Re: [squid-users] Some problem about use squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Dec 2013 04:14:06 +1300

On 16/12/2013 3:01 a.m., huang.zhenxing wrote:
> Dear everyone:
> Our gateway's OS is CentOS 6.4 x64, kernel: 3.9.11, and the Squid version is
> 3.4.1
> network : 2003AD----|-----gateway----internet---
> client-|
> -----------------------------------------------------------------------------
> first:
> Now, our test using TPROXY succeeded;
> and our test using AD NTLM auth, by setting the proxy in the client browser,
> succeeded too.
>
> We want to use TPROXY + AD NTLM auth and *not need* to set the browser
> proxy.
> How do we do it?

Not possible.
* TPROXY prohibits the browser being aware of the proxy's existence.
* Web browser security prohibits sending _proxy_ credentials to external
web servers even if they request credentials.
* TPROXY is a MITM attack on the clients' traffic. You want your clients
to send their login credentials to any MITM attacker when it asks?

<http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F>

> -----------------------------------------------------------------------------
> second :
> How do we set NO cache?
> Now our setting is: cache_dir ufs /path/squid 100 16 256 no-store
> (right?)

1) remove all cache_dir lines from squid.conf.
2) set:
   cache_mem 0
   cache deny all

> -----------------------------------------------------------------------------
> thirdly:
> The access log records *concurrent* requests;
> for example, when we browse a URL abcd.com, it may include
> aa.net/xxx.jpg; bb.com/*; cc.cn etc.
> We very much hope to record only the URLs the client actively opened (clicked).
> How do we do it?

Very, very difficult. HTTP contains no such concept as "click" or even
"user".

What you are asking of the proxy is similar to saying "run this video
camera 24x7 without an operator, but only record if there is a person in
front of it who is smiling."

There are some things you can do which *sort of* get close to what you want:

1) you could log requests where the "Referer" HTTP header is missing.

 acl referer referer_regex .
 access_log daemon:/var/log/squid/access.log squid !referer

 ** this will not catch users clicks within the site, only first arrivals.

 ** this will catch *all* requests if the users' software is configured
not to send the Referer tracking information.

2) you could configure an external ACL with session helper to track
visitors at the proxy and log only requests where the visitor is unknown.

 ** this will not catch users clicks within the site, only first arrivals.

 ** this may miss some users' return visits if they happen within the
session TTL of the previous visit.

 ** this will not track unique visitors if the IP or whatever tracking
indicator chosen is shared by multiple users.
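To make the two heuristics and their blind spots concrete, here is an added offline model in Python (not Squid code, and not from anyone in the thread) run over constructed sample traffic; the session helper is modelled as tracking visitors by client IP with an idle TTL, which is an assumption about how it would be configured.

```python
"""Offline model of the two 'first arrival' logging heuristics.
Squid evaluates these itself via acl/access_log and an external session
ACL; here they are plain functions over constructed sample requests."""
import re

# Constructed sample traffic: (time_s, client_ip, url, Referer header or None)
REQUESTS = [
    (0,   "10.0.0.5", "http://abcd.com/",        None),               # user opens a site
    (1,   "10.0.0.5", "http://aa.net/xxx.jpg",   "http://abcd.com/"), # embedded object
    (2,   "10.0.0.5", "http://bb.com/style.css", "http://abcd.com/"), # embedded object
    (30,  "10.0.0.5", "http://abcd.com/page2",   "http://abcd.com/"), # in-site click
    (400, "10.0.0.5", "http://cc.cn/",           None),               # return after TTL
    (401, "10.0.0.9", "http://abcd.com/",        None),               # another client
    (402, "10.0.0.9", "http://abcd.com/",        None),               # Referer stripped by client
]

REFERER_ANY = re.compile(r".")   # mirrors: acl referer referer_regex .


def log_missing_referer(requests):
    """Heuristic 1: record a request only when it carries no Referer
    (mirrors 'access_log ... squid !referer'). Anything without a Referer
    is logged, including repeat requests from Referer-stripping clients."""
    return [url for _, _, url, ref in requests
            if not (ref and REFERER_ANY.search(ref))]


def log_new_session(requests, ttl=300):
    """Heuristic 2: session-helper model (assumed: keyed by client IP, idle
    TTL in seconds). A request is logged only when its IP is unknown or
    idle longer than ttl; every request refreshes the session, so in-site
    clicks and quick return visits are not logged, and a shared IP looks
    like one visitor."""
    last_seen = {}
    logged = []
    for ts, ip, url, _ in requests:
        if ip not in last_seen or ts - last_seen[ip] > ttl:
            logged.append(url)
        last_seen[ip] = ts
    return logged


if __name__ == "__main__":
    print("no-Referer rule :", log_missing_referer(REQUESTS))
    print("session rule    :", log_new_session(REQUESTS))
```

Neither list contains the in-site click to /page2, and the two rules disagree on the Referer-stripping client at t=402, which is exactly the trade-off described above.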

> -----------------------------------------------------------------------------
> last one :
> How do we record the access log to an MS-SQL server?
> We configured with the option: ...... --enable-log-daemon-helpers="DB,file"
> ......

Set these in squid.conf:
 logfile_daemon /usr/local/squid/libexec/log_db_daemon
 access_log daemon:/host/database/table/username/password

** Replace "/host/database/table/username/password" above with the
details for your ms-sql server, leaving the / characters between each
detail.

** Your Perl installation must have database bindings to connect to
ms-sql via the Perl DBI module.

** the log database must exist before the helper is run. Log table is
optional.

** Helper requires a login with SELECT,INSERT,CREATE privileges.

 The DB helper will attempt to create the logging table with required
fields if none exists assuming the helper login has CREATE privileges to
the database.

 If you do not want to give it CREATE privileges for any reason, you can
run the helper manually with the single command line option
"/host/database/table/username/password" using login details which do
have CREATE privileges. The Squid login will then only need
SELECT,INSERT privileges.

Amos
Received on Sun Dec 15 2013 - 15:14:27 MST