Blocking HTTP tunnel in squid proxy 2.5 Post: 302296647

6 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

squid proxy and apache servers

hi. pardon my noob question id just like to have a quick answer. i am planning to install a jabber webclient and a jabber server in our apache server. my boss said this wouldnt work because squid filters port 5222 connections (jabber). i told him we can simply 'unfilter' the port then but he said...

2. Infrastructure Monitoring

Blocking File Uploads with Squid

Dear All I want to block email attachments upload on internet through different mail servers. My requirement is that no user can send email attachments on yahoo, hotmail, gmail etc. I have RHEL-5 and squid 2.7. I have applied the undermentioned ACL but it in vain ACL is acl fileupload...

3. UNIX for Advanced & Expert Users

Setup a Reverse Proxy on Squid

Hi all, The scenario is: http://img834.imageshack.us/img834/7990/1234z.jpg - With: + 192.168.100.0/24 : internet link (simulation) + Multiple Websites are hosting in local. + Complete DNS configuration. + OS: CentOS 5 - Requirements: Configure Squid Proxy as...

4. IP Networking

SQUID Proxy server configuration

Can any one direct me to the resources where I can find in-depth instructions on Squid Proxy server and its configuration? Thanks in advance.:)

5. IP Networking

Blocking sites with squid

Hi i have created a proxy with squid and i need to block all domains of yahoo let's say . i have to configure squid.conf but idk how..

6. IP Networking

http over ssh tunnel using multiple hops

Hello, I got an application on a linux server that I would like to access using https and a URL. I would like to create a ssh tunnel. But, let's say the app is on box C, but box C can only be accessed through box B, that can be accessed only through box A. I would like to create the ssh tunnel...

LEARN ABOUT CENTOS

negotiate_kerberos_auth

negotiate_kerberos_auth(8)				      System Manager's Manual					negotiate_kerberos_auth(8)

NAME

       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq

SYNOPSIS

       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]

DESCRIPTION

       negotiate_kerberos_auth is an installed binary and allows Squid to authenticate users via the Negotiate protocol and Kerberos.

OPTIONS

       -h	   Display the binary help and command line syntax info using stderr.

       -d	   Write debug messages to stderr.

       -i	   Write informational messages to stderr.

       -r	   Remove realm from username before returning the username to squid.

       -s Service-Principal-name
		   Provide Service Principal Name.

CONFIGURATION

       This helper is intended to be used as an authentication helper in squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add  the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The fqdn must be the proxy name set in IE or firefox. You can not use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME

       If you use a different Kerberos domain than the machine itself is in you can point squid to the seperate Kerberos config  file  by  setting
       the following environmnet variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG

       Kerberos  can  keep a replay cache to detect the reuse of Kerberos tickets (usually only possible in a 5 minute window) . If squid is under
       high load with Negotiate(Kerberos) proxy authentication requests the replay cache checks can create high CPU load. If the environment  does
       not  require  high  security  the  replay cache check can be disabled for MIT based Kerberos implementations by adding the following to the
       startup script

       KRB5RCACHETYPE=none export KRB5RCACHETYPE

       If negotiate_kerberos_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms add a  HTTP/fqdn@REALM  service  principal  per  realm  to  the  HTTP.keytab  file  and  use  the	-s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.

AUTHOR

       This program was written by Markus Moeller <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller <markus_moeller@compuserve.com>

COPYRIGHT

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).

QUESTIONS

       Questions on the usage of this program can be sent to the Squid Users mailing list <squid-users@squid-cache.org>

REPORTING BUGS

       Bug reports need to be made in English.	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with
       your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list <squid-dev@squid-cache.org>

SEE ALSO

       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/ http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

															negotiate_kerberos_auth(8)