[squid-users] Linux Noob - Squid Config

Amos Jeffries squid3 at treenet.co.nz
Tue May 7 17:59:57 UTC 2024


On 7/05/24 07:59, Piana, Josh wrote:
> Amos,
> 
> You raise a good point about Kerberos! I was not aware that Squid supported this method. Yes - I think we would preferably use this method, especially because this looks like it's much easier to setup and still checks all the boxes we need for security purposes.
> 
> With that being said, without using NTLM, can we bypass using Samba? We would rather not rely on that resource if possible.
> 

I'm not sure how much of Samba need to be setup to use the NTLM helper. 
It has been a while since I used it.


> In regards to your responses to all of the lines of code, I'll be going through that seperately and will get back to you if I have any more questions with it. After installing Squid, moving over and updating the old config, and adjusting the parameters you mentioned below, what else is there to do to finish setting up this server? I'm not entirely sure if Apache is needed anymore either. This would simplify and modernize our processes a great deal if this can be remopved as well.
> 

There is no sign in the squid.conf as to what Apache was being used for.
So that and any other services the old machine had going will still need 
your attention, but they are not related to Squid.


Cheers
Amos


> - Josh
> 
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
> Sent: Monday, May 6, 2024 12:59 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Linux Noob - Squid Config
> 
> Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> 
> 
> [ please keep responses on-list to assist any others who encounter the same issues in future ]
> 
> On 4/05/24 08:51, Piana, Josh wrote:
>> Hey Amos,
>>
>> Thank you so much for getting back to me so quickly!
>>
>> To answer your question about NTLM, I meant to say NTLMv2. We're trying to become compliant with newer security standards and this old box in depersate need of some love and updating.
>>
> 
> 
> Hmm. My question was more aiming as a yes/no answer.
> 
> Squid can certainly still support NTLM. But if possible going to just Negotiate/Kerberos auth would be a simpler config.
> 
> The /usr/bin/ntlm_auth authenticator you have been using is provided by Samba. So you will need to have Samba installed (yum install samba) and configured the same (or equivalent for its upgrade) as before Squid authentication is usable.
> 
> FYI; Modern Squid start helpers only as-needed. Meaning Squid will startup and run fine without a working auth helper ... until the point where a helper lookup is needed. So you can test Squid with some trivial requests before needing Samba fully working.
> 
> 
>> --------------------------------------------------------------
>> Current squid.conf file Output:
>>
>> max_filedesc 4096
> 
> 
> I advise changing this to at least:
> 
>     max_filedescriptors 65536
> 
> Why? Modern web pages can cause clients to open up to a hundred connections to various servers to display a single web page. Each client of those connection consumes 3-4 file descriptors.
> 
> You will also need to check the OS limitation to ensure
> 
> 
>> cache_mgr itadmin at ...
>> cache_effective_user squid
>> cache_effective_group squid
>> coredump_dir /opt/squid/var
>> pid_filename /var/run/squid.pid
>> shutdown_lifetime 5 seconds
>> error_directory /usr/local/share/squid/errors/English_CUSTOM
> 
> 
> Check what customizations have been done to the files inside that directory.
> 
> If it is just the new templates for the deny_info lines later in your config; then you can copy those templates to the new machine.
> And create symlnks from the
> 
> I suggest placing the custom error templates in a directory such as /etc/squid/errors/ and a symlink from the /usr/local/share/squid/errors/templates/ directory (or wherever the templates are put by yum install).
>    [ This way upgrades that change the default templates will not erase your ones. At worst you should only have to re-create the symlinks manually. ]
> 
> (If you need it; to learn how to create symlinks type "man ln".)
> 
> 
>> logfile_rotate 0
>> debug_options ALL,1
> 
> You can remove the above line. It is a default setting.
> 
> 
>> buffered_logs on > cache_log /var/log/squid/general> cache_access_log
>> /var/log/squid/access
> 
> 
> The above two lines should be more like:
> 
>     cache_log /var/log/squid/cache.log
>     access_log daemon:/var/log/squid/access.log
> 
> 
>> cache_store_log none
>> log_mime_hdrs off
> 
> The above two lines can be removed. They are default settings.
