Differences between revisions 11 and 12

Squid web proxy

Links: linux/tinyproxy

2022 rate-limit certain clients through Squid 🐙🦑

https://www.serverwatch.com/guides/reining-in-bandwidth-with-squid-proxying/
Config settings (class 1 , shared by all)
- delay_pools 1 ## Number of pools
- delay_class 1 1 ## pool_count class_ type
- # 256 Kbit/s fill rate, 1024 Kbit/s reserve
- delay_parameters 1 32000/128000 ## pool_coumt Rate_kB/s
- acl All src 0/0
- delay_access 1 allow All
Config settings (class 2 , individual maxs kB/s)
- delay_pools 1 ## Number of pools
- delay_class 1 2 ## pool_count class_type
- # 256 Kbit/s fill rate, 1024 Kbit/s reserve, 64 per ip
- delay_parameters 1 32000/128000 8000/8000 ## pool_count Total_kB/s Indiv_kB/s
- acl All src 0/0
- delay_access 1 allow All

2022 - NTLM bad idea now

Update from AWS support for NTLM authentication not supported through loadbalancer.

The specific issue with NTLM and HTTP reverse proxies like ALB is that IIS processes the NTLM authentication and applies it to the TCP connection that the HTTP request came over. ALB re-uses these TCP connections to targets for requests from multiple clients. Since the backend target (IIS) has now authenticated a TCP connection for a user, the next request (possibly from a different user) will be considered authenticated as the original user. NTLM is outdated and should be avoided. 

You can use Kerberos authentication to essentially perform what Windows authentication does

2009

My goal is to keep notes on how to enable Windows AD authentication on Squid3.x
http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

I joined the domain using "net rpc join -S PDC -U Administrator" # wbinfo -t > checking the trust secret via RPC calls succeeded > # wbinfo -u # wbinfo -g

http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/

Not tested

#auth_param negotiate program /usr/local/squid/bin/ntlm_auth --helper-protocol=gs
s-spnego

domain=> [domain] auth_param ntlm program /usr/lib/squid3/ntlm_auth -d domain/serv1 domain/serv2

acl Ip_Block_Range url_regex [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:443
http_access deny Ip_Block_Range

Since FTP uses numeric IPs the Skype ACL must be exact including the port.

# Skype
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
acl Skype_UA browser ^skype^
http_access deny numeric_IPS
http_access deny Skype_UA

...

CategoryLinux

-  ⇤ ← Revision 11 as of 2022-05-05 19:24:50 → 
  Size: 2322
  Editor: PieterSmit
  Comment:
+   ← Revision 12 as of 2022-05-05 19:32:03 → ⇥
  Size: 2687
  Editor: PieterSmit
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 9:
- * Config settings
+ * Config settings (class 1 , shared by all)
 Line 14:
+   * acl All src 0/0
   * delay_access 1 allow All

 * Config settings (class 2 , individual maxs kB/s)
   * delay_pools 1 ## Number of pools
   * delay_class 1 2 ## pool_count class_type
   * # 256 Kbit/s fill rate, 1024 Kbit/s reserve, 64 per ip
   * delay_parameters 1 32000/128000 8000/8000 ## pool_count Total_kB/s Indiv_kB/s