[squid-users] will the patch for bug #3048 apply to squid3.1 tree, or only to squid3.2 ?

2010-12-20 Thread Dieter Bloms
Hi,

I went into the problem described in bug #3048
http://bugs.squid-cache.org/show_bug.cgi?id=3048

The patch is committed to 3.2 branch, but not to 3.1 as far as I can see.

Will the patch be applied to 3.1, too ?


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.




[squid-users] Can I log AD logon user name in squid log file .

2010-12-20 Thread Mr Crack
Dear Forks,
I want to log AD logon username in squid log file.
But I do not want to ask user to enter username/password when they
view web pages via squid proxy server.
Is it possible or not .. ?



Regards,
MrCrack 007


Re: [squid-users] Can I log AD logon user name in squid log file .

2010-12-20 Thread Tom Tux
Hi
If you use an authentication mechanism like Kerberos or NTLM
(http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos) you
can see the username in the access.log. But it's necessary to register
the squid-box with a computer-account in your active-directory.

Regards,
Tom

2010/12/20 Mr Crack mrcrack...@gmail.com:
 Dear Forks,
 I want to log AD logon username in squid log file.
 But I do not want to ask user to enter username/password when they
 view web pages via squid proxy server.
 Is it possible or not .. ?



 Regards,
 MrCrack 007



Re: [squid-users] maxconn

2010-12-20 Thread Jason Greene
So what do you recommend as a solution?

The only line I have in my conf that has ssl in it is this
acl SSL_ports port 443 563


but I have these port as safe
acl Safe_ports port 443 563



How do I allow the connection thru SSL ports but close them down
enough to not get a HTTP Proxy CONNECT Loop DoS show on my scan?

Thanks

Jason



On Fri, Dec 17, 2010 at 11:38 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 18/12/10 04:35, Jason Greene wrote:

 On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffriessqu...@treenet.co.nz
  wrote:

 On 17/12/10 10:38, Jason Greene wrote:

 I'm trying to close a security hole


 I want to use maxconn on ALL IPs

 acl limitusercon maxconn 3
 http_access deny all limitusercon

 Testing the all there is not useful. That should be just:

  http_access deny limitusercon

 ... making sure it's placed at the top of your access controls so nothing
 doing an allow can bypass it. Right after the deny CONNECT !SSL_Ports
 should do.

 Thanks, I'll try this out.



 But it doesn't seem to work and the hole still appears on a scan.

 What hole?


 HTTP Proxy CONNECT Loop DoS


 If that is what I think it is you are missing the default deny CONNECT
 !SSL_Ports or have opened SSL_Ports too wide.
 Due to:
  - the proxy listening ports are not SSL/CONNECT safe ports.
  - port 443 listening is reverse-proxy territory + reverse proxy must not
 accept CONNECT requests (older squid releases allowed it wrongly).

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
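
A check for the two conditions Amos names in the quoted reply above (a missing `deny CONNECT !SSL_ports` rule, and an `SSL_ports` ACL that includes a proxy listening port), as an added example that is not part of the thread or of Squid. The function name `audit`, the finding codes and both sample configurations are constructed for illustration; the allow-ordering check is a heuristic that flags a rule for review.

```python
import re
# Constructed squid.conf fragments for this example (not from the thread).
WEAK_CONF = """
http_port 3128
acl SSL_ports port 443 563 3128
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny CONNECT !SSL_ports
"""
FIXED_CONF = """
http_port 3128
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
acl limitusercon maxconn 3
http_access deny CONNECT !SSL_ports
http_access deny limitusercon
http_access allow localnet
http_access deny all
"""

def audit(conf):
    """Return finding codes; ACL names are compared case-insensitively."""
    listen, ssl_ports, rules = set(), set(), []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "http_port":
            m = re.search(r"(\d+)$", tok[1])  # "3128" or "addr:3128"
            if m:
                listen.add(int(m.group(1)))
        elif tok[0] == "acl" and tok[1].lower() == "ssl_ports" and tok[2:3] == ["port"]:
            for p in tok[3:]:  # single ports or lo-hi ranges
                lo, _, hi = p.partition("-")
                ssl_ports.update(range(int(lo), int(hi or lo) + 1))
        elif tok[0] == "http_access":
            rules.append([t.lower() for t in tok[1:]])
    # http_access is first-match, so the position of the CONNECT guard matters.
    idx = next((i for i, r in enumerate(rules) if r[0] == "deny"
                and set(r[1:]) == {"connect", "!ssl_ports"}), None)
    findings = []
    if idx is None:
        findings.append("missing-deny-connect")
    elif any(r[0] == "allow" for r in rules[:idx]):
        findings.append("allow-before-deny-connect")  # heuristic: review the rule
    if listen & ssl_ports:
        findings.append("listen-port-in-ssl-ports")
    return findings
```
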



[squid-users] Fwd: What's means ? ERR_PRECONDITION_FAILED

2010-12-20 Thread Alex Montoanelli
Anyone know what is error : ERR_PRECONDITION_FAILED

This occurs randomly on some requests. Sometimes
on swf, sometimes on css files...

Below are the request and response headers..

Squid Version:
Squid Cache: Version 3.2.0.3

Best regards,


Request URL:
http://www.bradesco.com.br/html/img/tv/filme0.swf
Request Method: GET
Status Code: 412 Precondition Failed

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: pt-BR,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Cookie: CKIDP=YWO4CLCF4aOjYyoPncP9Y5p+WNFY1292850798;
CTLNC=dzvo+cmywMdZd/sc3mKtTBhtxpNY05
Host: www.bradesco.com.br
If-Modified-Since: Thu, 16 Dec 2010 17:22:02 GMT
If-None-Match: 7396-4bab-4abca280
Referer: http://www.bradesco.com.br/html/swf/destaque.swf
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.10
(KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10

Response Headers

Age:1292873418
Connection:keep-alive
Content-Language: pt-br
Content-Length: 2678
Content-Type: text/html
Date: Mon, 20 Dec 2010 19:30:17 GMT
Mime-Version: 1.0
Server: squid
Vary: Accept-Language
Via: 1.1 cache1.unetvale.com.br (squid)
Warning: 113 cache1.unetvale.com.br (squid) This cache hit is still
fresh and more than 1 day old
X-Cache: HIT from cache1.unetvale.com.br
X-Squid-Error: ERR_PRECONDITION_FAILED 0


--
Alex Montoanelli
Analista de Sistemas
Unetvale Conectividade
+55 48 3263 8700
www.unetvale.net


Re: [squid-users] Two node squid reverse proxy

2010-12-20 Thread Amos Jeffries

On 20/12/10 05:05, N3O wrote:

Thanks for the reply amos.
I'm a total newbie to this kind of configuration, could you give me an
example of using cache_peer sibling statement?


How-to and FAQ details are documented here:
 http://wiki.squid-cache.org/Features/CacheHierarchy

With the detailed docs for the config option here:
 http://www.squid-cache.org/Doc/config/cache_peer/



also what options do i have to implement the LB before it goes to the
chosen squid server?? have in mind again i'm a total newbie regarding
this type of scenario...


I can't answer this one without knowledge of the LB you are going to 
use. Thus my initial question:

 What sort of capabilities do you have around the network to do that LB?



Thank you!



On Sun, Dec 19, 2010 at 4:52 AM, Amos Jeffriessqu...@treenet.co.nz  wrote:

On 19/12/10 11:51, N3O wrote:


Hi
Does anyone know how to implement a two node squid reverse proxy??
My idea is to have 2 squid servers working as reverse proxy to an internal
apache web server. The two node should do some kind of load balance
between them.


What sort of capabilities do you have around the network to do that LB?
LB must be done before the request enters into the worker squid. (could be a
hardware LB, some software scripts, routing rules or another proxy).

For surety once a request enters either of the worker squid it may as well
be processed by that one. The only benefit of sibling links is when the data
is cached in the sibling for fast retrieval. Double-handling is a problem.


So a simple design would be:
  internet
  |
  |
 LB
squid1 --  squid2
 \   /
  \/
   \  /
   apache
Which would be the best idea to implement this scenario?
Thanks!


There is nothing special involved.

  1) Setup each node as a reverse-proxy separately with whatever handling is
appropriate for your needs.
  2) Test that works.

  3) Add the cache_peer sibling link between.
  4) Test that works.

  5) setup the LB to pass requests between them with whatever balance you
like.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] Fwd: What's means ? ERR_PRECONDITION_FAILED

2010-12-20 Thread Amos Jeffries

On 21/12/10 08:47, Alex Montoanelli wrote:

Anyone know what is error : ERR_PRECONDITION_FAILED

This occurs randomly on some requests. Sometimes
on swf, sometimes on css files...

Below are the request and response headers..

Squid Version:
Squid Cache: Version 3.2.0.3

Best regards,


Request URL:
http://www.bradesco.com.br/html/img/tv/filme0.swf
Request Method: GET
Status Code: 412 Precondition Failed

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: pt-BR,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Cookie: CKIDP=YWO4CLCF4aOjYyoPncP9Y5p+WNFY1292850798;
CTLNC=dzvo+cmywMdZd/sc3mKtTBhtxpNY05
Host: www.bradesco.com.br
If-Modified-Since: Thu, 16 Dec 2010 17:22:02 GMT
If-None-Match: 7396-4bab-4abca280
Referer: http://www.bradesco.com.br/html/swf/destaque.swf
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.10
(KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10

Response Headers

Age:1292873418
Connection:keep-alive
Content-Language: pt-br
Content-Length: 2678
Content-Type: text/html
Date: Mon, 20 Dec 2010 19:30:17 GMT
Mime-Version: 1.0
Server: squid
Vary: Accept-Language
Via: 1.1 cache1.unetvale.com.br (squid)
Warning: 113 cache1.unetvale.com.br (squid) This cache hit is still
fresh and more than 1 day old
X-Cache: HIT from cache1.unetvale.com.br
X-Squid-Error: ERR_PRECONDITION_FAILED 0



Squid now supports the HTTP/1.1 If-None-Match feature. You seem to have 
hit bug 3099. Upgrading to the 3.2 daily bug fix bundle should fix these.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] will the patch for bug #3048 apply to squid3.1 tree, or only to squid3.2 ?

2010-12-20 Thread Amos Jeffries

On 21/12/10 03:41, Dieter Bloms wrote:

Hi,

I went into the problem described in bug #3048
http://bugs.squid-cache.org/show_bug.cgi?id=3048

The patch is committed to 3.2 branch, but not to 3.1 as far as I can see.

Will the patch be applied to 3.1, too ?



The attachment labeled proposed patch for 3.1 is for the 3.1 branch.

As the bug indicates we do not actually have any confirmation that it 
works. If you find this a regular occurrence please try the proposed 
patch and report back in bugzilla about how it goes.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] Queries regarding squid

2010-12-20 Thread Amos Jeffries

On 20/12/10 18:38, benjamin fernandis wrote:

Hi Friends,

I setup squid 3.1 on RHEL 5.5. It is working fine. But when i check from
client side whatipmyip.com i can get Your IP Address Is: (server
public ip)
Possible Proxy Detected: 1.1 cache.engine (squid)...

Can u suggest me how they catch my squid info and proxy detection...

And as per my deployment...i have a server which is working as squid
caching and gateway for my clients.

Wan router  Squid + gateway (server)-
Switch---  Client machines

And please guide me how to hide my proxy info from others



The *fact* of a proxy's existence being detectable is not something to 
worry about. It can be detected by any number of means which are beyond 
your control. That site is just one of many sites doing a wide array of 
link tests.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] Queries regarding squid

2010-12-20 Thread purgat
On that particular website (as well as most of the others who offer a
similar service) the key for detection is the Via field in headers. Turn
it off in your conf and they will not detect your proxy (if you care).
There are websites who give you more details and you can adjust your
headers according to your needs. (Am I allowed to post links here?)


On Tue, 2010-12-21 at 16:05 +1300, Amos Jeffries wrote:
 On 20/12/10 18:38, benjamin fernandis wrote:
  Hi Friends,
 
  I setup squid 3.1 on RHEL 5.5. It is working fine. But when i check from
  client side whatipmyip.com i can get Your IP Address Is: (server
  public ip)
  Possible Proxy Detected: 1.1 cache.engine (squid)...
 
  Can u suggest me how they catch my squid info and proxy detection...
 
  And as per my deployment...i have a server which is working as squid
  caching and gateway for my clients.
 
  Wan router  Squid + gateway (server)-
  Switch---  Client machines
 
  And please guide me how to hide my proxy info from others
 
 
 The *fact* of a proxy's existence being detectable is not something to 
 worry about. It can be detected by any number of means which are beyond 
 your control. That site is just one of many sites doing a wide array of 
 link tests.
 
 Amos