> 
> 
>> log_fqdn off
> 
> Remove this line. It is not supported in modern Squid.
> 
> 
>> strip_query_terms off
>> http_port 10.46.11.20:8080
>> http_port 127.0.0.1:3128
>> icp_port 0
> 
> The above line can be removed. It is a default setting.
> 
> 
>> forwarded_for off
> 
> Change that "off" to;
>    * "delete" for complete removal of the header), or
>    * "transparent" for Squid to not add the header.
> 
> 
>> ftp_user anonftpuser at ...
>> ftp_list_width 32
>> ftp_passive on
>> connect_timeout 30 seconds
>> peer_connect_timeout 20 seconds
>> read_timeout 2 minutes
>> request_timeout 2 minutes
>> persistent_request_timeout 30 seconds
>> cache_dir ufs /var/cache/squid/ufs/squid 16000 64 64
>> cache_replacement_policy heap LFUDA memory_replacement_policy lru
>> cache_mem 200 MB maximum_object_size 32 MB
>> maximum_object_size_in_memory 128 KB quick_abort_min 16 KB
>> quick_abort_max 1 MB quick_abort_pct 90 range_offset_limit 64 KB acl
>> no_cache_url url_regex -i "/etc/squid/no_cache_url"
>> cache deny no_cache_url
> 
> Modern Squid define a set of "refresh_pattern" to fixup messages cacheability inline with HTTP/1.1 caching requirements.
> 
> Please add these lines:
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> 
> 
>> acl blows_chunks dstdomain .blr.com
>> header_access Accept-Encoding deny blows_chunks
> 
> This is something to look into. Be aware of how exactly that server is broken when it receives "Accept-Encoding" headers.
> 
> The old Squid only supported HTTP/1.0. Your new Squid supports HTTP/1.1 which may work better with whatever that server was doing to be considered bad.
> 
> 
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic auth_param basic children 5
>> auth_param basic realm "..."
>> auth_param basic credentialsttl 2 hours acl authenticated proxy_auth
>> REQUIRED acl all src 0.0.0.0/0.0.0.0
> 
> Remove the above line. The "all" ACL is now built-in.
> 
> 
>> acl src_self src 127.0.0.0/255.0.0.0
>> acl src_self src 10.46.11.20
> 
> Modern Squid provide these as a built-in "localhost" ACL.
> 
> To add the machines global IP address as part of localhost, replace the above two lines with:
>     acl localhost src 10.46.11.20/32
> 
> Then replace all uses of "src_self" with "localhost".
> 
> 
>> acl dst_self dst 127.0.0.0/255.0.0.0
>> acl dst_self dst 10.46.11.20
> 
> 
> Modern Squid provide these as a built-in "to_localhost" ACL.
> 
> To add the machines global IP address as part of localhost, replace the above two lines with:
>     acl to_localhost dst 10.46.11.20/32
> 
> Then replace all uses of "dst_self" with "to_localhost".
> 
> 
>> acl from_arc src 10.0.0.0/255.255.0.0
>> acl from_arc src 10.46.0.0/255.254.0.0 acl local_dst_addr dst
>> 10.0.0.0/255.0.0.0
> 
> FYI; while the above is acceptible to Squid. Prefer writing those as CIDR masks instead of NetMask syntax.
> 
>    eg.  10.0.0.0/8
> 
> 
>> acl local_dst_addr dst bldg3.*.com.
>> acl local_dst_addr dst bldg5.*.com.
>> acl local_dst_dom dstdomain arcgate
> 
> The above is not a domain name, nor wildcard domain.
> 
> FYI; Squid will attempt to apply a domain search using the "domain" or "search" as configured in /etc/resolv.conf and resolve arcgate.* in DNS.
