Re: [squid-users] caching apt package lists/Raspbian
Further to this I did find an issue with the iptables loopback and IPv6 which I corrected. It still wasn’t caching the packages.xz from either the local machine or others in the local net. I ended up adding a refresh pattern for .gz and .xz which seems to cache them now. I am using 1440 20% 1440 which I thought was fairly conservative.

MarkJ

> On 21 Jul 2019, at 5:08 pm, TarotApprentice wrote:
>
> It's whatever Raspbian and the router do by default, although I do use an
> iptables firewall. I normally don't see any IPv6 from the other Pis, so maybe
> something to do with localhost and the loopback interface.
>
> Cheers
>
> On Sunday, 21 July 2019, 2:45:59 pm AEST, Amos Jeffries wrote:
>
>> On 21/07/19 4:20 pm, Mark James wrote:
>> Doing an “apt update” on the squid machine got another TCP_MISS_ABORTED for
>> ::1 and then subsequent IPv4 requests from other Pis get the
>> TCP_REQUEST_UNMODIFIED.
>>
>
> That hints that there is something broken in your local network IPv6
> connectivity. Perhaps ICMPv6 is not working properly?
>
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] cache-peer and tls
On 4/08/19 2:11 am, Eugene M. Zheganin wrote:
> Hello,
>
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
>
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
>

Please start with "squid -k parse" and update those to the Squid-4 options. Also, any errors/warnings mentioned about the PEM files contents need to be fixed.

> But no matter what I'm doing, squid keeps telling in logs that he
> doesn't like the peer certificate:
>
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
>
> and then he's going directly bypassing the peer. :/
>
> Is there any way to tell him that I don't care ?
>

You really should care. There is no point in TLS to a peer if you are going to ignore whether the right peer is even being connected to.

Amos
Re: [squid-users] Squid 3.5.27 not caching at all
On 4/08/19 1:18 am, Mohamed Ali Ahmed wrote:
> You have not provided enough information for us to know whether this is
> a problem or testing mistake.
>
> What is this unstated "minimal change" you made that made caching
> suddenly stop working?
>
> The only change i have made is adding NOC ACL and uncommenting the
> cache_dir ufs.
>

Okay.

> What exactly does "visiting the same website over and over again" mean?
> what exact actions did you do?
>
> I expected when i visit a website for the time it will miss and after
> retrieving it that squid will cache it internally. if i visit the same
> website again, squid to read it from the local cache. i was visiting by
> adding a new tab using chrome or visiting from another browser like MS
> edge or IE.
>

Ah. This website uses "Vary: Accept-Encoding" and each web browser supports different types of encoding, or has different preference order for the ones they do share.

So the first request from each browser should be expected to be a MISS. Only the second use by that particular browser can be expected to HIT or REFRESH.

I'm not sure if Chrome new-tab does the same, it should not but maybe.

You can add "debug_options 11,2" to get a cache.log trace of the headers from each test and see if they should have been a MISS, HIT or REFRESH.

> Please do not do that "allow all".
>
> For one thing it makes your NOC ACL pointless, *everybody* is allowed to
> use your proxy for whatever they want to do.
>
> If you did it to debug a caching problem, be aware that http_access has
> nothing to do with cache.
>
> Thank you amos, I have changed to http_access deny all instead of
> http_access allow all
> Please ask me anything else i should share with so that you can help
> me. thank you.
>

The 11,2 debug trace log would help. You may be able to find the problem yourself from that.

> - Pressing refresh, Shift+reload, or CTL+refresh in a browser will
> *force* a MISS - yet comes under the description you gave.
> - some tools send headers to forbid cached contents being delivered by
> default. So cannot be used for this kind of test without special
> options.
>
> So what do you recommend i do in order to check if squid is caching or not?
>

If you need to use a browser, then clicking on the address bar and pressing enter re-fetches that URL without any cache affecting requirements.

Or curl, wget or squidclient tools can be used to test a single URL fetch.

Amos
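The per-browser MISS described in the reply above, as an added example that is not part of the original message and is not Squid's code: a toy cache that keys each stored variant on the literal values of the request headers named in Vary. The class `VaryCache`, the URL and both Accept-Encoding strings are constructed for illustration.

```python
def origin(url, req):
    """Constructed origin server: every response carries Vary: Accept-Encoding."""
    enc = req.get("accept-encoding", "identity")
    return {"Vary": "Accept-Encoding"}, "body of %s encoded for [%s]" % (url, enc)


class VaryCache:
    """Toy shared cache: one stored variant per distinct value of the Vary'd headers."""

    def __init__(self):
        self.vary = {}   # url -> request header names listed in the Vary response header
        self.store = {}  # (url, variant key) -> cached body

    def _key(self, url, req):
        # Variant key: the literal values of the headers the origin varies on.
        return tuple(req.get(name, "") for name in self.vary[url])

    def fetch(self, url, headers):
        req = {k.lower(): v for k, v in headers.items()}
        if url in self.vary and (url, self._key(url, req)) in self.store:
            return "HIT"
        resp_headers, body = origin(url, req)
        names = resp_headers.get("Vary", "").split(",")
        self.vary[url] = [n.strip().lower() for n in names if n.strip()]
        self.store[(url, self._key(url, req))] = body
        return "MISS"


# Constructed Accept-Encoding values standing in for two different browsers.
BROWSER_A = {"Accept-Encoding": "gzip, deflate, br"}
BROWSER_B = {"Accept-Encoding": "gzip, deflate"}


def replay():
    """Each browser fetches the same URL twice, interleaved."""
    cache, url = VaryCache(), "http://example.test/loader.gif"
    return [cache.fetch(url, h) for h in (BROWSER_A, BROWSER_B, BROWSER_A, BROWSER_B)]


if __name__ == "__main__":
    print(replay())
```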
[squid-users] cache-peer and tls
Hello,

I'm using squid 4.6 and I need to TLS-encrypt the session to the parent proxy. I have in config:

cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

But no matter what I'm doing, squid keeps telling in logs that he doesn't like the peer certificate:

2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable) digest from proxy.foo.bar

and then he's going directly bypassing the peer. :/

Is there any way to tell him that I don't care ?

I've also tried to actually tell him about the CA cert with tls-cafile=/usr/local/etc/squid/certs/le.pem above, this doesn't work either.

Thanks.

Eugene.
Re: [squid-users] Squid 3.5.27 not caching at all
: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> root@squid:/etc/squid#
>
> here's access.log file:
>
> 1564825166.134 426 154.73.26.5 TCP_MISS/200 10644 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.layeranimation.min.js
> - HIER_DIRECT/192.185.31.191 application/javascript
> 1564825166.142 436 154.73.26.5 TCP_MISS/200 8613 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.slideanims.min.js
> - HIER_DIRECT/192.185.31.191 application/javascript
> 1564825166.150 440 154.73.26.5 TCP_MISS/200 8771 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.navigation.min.js
> - HIER_DIRECT/192.185.31.191 application/javascript
> 1564825166.156 450 154.73.26.5 TCP_MISS/200 2892 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.actions.min.js
> - HIER_DIRECT/192.185.31.191 application/javascript
> 1564825166.804 454 154.73.26.5 TCP_MISS/200 7970 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/fonts/revicons/revicons.woff?
> - HIER_DIRECT/192.185.31.191 font/woff
> 1564825166.821 437 154.73.26.5 TCP_MISS/200 2982 GET
> http://somaliren.org/wp-content/plugins/revslider/public/assets/assets/loader.gif
> - HIER_DIRECT/192.185.31.191 image/gif
>
> Here's cache.log file:
>
> root@squid:/etc/squid# tail /var/log/squid/cache.log
> 2019/08/03 12:05:00 kid1| 0 Objects expired.
> 2019/08/03 12:05:00 kid1| 0 Objects cancelled.
> 2019/08/03 12:05:00 kid1| 0 Duplicate URLs purged.
> 2019/08/03 12:05:00 kid1| 0 Swapfile clashes avoided.
> 2019/08/03 12:05:00 kid1| Took 0.10 seconds ( 0.00 objects/sec).
> 2019/08/03 12:05:00 kid1| Beginning Validation Procedure
> 2019/08/03 12:05:00 kid1| Completed Validation Procedure
> 2019/08/03 12:05:00 kid1| Validated 0 Entries
> 2019/08/03 12:05:00 kid1| store_swap_size = 0.00 KB
> 2019/08/03 12:05:01 kid1| storeLateRelease: released 0 objects
>
> Any help would be appreciated.
>
> thanks,
> Mohamed
> -- next part --
> An HTML attachment was scrubbed...
> URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190803/28c6e860/attachment-0001.html>
>
> --
>
> Message: 3
> Date: Sat, 3 Aug 2019 22:36:28 +1200
> From: Amos Jeffries
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.27 not caching at all
> Message-ID: <1294aefe-7fb1-e096-3adb-511ccdc6f...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 3/08/19 9:45 pm, Mohamed Ali Ahmed wrote:
> > Hello everyone,
> > I have set up Squid 3.5.27 on ubuntu 18.04 from the packages. I have
> > made the minimal change but when i check the access.log i get tcp_miss
> > 200 most of the websites even visiting the same website over and over again.
> >
>
> You have not provided enough information for us to know whether this is
> a problem or testing mistake.
>
> What is this unstated "minimal change" you made that made caching
> suddenly stop working?
>
> What exactly does "visiting the same website over and over again" mean?
> what exact actions did you do?
> - Pressing refresh, Shift+reload, or CTL+refresh in a browser will
> *force* a MISS - yet comes under the description you gave.
> - some tools send headers to forbid cached contents being delivered by
> default. So cannot be used for this kind of test without special options.
>
> The more specific details you can give, the better anyone help can be.
>
> > I have searched online and i did not come across any which solves my
> > problem.
> >
> > this is squid.conf file:
> >
> > root@squid:/etc/squid# sed 's/#.*//;s/^\s*$//;/^$/d' /etc/squid/squid.conf
> > acl NOC src 154.73.26.5
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 21
> > acl Safe_ports port 443
> > acl Safe_ports port 70
> > acl Safe_ports port 210
> > acl Safe_ports port 1025-65535
> > acl Safe_ports port 280
> > acl Safe_ports port 488
> > acl Safe_ports port 591
> > acl Safe_ports port 777
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_acc
Re: [squid-users] Squid 3.5.27 not caching at all
On 3/08/19 9:45 pm, Mohamed Ali Ahmed wrote:
> Hello everyone,
> I have set up Squid 3.5.27 on ubuntu 18.04 from the packages. I have
> made the minimal change but when i check the access.log i get tcp_miss
> 200 most of the websites even visiting the same website over and over again.
>

You have not provided enough information for us to know whether this is a problem or testing mistake.

What is this unstated "minimal change" you made that made caching suddenly stop working?

What exactly does "visiting the same website over and over again" mean? what exact actions did you do?
 - Pressing refresh, Shift+reload, or CTL+refresh in a browser will *force* a MISS - yet comes under the description you gave.
 - some tools send headers to forbid cached contents being delivered by default. So cannot be used for this kind of test without special options.

The more specific details you can give, the better anyone help can be.

> I have searched online and i did not come across any which solves my
> problem.
>
> this is squid.conf file:
>
> root@squid:/etc/squid# sed 's/#.*//;s/^\s*$//;/^$/d' /etc/squid/squid.conf
> acl NOC src 154.73.26.5
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost NOC
> http_access allow all

Please do not do that "allow all".

For one thing it makes your NOC ACL pointless, *everybody* is allowed to use your proxy for whatever they want to do.

If you did it to debug a caching problem, be aware that http_access has nothing to do with cache.

Amos
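A check for the two settings Amos objects to in these threads (the "http_access allow all" rule in this reply and the DONT_VERIFY_* peer flags in the cache-peer thread), as an added example that is not part of the original messages and is not a Squid tool. The function name `lint` and the finding codes are hypothetical, and the sample config is constructed from lines quoted in the two threads.

```python
# Constructed sample: access rules and cache_peer flags quoted in the threads.
SAMPLE_CONF = """\
acl NOC src 154.73.26.5
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost NOC
http_access allow all
cache_peer proxy.foo.bar parent 3129 3130 tls sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
"""


def lint(conf):
    """Return (line_no, code, message) findings for a squid.conf text."""
    findings, allows = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "http_access" and len(tok) >= 3:
            action, acls = tok[1], tok[2:]
            if action == "allow" and acls == ["all"]:
                # http_access rules are tried in order and the first match
                # decides, so a bare "allow all" admits every client that no
                # earlier rule denied. Allow rules with no deny between them
                # and this line change nothing any more.
                msg = "allow all admits any client"
                if allows:
                    msg += "; allow rules on lines %s are redundant" % allows
                findings.append((no, "OPEN_PROXY", msg))
            elif action == "allow":
                allows.append(no)
            else:
                allows = []  # a deny in between keeps earlier allows meaningful
        elif tok[0] == "cache_peer":
            for opt in tok[1:]:
                flags = opt.partition("=")[2].split(",")
                off = sorted(f for f in flags if f.startswith("DONT_VERIFY_"))
                if off:
                    msg = "TLS to peer %s with %s" % (tok[1], ", ".join(off))
                    findings.append((no, "PEER_UNVERIFIED", msg))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("line %d: %s: %s" % finding)
```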
[squid-users] Squid 3.5.27 not caching at all
Hello everyone,
I have set up Squid 3.5.27 on ubuntu 18.04 from the packages. I have made the minimal change but when i check the access.log i get tcp_miss 200 most of the websites even visiting the same website over and over again.

I have searched online and i did not come across any which solves my problem.

this is squid.conf file:

root@squid:/etc/squid# sed 's/#.*//;s/^\s*$//;/^$/d' /etc/squid/squid.conf
acl NOC src 154.73.26.5
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost NOC
http_access allow all
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
root@squid:/etc/squid#

here's access.log file:

1564825166.134 426 154.73.26.5 TCP_MISS/200 10644 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.layeranimation.min.js - HIER_DIRECT/192.185.31.191 application/javascript
1564825166.142 436 154.73.26.5 TCP_MISS/200 8613 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.slideanims.min.js - HIER_DIRECT/192.185.31.191 application/javascript
1564825166.150 440 154.73.26.5 TCP_MISS/200 8771 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.navigation.min.js - HIER_DIRECT/192.185.31.191 application/javascript
1564825166.156 450 154.73.26.5 TCP_MISS/200 2892 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.actions.min.js - HIER_DIRECT/192.185.31.191 application/javascript
1564825166.804 454 154.73.26.5 TCP_MISS/200 7970 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/fonts/revicons/revicons.woff? - HIER_DIRECT/192.185.31.191 font/woff
1564825166.821 437 154.73.26.5 TCP_MISS/200 2982 GET http://somaliren.org/wp-content/plugins/revslider/public/assets/assets/loader.gif - HIER_DIRECT/192.185.31.191 image/gif

Here's cache.log file:

root@squid:/etc/squid# tail /var/log/squid/cache.log
2019/08/03 12:05:00 kid1| 0 Objects expired.
2019/08/03 12:05:00 kid1| 0 Objects cancelled.
2019/08/03 12:05:00 kid1| 0 Duplicate URLs purged.
2019/08/03 12:05:00 kid1| 0 Swapfile clashes avoided.
2019/08/03 12:05:00 kid1| Took 0.10 seconds ( 0.00 objects/sec).
2019/08/03 12:05:00 kid1| Beginning Validation Procedure
2019/08/03 12:05:00 kid1| Completed Validation Procedure
2019/08/03 12:05:00 kid1| Validated 0 Entries
2019/08/03 12:05:00 kid1| store_swap_size = 0.00 KB
2019/08/03 12:05:01 kid1| storeLateRelease: released 0 objects

Any help would be appreciated.

thanks,
Mohamed