phone: +49/228/3825 420
> > > > > fax: +49/228/3825 398
> > > > > werner.rost@zfboge.com
> > > > >
> > > > > www.boge-vibrationcontrol.com
> > >
> > >
> ---------------------------------------------------------------------
> > >
> > > > > -----Ursprüngliche Nachricht-----
> > > > > Von: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > > > Gesendet am: Dienstag, 23. April 2002 10:16
> > > > > An: Vaibhav Gupta
> > > > > Cc: Boosten, Peter; squid-users@squid-cache.org
> > > > > Betreff: Re: [squid-users] Need help
> > > > >
> > > > > Vaibhav Gupta wrote:
> > > > > > I have configured this option as
> > > > > >
> > > > > > authenticate_ip_ttl 5
> > > > > >
> > > > > > but still I am able to access the net from two machines
> > > > >
> > > > > using same username.
> > > > >
> > > > > See also authenticate_ip_ttl_is_strict. The exact result
> > >
> > > without it
> > >
> > > > > depends a little on the browser used..
> > > > >
> > > > > Regards
> > > > > Henrik
> > > > >
> > > > >
> > > > > ---------------------------------------------------------
> > > > > This Mail has been checked for Viruses
> > > > > Attention: Encrypted mails can NOT be checked!
> > > > >
> > > > > **
> > > > >
> > > > > Diese Mail wurde auf Viren geprueft
> > > > > Hinweis: Verschluesselte mails koennen NICHT auf Viren
> > > > > geprueft werden!
> > > > > ---------------------------------------------------------
> > > >
> > > > ---------------------------------------------------------
> > > > This Mail has been checked for Viruses
> > > > Attention: Encrypted mails can NOT be checked!
> > > >
> > > > **
> > > >
> > > > Diese Mail wurde auf Viren geprueft
> > > > Hinweis: Verschluesselte mails koennen NICHT auf Viren
> > >
> > > geprueft werden!
> > >
> > > > ---------------------------------------------------------
> > >
> > > ---------------------------------------------------------
> > > This Mail has been checked for Viruses
> > > Attention: Encrypted mails can NOT be checked!
> > >
> > > **
> > >
> > > Diese Mail wurde auf Viren geprueft
> > > Hinweis: Verschluesselte mails koennen NICHT auf Viren
> > > geprueft werden!
> > > ---------------------------------------------------------
> >
> > ---------------------------------------------------------
> > This Mail has been checked for Viruses
> > Attention: Encrypted mails can NOT be checked!
> >
> > **
> >
> > Diese Mail wurde auf Viren geprueft
> > Hinweis: Verschluesselte mails koennen NICHT auf Viren
> geprueft werden!
> > ---------------------------------------------------------
>
>
> ---------------------------------------------------------
> This Mail has been checked for Viruses
> Attention: Encrypted mails can NOT be checked!
>
> **
>
> Diese Mail wurde auf Viren geprueft
> Hinweis: Verschluesselte mails koennen NICHT auf Viren
> geprueft werden!
> ---------------------------------------------------------
>
---------------------------------------------------------
This Mail has been checked for Viruses
Attention: Encrypted mails can NOT be checked!
**
Diese Mail wurde auf Viren geprueft
Hinweis: Verschluesselte mails koennen NICHT auf Viren geprueft werden!
---------------------------------------------------------
Received on Tue Apr 23 2002 - 09:05:48 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:39 MST