> 
> 
>> acl proto_FTP proto FTP
>> acl proto_HTTP proto HTTP
>> acl http_ports port 80
>> acl http_ports port 81
>> acl http_ports port 82
>> acl http_ports port 807
>> acl http_ports port 8000
>> acl http_ports port 8001
>> acl http_ports port 8080
>> acl http_ports port 8081
>> acl http_ports port 9000
>> acl ssl_ports port 443
>> acl ssl_ports port 818
>> acl ssl_ports port 4435
>> acl ssl_ports port 9571
>> acl ssl_ports port 9030
>> acl ssl_ports port 4502
>> acl ssl_ports port 8080
>> acl ssl_ports port 8081
>> acl ssh_ports port 22 1776 8217
>> acl ftp_ports port 21
>> acl method_CONNECT method CONNECT
> 
> The "CONNECT" ACL is provided as a built-in.
> 
> Replace all uses of "method_CONNECT" with just "CONNECT" and remove the above line.
> 
> 
>> acl methods_std method GET HEAD POST PUT DELETE acl methods_std method
>> TRACE OPTIONS acl purge method PURGE http_access allow purge src_self
>> http_access deny purge
> 
> This purge is something to consider carefully. You should not need to ever use it on a properly working cache that obeys HTTP standard.
> 
> If possible prefer to remove the http_access and acl lines relating to the curstom "PURGE" method. This allows modern Squid to improve performance by not tracking a lot of things.
> 
> 
>> acl cache_manager proto cache_object
> 
> The "manager" ACL is provided as built-in by modern Squids, and has a different definition for the latest access mechanism(s).
> 
> Replace all uses of "cache_manager" with "manager" and remove the above line.
> 
> 
>> cachemgr_passwd disabled shutdown offline_toggle cachemgr_passwd none
>> all
> 
>> http_access allow cache_manager src_self http_access deny
>> cache_manager
> 
> Per earlier change requests this should become:
> 
>    http_access allow manager localhost
>    http_access deny manager
> 
> 
>> http_access deny dst_self
>> http_access deny src_self
> 
> 
> Per earlier change requests this should become:
> 
>    http_access deny localhost
>    http_access deny to_localhost
> 
>> http_access deny !from_arc
> 
>> http_access       allow local_dst_dom
>> http_reply_access allow local_dst_dom
> 
>> http_access       allow local_dst_addr
>> http_reply_access allow local_dst_addr
> 
>> acl authless_src src "/etc/squid/authless_src"
>> http_access       allow authless_src
>> http_reply_access allow authless_src
> 
>> acl authless_dst dstdomain "/etc/squid/authless_dst"
>> http_access       allow authless_dst
>> http_reply_access allow authless_dst
> 
>> acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
>> http_access deny bad_domains_preauth
> 
>> http_access deny !authenticated
> 
>> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
>> http_access deny block_user
> 
>> acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
>> acl exec_files url_regex -i "/etc/squid/exec_files"
>> acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
>> http_access deny !bad_exception_urls !exec_users exec_files deny_info
>> ERR_BLOCK_TYPE exec_files
> 
>> acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
>> acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
>> http_access       allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
>> http_reply_access allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
> 
>> http_access       allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users
>> http_reply_access allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users
> 
>> acl bad_domains dstdomain "/etc/squid/bad_domains"
>> http_access deny !bad_exception_urls bad_domains
>> deny_info ERR_BLOCK_DST       bad_domains
> 
>> acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
>> http_access deny !bad_exception_urls bad_domains_regex
>> deny_info ERR_BLOCK_DST       bad_domains_regex
> 
>> acl bad_urls url_regex -i "/etc/squid/bad_urls"
>> http_access deny !bad_exception_urls bad_urls
>> deny_info ERR_BLOCK_DST       bad_urls
