Re: [squid-users] Always ntlm .... Squid + AD
Henrik Nordstrom wrote:
> On Wed, 2007-08-29 at 17:42 +0200, Alexandre Mackow wrote:
>
> Make sure your cache_effective_user is a member of the group owning
> the /var/run/samba/winbindd_privileged directory, and that you DO NOT
> specify cache_effective_group in squid.conf... (repeat: DO NOT
> specify..)
>
> Regards
> Henrik

Thanks for your help.
The problem was the /var/run/samba/winbindd_privileged group owner...
So the log message is now:
temporary disabling (Proxy Authentication Required) digest from myparent.proxy
Any idea...
I will try different solutions to resolve my problem, but if you see something..
Regards.
++
[squid-users] Redirect Web traffic From Linux GW to win32 squid.
I'm working with a WRT54GL and I want to make some whitelists for websites. I tried to do that with iptables + webstr but I had a lot of problems with Hotmail. So I decided to install squid on a Win2k server and redirect all the web traffic from the WRT54GL to my Win2kServer. This is the scenario. INTERNET --- WRT54GL - --- Clients --- Win2KServer On the WRT54GL I have a rule to DNAT all the web traffic to the Win2KServer on port 3128, except for the Win2kServer. The squid on the Win2kServer appears to be working OK. But when the clients open their browser, I get an error from squid. The squid access.log shows: error:invalid-request And it only shows the IP of the WRT54GL and not the real IP of the clients. How can I fix both problems? -- Ing. Rogelio C. Sevilla Fernandez Direccion de Desarrollo Telematico / Secretaria de Administracion Gobierno del Estado de Colima Tel (312)3126062 / (312)3126000 ext 2360 - "2007, YEAR OF PUBLIC HEALTH IN COLIMA." -
Re: [squid-users] criticism against squid
On Wed, Aug 29, 2007, Neil Harkins wrote:
> That was my assessment as well: no object eviction?!?
>
> So if your dataset is small enough, then varnish could
> be as good as... a light webserver and a ramdisk. ;)
> If you've got a huge amount of content, and want to
> accelerate the hottest fraction, squid is still the best choice,
> and can be tuned to resolve most of the issues the Varnish
> authors cite. As features are added to Varnish, that might change.
> We'll see. Its VCL language definitely looks interesting.

.. And they've got funding. The bulk of the interesting Varnish work was when they had funding.. :)

Adrian
Re: [squid-users] criticism against squid
That was my assessment as well: no object eviction?!?

So if your dataset is small enough, then varnish could be as good as... a light webserver and a ramdisk. ;) If you've got a huge amount of content, and want to accelerate the hottest fraction, squid is still the best choice, and can be tuned to resolve most of the issues the Varnish authors cite. As features are added to Varnish, that might change. We'll see. Its VCL language definitely looks interesting.

-neil

On 8/29/07, john allspaw <[EMAIL PROTECTED]> wrote:
> Varnish shows a lot of promise. I do believe that there's a good amount of
> trash talking in
> those comments, especially given that squid would for sure have been designed
> differently if
> it set out to be a fast accelerator, not a forward proxy with all of the
> bells and whistles.
>
> Flickr can't use Varnish in its current form, for example, because object
> eviction isn't yet a feature. :)
> Hence, we use squid. It's working just fine for us. So in that case, I'll
> take the "1980" design that works,
> versus the 2007 design that doesn't. :)
>
> -j
>
> - Original Message
> From: howard chen <[EMAIL PROTECTED]>
> To: squid-users@squid-cache.org
> Sent: Wednesday, August 29, 2007 10:23:09 AM
> Subject: [squid-users] criticism against squid
>
>
> hody,
>
> just found a new http accelerator, varnish, which criticize squid, e.g.
>
>
> Why bother with Varnish - why not use Squid?
>
> Varnish was written from the ground up to be a high performance
> caching reverse proxy. Squid is a forward proxy that can be configured
> as a reverse proxy. Besides - Squid is rather old and designed like
> computer programs where supposed to be designed in 1980. Please see
> ArchitectNotes for details.
>
>
> I am not familiar with the internal of squid in fact, anyone has any
> comments?
>
Re: [squid-users] criticism against squid
Varnish shows a lot of promise. I do believe that there's a good amount of trash talking in those comments, especially given that squid would for sure have been designed differently if it set out to be a fast accelerator, not a forward proxy with all of the bells and whistles. Flickr can't use Varnish in its current form, for example, because object eviction isn't yet a feature. :) Hence, we use squid. It's working just fine for us. So in that case, I'll take the "1980" design that works, versus the 2007 design that doesn't. :) -j - Original Message From: howard chen <[EMAIL PROTECTED]> To: squid-users@squid-cache.org Sent: Wednesday, August 29, 2007 10:23:09 AM Subject: [squid-users] criticism against squid hody, just found a new http accelerator, varnish, which criticize squid, e.g. Why bother with Varnish - why not use Squid? Varnish was written from the ground up to be a high performance caching reverse proxy. Squid is a forward proxy that can be configured as a reverse proxy. Besides - Squid is rather old and designed like computer programs where supposed to be designed in 1980. Please see ArchitectNotes for details. I am not familiar with the internal of squid in fact, anyone has any comments?
Re: [squid-users] IE6 ignoring cache-control due to HTTP/1.0 header?
On Wed, 2007-08-29 at 11:19 -0700, ToddWilliams wrote:
> More info about that "subsequent request" -- it is a history.back()
> javascript call.

Heh.. history navigation is a bit special in many browsers.. and rightfully so as users want to really go back when using back, not have the request resubmitted to the server.

Any code relying on either behaviour when using back will have a hard time as there are no guarantees for either result..

> But as I said, that fails when we use squid (goes into an infinite loop),
> but works fine when we use a different proxy (such as Apache mod_proxy or
> CCproxy) which sends HTTP/1.1 headers.

It's not at all impossible IE behaves differently when seeing HTTP/1.0. But it should not..

Regards
Henrik
Re: [squid-users] criticism against squid
On Thu, 2007-08-30 at 01:23 +0800, howard chen wrote:
> I am not familiar with the internal of squid in fact, anyone has any comments?

Yes, Squid is old. Parts of the code are in fact more than 10 years old.

Yes, Squid is not primarily designed to be a reverse proxy. The main focus for Squid has been Internet proxying. But reverse proxying is within the scope of Squid and has gotten a lot more attention in the last years.

Yes, there are aspects of the internal design of Squid which can be significantly improved. Work is being done in that area, but it takes time.

Is Squid better/worse than Varnish? Depends on your needs. They both have their strengths and weaknesses. For some uses Varnish is a much better fit, for some other uses it does not work at all.

Regards
Henrik
RE: [squid-users] Access denied - ACL problem
On Wed, 2007-08-29 at 15:36 -0400, Edward Stafford wrote:
> =
> While trying to retrieve the URL: http://servername:81/dashboard
>
> The following error was encountered:
>
> Unable to determine IP address from host name for yaserver
>
> The dnsserver returned:
>
> Server Failure: The name server was unable to process this query.

This is because Squid doesn't know which domain to look into. See the append_domain or dns_defnames squid.conf directives.

Regards
Henrik
Re: [squid-users] Reverse proxy intranet to intranet...
On Wed, 2007-08-29 at 11:54 -0400, Lawrence Beall wrote:
> I have a setup where we have a server on an intranet say 192.168.1.*.
> It has a vpn link that is on a different subnet say 192.168.40.*.
> Between the two networks this is the only box that knows how to find
> anything on 192.168.40 from 192.168.1.*. I was hoping to use squid to
> reverse proxy to a webserver in 192.168.40.*. Is this possible to do
> using ip's instead of dns names? The only examples I'm finding are
> specifying full host names.

Yes, you can use IPs if you like. The examples use host names as that's the common setup...

Regards
Henrik
Re: [squid-users] Always ntlm .... Squid + AD
On Wed, 2007-08-29 at 17:42 +0200, Alexandre Mackow wrote:
> Hi,
> I configure my squid with ntlm authentication
> Samba + Kerberos + Winbind are ok ... The linux join the win2k3 domain ...
> I can't connect my client through the proxy, I got a log :
> "[2007/08/29 17:31:30, 0] utils/ntlm_auth.c:winbind_pw_check(429)
> Login for user [EMAIL PROTECTED]@[Myposte] failed
> due to [winbind client not authorized to use winbindd_pam_auth_crap.
> Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]

Make sure your cache_effective_user is a member of the group owning the /var/run/samba/winbindd_privileged directory, and that you DO NOT specify cache_effective_group in squid.conf... (repeat: DO NOT specify..)

Regards
Henrik
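The two conditions in the reply above can be checked mechanically. This is an added example, not code from the thread, Squid or Samba; the squid.conf location, the fallback user `nobody`, the sample excerpts and the gid values are assumptions.

```python
import os
import pwd

PRIV_DIR = "/var/run/samba/winbindd_privileged"   # path quoted in the thread

# Constructed squid.conf excerpts used as sample input.
SAMPLE_BAD = """\
cache_effective_user proxy
cache_effective_group proxy
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
"""
SAMPLE_GOOD = """\
cache_effective_user proxy
# cache_effective_group proxy   (left unset on purpose)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
"""


def squid_identity(conf_text):
    """Return the last cache_effective_user / cache_effective_group in the text."""
    found = {"cache_effective_user": None, "cache_effective_group": None}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) >= 2 and fields[0] in found:
            found[fields[0]] = fields[1]
    return found


def audit(conf_text, dir_gid, dir_mode, user_gids):
    """Return a list of findings; an empty list means the reply's conditions hold.

    dir_gid and dir_mode describe the winbindd_privileged directory;
    user_gids holds every group id (primary and supplementary) of the Squid user.
    """
    findings = []
    group = squid_identity(conf_text)["cache_effective_group"]
    if group is not None:
        findings.append("cache_effective_group is set (%s): remove it" % group)
    if dir_gid not in user_gids:
        findings.append("Squid user is not in the group owning the directory "
                        "(gid %d)" % dir_gid)
    if not dir_mode & 0o010:
        findings.append("owning group lacks search (x) permission on the directory")
    return findings


def audit_system(conf_path="/etc/squid/squid.conf", priv_dir=PRIV_DIR,
                 default_user="nobody"):
    """Run audit() against the live host (conf_path and default_user are assumptions)."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    user = squid_identity(conf_text)["cache_effective_user"] or default_user
    entry = pwd.getpwnam(user)
    st = os.stat(priv_dir)
    groups = set(os.getgrouplist(user, entry.pw_gid))
    return audit(conf_text, st.st_gid, st.st_mode, groups)


if __name__ == "__main__":
    for finding in audit_system() or ["no findings"]:
        print(finding)
```
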
Re: [squid-users] Squid and WCCP
On Wed, 2007-08-29 at 08:45 +0200, Ian wrote:
> Hi,
>
> Yes, the GRE is working. My unit is 10.10.11.1 and the cisco is 10.10.250.1:

Do you see packets arriving on the GRE interface?

And do you have matching firewall rules to redirect these packets to the Squid port?

Regards
Henrik
RE: [squid-users] Access denied - ACL problem
I got a bit further. I added web server host entry in my ACL: acl servernameHost dstdomain servername Then I added http_access allow servernameHost before the deny_all. That still didn't work. Then I thought It had something to do with the Safe_Ports. The server accepts access on port 81, but it is not in the safe ports list. So I moved the servernameHost acl before the !Safe_ports acl and now I get a new error. = While trying to retrieve the URL: http://servername:81/dashboard The following error was encountered: Unable to determine IP address from host name for yaserver The dnsserver returned: Server Failure: The name server was unable to process this query. This means that: The cache was not able to resolve the hostname presented in the URL. Check if the address is correct. = Resolv.conf on my squid server does point to my internal DNS server and I do have PTR and HOST records for servername. Our dns is on a windows 2000 server with AD. Our squid proxy runs on a linux box in the same subnet, but the local "servername" is on a different subnet. As I stated before, if I disable the proxy in the browser settings, access works fine. Also if I try to ping servername from the squid box, I get an unknown host error. But I can successfully ping servername.domain.local. I know it might sound like a DNS issue, but I am only having the issue when squid is added to the formula. Any thoughts? -Original Message- From: Nabin Limbu [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 29, 2007 12:41 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] Access denied - ACL problem In squid.conf, BEFORE the line "http_access deny all" add below 2 lines acl mynetwork http_access allow mynetwork reload squid configuration. Regards Nabin Limbu > I am new to squid so please bear with me. > I have an internal server that runs a helpdesk application and should > allow users to access it using the computer name as the url on port 81. 
> I have added a PTR record in our internal DNS server to point > "servername" to the correct ip address. > > http://servername:81 > > However, squid is displaying the following error. > + > ERROR > The requested URL could not be retrieved > > While trying to retrieve the URL: http://servername:81/dashboard > > The following error was encountered: > > * Access Denied. > > Access control configuration prevents your request from being > allowed at this time. Please contact your service provider if you feel > this is incorrect. > > Your cache administrator is webmaster. > Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal > (squid/2.5.STABLE12) > > + > > I can access this if I disable my proxy settings in the browser. > Can anyone tell me how to correct this. > > > This email and any files transmitted with it are intended solely for > the use of the individual (squid-users@squid-cache.org) or entity > addressed at [EMAIL PROTECTED] If you have received this > email in error please notify the system manager. Please note that any > views or opinions presented in this email are solely those of the > author and do not necessarily represent those of the company.
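Squid checks http_access lines top to bottom and the first matching line decides, which is why the allow rule in the message above only took effect once it sat above the `!Safe_ports` line. The added example below (not from the thread or the Squid source) models that with a constructed, simplified rule set and also evaluates one alternative the thread does not mention, adding port 81 to Safe_ports; the port list is modelled on the stock squid.conf and the port 25 request is constructed.

```python
# Model of Squid's http_access evaluation: lines are checked top to bottom,
# every ACL named on a line must match, and the first matching line decides.

# Modelled on the stock squid.conf Safe_ports list; port 81 is not in it.
STOCK_SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 563, 591, 777} | set(range(1025, 65536))


def build_acls(safe_ports):
    """Map ACL name -> predicate over a request dict with 'host' and 'port'."""
    return {
        "all": lambda req: True,
        "Safe_ports": lambda req: req["port"] in safe_ports,
        # acl servernameHost dstdomain servername   (from the thread)
        "servernameHost": lambda req: req["host"] == "servername",
    }


def acl_matches(acls, name, req):
    """Evaluate one ACL reference; a leading '!' negates it."""
    if name.startswith("!"):
        return not acls[name[1:]](req)
    return acls[name](req)


def http_access(rules, acls, req):
    """Return (action, deciding line) for a request."""
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action, "%s %s" % (action, " ".join(names))
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no match)"


# Constructed rule sets; a real squid.conf has more lines around these.
ALLOW_AFTER_PORT_CHECK = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["servernameHost"]),
    ("deny", ["all"]),
]
ALLOW_BEFORE_PORT_CHECK = [
    ("allow", ["servernameHost"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all"]),
]


def demo():
    """Evaluate the helpdesk request and a second request under each layout."""
    stock = build_acls(STOCK_SAFE_PORTS)
    with_81 = build_acls(STOCK_SAFE_PORTS | {81})    # acl Safe_ports port 81
    helpdesk = {"host": "servername", "port": 81}
    other = {"host": "servername", "port": 25}       # constructed second request
    return {
        "allow after, stock ports, :81": http_access(ALLOW_AFTER_PORT_CHECK, stock, helpdesk),
        "allow before, stock ports, :81": http_access(ALLOW_BEFORE_PORT_CHECK, stock, helpdesk),
        "allow before, stock ports, :25": http_access(ALLOW_BEFORE_PORT_CHECK, stock, other),
        "allow after, ports + 81, :81": http_access(ALLOW_AFTER_PORT_CHECK, with_81, helpdesk),
        "allow after, ports + 81, :25": http_access(ALLOW_AFTER_PORT_CHECK, with_81, other),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Placing the allow line above the port check admits `servername` on every port, while extending Safe_ports keeps the port check in force for that host.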
Re: [squid-users] diskd question
Hi Frank, Frank Ruiz wrote: Greetings, So I am using local disk for my cache. This consists of a 500G SATA drive. My cache size is 50G. I tried using a queue size of Q1=72 and Q1=64, however it looks like I am still I/O constrained with http requests taking up to 11 seconds. Which operating system and squid version are you using diskd with? With my limited experience, diskd is better suited for FreeBSD systems. However, its performance is more than satisfactory in Linux systems too. Are you using SquidClient or SNMP to measure the http requests response time? Bandwidth saturation and a lot of ACL filtering could also slow down your http response time. Posting your squid.conf may help. Also how many users do you have and what is the hardware configuration of your Squid box? What does the following squidclient output say: squidclient mgr:5min | grep client I am using UFS. Logging, and access time have been disabled. I am now running at: Q1=12 Q2=10 I am a little confused. So now you are using Q1=12 Q2=10 for diskd? If you are, I think that they are too small a value. If your Squid box is a busy machine, then disabling logging to access.log or cache.log may help to some extent. Does anyone happen to have any suggestions? You can try something like: cache_dir diskd /cache 5 48 256 Q1=64 Q2=72 By the way, running a 50 GB cache may need a lot of memory and a fast hard drive too! Hope it helps. Thanking you... Thanks! -- With best regards and good wishes, Yours sincerely, Tek Bahadur Limbu (TAG/TDG Group) Jwl Systems Department Worldlink Communications Pvt. Ltd. Jawalakhel, Nepal http://www.wlink.com.np
Re: [squid-users] IE6 ignoring cache-control due to HTTP/1.0 header?
More info about that "subsequent request" -- it is a history.back() javascript call. But as I said, that fails when we use squid (goes into an infinite loop), but works fine when we use a different proxy (such as Apache mod_proxy or CCproxy) which sends HTTP/1.1 headers. Trying IE7 isn't an option for us right now, so we're discussing internally whether we can fix this with code or if we need to switch to a different proxy. It looks like IE6 is misbehaving here, but there doesn't seem to be a way to fix it. Henrik Nordstrom-5 wrote: > > On fre, 2007-08-24 at 02:15 -0700, ToddWilliams wrote: > >> A subsequent request seems to come from IE6's local cache -- it ignored >> the directives. > > Odd. > >
[squid-users] diskd question
Greetings, So I am using local disk for my cache. This consists of a 500G SATA drive. My cache size is 50G. I tried using a queue size of Q1=72 and Q1=64, however it looks like I am still I/O constrained with http requests taking up to 11 seconds. I am using UFS. Logging, and access time have been disabled. I am now running at: Q1=12 Q2=10 Does anyone happen to have any suggestions? Thanks!
Re: [squid-users] Access denied - ACL problem
In squid.conf, BEFORE the line "http_access deny all" add below 2 lines acl mynetwork http_access allow mynetwork reload squid configuration. Regards Nabin Limbu > I am new to squid so please bear with me. > I have an internal server that runs a helpdesk application and should > allow users to access it using the computer name as the url on port 81. > I have added a PTR record in our internal DNS server to point > "servername" to the correct ip address. > > http://servername:81 > > However, squid is displaying the following error. > + > ERROR > The requested URL could not be retrieved > > While trying to retrieve the URL: http://servername:81/dashboard > > The following error was encountered: > > * Access Denied. > > Access control configuration prevents your request from being > allowed at this time. Please contact your service provider if you feel > this is incorrect. > > Your cache administrator is webmaster. > Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal (squid/2.5.STABLE12) > > + > > I can access this if I disable my proxy settings in the browser. > Can anyone tell me how to correct this.
[squid-users] criticism against squid
hody, just found a new http accelerator, varnish, which criticize squid, e.g. Why bother with Varnish - why not use Squid? Varnish was written from the ground up to be a high performance caching reverse proxy. Squid is a forward proxy that can be configured as a reverse proxy. Besides - Squid is rather old and designed like computer programs where supposed to be designed in 1980. Please see ArchitectNotes for details. I am not familiar with the internal of squid in fact, anyone has any comments?
Re: [squid-users] repopulate cache?
On 25.08.07 01:59, Frank Ruiz wrote: > I am not too sure if this is possible, but it would be a nice to have if not. > > I am using an all in memory cache now. cache_dir is set to null. > > However, if the system reboots, I lose my cache, and have to rebuild, > taking a toll on the origins. Each object will be fetched when needed, not when proxy starts up... > Is there a way to flush an in memory cache to disk, and use that data > to populate another populate another in memory cache? not yet. But using cache_dir of the same size and settings (max object size) than memory will have very similar behaviour. > The data is dynamic, so I would most likely flush to disk once a day > if this is possible. If you expect the system to crash, you'll end up with old data in cache. If you don't, you don't have to flush, only when shutting down. > What I am looking for is some way to replicate an in memory cache to > another host. setting up sibling relationship will do something similar, but (as above) each object will be fetched when needed. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. If Barbie is so popular, why do you have to buy her friends?
[squid-users] Access denied - ACL problem
I am new to squid so please bear with me. I have an internal server that runs a helpdesk application and should allow users to access it using the computer name as the url on port 81. I have added a PTR record in our internal DNS server to point "servername" to the correct ip address. http://servername:81 However, squid is displaying the following error. + ERROR The requested URL could not be retrieved While trying to retrieve the URL: http://servername:81/dashboard The following error was encountered: * Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. Your cache administrator is webmaster. Generated Wed, 29 Aug 2007 16:40:50 GMT by sentinal (squid/2.5.STABLE12) + I can access this if I disable my proxy settings in the browser. Can anyone tell me how to correct this.
[squid-users] Reverse proxy intranet to intranet...
I have a setup where we have a server on an intranet say 192.168.1.*. It has a vpn link that is on a different subnet say 192.168.40.*. Between the two networks this is the only box that knows how to find anything on 192.168.40 from 192.168.1.*. I was hoping to use squid to reverse proxy to a webserver in 192.168.40.*. Is this possible to do using ip's instead of dns names? The only examples I'm finding are specifying full host names. Larry
[squid-users] Always ntlm .... Squid + AD
Hi, I configure my squid with ntlm authentification Samba + Kerberos + Winbind are ok ... The linux join the win2k3 domain ... I can't connect my client through the proxy, I got a log : "[2007/08/29 17:31:30, 0] utils/ntlm_auth.c:winbind_pw_check(429) Login for user [EMAIL PROTECTED]@[Myposte] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.] [2007/08/29 17:31:30, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603) NTLMSSP BH: NT_STATUS_ACCESS_DENIED 2007/08/29 17:31:30| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED' right on /var/run/samba/winbindd_privileged are 755 Any idea? Thanks a lot for your help ++
RE: [squid-users] Via off
I did this, and it works: header_access Via deny all header_access X-Forwarded-For deny all .vp From: Sekar <[EMAIL PROTECTED]> Hello all, I have switched off the "via" header using the squid configuration file, but when a request is made the reply has this header ( Via: 1.0 xyz.abc.com:3128 (squid/2.6.STABLE14) . But the manual says that will include a Via header in requests and replies only when the directive is set to "on" # TAG: via on|off # If set (default), Squid will include a Via header in requests and # replies. Do we need to configure anything else to disable the via information in squid reply header. Thanks in advance, Sekar
[squid-users] Via off
Hello all, I have switched off the "via" header using the squid configuration file, but when a request is made the reply has this header ( Via: 1.0 xyz.abc.com:3128 (squid/2.6.STABLE14) . But the manual says that will include a Via header in requests and replies only when the directive is set to "on" # TAG: via on|off # If set (default), Squid will include a Via header in requests and # replies. Do we need to configure anything else to disable the via information in squid reply header. Thanks in advance, Sekar
Re: [squid-users] Squid Server Delay pools needed? even with Traffic shaper?
No one can tell me anything else about this?? Tek Bahadur Limbu wrote: Juan C. Crespo R. wrote: Hi I have a little question, I'm working on a project to reduce the bandwidth consume, we are using for each client one traffic shape policy(128K almost all) , but even with this, one user connection (128K )will make the Squid sever use all the bandwidth available (4 Mb) ?, If it does, I will use the Delay pools feature :) Hi Juan, Which software/hardware are you using to shape the bandwidth of your clients at 128kbps? Are you shaping traffic based on IP addresses? Delay pools should definitely help you out in this matter. Check out the FAQ at: http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd9b4b7ba1854a3c21796173af9d0b9aee33e376 Thanking you... Thanks
[squid-users] Akamai-like CDN using squid and a DNS trick
Hi I've written a brief success story about how we used squid and a DNS trick to solve a networking problem between ISPs that was affecting our webs' performance and public image. Long story short: all the users of a particular ISP had problems accessing our pages because of a routing problem between that ISP and ours. We ended up installing a squid reverse-proxy on that ISP's datacenter, and redirecting all its users there by returning a different DNS response depending on the client's IP address. This method could be extended to use as many ISPs/proxies as needed, creating a homegrown, Akamai-like CDN. The article is available here: http://www.bisente.com/blog/2007/08/09/un-akamai-de-andar-por-casa/?lan=english Hope someone finds it useful. :) Regards -- Vicente Aguilar <[EMAIL PROTECTED]> | http://www.bisente.com Valquirias: Cómics, manga, cosplay, ciencia-ficción, merchandising... http://www.valquirias.com | http://blogs.valquirias.com
Re: [squid-users] very large acl list
On 8/29/07, leongmzlist <[EMAIL PROTECTED]> wrote: > At 08:47 PM 8/28/2007, Deephay wrote: > >On 8/29/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > > > On tis, 2007-08-28 at 22:09 +0800, Deephay wrote: > > > > Greetings all, > > > > > > > > I want to have a large acl list for my squid transparent proxy > > > > (>10,000 entries) for url filtering. My question is: will the > > > > performance suffer form this? Thanks very much! > > > > > > What kind of acl? > > > > > > If using dstdomain or other structured acls then a little but not much, > > > but will take a little while to load the acl on startup. > > > >I think dstdomain would be enough, BTW, are there any other software > >dedicated to this url filtering job? thanks! > > depends on what kind of filtering. If you want to filter porn, > there's squidguard and dansguardian. > mike thanks Adrian and Mike, I'll have a look. > > > >Cheers, > >Deephay > > > > > > > > If using a regex based acl then performance will be very bad... > > > > > > Regards > > > Henrik > > > > > > > >