##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= Squid web proxy =
 * Links: [[linux/tinyproxy]]
== 2022 rate-limit certain clients through Squid 🐙🦑 ==
 * https://www.serverwatch.com/guides/reining-in-bandwidth-with-squid-proxying/
 * Config settings (class 1 , shared by all)
   * delay_pools 1 ## Number of pools
   * delay_class 1 1 ## pool_count class_ type
   * # 256 Kbit/s fill rate, 1024 Kbit/s reserve
   * delay_parameters 1 32000/128000 ## pool_coumt Rate_kB/s
   * acl All src 0/0
   * delay_access 1 allow All

 * Config settings (class 2 , individual maxs kB/s)
   * delay_pools 1 ## Number of pools
   * delay_class 1 2 ## pool_count class_type
   * # 256 Kbit/s fill rate, 1024 Kbit/s reserve, 64 per ip
   * delay_parameters 1 32000/128000 8000/8000 ## pool_count Total_kB/s Indiv_kB/s
   * acl All src 0/0
   * delay_access 1 allow All


== 2022 - NTLM bad idea now ==
 * Update from AWS support for NTLM authentication not supported through loadbalancer. {{{
The specific issue with NTLM and HTTP reverse proxies like ALB is that IIS processes the NTLM authentication and applies it to the TCP connection that the HTTP request came over. ALB re-uses these TCP connections to targets for requests from multiple clients. Since the backend target (IIS) has now authenticated a TCP connection for a user, the next request (possibly from a different user) will be considered authenticated as the original user. NTLM is outdated and should be avoided. 

You can use Kerberos authentication to essentially perform what Windows authentication does
}}}

== 2009 ==
 * My goal is to keep notes on how to enable Windows AD authentication on Squid3.x
 * http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

I joined the domain using "net rpc join -S PDC -U Administrator"
# wbinfo -t
> checking the trust secret via RPC calls succeeded
> 
# wbinfo -u
# wbinfo -g

http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/

 Not tested
 {{{ 
#auth_param negotiate program /usr/local/squid/bin/ntlm_auth --helper-protocol=gs
s-spnego
}}}
domain=> [domain]
auth_param ntlm program /usr/lib/squid3/ntlm_auth -d domain/serv1 domain/serv2

{{{
acl Ip_Block_Range url_regex [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:443
http_access deny Ip_Block_Range
}}}
<!> Since FTP uses numeric IPs the Skype ACL must be exact including the port.
{{{
# Skype
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
acl Skype_UA browser ^skype^
http_access deny numeric_IPS
http_access deny Skype_UA
}}}
...
----
CategoryLinux