> 
>> acl bad_files urlpath_regex -i "/etc/squid/bad_files"
>> http_access deny !bad_exception_urls bad_files deny_info
>> ERR_BLOCK_TYPE bad_files
> 
>> acl bad_types rep_mime_type -i "/etc/squid/bad_types"
>> http_reply_access deny bad_types !bad_exception_urls deny_info
>> ERR_BLOCK_TYPE bad_types
> 
>> acl fsoguest_user proxy_auth_regex -i fsoguest acl fsoguest_dst
>> dstdomain .opm.gov acl fsoguest_dst dstdomain .google-analytics.com
>> acl fsoguest_dst dstdomain pki.google.com acl fsoguest_dst dstdomain
>> ajax.googleapis.com acl fsoguest_dst dstdomain fonts.googleapis.com
>> acl fsoguest_dst dstdomain html5shiv.googlecode.com acl fsoguest_dst
>> dstdomain fonts.gstatic.com acl fsoguest_dst dstdomain
>> clients1.google.com acl fsoguest_dst dstdomain ajax.microsoft.com acl
>> fsoguest_dst dstdomain ajax.aspnetcdn.com acl fsoguest_dst dstdomain
>> .geotrust.com acl fsoguest_dst dstdomain .akamaihd.net acl
>> fsoguest_dst dstdomain symcd.com http_access allow methods_std
>> proto_HTTP http_ports fsoguest_dst fsoguest_user
>> http_access allow method_CONNECT         ssl_ports  fsoguest_dst fsoguest_user
>> http_access deny fsoguest_user
> 
>> http_access allow http_ports proto_HTTP methods_std
> 
>> acl ssh_users proxy_auth -i PCADMIN
>> acl ssh_users proxy_auth -i BSCOTT
>> http_access allow method_CONNECT ssh_ports ssh_users
> 
>> acl ssh_dst dst vthm.com
>> http_access allow method_CONNECT ssh_ports ssh_dst
> 
>> acl ftp_dst dst
>> http://www.a/
>> rc-tech.com%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7C69861412949747
>> 94b68b08dc6deddb54%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C638506
>> 115567977267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luM
>> zIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Rj6hxBCYCNqITDlpJ
>> QiS%2B8TlfOX6z6DbmVNOfHeD7sU%3D&reserved=0
> 
> I hoep that above line is a typo. A full URL is not valid for a "dst"
> ACL type.
> 
> The "dst" ACL values can be;
>    * a raw-IP, or
>    * a CIDR range, or
>    * a NetMask range (eg A-B/mask), or
>    * a hostname which is resolvable in DNS at Squid startup/reconfigure time.
> 
> 
>> acl ftp_dst dst ftp.telemeter.de
>> acl ftp_dst dst ftp.lucasindustries.com acl ftp_dst dst
>> ftp-upload.trendmicro.com http_access allow method_CONNECT ftp_dst
>> http_access allow method_CONNECT ssl_ports http_access deny
>> method_CONNECT
> 
>> http_access allow ftp_ports proto_FTP
>> http_access deny all
>> http_reply_access allow all
>>
> 
> 
> After making the above adjustments with Squid installed you should be aboe to run the command "squid -k parse -f /etc/squid/squid.conf.old" to see what the new Squid thinks of the old configuration.
> 
> Any "ERROR" lines that are displayed by by that command will need fixing before you can use Squid.
> 
> Any "WARNING" or "NOTICE" or "UPGRADE" are things that should be looked into fixing. But not urgent enough to make Squid unusable.
> 
> 
> You may need to run "squid -z -f /etc/squid/squid.conf.old" to create the cache directory.
> 
> 
> When that is fine you can move the /etc/squid/squid.conf.old to replace the /etc/squid/squid.conf and use the OS method for starting Squid.
> 
> Which for RHEL 9 I believe should be:
>      service squid start
> 
> 
> ... then start testing that what Squid does actually meets your expectations.
> 
> 
> HTH
> Amos
> 
> 
> 
> 
>> --------------------------------------------------------------
>>
>> Current Box squid -v Output:
>>
>> Squid Cache: Version 2.6.STABLE21
>>
>> configure options:  '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2 -fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'
>>
>> --------------------------------------------------------------
>>
>> New Box squid -v Output:
>>
>> Squid Cache: Version 5.5
>> Service Name: squid
>>
>> This binary uses OpenSSL 3.0.7 1 Nov 2022. For legal restrictions on
>> distribution see
>> https://www/.
>> openssl.org%2Fsource%2Flicense.html&data=05%7C02%7Cjosh.piana%40hexcel
>> .com%7C6986141294974794b68b08dc6deddb54%7C4248050df19546d5ac9c0c7c52b0
>> 4cae%7C0%7C0%7C638506115567977267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4w
>> LjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sd
>> ata=SYACR6XE7IVCwGsCWdigcKjas80B5luo%2BHi8F6s5SFo%3D&reserved=0
>>
>> configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators' '--disable-strict-error-checking' '--with-swapdir=/var/spool/squid' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:'
>>
>> --------------------------------------------------------------
>>
>> -----Original Message-----
>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On
>> Behalf Of Amos Jeffries
>> Sent: Friday, May 3, 2024 4:21 PM
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] Linux Noob - Squid Config
>>
>> [You don't often get email from squid3 at treenet.co.nz. Learn why this
>> is important at https://aka.ms/LearnAboutSenderIdentification ]
>>
>> Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>> On 4/05/24 07:59, Piana, Josh wrote:
>>> Hey Everyone.
>>>
>>> I apologize in advance for any lack of formality normally shared on
>>> mailing lists such as these, it’s my first time seeking product
>>> support in this manner.
>>>
>>
>> NO need to apologize. Help and questions is most of what we do here
>> :-)
>>
>>
>>> I want to start by saying that I’m new to Linux, been using Windows
>>> environments my entire life. Such is the reason for me reaching out
>>> to you all.
>>>
>>> I have been tasked with modernizing a Squid box and feel very
>>> overwhelmed, to say the least.
>>>
>>> Current Setup:
>>>
>>> èCentOS 5.0
>>>
>>> èSquid 2.3
>>>
>>> èApache 2.0.46
>>>
>>> èSamba 3.0.9
>>>
>>> Desired Setup:
>>>
>>> èRHEL 9.2 OS
>>>
>>> èNeeds to qualify for NTLM authentication
>>>
>>
>> Hmm, does it *have* to be NTLM? that auth protocol was deprecated in 2006.
>>
>>
>>> èWould like to remove legacy apps/services
>>>
>>> èContinue to authenticate outgoing communication via AD
>>>
>>> My question is, how do I get all of these services/apps to work
>>> together? Do I just install the newest versions of each and migrate
>>> the existing config files?
>>>
>>> I was hoping for a better understanding on how all of these work
>>> together and exactly how to configure or edit these as needed. I’ve
>>> gotten as far as installing RHEL 9.2 on a fresh VM Server and trying
>>> as best as I can to learn the basics on Linux and just the general
>>> operation of a Linux ran environment. It feels like trying to ride a
>>> bike with box wheels.
>>>
>>
>>
>> The installation of a basic Squid service for RHEL is easy.
>> Just open a terminal and enter this command:
>>
>>       yum install squid
>>
>>
>> The next part is going over your old Squid configuration to see how much of it remains necessary or can be updated. It would be useful for the next steps to copy it to the RHEL machine as /etc/squid/squid.conf.old .
>>
>> You can likely find it on the CentOS machine at /etc/squid/squid.conf or /usr/share/squid/etc/squid.conf depending on how that Squid was built.
>>
>>
>> If you are able to paste the contents of that file (without the '#'
>> comment or empty lines) here, we can assist with getting the new Squid doing the same or equivalent actions.
>>
>>
>> Also please paste the output of "squid -v" run on both the old CentOS machine and on the new RHEL.
>>
>>
>> Cheers
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://list/
>> s.squid-cache.org%2Flistinfo%2Fsquid-users&data=05%7C02%7Cjosh.piana%4
>> 0hexcel.com%7C6986141294974794b68b08dc6deddb54%7C4248050df19546d5ac9c0
>> c7c52b04cae%7C0%7C0%7C638506115567977267%7CUnknown%7CTWFpbGZsb3d8eyJWI
>> joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7
>> C%7C&sdata=tm3ZL54tYg9GI5l1LlqjR9vQN8o%2BRcjshffEoKxMH%2FA%3D&reserved
>> =0
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users


More information about the squid-users mailing list