Re: [squid-users] Squid3 issues
Hi, As a common courtesy I did give my name at the end, with best regards "Adam" if you really looked. And when I created this account years ago, I named it Gmail because I have many other accounts, it helps me filter through my email boxes, second of all I am new to the mainling list system, I receive an email I hit reply to the person that answered me And please just forget it, will you, I am no longer seeking any help I told you before, you asked me to describe my scenario, so I did but I really don't need help thanks all the same. If you looked on my reply I did say "Best Regards Adam" Thanks for your time and good luck Regards ADAM - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Friday, March 19, 2010 6:33 AM Subject: Fwd: [squid-users] Squid3 issues Hi, As a normal courtesy on regular mailing lists, it is more appropriate to use your "regular name", rather than just "GMail". The answers on this list still come from humans, and it's always nice to know the name of the person we're communicating with. Also, in one of your emails, you said that you had a FD problem, which can only happen if you have a working Squid, which is processing a lot of requests. Please confirm if that is correct. And, if your're seeing this, then I believe you have already read Amos's post. I'm forwarding this to the list. I'm more of a "forward proxy" guy, so the more adept members of the list would be of more helpful in your scenario. Regards HASSAN -- Forwarded message -- From: Gmail Date: Fri, Mar 19, 2010 at 3:29 AM Subject: Re: [squid-users] Squid3 issues To: Nyamul Hassan I'd rather use it in hosting like setup, considering I have other clients not only the webservers so if it's possible which I believe it is, to use it as Hosting setup Thanks Let me give you a quick insight of my network All my machines run Ubuntu hardy 8 my network is based on 192.1.1.0/24 1) DNS / DHCP Examples (192.168.1.1) 2) Router (Squid) Proxy (192.168.1.4) 3) Webserver xxx.xxx.x. 
5 4) Websever xxx.xxx.x.6 5) Websever xxx.xxx.x 7 6) IRC Server xxx.xxx.110 7) Digichat 100% (java) / Flash Servers xxx.xxx.x 112 5) Windows XP clients range 192.168.1.3 - 192.168.1.2 - 192.168.1.8 - 192.168.1.111 - 192.168.1.113 Other machines are not connected yet The above are just examples Two network switches Hope that helps Thanks - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Thursday, March 18, 2010 9:05 PM Subject: Re: [squid-users] Squid3 issues So, do you want to use proxy in an ISP like setup? Or in a Web Hosting like setup? Regards HASSAN On Fri, Mar 19, 2010 at 2:25 AM, Gmail wrote: Ok I'll try and clarify it (thanks btw) I am running 3 websites on one single machine and have been for few years, then the load started to grow, then I decided to have a go at a proxy server: I was actually putting off for a couple of years, simply because I am very restricted time wise I have as I said 3 different websites running on one single machine in a vhost mode three websites with three different domain names. Let's say 1) example.com, example.net, example.org all pointing eventually to the same IP address as I said it worked perfectly but it started to slow down a bit as the load gets too much for one machine to handle. On top of that I run other servers on different machines, such as Chat servers (IRC, Flash, DigiChat) , and various other applications. Now, I am using this machine as a proxy server (reverse proxy server) and a router at the same time using iptables, and I use another machine as a DNS/DHCP servers, all configured and working fine indeed no problems at all. Now, I really struggled to get the clients on my network to have access to the internet, I mean just to browse the net, I did in the end, but every single example I followed not a single one worked for me, I don't know how many forums and articles I read. I have applied so many examples no luck. 
So basically no requests were passed to the backend server, all I wanted is to get those requests forwarded to the web-server and if that works then I will add three more machines as backend servers and each machine will hold one website with it's DB and so on.. That was my plan anyway, And I found myself in ever decreasing circle going around in circle, following some people's examples and nothing worked, I tried to find information for example about, how to setup a cache parent, sibbling and so on, not a single word about, I even read O'reilly's articles. In those examples for instance they mention a parent in order to forward a request, without telling you how to set a parent, and if you don't have a parent, does that mean you can't use a proxy server, and If I had a parent where would it be? and how to decide which one is the parent and which one is the child etc.. NO indication not a single word, "they expect" you to know all that as if you spent all you life working o
[squid-users] Squid3 issues
Hi Amos,

Thanks for your comments. All I was doing is hit reply; this is the very first time ever I used any mailing list. It doesn't matter anymore. I am sorry if I offended anyone, it was not my intention; when I get an email I simply hit reply.

I will try and solve my problems, and if I do get it to work I will certainly post the solution for future users who might face the same problem. As for now, I just want to thank you all.

I have previously installed an older version of Squid, compiled it manually; it wasn't the one packaged with the OS (Ubuntu Hardy). After a few days trying to get it to work, I mean as a reverse proxy, with no luck, I removed it and tried version 3.0, the one that was packaged with the OS. I got as far as allowing clients on my network to have access to the internet, and most of the other applications on Windows XP couldn't connect.

Anyway, this time around I have downloaded it again, configured it, compiled it and installed it. It's not starting, but this is a minor problem; it's a permission issue rather than anything else.

I just want to say thank you all. If I do get it to work I will post the solution as promised; if not, that means I have moved on and am no longer using Squid3.

I will break it down for others to see and it will hopefully help others. Here it is:

1) Machine A Proxy-Router
2) Machine DNS DHCP
3) Web-server One www.example.com
4) Web-server Two www.example.org
5) Web-server Three www.example.net
6) IRC-server / Digichat server

Plus 5 Windows clients

I wanted a proxy server for two good reasons: one is for load balancing and the second is for an extra layer of security. Currently I have all of the three websites above running on a single machine on virtualhosts, but it's too much for one machine to handle all the requests.

I always wanted to use a proxy server but I was putting it off:
a) I knew it was going to be a challenge
b) I was trying to get some time off in order to do it properly

Basically all I wanted for now is to forward all requests to the relevant backend servers, which I knew was going to be a challenge.

Once again I am sorry if I offended anyone, it wasn't my intention. I will manage to sort it out or simply move on and try something else.

Thank you all
Best Regards
Adam
Re: [squid-users] Squid3 issues
Hi Amos, Thanks again for your reply, I have tried these two links, I have used them for one server at a time, or maybe the issue is that I was trying to access the backend Server which is currently running in virtualhost mode and holds the 3 websites. As I said before I have completely uninstalled the previous Squid, I reinstalled it again this time, configured it and compiled it (manually) I had some issues with permissions, first the cache logs and then the swap file directory but it's all sorted. Now when ever I start Squid with Squid -NCd 10 I check if everything is running ok, so I get this warning: ClientParseRequestMethod: Unsupported method attempted by : 111.118.144.225 This is not a bug. see Squid.conf extension methods ClientProcess Invalid Request. Let me just point out that first I have no idea where this IP originate from, I tried Dnsstuff to figure out where it's coming from, I am not sure if it's a Google crawler or someone else, the information wasn't clear. But it's definitely not one of my IPs Second, the proxy at the moment is behind a router and is not connected to any of "Local" clients yet, I wanted to run it first before I can connect it as a "Proxy-Router" How can I prevent this from accessing it because it's persisting connection it will soon cripple the server. Does anyone know who owns this IP address please? 
111.118.144.225 All I got as info is this Location: Cambodia [City: Phnom Penh, Phnum Penh]Maybe I need to block their IP if I can.At the moment the proxy server is set as a standalone machine connected through a router so I can't understand why is it gettingthese requests, from outside.Any ideas please?RegardsAdam- Original Message - From: "Amos Jeffries" To: Sent: Friday, March 19, 2010 2:53 PM Subject: Re: [squid-users] Squid3 issues a...@gmail wrote: Hi Amos, Thanks for your comments, All I was doing is hit reply, this is the very first time ever I used any mailing list It doesn't matter anymore, I am sorry if I offended anyone, it was not my intention, when I get an email I simply hit reply I will try and solve my problems, and if I do get it to work I will certainly post the solution for future users who might face the same problem As for now, I just want to thank you all I have previously installed an older version of Squid compiled it manually it wasn't the one packaged with the OS (Ubuntu hardy) after few days trying to get it to work, I mean as a reverse proxy, with no luck, I removed it, tried the version 3.0 the one that was packaged with the Os, I got as far as allowing clients on my network to have access to the internet and most of other applications on windows XP couldn't connect. Windows apps sadly often have to be individually configured for the proxy. A lot are not able to use proxies at all. For the MS software on WindowsXP, set the IE "Internet Options" then at the command line running "proxycfg -u". That proxycfg -u seems trivial, but it is seriously important for Windows XP or a lot of HTTP service stuff in the background will not work even with IE set correctly. Also worth noting is that proxy auto-detect is not done by several of the back-end libraries either. 
Including windows update :( anyway this time around I have downloaded it again configured it compiled it and installed it, it's not starting but this is a minor problem, it's a permission issue rather than anything else. I just want to say, thank you all, If I do get it to work I will post the solution as promised if not that means I have moved on and no longer using Squid3. I will break it down for others to see and it will hopefully help others: Here it is: 1) Machine A Proxy-Router 2) Machine DSN DHCP 3) Web-server One www.example.com 4) Web-server Twowww.example.org 5) Web-server Three www.example.net 6) IRC-server / Digichat server Plus 5 Windows clients I wanted a proxy server in the for two good reasons, one is for loadbalancing and second for an extra layer of security Currently I have all of the three websites above running on a single machine on a virtualhosts, but it's too much for one machine to handle all the requests. I always wanted to use a proxy server but I was putting it off. a) I knew it was going to be a challenge b) I was trying to get sometime off in order to do it properly Basically all I wanted for now is to forward all requests to the relevant backend servers, to which I knew it was going to be a challenge The "IRC-server / Digichat server" may not be proxy-able at all through Squid. It depends if they use HTTP services, or if they are accessible via HTTP. For the reverse proxying of your websites: pick one of the web servers to start with and this is the wiki article you need for that website: http://wiki.squid-cache.org/ConfigExampl
Re: [squid-users] Squid3 issues
Hi Amos,

I forgot to ask you about this comment. Amos wrote:

> The "IRC-server / Digichat server" may not be proxy-able at all through Squid. It depends if they use HTTP services, or if they are accessible via HTTP

According to you, or from what I understand, a proxy server (Squid) can only allow HTTP/HTTPS requests, correct? If that's a yes, what are we going to do with all hundreds of requests then?

You know as well as I do, running servers and services, you don't just run programmes and applications that are passed through http. So if the only access to a "network" is through 3128 (http), what happens to the rest of the services that we can provide?

I am a little confused, so in my opinion, correct me if I am wrong, we must allow through DNAT "iptables" all other services that don't use http, for the simple reason that those requests will be rejected by the proxy server.

For instance IRC servers use mainly these ports -7000, the standard port is 6667. Is the proxy server able to handle these ports?

As for the Digichat server, here is what is said about it on their website:

> Will DigiChat work through firewalls and proxy servers?
>
> All DigiChat licenses and chat hosting plans allow you to customize the ports used, providing your users access through firewalls. Additionally, DigiChat offers HTTP Tunneling functionality on select server licenses. This feature allows your chatters to use DigiChat from behind protective proxy servers. It is important that you understand the proper configuring of server ports in order for this feature to perform optimally. To ensure proper performance of DigiChat, please refer to the product documentation or consult a DigiChat support representative.
>
> NOTE: Some advanced features such as Audio chat (voice) or Video chat (web cam chat) make use of UDP ports for proper operation and as such are NOT tunnelled. Please configure your firewall so that such advanced features will work without interruption.

If anyone is interested to find out more about this, here is the link: http://www.digichat.com/PDF/DC_FAQ.pdf

Regards
Adam
[squid-users] What version of squid in the upcoming ubuntu 10.4 repo
Have you tried to ask the question on Ubuntu forums? You're more likely to get an answer.

I believe it will be version 3.0 Stable 25, I am only guessing.

Regards
Adam
[squid-users] Unsupported method attempted by
Hi,

I was wondering if anyone here could help with this problem. I have just finished reinstalling my proxy server, Squid3.0STABLE25.

As soon as I start it with

    squid -NCd 10

I check if everything is running ok, so I get this warning:

    ClientParseRequestMethod: Unsupported method attempted by : 111.118.144.225 This is not a bug. see Squid.conf extension methods
    ClientProcess Invalid Request.

And the proxy server is not yet connected to any client at this time, but I get these invalid requests one after another. Is there any way of stopping this? It's almost like a flood, and it is an outside IP address.

This is the information related to the above IP address. All I got as info is this:

    Location: Cambodia [City: Phnom Penh, Phnum Penh]

If you have any suggestions please let me know.

Regards
Adam
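A way to measure the flood described in the message above and turn it into a block rule, as an added example that is not part of the original thread: it tallies the "Unsupported method attempted by" warnings per source address and prints a Squid `acl ... src` / `http_access deny` pair for sources at or above a threshold. The log lines are constructed from the wording quoted in the message, and the ACL name `noisy_src` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed.

# Constructed cache.log excerpt; the warning text follows the message above.
sample_log() {
cat <<'EOF'
2010/03/20 12:00:01| ClientParseRequestMethod: Unsupported method attempted by : 111.118.144.225 This is not a bug. see Squid.conf extension methods
2010/03/20 12:00:01| ClientProcess Invalid Request.
2010/03/20 12:00:02| ClientParseRequestMethod: Unsupported method attempted by : 111.118.144.225 This is not a bug. see Squid.conf extension methods
2010/03/20 12:00:02| ClientProcess Invalid Request.
2010/03/20 12:00:04| ClientParseRequestMethod: Unsupported method attempted by 198.51.100.9: This is not a bug. see Squid.conf extension methods
2010/03/20 12:00:05| ClientParseRequestMethod: Unsupported method attempted by : 111.118.144.225 This is not a bug. see Squid.conf extension methods
2010/03/20 12:00:09| Starting Squid Cache version 3.0.STABLE25
EOF
}

# tally_unsupported_method FILE
# Prints "COUNT IP" per source, busiest first. The address is taken as the
# first dotted quad after the warning text, so both "by : IP" and "by IP:"
# spellings are accepted.
tally_unsupported_method() {
    awk '/Unsupported method attempted by/ {
        rest = $0
        sub(/.*Unsupported method attempted by/, "", rest)
        if (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            count[substr(rest, RSTART, RLENGTH)]++
    }
    END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# deny_acl_for MIN FILE
# Prints squid.conf lines that deny every source with at least MIN warnings.
# The http_access deny line has to sit above any http_access allow rules.
deny_acl_for() {
    tally_unsupported_method "$2" | awk -v min="$1" '
        $1 >= min { print "acl noisy_src src " $2; n++ }
        END { if (n) print "http_access deny noisy_src" }'
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
tally_unsupported_method "$demo_log"
deny_acl_for 2 "$demo_log"
rm -f "$demo_log"
```

A Squid-level deny still costs a TCP accept per request; dropping the same sources at the router or with iptables keeps them away from the proxy entirely.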
Re: [squid-users] Squid3 issues
Well, IRC can be accessed with IRC clients such as mIRC and so on. But they can also be accessed via the web with Java applets, using in fact a web browser. That's why I am asking the question, if anyone has had this done.

As for Digichat, it is a 100% Java-written programme, and it also uses the web browser for clients to connect to it from outside with a Java applet. It uses http; what they were saying there was about the hosting server on their servers. I have my own Digichat server, which is hosted in my house. So if they can do it even with a proxy, I am sure I can do it. And if I get it to work then I will post how I did it in case someone else is looking for a solution of the same nature or same service.

Because these services were running fine on port 80 with no problems, I mean clients could easily access these servers from the HTTP port 80 and then they are redirected to the server's ports: IRC -7000 and Digichat usually on 8396.

So I will post back if I get it up and running.

Regards
Adam

----- Original Message -----
From: "Amos Jeffries"
To:
Sent: Saturday, March 20, 2010 12:12 AM
Subject: Re: [squid-users] Squid3 issues

a...@gmail wrote:
> Hi Amos,
> I forgot to ask you about this comment. Amos wrote:
> " The "IRC-server / Digichat server" may not be proxy-able at all through Squid. It depends if they use HTTP services, or if they are accessible via HTTP"

I said that because my reading of one of your earlier messages it appeared that you were getting frustrated by Squid not proxying traffic for those services.

I'm not sure if you are wanting Squid to gateway access for your client machines to those server(s), which is possible with some client configuration. DigiWeb sounds like it needs special licenses to be configured that way.

I'm not sure if you are wanting to gateway traffic from the general public to those servers. Which is not possible for IRC and seems not for DigiWeb either.

> According to you or from what I understand, proxy server (Squid) can only allow HTTP/HTTPS requests, correct?

Yes.

> If that's a yes, what are we going to do with all hundreds of requests then?

I don't understand what you mean by "hundreds of requests". What type of requests and for what? User requests for access? Software requests for non-HTTP stuff?

> You know as well as I do, running servers and services, you don't just run programmes and applications that are passed through http. So if the only access to A "network" is through 3128 (http) what happens to the rest of the services that we can provide?

Your public (externally visible) services should not be published on port 3128 unless you are offering proxy services.

> I am a little confused, so in my opinion correct me if I am wrong, we must allow through DNAT "iptables" all other services that don't use http, for the simple reason, those requests will be rejected by the Proxy server.

Maybe. It gets complicated.

1) Squid can only handle HTTP inbound to Squid.
2) You could do routing or port forwarding (DNAT) with iptables, or use other non-Squid proxy software for each publicly provided protocol.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
Re: [squid-users] Squid3 issues
- Original Message - From: "Amos Jeffries" To: Sent: Saturday, March 20, 2010 1:38 AM Subject: Re: [squid-users] Squid3 issues a...@gmail wrote: Well IRC can be accessed with IRC clients such as mIRC and so on But they can also be accessed via the web with Java Applets using in fact a web browser That's why I am asking the question, if anyone has had this done. Ah okay. I think you will find that those IRC Java applets use IRC protocol natively in the background. Only using the browser for a GUI. The ones I've seen were like that. Yes the Applet is configured to connect to any of these ports 6667-7000 for argument sake it's usually 6667. And yes the browser is used for GUI As for Digichat, is a 100% Java written programme, and it also uses the Web browser for clients to connect to it from outside with a Java Applet. It uses http, what they were saying there was about the hosting server on their servers I have my own Digichat server, which is hosted in my house. So if they can do it even with a proxy I am sure I can do it. And If I get it to work then I will post how I did it in case someone else is looking for a solution of the same nature or same service. Because these services were running fine on port 80 with no problems, I mean clients could easily access these servers from the HTTP port 80 and then they are redirected to the server's ports: IRC -7000 and Digichat usually on 8396 So I will post back if I get it up and running Regards Adam Oh. Okay. It sounds like they should keep working then even if Squid is in front. The Digichat (port 80 of Digichat at least) may be just another cache_peer entry for Squid. This is what is says in the documentation anyway HTTP Tunneling Servlet Configuration The DigiChat client connects to the DigiChat server through six default TCP ports: 8396, 58396, 443, 110, 119, 25. Users that access the Internet from behind a firewall or proxy server will generally have those ports blocked on their systems. 
DigiChat will display an error when it is not able to access the necessary ports. In order to allow access to the applet for users behind firewalls and proxy servers, HTTP Tunneling functionality has been implemented with the DigiChat software. Generally, ports 80 and 8080 are available to users behind such systems. The HTTP Tunneling Servlet can listen on these ports and pass the connection to the DigiChat Server. Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Saturday, March 20, 2010 12:12 AM Subject: Re: [squid-users] Squid3 issues a...@gmail wrote: Hi Amos, I forgot to ask you about this comment Amos Wrote: " The "IRC-server / Digichat server" may not be proxy-able at all through Squid. It depends if they use HTTP services, or if they are accessible via HTTP" I said that because my reading of one of your earlier messages it appeared that you were getting frustrated by Squid not proxying traffic for those services. I'm not sure if you are wanting Squid to gateway access for your client machines to those server(s), which is possible with some client configuration. DigiWeb sounds like it needs special licenses to be configured that way. I'm not sure if you are wanting to gateway traffic from the general public to those servers. Which is not possible for IRC and seems not for DigiWeb either. According to you or from what I understand, proxy server (Squid) can only allow HTTP/HTTPS requests, correct? Yes. If that's a yes, what are we going to do with all hundreds of requests then? I don't understand what you mean by "hundreds of requests". What type of requests and for what? user requests for access? software requests for non-HTTP stuff? You know as well as I do, running servers and services, you don't just run programmes and applications that are passed through http So if the only access to A "network" is through 3128 (http) what happens to the rest of the services that we can provide? 
Your public (externally visible) services should not be published on port 3128 unless you are offering proxy services. I am a little confused, so in my opinion correct me if I am wrong, we must allow through DNAT "iptables" all other services that don't use http, for the simple reason, those requests will be rejected by the Proxy server. Maybe. It gets complicated. 1) Squid can only handle HTTP inbound to Squid. 2) You could do routing or port forwarding (DNAT) with iptables, or use other non-Squid proxy software for each publicly provided protocol. Amos -- Please be using Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25 Current Beta Squid 3.1.0.18 -- Please be using Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25 Current Beta Squid 3.1.0.18
[squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)
Hi All,

I have a question, I just want to make sure that I understand this configuration. Assuming I am configuring just one backend webserver and one website, from this link:
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Does this mean

    http_port 80 accel defaultsite=your.main.website.name

http_port 80 (port of the back-end webserver)?

Defaultsite= (should it be like this) defaultsite=www.mydomain.org or defaultsite=mydomain.org or defaultsite=the_name_of_the_folder_where_the_website_is_located?

My next question is for this

    cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel

Ok, this is what I understood. Example:

    cache_peer 192.168.1.3 parent 80 0 no-query originserver name=myAccel

but what value will "myAccel" be holding, for instance the name of my website? Or its IP address? What is it exactly?

My final question is

    acl our_sites dstdomain your.main.website.name
    http_access allow our_sites
    cache_peer_access myAccel allow our_sites
    cache_peer_access myAccel deny all

ok, maybe the first line should be

    acl our_sites dstdomain www.mydomain.org

is this correct? And then the rest is straightforward.

Can anyone help me please, I am a bit confused with this. Any help would be very much appreciated.

Regards
Adam

I do apologise, I have sent the first email from a different mail box.
[squid-users] Mod_rewrite and Squid
Hi All,

Does anyone know if mod_rewrite will interfere with redirection of http or https requests? Does anyone know whether Squid can handle Apaches with mod_rewrite enabled and websites with .htaccess RewriteEngine On?

Any help would be appreciated.

Regards
Adam
Re: [squid-users] Mod_rewrite and Squid
Hi There,

Thanks for confirming. I asked the question because one of my webservers is running a website with mod_rewrite rules.

Thanks again
Regards
Adam

----- Original Message -----
From: "Jeff Peng"
To: "a...@gmail"
Cc:
Sent: Saturday, March 20, 2010 2:26 PM
Subject: Re: [squid-users] Mod_rewrite and Squid

On Sat, Mar 20, 2010 at 9:53 PM, a...@gmail wrote:
> Hi All,
> Does anyone know if Mod_rewrite will interfere with redirection of http or https requests, If anyone knows whether Squid can handle Apaches with Mod_rewrite enabled and websites with .htaccess rewriteEngines On?

mod_rewrite returns a new path with a 301/302 code, then the client browser is redirected to access the new path. Squid handles a webserver redirection well.

--
Jeff Peng
Email: jeffp...@netzero.net
Skype: compuperson
Re: [squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)
Hi Amos,

Thanks for your reply. My question, I should probably put it another way: let's say my website is http://www.example.com, right? In the defaultsite= directive, do I need to put just the domain name, i.e. example.com, that should match the exact domain name that is requested by the client, or something else?

And the http_port should match the http_port that the backend web-server is listening on, correct?

As for the cache_peer, does the cache peer also refer to the backend "web-server"? If you don't mind being a little bit more specific please.

Thank you
Regards
Adam

----- Original Message -----
From: "Amos Jeffries"
To:
Sent: Saturday, March 20, 2010 10:35 PM
Subject: Re: [squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)

a...@gmail wrote:
> Hi All,
> I have a question I just want to make sure that I understand this configuration. Assuming I am configuring just one backend webservers and one website:
> From this link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
> Does this mean
>     http_port 80 accel defaultsite=your.main.website.name
> http_port 80 (port of the back-end webserver)?
> Defaultsite= (should it be like this) defaultsite=www.mydomain.org or defaultsite=mydomain.org or defaultsite=the_name_of_the_folder_where_the_website_is_located?

It's just the domain name visitors will use to get the website. It's only used to 'fix' broken clients who fail to send a domain name in their requests. Which domain to use is up to you.

> My next question is for this
>     cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
> Ok this is what I understood. Example:
>     cache_peer 192.168.1.3 parent 80 0 no-query originserver name=myAccel
> but what value will "myAccel" be holding for instance, the name of my website? or it's IP address what is it exactly?

It's a label. Only used in the squid.conf file to represent that peer.

> My final question is
>     acl our_sites dstdomain your.main.website.name
>     http_access allow our_sites
>     cache_peer_access myAccel allow our_sites
>     cache_peer_access myAccel deny all
> ok maybe the first line should be
>     acl our_sites dstdomain www.mydomain.org
> is this correct?

Yes. A list of all the websites you are serving through this Squid to that peer. Wildcard sub-domains by starting with a dot, for example: .example.com

> And then the rest is straightforward. Can anyone help me please, I am a bit confused with this. Any help would be very much appreciated

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
Re: [squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)
Thanks Amos

Ok, I will try this and keep you all posted. I hope it'll work this time.

Regards
Adam

----- Original Message -----
From: "Amos Jeffries"
To:
Sent: Saturday, March 20, 2010 11:39 PM
Subject: Re: [squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)

a...@gmail wrote:
> Hi Amos,
> Thanks for your reply. My question I should probably put it another way: let's say my website is http://www.example.com right? In the defaultsite= directive do I need to put just the domain name i.e example.com that should match the exact domain name that is requested by the client or something else?

It doesn't matter. Whichever domain _you_ want the client to most visit. You could even put defaultsite=abetterbrowser.org

> And the http_port should match the http_port that the backend web-server is listening on, correct?

Yes. Port 80 is the standard. It's recommended to _also_ have Squid listening on any strange ports the backend use so that breakage in the backend server apps URLs does not cause too much damage.

> As for the cache_peer, does the cache peer also refers to the backend "web-server"? If you don't mind being a little a bit more specific please.

cache_peer ONLY refers to the back end server connection.
http_port ONLY refers to client-facing connections.

> ----- Original Message -----
> From: "Amos Jeffries"
> To:
> Sent: Saturday, March 20, 2010 10:35 PM
> Subject: Re: [squid-users] Configuring a Basic Reverse Proxy (Website Accelerator)
>
> a...@gmail wrote:
> > Hi All,
> > I have a question I just want to make sure that I understand this configuration. Assuming I am configuring just one backend webservers and one website:
> > From this link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
> > Does this mean
> >     http_port 80 accel defaultsite=your.main.website.name
> > http_port 80 (port of the back-end webserver)?
> > Defaultsite= (should it be like this) defaultsite=www.mydomain.org or defaultsite=mydomain.org or defaultsite=the_name_of_the_folder_where_the_website_is_located?
>
> It's just the domain name visitors will use to get the website. It's only used to 'fix' broken clients who fail to send a domain name in their requests. Which domain to use is up to you.
>
> > My next question is for this
> >     cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
> > Ok this is what I understood. Example:
> >     cache_peer 192.168.1.3 parent 80 0 no-query originserver name=myAccel
> > but what value will "myAccel" be holding for instance, the name of my website? or it's IP address what is it exactly?
>
> It's a label. Only used in the squid.conf file to represent that peer.
>
> > My final question is
> >     acl our_sites dstdomain your.main.website.name
> >     http_access allow our_sites
> >     cache_peer_access myAccel allow our_sites
> >     cache_peer_access myAccel deny all
> > ok maybe the first line should be
> >     acl our_sites dstdomain www.mydomain.org
> > is this correct?
>
> Yes. A list of all the websites you are serving through this Squid to that peer. Wildcard sub-domains by starting with a dot, for example: .example.com
>
> > And then the rest is straightforward. Can anyone help me please, I am a bit confused with this. Any help would be very much appreciated
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
> Current Beta Squid 3.1.0.18

--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
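The directives discussed in this exchange, extended to the three-sites-on-three-backends layout described earlier in the thread, as an added example that is not part of the original messages or the wiki page: a small generator that prints one `cache_peer` / `acl` / `cache_peer_access` group per site and closes with `http_access deny all`, so the accelerator answers only for the listed domains. The back-end addresses, the `siteN` labels and the function name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit a Squid accelerator config for
# several sites, each served by its own back-end web server.

# gen_accel_conf DEFAULTSITE "DOMAIN BACKEND_IP" ["DOMAIN BACKEND_IP" ...]
gen_accel_conf() {
    defaultsite=$1
    shift

    # Client-facing side. defaultsite= only covers clients that send no
    # domain name; vhost lets the Host header select among several sites.
    printf 'http_port 80 accel defaultsite=%s vhost\n\n' "$defaultsite"

    n=0
    for pair in "$@"; do
        n=$((n + 1))
        domain=${pair%% *}      # text before the first space
        ip=${pair##* }          # text after the last space
        peer="site$n"           # label only, referenced by cache_peer_access
        acl="site${n}_dom"

        # Back-end side: one origin server per site.
        printf 'cache_peer %s parent 80 0 no-query originserver name=%s\n' "$ip" "$peer"
        # A leading dot in DOMAIN (".example.com") also matches sub-domains.
        printf 'acl %s dstdomain %s\n' "$acl" "$domain"
        printf 'http_access allow %s\n' "$acl"
        # Route this domain to its own peer and nothing else to that peer.
        printf 'cache_peer_access %s allow %s\n' "$peer" "$acl"
        printf 'cache_peer_access %s deny all\n\n' "$peer"
    done

    # Anything that is not one of our sites is refused, so the listener
    # cannot be used to reach arbitrary destinations.
    printf 'http_access deny all\n'
}

# Demo with the three example domains from the thread and constructed
# back-end addresses.
gen_accel_conf www.example.com \
    "www.example.com 192.168.1.5" \
    "www.example.org 192.168.1.6" \
    "www.example.net 192.168.1.7"
```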
[squid-users] FileDescriptor Issues
Hi All,

I have tried everything so far. I definitely have increased my file descriptors on my Ubuntu OS from 1024 to 46622, but when I start Squid 3.0 STABLE25 it doesn't seem to detect the real descriptors' size.

I have checked the sysctl.conf, and I have checked the system to make sure that it has the correct size:

    /etc/sysctl.conf

When I run this

    more /proc/sys/fs/file-max

I get 46622.

But Squid3.0 seems to only detect 1024.

Is there anything that I am not doing please? I don't know what else to do.

Thank you
Regards
Adam
Re: [squid-users] FileDescriptor Issues
Hi, Al

Yes I did, thanks for the suggestion. I am trying to figure out why is Squid refusing to acknowledge the available size on the system. Unless of course it's a bug on either side, I mean on Squid's side and Ubuntu's side. But I have checked some Ubuntu forums and people used the same methods I used, and it seems very strange that when I start Squid I get 1024 instead of 46622 or whatever the number I put.

Regards
Adam

- Original Message -
From: "Al - Image Hosting Services"
To: "a...@gmail"
Cc:
Sent: Monday, March 22, 2010 6:13 PM
Subject: Re: [squid-users] FileDescriptor Issues

Hi,

Did you try using ulimit?

Best Regards,
Al

On Mon, 22 Mar 2010, a...@gmail wrote:

> Date: Mon, 22 Mar 2010 17:42:47 -
> From: "a...@gmail"
> To: squid-users@squid-cache.org
> Subject: [squid-users] FileDescriptor Issues
>
> Hi All,
> I have tried everything so far. I definitely have increased my file
> descriptors on my Ubuntu OS from 1024 to 46622, but when I start Squid 3.0
> STABLE25 it doesn't seem to detect the real descriptor's size. I have
> checked the sysctl.conf, and I have checked the system to make sure that
> the correct size is in /etc/sysctl.conf.
> When I run this
>     more /proc/sys/fs/file-max
> I get 46622
> But Squid 3.0 seems to only detect 1024
> Is there anything that I am not doing please? I don't know what else to do.
> Thank you
> Regards
> Adam
Re: [squid-users] FileDescriptor Issues
Hello All,

I have solved the problem, I managed to increase the file descriptors from 1024. This is what I have done on Ubuntu hardy; it should work on most Ubuntu and Debian systems.

I first needed to see the max that my system can support. Run this command first:
    cat /proc/sys/fs/file-max
It will display the maximum that your system can currently handle.

To increase that number you need first to run this command (let's assume X is a number, 46900):
    echo X > /proc/sys/fs/file-max
(where X is the number you want to add)

You then need to add this into the file /etc/sysctl.conf:
    fs.file-max = X
(that same number again)

After you've done this, check again with this command:
    sysctl -p

It's all stored in /proc/sys/fs/file-nr (just run this command to get the output)

To modify the descriptor limit per session, we need to add this to our limits.conf:
    emacs or vi /etc/security/limits.conf
and add
    * soft nofile X
    * hard nofile X
Note you can use either or both of the above two lines. And you can use a specific user instead of the wildcard "*" which is at the beginning of each line; it means all users on your system.

Save it and then you can check with
    ulimit -n
If you still get 1024 you probably need to reboot your system altogether; on mine it didn't show until I rebooted anyway.

I hope this will help someone somewhere at some point.

Regards
Adam

- Original Message -
From: "Al - Image Hosting Services"
To: "a...@gmail"
Cc:
Sent: Monday, March 22, 2010 6:13 PM
Subject: Re: [squid-users] FileDescriptor Issues

Hi,

Did you try using ulimit?

Best Regards,
Al

On Mon, 22 Mar 2010, a...@gmail wrote:

> Date: Mon, 22 Mar 2010 17:42:47 -
> From: "a...@gmail"
> To: squid-users@squid-cache.org
> Subject: [squid-users] FileDescriptor Issues
>
> Hi All,
> I have tried everything so far. I definitely have increased my file
> descriptors on my Ubuntu OS from 1024 to 46622, but when I start Squid 3.0
> STABLE25 it doesn't seem to detect the real descriptor's size. I have
> checked the sysctl.conf, and I have checked the system to make sure that
> the correct size is in /etc/sysctl.conf.
> When I run this
>     more /proc/sys/fs/file-max
> I get 46622
> But Squid 3.0 seems to only detect 1024
> Is there anything that I am not doing please? I don't know what else to do.
> Thank you
> Regards
> Adam
[squid-users] FileDescriptor Issues
I have solved the problem, I managed to increase the filedescriptor My system now reads 65535 But Squid still says only 1024 fileDescriptors available What can I do to fix this please, I have rebooted the system and Squid several times I am running out of ideas Any help would be appreciated Regards Adam
Re: [squid-users] FileDescriptor Issues
Thanks Ivan for your suggestion

But in my case it's slightly different
I have no squid in /etc/default/squid /etc/init.d/
mine is located in /usr/local/squid/sbin/squid
unless I try this
    /usr/local/squid/sbin/squid SQUID_MAXFD=4096
And then restart it, but I am not sure. I am using Ubuntu Hardy.
I think this tip is for the Squid that is packaged with Ubuntu and not the compiled Squid.

Thanks for your suggestion, I appreciate it
Regards
Adam

From: "Ivan ."
To: "a...@gmail"
Cc:
Sent: Tuesday, March 23, 2010 1:50 AM
Subject: Re: [squid-users] FileDescriptor Issues

Have you set the descriptor size in the squid start up script?
see here
http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/

cheers
Ivan

On Tue, Mar 23, 2010 at 12:45 PM, a...@gmail wrote:

> I have solved the problem, I managed to increase the filedescriptor
> My system now reads 65535
> But Squid still says only 1024 fileDescriptors available
> What can I do to fix this please, I have rebooted the system and Squid
> several times
> I am running out of ideas
> Any help would be appreciated
> Regards
> Adam
Re: [squid-users] FileDescriptor Issues
Sorry I haven't set it in the Start up script But I will try it right away Regards Adam - Original Message - From: "Ivan ." To: "a...@gmail" Cc: Sent: Tuesday, March 23, 2010 1:50 AM Subject: Re: [squid-users] FileDescriptor Issues Have you set the descriptor size in the squid start up script? see here http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/ cheers Ivan On Tue, Mar 23, 2010 at 12:45 PM, a...@gmail wrote: I have solved the problem, I managed to increase the filedescriptor My system now reads 65535 But Squid still says only 1024 fileDescriptors available What can I do to fix this please, I have rebooted the system and Squid several times I am running out of ideas Any help would be appreciated Regards Adam
Re: [squid-users] FileDescriptor Issues
Thanks Amos for this tip
I will try that and keep you posted

Regards
Adam

- Original Message -
From: "Amos Jeffries"
To:
Sent: Tuesday, March 23, 2010 2:54 AM
Subject: Re: [squid-users] FileDescriptor Issues

On Tue, 23 Mar 2010 02:19:40 -0000, "a...@gmail" wrote:

> Thanks Ivan for your suggestion
> But in my case it's slightly different
> I have no squid in /etc/default/squid /etc/init.d/
> mine is located in /usr/local/squid/sbin/squid
> unless I try this
>     /usr/local/squid/sbin/squid SQUID_MAXFD=4096

/etc/default/squid is a configuration file for configuring the system init.d/squid script. It does not exist normally, you create it only when overrides are needed.

.../sbin/squid is supposed to be the binary application which gets run.

> And then restart it, but I am not sure. I am using Ubuntu Hardy.
> I think this tip is for the Squid that is packaged with Ubuntu and not
> the compiled Squid.

Bash environment shells reset the descriptors down again towards 1024 each time a new one is generated. It _always_ must be increased to the wanted limit before running Squid. Whether you do it manually on the command line each time, or in the init.d script, or in some other custom starter script.

My Ubuntu systems show default OS limits of just over 24K FD available.

Building Squid with:
    ulimit -HSn 65535 && ./configure --with-filedescriptors=65535 ...
    make install

starting:
    squid -f /etc/squid.conf
squid shows 1024

starting:
    ulimit -HSn 64000 && squid -f /etc/squid.conf
squid shows 64000

Amos
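The distinction the message above draws, between the system-wide fs.file-max value and the per-process limit that Squid inherits from whatever shell or script starts it, can be reproduced without Squid. This Python sketch is an added example, not code from the thread or from the Squid project; `squid_visible_fds` is a hypothetical helper that only models the figures reported in the thread (the smaller of the build-time value and the soft limit at start-up).

```python
import resource
import subprocess
import sys

# One-liner run inside the child: print the soft RLIMIT_NOFILE it inherited.
PROBE = "import resource; print(resource.getrlimit(resource.RLIMIT_NOFILE)[0])"


def system_file_max(path="/proc/sys/fs/file-max"):
    """System-wide ceiling on open files (the value sysctl fs.file-max sets)."""
    try:
        with open(path) as fh:
            return int(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None  # not Linux, or /proc is not mounted


def process_limits():
    """(soft, hard) per-process limit of this process, i.e. `ulimit -Sn` / `-Hn`."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def clamp(wanted):
    """An unprivileged process cannot raise its soft limit above the hard limit."""
    _, hard = process_limits()
    return wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)


def child_soft_limit(wanted=None):
    """Start a child the way `ulimit -Sn N && squid` would and return the
    soft limit the child reports. With wanted=None nothing is changed and
    the child simply inherits the parent's limit."""
    def set_limit():
        # Runs in the child between fork() and exec(), like ulimit in an init script.
        _, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
        resource.setrlimit(resource.RLIMIT_NOFILE, (clamp(wanted), hard))

    done = subprocess.run(
        [sys.executable, "-c", PROBE],
        preexec_fn=set_limit if wanted is not None else None,
        capture_output=True, text=True, check=True,
    )
    return int(done.stdout.strip())


def squid_visible_fds(compiled_max, soft_limit_at_start):
    """Hypothetical model of the numbers quoted in the thread: Squid reports
    the smaller of its build-time value and the limit it was started under."""
    return min(compiled_max, soft_limit_at_start)


if __name__ == "__main__":
    soft, hard = process_limits()
    print("fs.file-max (system-wide):", system_file_max())
    print("this process soft/hard   :", soft, hard)
    print("child, limit untouched   :", child_soft_limit())
    print("child, soft limit set 256:", child_soft_limit(256))
    # Figures from the thread: built with 65535, started under 1024 / 64000.
    print("model:", squid_visible_fds(65535, 1024), squid_visible_fds(65535, 64000))
```

Raising fs.file-max changes only the first number printed; the child's value changes only when the limit is set in the process that launches it.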
Re: [squid-users] FileDescriptor Issues
Hi All

I have recompiled squid with 6400 FDS. I tried with 65535 and I got a warning that 65535 is not a multiple of 64 and it may cause some problems on some systems, so I changed it to 6400.
I completed the installation, started Squid, and now it's showing 6400 although the system is set to 65535.

I have one question: from your experiences with squid, would 6400 FDS be enough?

Thank you all for your help
Regards
Adam

- Original Message -
From: "Bradley, Stephen W. Mr."
To: "a...@gmail"
Sent: Tuesday, March 23, 2010 2:02 PM
Subject: RE: [squid-users] FileDescriptor Issues

A problem I found is that you have to set ulimit BEFORE you compile it as well.

I built everything from scratch and every time I rebuild it I have to :

    ulimit -HSn XX ( being whatever you want it to be)

In /etc/init.d/squid (the script I use)

    [snip]
    PATH=/usr/bin:/sbin:/bin:/usr/sbin
    export PATH
    ulimit -HSn 32768
    [snip]

That way every time I run the script it makes sure that it sets the FDs up to where they need to be.

I'm guessing that if you have a busy server it is crashing after a little while of running... ;-)

steve

-----Original Message-
From: a...@gmail [mailto:adbas...@googlemail.com]
Sent: Monday, March 22, 2010 11:10 PM
To: Amos Jeffries; squid-users@squid-cache.org
Subject: Re: [squid-users] FileDescriptor Issues

Thanks Amos for this tip
I will try that and keep you posted
Regards
Adam

- Original Message -
From: "Amos Jeffries"
To:
Sent: Tuesday, March 23, 2010 2:54 AM
Subject: Re: [squid-users] FileDescriptor Issues

On Tue, 23 Mar 2010 02:19:40 -, "a...@gmail" wrote:

> Thanks Ivan for your suggestion
> But in my case it's slightly different
> I have no squid in /etc/default/squid /etc/init.d/
> mine is located in /usr/local/squid/sbin/squid
> unless I try this
>     /usr/local/squid/sbin/squid SQUID_MAXFD=4096

/etc/default/squid is a configuration file for configuring the system init.d/squid script. It does not exist normally, you create it only when overrides are needed.

.../sbin/squid is supposed to be the binary application which gets run.

> And then restart it, but I am not sure. I am using Ubuntu Hardy.
> I think this tip is for the Squid that is packaged with Ubuntu and not
> the compiled Squid.

Bash environment shells reset the descriptors down again towards 1024 each time a new one is generated. It _always_ must be increased to the wanted limit before running Squid. Whether you do it manually on the command line each time, or in the init.d script, or in some other custom starter script.

My Ubuntu systems show default OS limits of just over 24K FD available.

Building Squid with:
    ulimit -HSn 65535 && ./configure --with-filedescriptors=65535 ...
    make install

starting:
    squid -f /etc/squid.conf
squid shows 1024

starting:
    ulimit -HSn 64000 && squid -f /etc/squid.conf
squid shows 64000

Amos
Re: [squid-users] FileDescriptor Issues
Hi, Which OS are you using? my start up script is located here /usr/local/squid/sbin/squid The packaged one I had before, the startup script was located in /etc/init.d/squid3 But not the compiled version Thank you Regards Adam - Original Message - From: "Bradley, Stephen W. Mr." To: "a...@gmail" Sent: Tuesday, March 23, 2010 2:02 PM Subject: RE: [squid-users] FileDescriptor Issues A problem I found is that you have to set ulimit BEFORE you compile it as well. I built everything from scratch and everytime I rebuild it I have to : ulimit -HSn XX ( being whatever you want it to be) In /etc/init.d/squid (the script I use) [snip] PATH=/usr/bin:/sbin:/bin:/usr/sbin export PATH ulimit -HSn 32768 [snip] That way every time I run the script it makes sure that it sets the FDs up to where they need to be. I'm guessing that if you have a busy server it is crashing after a little while of running... ;-) steve -Original Message- From: a...@gmail [mailto:adbas...@googlemail.com] Sent: Monday, March 22, 2010 11:10 PM To: Amos Jeffries; squid-users@squid-cache.org Subject: Re: [squid-users] FileDescriptor Issues Thanks Amos for this tip I will try that and keep you posted Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Tuesday, March 23, 2010 2:54 AM Subject: Re: [squid-users] FileDescriptor Issues On Tue, 23 Mar 2010 02:19:40 -, "a...@gmail" wrote: Thanks Ivan for your suggestion But in my case it's slightly different I have no squid in /etc/default/squid /etc/init.d/mine is located in /usr/local/squid/sbin/squidunless I try this/usr/local/squid/sbin/squid SQUID_MAXFD=4096 /etc/default/squid is a configuration file for configuring the system init.d/squid script. It does not exist normally, you create it only when overrides are needed. .../sbin/squid is supposed to be the binary application which gets run. 
And then restart it, but I am not sure I am using Ubuntu HardyI think this tip is for the Squid that is packaged with Ubuntu and not the compiledSquid Bash environment shells resets the descriptors down again towards 1024 each time a new one is generated. It _always_ must be increased to the wanted limit before running Squid. Whether you do it manually on the command line each time, or in the init.d script, or in some other custom starter script. My Ubuntu systems show default OS limits of just over 24K FD available. Building Squid with: ulimit -HSn 65535 && ./configure --with-filedescriptors=65535 ... make install starting: squid -f /etc/squid.conf squid shows 1024 starting: ulimit -Hsn 64000 && squid -f /etc/squid.conf squid shows 64000 Amos
[squid-users] Help with accelerated site
Hello All,

I have followed this configuration, but when I try and access the website from outside my network, all I get is the default page of the apache on the machine where the Squid proxy is installed.

Here is the link:
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Here is the configuration I followed:

    http_port 80 accel defaultsite=your.main.website.name
(changed my port to 81, my backend server listens on port 81)
I have
    http_port 81 accel defaultsite=www.my.website.org vhost
and then used this
    cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
    cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
(myAccel I have put a name)
and then
    acl our_sites dstdomain my.website.org
    http_access allow our_sites
    cache_peer_access myAccel allow our_sites
    cache_peer_access myAccel deny all

Anybody with any suggestions please?
Any help would be appreciated, thank you
Regards
Adam
Re: [squid-users] Help with accelerated site
Hello there, Thanks for the reply Ron and Amos Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3 Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80. I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4 And I do have the vhost in my configuration Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't. I hope it makes more sense to you what I am trying to describe here Thank you all for your help Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Thursday, March 25, 2010 1:01 AM Subject: Re: [squid-users] Help with accelerated site On Wed, 24 Mar 2010 19:48:27 -0400, Ron Wheeler wrote: What is squid proxying? Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80. Browser ==> Squid on 80==>proxied to Apache on port 81. If Squid is not proxying Apache, then it looks like you have Apache running on 80. If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80. If Apache is running and owns port 80, Squid will not start. If this is the case, You likely have errors in the logs to this effect. Shut down Apache and and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80. 
Ron

a...@gmail wrote:

> Hello All,
> I have followed this configuration, but when I try and access the website
> from outside my network, all I get is the default page of the apache on
> the machine where the Squid proxy is installed.
> Here is the link:
> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
> Here is the configuration I followed:
>     http_port 80 accel defaultsite=your.main.website.name
> (changed my port to 81, my backend server listens on port 81)
> I have
>     http_port 81 accel defaultsite=www.my.website.org vhost
> and then used this
>     cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
>     cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
> (myAccel I have put a name)
> and then
>     acl our_sites dstdomain my.website.org
>     http_access allow our_sites
>     cache_peer_access myAccel allow our_sites
>     cache_peer_access myAccel deny all
> Anybody with any suggestions please?
> Any help would be appreciated, thank you
> Regards
> Adam

Sorry, took me a while to un-mangle that original email text.

You are missing the "vhost" option on https_port 80. All traffic Squid receives on port 80 will go to Apache's default virtual host.

Amos
Re: [squid-users] Help with accelerated site
Hi All,

Thank you guys for your help. I have tried your suggestions. Yes Ron, I know that two programmes can't both listen on the same port at the same time, but I thought the Apache was essential for the Proxy server, so thanks for the suggestion.

I am including bits of my config here, because now I am getting "Access Denied" even from a local network. Can you guys please take a look at it and see if you can spot what's causing the access denied? Note I have tried to allow everything and removed all the "deny" directives and yet it still denies any access from my local network.

That is why I get so confused with Squid, I don't understand its logic to be perfectly honest, and let me remind you that this config used to work just fine; at least it used to allow access to the internet to all the clients on my local network.

    #
    # Other Access Controls
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl our_networks dst 192.168.1.0/32
    acl our_sites dstdomain www.mysite.org
    acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
    # acl localnet src 192.168.0.0/32 # RFC1918 possible internal network
    acl localnet src 192.168.1.0/32  #Local Network
    acl myaccelport port 80
    # acl FTP proto FTP
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    #http_access deny manager
    # http_access deny !Safe_ports
    http_access allow localnet
    #http_access deny all
    # http_access allow intranet
    # http_access deny all
    http_access allow our_networks
    icp_access allow localnet
    #icp_access deny all
    htcp_access allow localnet
    #htcp_access deny all
    http_acceess allow CONNECT
    #http_access deny all

    hosts_file /etc/hosts
    visible_hostname proxy
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    cache_effective_user squid
    access_log /usr/local/squid/var/logs/access.log squid
    cache_log /usr/local/squid/var/logs/cache.log
    cache_store_log /usr/local/squid/var/logs/store.log
    pid_filename /usr/local/squid/var/logs/squid.pid
    refresh_pattern ^ftp:     1440  20%  10080
    refresh_pattern ^gopher:  1440   0%   1440
    refresh_pattern .            0  20%   4320
    icp_port 3130
    htcp_port 4827
    # allow_underscore on
    coredump_dir /usr/local/squid/var/cache

Can anyone see what's wrong with this config and, if possible, point it out to me? Your help would be much appreciated.
Thanking you in advance
Regards
Adam

- Original Message -
From: "Ron Wheeler"
To: "a...@gmail"
Cc: "Amos Jeffries" ;
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

> Hello there,
> Thanks for the reply Ron and Amos
> Maybe my original e-mail wasn't clear, a bit confusing, I am sorry if I
> confused you
> I have squid running on Machine A with let's say local ip 192.168.1.4
> the backend server is running on machine B and ip address 192.168.1.3
> Now, instead of getting the website that is located on Machine B
> 192.168.1.3 which is listening on port 81 not 80,
> I am getting the default Apache Page on the Proxy server Machine which is
> 192.168.1.4
> And I do have the vhost in my configuration
> Well there are two apaches running on the two machines, the proxy machine
> and the web-server machine, except the web-server apache listens on port
> 81; logically (technically) speaking it should work, but for some reason
> it doesn't.
> I hope it makes more sense to you what I am trying to describe here

Very helpful.

You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80.
You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80. If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct) If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free. If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80. This will support browser=>Squid on 192.168.1.4 ==> Apache on 192.168.1.4:81 (vhost) ==>Apache 192.168.1.3:80 That is a pretty common approach. Ron Thank you all for your he
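The access rules posted in the message above can be evaluated offline. The following Python sketch is an added example, not part of the thread and not Squid code: it applies Squid's documented http_access behaviour (first matching line decides; if no line matches, the result is the opposite of the last line) to the active lines of the posted configuration. The request values are taken from addresses that appear in the thread, and the /24 variant is an assumption about the intended LAN range.

```python
import ipaddress

# Active (uncommented) acl/http_access lines copied from the posted config.
POSTED = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl our_networks dst 192.168.1.0/32
acl our_sites dstdomain www.mysite.org
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.0/32
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow localnet
http_access allow our_networks
http_acceess allow CONNECT
"""

# Assumption: the LAN is 192.168.1.0/24, so the mask is the only change.
WITH_24 = POSTED.replace("src 192.168.1.0/32", "src 192.168.1.0/24")

# Constructed request: a LAN client (192.168.1.1) fetching an outside page.
LAN_CLIENT = {"src": "192.168.1.1", "dst": "66.102.9.104",
              "host": "www.google.com", "method": "GET", "proto": "http"}


def _in_nets(addr, values):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def _domain(host, values):
    host = host.lower()
    for v in (v.lower() for v in values):
        # A leading dot is the wildcard form: .example.com covers sub-domains.
        if v.startswith(".") and (host == v[1:] or host.endswith(v)):
            return True
        if host == v:
            return True
    return False


MATCHERS = {
    "src": lambda req, vals: _in_nets(req["src"], vals),
    "dst": lambda req, vals: _in_nets(req["dst"], vals),
    "dstdomain": lambda req, vals: _domain(req["host"], vals),
    "method": lambda req, vals: req["method"] in vals,
    "proto": lambda req, vals: req["proto"].lower() in [v.lower() for v in vals],
}


def parse(text):
    """Return (acls, http_access rules, directives this sketch does not know)."""
    acls, rules, unknown = {}, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            # Repeated acl lines with the same name add values (OR within a name).
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
        else:
            unknown.append(words[0])
    return acls, rules, unknown


def _acl_matches(acls, name, req):
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    return MATCHERS[kind](req, values) != negate


def decide(text, req):
    """Return (action, reason) for one request."""
    acls, rules, _ = parse(text)
    for action, names in rules:
        # Every ACL named on one http_access line must match (AND).
        if all(_acl_matches(acls, n, req) for n in names):
            return action, " ".join(["http_access", action] + names)
    if not rules:
        return "deny", "no http_access lines"
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, "no line matched; default is the opposite of the last line"


if __name__ == "__main__":
    print("posted :", decide(POSTED, LAN_CLIENT))
    print("with/24:", decide(WITH_24, LAN_CLIENT))
    print("not evaluated as http_access:", parse(POSTED)[2])
```

With only allow lines left, a request that matches none of them is denied, and 192.168.1.0/32 matches the single address 192.168.1.0. If the misspelled `http_acceess` line were corrected as written it would allow CONNECT from any source, so it is better replaced with a rule restricted to the intended clients and ports.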
Re: [squid-users] Help with accelerated site
Hi Al, thanks for your reply, I don't acutally have a problem with the apache because the webserver is on another machine as the backend server switching off the apache running on the proxy machine doesn't bother me what I am having a problem with is that it doesn't pull the website from the backend server and right now it won't even allow me access from the local network I have commented out all of the deny accesses and yet it still won't allow any machine on my local network to access the internet. That's what I found very strange. My proxy server runs freely on a dedicated machine nothing else runs on that machine. Regards Adam - Original Message - From: "Al - Image Hosting Services" To: "a...@gmail" Cc: Sent: Friday, March 26, 2010 1:24 AM Subject: Re: [squid-users] Help with accelerated site Hi, Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this: Change your apache config to: "Listen 127.0.0.1:80" Change your squid config to: "cache_peer 127.0.0.1 parent 80 0 no-query originserver" "http_port 1.2.3.4:80 accel vhost" Where 1.2.3.4 is, put your public IP. -Al On Thu, 25 Mar 2010, a...@gmail wrote: Date: Thu, 25 Mar 2010 16:30:33 - From: "a...@gmail" To: Ron Wheeler Cc: Amos Jeffries , squid-users@squid-cache.org Subject: Re: [squid-users] Help with accelerated site Hi All, Thank you guys for your help I have tried your suggestions, Yes Ron I know that two programmes can't both listen on the same port at the same time but I thought the Apache was essential for the Proxy server, so thanks for the suggestion, I am including bits of my config here, because now I am getting "Access Denied" even from a local network: Can you guys please take a look at it and see if you can spot what's causing the access denied. note I have tried to allow everything and removed all the "deny" directives and yet it's still denies any access from my local network. 
That is why I get so confused with Squid, I don't understand it's logic to be perfectly honest, and let me remind you that this config used to work just fine at least it used to allow access to the internet to all the clients on my local network. # # Other Access Controls # acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl our_networks dst 192.168.1.0/32 acl our_sites dstdomain www.mysite.org acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network # acl localnet src 192.168.0.0/32 # RFC1918 possible internal network acl localnet src 192.168.1.0/32 #Local Network acl myaccelport port 80 # acl FTP proto FTP acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost #http_access deny manager # http_access deny !Safe_ports http_access allow localnet #http_access deny all # http_access allow intranet # http_access deny all http_access allow our_networks icp_access allow localnet #icp_access deny all htcp_access allow localnet #htcp_access deny all http_acceess allow CONNECT #http_access deny all hosts_file /etc/hosts visible_hostname proxy http_port 3128 hierarchy_stoplist cgi-bin ? cache_effective_user squid access_log /usr/local/squid/var/logs/access.log squid cache_log /usr/local/squid/var/logs/cache.log cache_store_log /usr/local/squid/var/logs/store.log pid_filename /usr/local/squid/var/logs/squid.pid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 
0 20% 4320 icp_port 3130 htcp_port 4827 # allow_underscore on coredump_dir /usr/local/squid/var/cache Can anyone see what's wrong with this config and if possible to point it out to me, your help would be much appreciated Thanking you in advance Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" Cc: "Amos Jeffries" ; Sent: Thursday, March 25, 2010 1:58 AM Subject: Re: [squid-users] Help with accelerated site a...@gmail wrote: Hello there, Thanks for the reply Ron and Amos Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3 Now,
Re: [squid-users] Help with accelerated site
router for Rest of LAN iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT # unlimited access to LAN iptables -A INPUT -i $LAN_IN -j ACCEPT iptables -A OUTPUT -o $LAN_IN -j ACCEPT # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) transparent proxy iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT # if it is same system iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT # DROP everything and Log it iptables -A INPUT -j LOG #iptables -A INPUT -j DROP # modprobe ip_nat_ftp if I type this http://localhost I get the default apache webpage "It Works" if I type 192.168.1.3 I get the same thing as above I stopped the apache on the webserver, and I still get the same page as above I stopped both apaches the one on the proxy machine and the webserver I still get the default apache page "It Works" when I type 192.168.1.3 I am running out of ideas where does this come from, I have cleared the browser's cache and I still get it, when I stop the proxy server, obviously I get connection refused. I have one question does Squid packaged with apache? that's the only thing I can think of You help would be much appreciated Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" Sent: Friday, March 26, 2010 5:14 PM Subject: Re: [squid-users] Help with accelerated site There are 2 uses for Squid: 1) to act as a proxy for browsers inside your network that want to get out to the Internet and you want to avoid 2 people downloading the same big file by having squid remember pages that it sees go by and giving the second requester the copy that is already in cache on its disk. In this case it is usually watching on port 3128 on the NIC attached to your internal LAN for requests that should be sent out on the public address. 
2) To act as an accelerator for people outside who want pages from your web server. In this case it is watching for requests coming in on port 80 on the NIC that carries the public address and cheching to see if the page that they are requesting is in its cache and if it is, it responds to the request without bothering the webserver. Note in Case 2, it is not doing anything for your people on the inside since they do NOT come in through the ethernet interface that Squid is watching. You have to be clear in your configuring and testing that you are testing with the right connections. If you are testing case 2, you need to be outside your network to test. If you come into port 80 on the ethernet NIC that is part of your internal LAN, your accelerator may not even see it. Make sure that your firewall setup matches what you are trying to do. If you have got everything set up for whichever case you are testing, you might want to ask some of these questions to see what is happening. What happens when you try to reference the proxy with a browser on port 80? What is showing up in your squid log when you make the request? What is showing up in your firewall log when you make the request? What is showing up in the Apache log when you make the request? Post some of these results when asking for help. The answer usually is in the logs. Ron a...@gmail wrote: Hi Al, thanks for your reply, I don't acutally have a problem with the apache because the webserver is on another machine as the backend server switching off the apache running on the proxy machine doesn't bother me what I am having a problem with is that it doesn't pull the website from the backend server and right now it won't even allow me access from the local network I have commented out all of the deny accesses and yet it still won't allow any machine on my local network to access the internet. You can do both with Apache but the configurations and problems are very different. What exactly are you trying to do? 
Try to get one working first and then go after the other. That's what I found very strange. My proxy server runs freely on a dedicated machine nothing else runs on that machine. Regards Adam - Original Message - From: "Al - Image Hosting Services" To: "a...@gmail" Cc: Sent: Friday, March 26, 2010 1:24 AM Subject: Re: [squid-users] Help with accelerated site Hi, Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this: Change your apache config to: "Listen 127.0.0.1:80" Change your squid config to: "cache_peer 127.0.0.1 parent 80 0 no-query originserver" "http_port 1.2.3.4:80 accel vhost" Where 1.2.3.4 is, put your public IP. -Al On Thu, 25 Mar 2010, a...@gmail wrote: Date: Thu, 25 Mar 2010 16:30:33 -
Re: [squid-users] Help with accelerated site
Hello again,

here are a few updates of my cache.log and access.log. Can anybody translate to me what does that mean? I have changed my real site to "mysite".
Thank you all

I tried www.mysite.org from a local machine which is 192.168.1.1; remember the router is actually on 192.168.1.4 which is also the Squid machine.

cache log report ***

2010/03/26 20:41:24| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.0
Host: www.mysite.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.18) Gecko/2010021501 Ubuntu/8.04 (hardy) Firefox/3.0.18
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Via: 1.1 proxy (squid/3.0.STABLE25)
X-Forwarded-For: 192.168.1.1
Cache-Control: max-age=259200
Connection: keep-alive

2010/03/26 20:47:02| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Host: www.mysite.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.18) Gecko/2010021501 Ubuntu/8.04 (hardy) Firefox/3.0.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://www.mysite.org
Via: 1.1 proxy (squid/3.0.STABLE25)
X-Forwarded-For: 192.168.1.1
Cache-Control: max-age=259200
Connection: keep-alive

## access.log

1269636041.546 157 192.168.1.1 TCP_MISS/200 5178 GET http://www.google.com/ - DIRECT/66.102.9.104 text/html
1269636041.727 163 192.168.1.1 TCP_MISS/200 9340 GET http://www.google.com/intl/fr_ALL/images/logo.gif - DIRECT/66.102.9.104 image/gif
1269636042.006 168 192.168.1.1 TCP_MISS/200 21210 GET http://www.google.com/extern_js/f/CgJmciswCjheQB0sKzAOOAwsKzAWOBcsKzAXOAYsKzAYOAUsKzAZOBksKzAdOCUsKzAlOMqIASwrMCY4CSwrMCc4BCwrMCo4AywrMCs4CiwrMDw4AiwrMEA4DSwrMEQ4AiwrMEU4ASwrME44ASw/BYTXK9Z1bX4.js - DIRECT/66.102.9.104 text/javascript
1269636042.099 59 192.168.1.1 TCP_MISS/200 4144 GET http://www.google.com/extern_chrome/1ae1d100aea24288.js - DIRECT/66.102.9.104 text/html
1269636042.164 113 192.168.1.1 TCP_MISS/204 239 GET http://clients1.google.com/generate_204 - DIRECT/209.85.227.101 text/html
1269636042.212 42 192.168.1.1 TCP_MISS/200 6059 GET http://www.google.com/images/nav_logo8.png - DIRECT/66.102.9.104 image/png
1269636042.298 127 192.168.1.1 TCP_MISS/204 329 GET http://www.google.com/csi? - DIRECT/66.102.9.105 text/html
1269636054.744 0 192.168.1.1 TCP_HIT/200 456 GET http://192.168.1.3/ - NONE/- text/html
1269636054.865 6 192.168.1.1 TCP_MISS/404 665 GET http://192.168.1.3/favicon.ico - DIRECT/192.168.1.3 text/html
1269636057.864 0 192.168.1.1 TCP_NEGATIVE_HIT/404 674 GET http://192.168.1.3/favicon.ico - NONE/- text/html
1269636084.636 1 81.98.104.57 TCP_MISS/403 2263 GET http://www.mysite.org/ - NONE/- text/html
1269636084.637 92 192.168.1.1 TCP_MISS/403 2327 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html
1269636084.667 1 81.98.104.57 TCP_MISS/403 2264 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636084.668 2 192.168.1.1 TCP_MISS/403 2328 GET http://www.mysite.org/favicon.ico - FIRST_UP_PARENT/main text/html
1269636087.667 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636098.347 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/ - NONE/- text/html
1269636422.015 1 81.98.104.57 TCP_MISS/403 2319 GET http://www.mysite.org/ - NONE/- text/html
1269636422.016 105 192.168.1.1 TCP_MISS/403 2383 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html

Your time and help will be much appreciated
Thanking you in advance
Regards
Adam

- Original Message -
From: "Ron Wheeler"
To: "a...@gmail"
Sent: Friday, March 26, 2010 5:14 PM
Subject: Re: [squid-users] Help with accelerated site

There are 2 uses for Squid:

1) to act as a proxy for browsers inside your network that want to get out to the Internet and you want to
avoid 2 people downloading the same big file by having squid remember pages that it sees go by and giving the second requester the copy that is already in cache on its disk. In this case it is usually watching on port 3128 on the NIC attached to your internal LAN for requests that should be sent out on the public address. 2) To act as an accelerator for people outside who want pages from your web server. In this case it is watching for requests coming in on port 80 on the NIC that carries the public address and cheching to see if the page
Re: [squid-users] Help with accelerated site
Hello guys,

I don't know if any of you had a chance to take a look at my previous two posts. Now when I try to access my site I get the following:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: /

Invalid URL

Some aspect of the requested URL is incorrect. Some possible problems are:
a.. Missing or incorrect access protocol (should be http:// or similar)
b.. Missing hostname
c.. Illegal double-escape in the URL-Path
d.. Illegal character in hostname; underscores are not allowed.

Your cache administrator is webmaster.

Any idea of what needs to be done? None of the above possibilities apply to this situation. What can it be?

Thank you all
Regards
Adam

- Original Message -
From: "Ron Wheeler"
To: "a...@gmail"
Cc: "Amos Jeffries" ;
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

Hello there, Thanks for the reply Ron and Amos. Maybe my original e-mail wasn't clear, a bit confusing. I am sorry if I confused you. I have squid running on Machine A with let's say local ip 192.168.1.4, the backend server is running on machine B and ip address 192.168.1.3. Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80, I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4. And I do have the vhost in my configuration.

Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't. I hope it makes more sense to you what I am trying to describe here.

Very helpful. You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80. You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80.

If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct). If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free.

If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80.

This will support
browser ==> Squid on 192.168.1.4 ==> Apache on 192.168.1.4:81 (vhost) ==> Apache 192.168.1.3:80

That is a pretty common approach.

Ron

Thank you all for your help
Regards
Adam

- Original Message -
From: "Amos Jeffries"
To:
Sent: Thursday, March 25, 2010 1:01 AM
Subject: Re: [squid-users] Help with accelerated site

On Wed, 24 Mar 2010 19:48:27 -0400, Ron Wheeler wrote:

What is squid proxying? Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80.

Browser ==> Squid on 80 ==> proxied to Apache on port 81.

If Squid is not proxying Apache, then it looks like you have Apache running on 80. If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80.

If Apache is running and owns port 80, Squid will not start. If this is the case, you likely have errors in the logs to this effect. Shut down Apache and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80.

Ron

a...@gmail wrote:

Hello All, I have followed this configuration, but when I try and access the website from outside my network all I get is the default page of the apache on the machine where the Squid proxy is installed.

Here is the link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

here is the configuration I followed

http_port 80 accel defaultsite=your.main.website.name
(changed my port to 81, my backend server listens on port 81) I have
http_port 81 accel defaultsite=www.my.website.org vhost
and then used this
cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
(myAccel I have put a name)
and then
acl our_sites dstdomain my.website.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

Anybody with any suggestions please? Any help would be appreciated, thank you
Regards
Adam

Sorry, took me a while to un-mangle that original email text.

You are missing the "vhost" option on https_port 80. All traffic Squid receives on port 80 will go to Apache's default virtual host.

Amos
Re: [squid-users] Help with accelerated site
No one at all? No suggestions, no ideas?

Regards
Adam
Re: [squid-users] Help with accelerated site
Hello All.

I have to say since I started using Squid I get thrown from one problem to another, followed every suggestion and every tutorial and I could not get through to my backend server. This is ridiculous now, I honestly start to believe that this whole project is a joke or the software isn't at all mature to deal with what it is supposed to deal with, it's still in a teething stage, and I believe that we are the guinea pigs of this project where they made us believe that it works, I do not believe for one second that it actually works.

I have read so many questions regarding this particular issue and "nobody" could come up with a straight answer, are we the only people with this issue? Are we the only people with no luck? The questions that were asked time and time again have never been answered, so please don't tell me that this thing works, I'd like to see it, and don't tell me this whole site runs on a proxy Squid, I'd like to see it as well.

I was getting this before:

ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: /
The following error was encountered:
* Invalid URL

And I followed a suggestion I read on the mailing list, that maybe I needed to add a vhost after the http_port 3128.

Now I am getting this instead:

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www.mysite.org/
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.

It's not actually working at all, all it does is taking you from one problem to another, and so forth, it's non-stop, it's a bag of problems and nasty surprises, not to mention things you need to tweak on my system to make Mr Squid happier.

I am sorry guys but this thing doesn't work and I believe it when I see it, and even if I see it working it's still ridiculous to spend as much time to get one piece of software to work.

I have followed the tutorials to the letter and many suggestions, not to mention the amount of time I wasted on this thing, never before in my life I have spent as much time on any programme, this is the first time and I am not willing to spend the rest of my life trying to figure out something that doesn't work.

Sorry guys but I am very very disappointed with this, I am just going to completely uninstall the whole thing and go back to the way it was before or perhaps look for an alternative for something that works.

Thanks to all of you who tried to help.
Best of luck to anyone who's still trying to solve Squid's never ending issues.

Thank you.
Regards
Adam
Re: [squid-users] Help with accelerated site
Hi David,

I wasn't having a go at anyone in particular, yes I am frustrated with "this" software. I didn't start yesterday in this business, I know there is always a certain level of frustration when dealing with machines. But this particular software has NO logic whatsoever. You do something, for instance it works, but not to what you want it, and then you add a directive to it, either it gets worse or it changes, then you undo what you just did, what would you expect normally? The previous result, right? NO, with squid it doesn't work that way, it takes you from one error to another, from one problem to another and so on...

Yes I am a developer myself, but I make sure what I do has a certain level of logic. I am not saying we don't have issues but we also make sure that the documentation is straightforward for anybody to understand it. It's like a manufacturer who makes gadgets and gives you a vague idea on how the thing works.

Besides, I have followed all of the documentations, all of the examples, which are not easy to understand either, and in the end no result. It's been more than five weeks, day in day out, I couldn't even bring one of the sites up, and every link or forum I followed either doesn't apply to my version or is at least 2 years old.

I didn't say you owe me anything or anybody here, all I am saying is a little common sense, if you make something it's imperative that you make sure people will understand its use. And it's not just me, this particular issue has been asked for the last two or three years, are you going to tell me that after all this time nobody gave an answer to this? It strikes me maybe even the developers don't know the answer to this, all I have read so far is try this and try that and nothing works.

And I didn't attack anyone as far as I can see, and it's funny, I posted three e-mails and nobody replied, fair enough maybe they don't have an answer, but no reply whatsoever, but as soon as I say something against this whole project and the way it's been handled, I get a reply.

I wasn't disrespectful to anyone, but as a professional myself I do take it on the chin when I am criticised about what I do or the way I do it. Being honest, I was saying how I feel about this software, if anyone feels hurt by what I said I am sorry, it wasn't my intention, and they can prove me wrong then.

For instance up until now, I couldn't get my websites up on my backend server, now I managed to access them locally, and guess what? All of the examples they gave in the tutorials were wrong, I had to reverse the process to be able to access them from my local network. But I still can't access them from outside my network, anyway it's my problem. One thing I will make sure is IF I ever manage to get them working I will write a tutorial to help people who might need it, because there's nothing out there for version 3.0.

In less than an hour I installed DHCP and DNS servers, configured them and they were rolling, but Squid? It's five weeks later and I am still struggling with it, and I mean five weeks, day in day out, morning and evening, and late nights too.

I didn't mean to offend anyone, but a bit of criticism is healthy in order to improve things in general.

Thanks for your offer
Good luck to all
Regards
Adam

- Original Message -
From: "David Parks"
To: "'a...@gmail'" ;
Sent: Saturday, March 27, 2010 3:45 PM
Subject: RE: [squid-users] Help with accelerated site

Hi Adam, a few recommendations:

1) There are a number of consultancy and support organizations that provide dedicated support for squid. If you can't find the answer here or yourself (via code or in docs), they might be an alternative you want to look into.

2) The developers and people supporting squid on this list are all donating their time, they don't owe you, me, or anyone on here anything. Lambasting them isn't cool, and not appreciated by anyone on this list.

3) We all get frustrated with software, it's the nature of the business (I average a couple cycles of frustration a day myself). But lashing out in a public forum, against the very people that might be able to help you, is like trying to catch flies with vinegar.

4) If you aren't getting the responses you need, try refining your questions into smaller bites. There are a lot of emails in this forum and it's not always easy to digest a long email (again, the community support provided is free, if you need people to really dedicate time to your issue you should consider paying them for their time, e.g. refer back to suggestion #1).

I wish you the best of luck with your task, unfortunately I don't know the answer to your question myself or I would offer my own suggestions.

David

-Original Message- From: a...@gmail
Re: [squid-users] Help with accelerated site
Hi Ron,

Thanks for your reply and thanks for your time. This is perhaps the 10th time I uninstalled it and reinstalled it, and this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error

The following error was encountered while trying to retrieve the URL: /

Invalid URL

Some aspect of the requested URL is incorrect. Some possible problems are:
a.. Missing or incorrect access protocol (should be http:// or similar)
b.. Missing hostname
c.. Illegal double-escape in the URL-Path
d.. Illegal character in hostname; underscores are not allowed.

Your cache administrator is webmaster.

My clients can all access the internet. Yes I am sure that there's a misconfiguration in my config file, but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from one issue to another. I checked and triple checked my iptables rules, everything looks fine so far.

For instance, my backend server is listening right now on port 81. Why did I put it on port 81? Because I was getting "Cannot bind to" in the log file, so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port. So why can't it bind to port 81? You see the type of things that can drive you through the wall.

At the moment I have only three machines:
A is running the Proxy and the Router (IPTABLES)
B is the back end server
C is the DNS/DHCP servers

And only the backend server is currently listening on port 81, and before that it was listening on port 80. No matter which port I put in my config I get the "Cannot bind to " in the log file.

here is a bit of my config *

http_port 192.168.1.3:81 accel parent vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl dstdomain our_sites dstdomain www.mysite1.org www.mysite2.com www.mysite3.net
http_allow_access main allow our_sites
http_peer_access main deny all

At the moment all of these sites are running on the same server (virtualhost). The only thing I am not sure of is probably the cache_peer directive "cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main". If it's wrong then I don't know what to put in there.

Regards
Adam

- Original Message -
From: "Ron Wheeler"
To: "a...@gmail"
Cc:
Sent: Saturday, March 27, 2010 4:34 PM
Subject: Re: [squid-users] Help with accelerated site

It is a very stable piece of software that is used in production all the time. You have made a small mistake somewhere in your setup. One of your errors in a previous e-mail seemed to indicate that you had programmed a loop into your setup.

You might try uninstalling and starting over with an out of the box configuration. I would also start with only one way proxying and get that working. If you are trying to act as an accelerator for your website, just do that. That is a trivial setup. You might also use Webmin to do the configuring since it gives you a gui and avoids fiddling with configuration file syntax.

In my case, I have the proxy running on the same machine as the apache webserver

accel defaultsite=www.artifact-software.com vhost

Squid listens on port 80 and tries to satisfy requests from its cache. If it can not, it passes the request to port 127.0.0.1:81 where Apache is listening with about 20 vhost sites including 2 proxies for Tomcats on other backend servers.

Works great so I would not be at all concerned that you will have problems after you get your little misconfiguring fixed.

Ron
Re: [squid-users] Help with accelerated site
Hi All,

I get this in my cache log, does anyone know what it means please?

Unlinkd pipe opened on FD 13

Every time I get this I know something is going pear-shaped again.

Thank you all
Regards
Adam

- Original Message -
From: "Ron Wheeler"
To: "a...@gmail"
Sent: Saturday, March 27, 2010 5:07 PM
Subject: Re: [squid-users] Help with accelerated site

I sent you my working config. My squid is proxying Apache on its own machine.

http_port 192.168.1.3:81

is the port that squid is listening on; it should just be "80", no host, so it gets the incoming http requests.

http_port 80 accel vhost defaultsite=www.mysite.org

The host specification is why it can not bind.
Re: [squid-users] Help with accelerated site
Hi Amos,

Thanks for the reply, I have already figured it out, thanks anyway.

Now I can access my virtual websites from both inside my network and outside, however the clients from inside my network can't access the internet. I am getting the same error as before when I was trying to access my sites from the internet: "Unable to forward your request at this time."

The only thing I have changed so far was this, from this

http_port 3128

to this

http_port 3128 vhost

If I remove the vhost directive I won't be able to access my sites. So at the moment my clients can't access the web, unless I remove the vhost in front of the http_port 3128. And even then it's only for a few websites, for others it returns an error message "Unable to retrieve the URL" etc...

In my log I am getting

Warning CONNECT method received on http accelerator port 3128

The only request I believe I made is trying to open a Google website on one of my internal clients.

So what is the work around this please?

Regards
Adam

- Original Message -
From: "Amos Jeffries"
To:
Sent: Sunday, March 28, 2010 7:50 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

Hi All, I get this in my cache log, does anyone know what it means please?

Unlinkd pipe opened on FD 13

Every time I get this I know something is going pear-shaped again.
Thank you all
Regards
Adam

"unlinkd" (linux-style abbreviation for 'unlink daemon') is the name of the helper Squid used to erase disk files from cache. That link means it's working.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
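The mistakes diagnosed in the messages above (a listening address that is not on the Squid host, `vhost` on the forward-proxy port, misspelled access directives) can be caught before a restart. The checker below is an added example, not code from the thread or from the Squid project; its function names, finding codes and both sample configurations are constructed for illustration, it knows only a subset of Squid's directives, and it goes slightly beyond the thread by also flagging a `cache_peer` that points back at Squid's own socket and `http_access` rules placed after a terminal `deny all`.

```python
import ipaddress

# Subset of Squid's "*_access" directives; other "*_access" names are flagged.
ACCESS_DIRECTIVES = {"http_access", "cache_peer_access", "icp_access",
                     "htcp_access", "http_reply_access", "miss_access"}
ACL_TYPES = {"src", "dst", "dstdomain", "proto", "port", "method"}  # subset

# Constructed samples, modelled on configuration lines quoted in this thread.
BROKEN = """\
http_port 192.168.1.3:81 accel vhost defaultsite=www.mysite.org
http_port 3128 vhost
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl dstdomain our_sites dstdomain www.mysite.org
http_allow_access main allow our_sites
http_peer_access main deny all
"""
FIXED = """\
http_port 80 accel vhost defaultsite=www.mysite.org
http_port 3128
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl our_sites dstdomain www.mysite.org
acl our_network src 192.168.1.0/24
http_access allow our_sites
http_access allow our_network
http_access deny all
cache_peer_access main allow our_sites
cache_peer_access main deny all
"""

def parse(conf_text):
    """Return [(line_no, directive, args)], skipping blanks and comments."""
    rows = [(no, raw.split("#", 1)[0].split())
            for no, raw in enumerate(conf_text.splitlines(), 1)]
    return [(no, w[0], w[1:]) for no, w in rows if w]

def to_ip(host):
    """Parse an IP literal; return None for an empty value or a hostname."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def lint(conf_text, local_ips):
    """Return [(line_no, code)] for a squid.conf running on `local_ips`."""
    local = {ipaddress.ip_address(a) for a in local_ips}
    rows = parse(conf_text)
    # First pass: collect the names and sockets that later lines may refer to.
    acls, peers, listens = {"all"}, set(), []
    for _, d, a in rows:
        if d == "acl" and len(a) > 1 and a[0] not in ACL_TYPES:
            acls.add(a[0])
        elif d == "cache_peer" and a:
            named = [x[5:] for x in a if x.startswith("name=")]
            peers.add(named[0] if named else a[0])
        elif d == "http_port" and a:
            host, _, port = a[0].rpartition(":")
            listens.append((to_ip(host), int(port)))

    def on_this_host(ip):
        return ip in local or ip.is_loopback

    out, terminal_seen = [], False
    for no, d, a in rows:
        if d == "http_port" and a:
            ip = to_ip(a[0].rpartition(":")[0])
            if ip is not None and not (on_this_host(ip) or ip.is_unspecified):
                out.append((no, "BIND_NOT_LOCAL"))       # address not on this host
            if "accel" not in a and any(
                    o == "vhost" or o.startswith("defaultsite=") for o in a):
                out.append((no, "IMPLICIT_ACCEL"))       # becomes an accel port
        elif d == "cache_peer" and len(a) >= 3:
            ip, port = to_ip(a[0]), int(a[2])
            if ip is not None and on_this_host(ip) and any(
                    p == port and (lip is None or lip == ip or lip.is_unspecified)
                    for lip, p in listens):
                out.append((no, "PEER_IS_SELF"))         # forwarding loop
        elif d == "acl" and a and a[0] in ACL_TYPES:
            out.append((no, "ACL_NAME_TYPE_SWAPPED"))    # syntax: acl NAME TYPE ...
        elif d.endswith("_access"):
            if d not in ACCESS_DIRECTIVES:
                out.append((no, "UNKNOWN_ACCESS_DIRECTIVE"))
                continue
            rest = a
            if d == "cache_peer_access":
                if not a or a[0] not in peers:
                    out.append((no, "UNKNOWN_PEER"))
                    continue
                rest = a[1:]
            if any(n.lstrip("!") not in acls for n in rest[1:]):
                out.append((no, "UNDEFINED_ACL"))
            if d == "http_access":
                if terminal_seen:                        # rules are first-match
                    out.append((no, "UNREACHABLE_RULE"))
                terminal_seen = terminal_seen or rest[1:] == ["all"]
    return out

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(conf, ["192.168.1.4"]))
```

Pass the addresses actually configured on the proxy host as `local_ips`; `squid -k parse` remains the authoritative syntax check.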
Re: [squid-users] Help with accelerated site
Hi Amos, Thanks for your time at the moment my config is as follow it's working as far is the acceleration mode is concerned http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net http_access allow our_sites cache_peer_access main allow our_sites cache_peer_access deny all I can access my 3 websites from inside my network and from the "Internet" no problems apart for it being a little slower than before, but it's working The problem I have right now is None of clients can access the internet The error as before "The requested URL could not be retrieved" here is the other part of config acl manager proto cache object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8.0.0.0/32 acl localnet src 10.0.0.0/8 acl localnet src 172.16.0.0/12 acl our_network 192.168.1.0/24 http_access allow manager localhost http_access deny manager http_access allow localnet http_access deny all http_access allow our_network http_access deny all htcp_access allow localnet htcp_access deny all icp_access allow localnet icp_access deny all http_port 3128 vhost(note if I remove the vhost I won't access my websites) if I leave it I can't access the internet from my local network) No "Bind" error at this time I hope that would help see if there's anything wrong with the configuration Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Sunday, March 28, 2010 8:06 AM Subject: Re: [squid-users] Help with accelerated site a...@gmail wrote: Hi Ron, Thanks for your reply and thanks for your time This is perhaps the 10th time I uninstalled it and reinstalled it And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error This error: The following error was encountered while trying to retrieve the URL: / ... 
appearing in a reverse-proxy setup means Squid received a reverse-proxy/accelerated request intended for a web server on a port without "accel" flag configured. Please read all my notes below right to the end of the email before changing anything. I'm commenting on each fine detail and what it means... My clients can all access the internet, Yes I am sure that there's a misconfiguration in my config file but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from on issue to another ... so, we need you to stop bouncing and concentrate on one issue at a time. When we are satisfied that you are understanding that one move on ... I checked and triple checked my iptables rules everything looks fine so far For instance, my backend server is listening right now on port 81, why did I put it on port 81 because I was getting Cannot bind to in the log file so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port So why can't it bind to port 81? You see the type of things that can drive you through the wall at the moment I have only three machines A is Running the Proxy and the Router (IPTABLES) B is the back end server C is the DNS/DHCP servers And only the backend server that is currently listening on port 81 and before that it was listening on port 80 no matter which port I put in my config I get the "Cannot bind to " in the log file ... from the below I'd guess you are changing both the Squid http_port and the apache listening "Port" entries at the same time in your tests. here is a bit of my config * http_port 192.168.1.3:81 accel parent vhost defaultsite=www.mysite.org The tutorial and advice so far as I've seen has been to place Squid listening on "http_port 80 accel vhost" and apache listening on "Port 81". Okay stop here. Check that. Make it so. Restart both software if needed. 
If another "bind" error comes up during the restart let us know right now. Continue reading... cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main Those two lines are (or 'were' right?) a loop. Squid listening on 192.168.1.3 port 81 is to fetch requests from source server listening on 192.168.1.3 port 81. What you should have after my suggested change above is: Squid listening on port 80 fetched from server on port 81. Test this: fetch a request for http://192.168.1.3:81/ EXPECTED: results in the apache "it works", or your site. fetch a request for http://192.168.1.3/ EXPECTED: results in the apache "it works", or your site. Received through Squid. (using wget, curl, or sq
Re: [squid-users] Help with accelerated site
Hi Again, Well my local network can't access the Internet since I had to put the vhost option on the http_port 3128 They can access my sites internally not a problem, but the problem is they can no longer access the internet I have kept the original config The only thing I have changed was adding the acceleration mode for my backend server (sites) and add the vhost option after the http_port 3128 like this http_port 3128 vhost I hope that makes more sense Regards Adam

- Original Message - From: "Ron Wheeler" To: "a...@gmail" ; Sent: Sunday, March 28, 2010 8:40 PM Subject: Re: [squid-users] Help with accelerated site

Are you trying to build an accelerator for your site or a proxy. Pick one and get it to work. The config that I sent you is an accelerator. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80. 1) Put your backend server back on port 80 http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80. I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy. Get rid of the acl stuff until you get it going and then decide how to block people. Check my acl settings but I do not recall doing anything to control access. 
KISS Good luck Ron a...@gmail wrote: Hi Amos, Thanks for your time at the moment my config is as follow it's working as far is the acceleration mode is concerned http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net http_access allow our_sites cache_peer_access main allow our_sites cache_peer_access deny all I can access my 3 websites from inside my network and from the "Internet" no problems apart for it being a little slower than before, but it's working The problem I have right now is None of clients can access the internet The error as before "The requested URL could not be retrieved" here is the other part of config acl manager proto cache object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8.0.0.0/32 acl localnet src 10.0.0.0/8 acl localnet src 172.16.0.0/12 acl our_network 192.168.1.0/24 http_access allow manager localhost http_access deny manager http_access allow localnet http_access deny all http_access allow our_network http_access deny all htcp_access allow localnet htcp_access deny all icp_access allow localnet icp_access deny all http_port 3128 vhost(note if I remove the vhost I won't access my websites) if I leave it I can't access the internet from my local network) No "Bind" error at this time I hope that would help see if there's anything wrong with the configuration Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Sunday, March 28, 2010 8:06 AM Subject: Re: [squid-users] Help with accelerated site a...@gmail wrote: Hi Ron, Thanks for your reply and thanks for your time This is perhaps the 10th time I uninstalled it and reinstalled it And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error This error: The following error was encountered while trying to retrieve the URL: / ... 
appearing in a reverse-proxy setup means Squid received a reverse-proxy/accelerated request intended for a web server on a port without "accel" flag configured. Please read all my notes below right to the end of the email before changing anything. I'm commenting on each fine detail and what it means... My clients can all access the internet, Yes I am sure that there's a misconfiguration in my config file but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from on issue to another ... so, we need you to stop bouncing and concentrate on one issue at a time. When we are satisfied that you are understanding that one move on ... I checked and triple checked my iptables rules everything looks fine so far For instance, my backend server is listening right now on port 81, why did I put it on port 81 because I was getting Cannot bind to in the log file so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port So why can't it bind to port 81? You see the type of things that can drive you through the wall at the moment I have only three machines A is Running the Proxy and the Router (IPTABLES) B is the back end
Re: [squid-users] Help with accelerated site
Hi Hassan, Did you read the page: http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html Yes I did read it and I read a great deal more and I have been on many forums, and I have been through the mailing list and and... Yes it says it clearly but what it doesn't say clearly is whether your clients can have access to the internet and let people access your websites via a proxy that's what I was asking. Under "vhost", it clearly says: Accelerator mode using Host header for virtual domain support. Implies accel. So, if you want Squid listener on 3128 to be acting as "forward proxy", then don't use "vhost". When your internal users are hitting squid for regular internet usage, every port 80 website is automatically proxied, including your internal ones. If it is not working, then there must be a relevant line in the "access.log" or "cache.log" which will tell you what happened to that request. You are configuring the same box for both "forward" and "reverse" proxy, which can be tricky. If you are indeed a "developer" (and no, writing HTML does not count), then you need to use your programming hat a bit more when you're trying to even configure open source software. Did you read: http://wiki.squid-cache.org/SquidFaq/ReverseProxy It explains a lot of "concepts". Please go through them, and try to understand how all this is supposed to work. Yes I have read this too Please do not "bombard" the list with email after email without getting a response first. Not nice. Most irritating is when someone: 1. appears to not have "read the manual" with great care (read it) 2. appears to have not "searched" the internet for this problem (Done it) 3. starts to blame the software because they can't make it work (yes because some softwares are badly written) 4. starts to "whine" on the mailing list, and sends emails one after (I thought that was where you can get help, No?) 
another without waiting for an acceptable time (at least 48 hours) for (I only did it once, because I forgot something or I had something else to add) someone to respond Regards HASSAN

I don't understand why is it that you never help on this mailing list the only time we see you is when somebody complains then suddenly you pop up from somewhere all the time you keep silent, you never help with solutions or suggestions. Yes Squid whether you like it or not is by far not the easiest piece of software to use or to configure it doesn't mean it is brilliant It's difficult and I know it can be made to be a lot easier and user friendly without having to go a great length of time to understand its logic, not because you used it for a long time or you are somehow involved that you think everybody should open the box and get it to work If that was the case, why then we have the mailing list?? If that was as simple as you're trying to make out. Please if you the only time you show up is to tell me what and I mustn't do then spare me your moral lectures on how I should behave. If this mailing list is "yours" and I am irritating you then say so I will leave and leave you in peace. Other than that please keep away from me This is the second time and it's once too many. 
Regards Adam On Mon, Mar 29, 2010 at 1:55 AM, a...@gmail wrote: Hi Again, Well my local network can't access the Internet since I had to put the vhost option on the http_port 3128 They can access my sites internally not a problem, but the problem is they can no longer access the internet I have kept the original config The only thing I have changed was adding the acceleration mode for my backend server (sites) and add the vhost option after the http_port 3128 like this http_port 3128 vhost I hope that makes more sense Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" ; Sent: Sunday, March 28, 2010 8:40 PM Subject: Re: [squid-users] Help with accelerated site Are you trying to build an accellerator for your site or a proxy. Pick one and get it to work. The config that I sent you is an accelerator. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80. 1) Put your backend server back on port 80 http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80. I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy. Get rid of the acl stuff until you get it going and then decide how to block people. Check my acl settings bu
Re: [squid-users] Help with accelerated site
Hi Hassan, If I had made a long email before is because somebody asked me to post some of my log files some of my config file, some of my iptables and explain what I was trying to achieve so they can see. There was one email where I tried to express my frustration it was not directed to anybody in particular. Anyway, if you read my posts you'd see that I have tested this with and without the vhost If I use http_port 3128 vhost I can access my websites internally and externally right? If I use it without the vhost my network clients will have access to the internet through the proxy but nobody can access the websites from outside I get the error The requested URL could not be retrieved That's all I asked if there's a way around this or is it one or the other situation? Regards Adam - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Sunday, March 28, 2010 11:09 PM Subject: Re: [squid-users] Help with accelerated site See what happened? While you answered to the parts where I complained about your mailing-list behaviour, you failed to try out what was suggested, and report back with the logs. All the other "criticisms" that you make, is making the emails unnecessarily big. That's the main complain from myself (and probably others too), so please stop all the other messages. Did you make the change back to without vhost? Where are you stuck now? The way I see it, without using vhost, you have: 1. A reverse proxy where out-of-network requests are properly forwarded to your not-in-same-box Web Servers 2. A forward proxy, where all your internal network customers can access the Internet using Squid as their proxy. 3. However, the "internal" requests don't work for only domains "hosted" in your Web Servers as in #1. Please mention if this is correct. Or specify where it is wrong. 
Regards HASSAN On Mon, Mar 29, 2010 at 3:49 AM, a...@gmail wrote: Hi Hassan, Did you read the page: http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html Yes I did read it and I read a great deal more and I have been on many forums, and I have been through the mailing list and and... Yes it says it clearly but what it doesn't say clearly is whether your clients can have access to the internet and let people access your websites via a proxy that's what I was asking. Under "vhost", it clearly says: Accelerator mode using Host header for virtual domain support. Implies accel. So, if you want Squid listener on 3128 to be acting as "forward proxy", then don't use "vhost". When your internal users are hitting squid for regular internet usage, every port 80 website is automatically proxied, including your internal ones. If it is not working, then there must be a relevant line in the "access.log" or "cache.log" which will tell you what happened to that request. You are configuring the same box for both "forward" and "reverse" proxy, which can be tricky. If you are indeed a "developer" (and no, writing HTML does not count), then you need to use your programming hat a bit more when you're trying to even configure open source software. Did you read: http://wiki.squid-cache.org/SquidFaq/ReverseProxy It explains a lot of "concepts". Please go through them, and try to understand how all this is supposed to work. Yes I have read this too Please do not "bombard" the list with email after email without getting a response first. Not nice. Most irritating is when someone: 1. appears to not have "read the manual" with great care (read it) 2. appears to have not "searched" the internet for this problem (Done it) 3. starts to blame the software because they can't make it work (yes because some softwares are badly written) 4. starts to "whine" on the mailing list, and sends emails one after (I thought that was where you can get help, No?) 
another without waiting for an acceptable time (at least 48 hours) for (I only did it once, because I forgot something or I had something else to add) someone to respond Regards HASSAN

I don't understand why is it that you never help on this mailing list the only time we see you is when somebody complains then suddenly you pop up from somewhere all the time you keep silent, you never help with solutions or suggestions. Yes Squid whether you like it or not is by far not the easiest piece of software to use or to configure it doesn't mean it is brilliant It's difficult and I know it can be made to be a lot easier and user friendly without having to go a great length of time to understand its logic, not because you used it for a long time or you are somehow involved that you think everybody should open the box and get it to work If that was the case, why then we have the mailing
Re: [squid-users] Help with accelerated site
Hi Ron thanks again for your reply No I think you're a little confused here I have one network at the moment and is the 192.168.1.0 My Router and proxy are both on the same machine which is 192.168.1.4 My backend server is on 192.168.1.3 Two different machines but on the same network However if I use this http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 originserver name=whatever But the problem is elsewhere because if I use http_port 3128 vhost I can access my website both from inside my network and from the internet If I use http_port 3128 without the vhost my network clients can access the "Internet" but I can't access my websites (backend server) This is the situation right now. I hope this is slightly clearer Regards Adam

- Original Message - From: "Ron Wheeler" To: "a...@gmail" Cc: Sent: Sunday, March 28, 2010 10:21 PM Subject: Re: [squid-users] Help with accelerated site

You seemed to have missed my note quoted below. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80. 1) Put your backend server back on port 80 http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80. I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This presumes that your inside guys are on the 192.168.3.x network. They do not need proxying to reach the 192.168.3.1 server since it is on the same subnet. I assume that they do not need proxying to get outside since your router probably handles that for them. I am not sure how the outside world reaches the Squid proxy but I assume that you have a NAT in the router that gets them from a public Internet address on the router to the Squid server on port 80. 
Do you really need proxying for your inside guys or are they perfectly happy going out to the public Internet normally though your router and can directly address the back-end server without Squid if the backend httpd is on port 80? The only case where you need to use port 81 is where squid and the httpd server are on the same machine and you want port 80 to belong to squid and squid needs to pass its requests to httpd on another port. 3128 is for proxying internal browsers on a non-routable network 192.168.x.x where you do not have a router that is NATing the inside guys for you. Squid will handle the mapping of outgoing requests and responses by giving the Internet a routable address. It requires that the inside browsers be configured to use a proxy and not try to bang on port 80 but use 3128 on the proxy for all requests. It does not seem that you need this since your router likely does this for you. I suspect that you only have to change the 2 lines in the out-of-the-box squid to get this going. Ron a...@gmail wrote: Hi Again, Well my local network can't access the Internet since I had to put the vhost option on the http_port 3128 They can access my sites internally not a problem, but the problem is they can no longer access the internet I have kept the original config The only thing I have changed was adding the acceleration mode for my backend server (sites) and add the vhost option after the http_port 3128 like this http_port 3128 vhost I hope that makes more sense Regards Adam - Original Message - From: "Ron Wheeler" To: "a...@gmail" ; Sent: Sunday, March 28, 2010 8:40 PM Subject: Re: [squid-users] Help with accelerated site Are you trying to build an accellerator for your site or a proxy. Pick one and get it to work. The config that I sent you is an accelerator. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80. 
1) Put your backend server back on port 80 http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80. I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy. Get rid of the acl stuff until you get it going and then decide how to block people. Check my acl settings but I do not recall doing anything to control access. KISS Good luck Ron a...@gmail wrote: Hi Amos, Thanks for your time at the moment my config is as follow it's working as far is the acceleration mode is concerned http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net http_access allow our_sites cache_peer_access main allow our_sites cache_p
Re: [squid-users] Help with accelerated site
Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed "our_network" and the relevant http_access etc.. But couldn't access the internet After that I did the following added an http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine I am not sure it's being wise to make squid listen on more than one port, I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who finds themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e. Internet) This is if your sites are on the same webserver on a virtual host you can use the following http_port 3128 vhost http_port 8080 or whatever you want to use for your clients and then simply configure your clients to use that port I just want to thank everyone here who tried to help Best regards Adam

- Original Message - From: "Amos Jeffries" To: Sent: Monday, March 29, 2010 12:12 AM Subject: Re: [squid-users] Help with accelerated site

On Sun, 28 Mar 2010 23:37:38 +0100, "a...@gmail" wrote: Hi Ron thanks again for your reply No I think you're a little confused here I have one network at the moment and is the 192.168.1.0 My Router and proxy are both on the same machine which is 192.168.1.4 My backend server is on 192.168.1.3 Two different machines but on the same network However if I use this http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 originserver name=whatever But the problem is elsewhere because if I use http_port 3128 vhost I can access my website both from inside my network and from the internet If I use http_port 3128 without the vhost my network clients can access the "Internet" but I can't access my websites (backend 
server) This is the situation right now. Right. Okay. STOP touching the reverse-proxy parts of the config. You have them working. "http_port 3128" should stay with no other special flags. In the config you posted earlier you had these lines: acl localnet src 10.0.0.0/8 acl localnet src 172.16.0.0/12 acl our_network 192.168.1.0/24 http_access allow manager localhost http_access deny manager http_access allow localnet http_access deny all http_access allow our_network http_access deny all If you read them top to bottom the way Squid reads them you will clearly see that you have a "deny all" right in the middle. This does exactly what it says denies ALL access to things which are not permitted above it. You need to remove the "our_network" ACL completely and adjust the "localnet" ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s). Amos
Re: [squid-users] Help with accelerated site
Hi Amos, Thanks again for your reply You asked me to remove the our_network Acl completely, I have done so I didn't even comment it, I removed it. I have commented out the # acl localnet 172.0.0 I have commented out the # acl localnet 10.0.0.0/8 I have put my own localnet acl localnet 192.168.1.0/32 http_access allow manager localhost http_access deny manager http_access allow localnet right? Now for 100% sure I will give it as I said a day or two and see how it goes for now everything seem to be working fine. I will email you my website I have done what you suggested now if there's something you think I haven't done please let me know Thanks again Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Monday, March 29, 2010 1:22 AM Subject: Re: [squid-users] Help with accelerated site On Mon, 29 Mar 2010 00:39:40 +0100, "a...@gmail" wrote: Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed "our_network" and the relevant http_access etc.. But couldn't access the internet Part #1 of my sentence (cleaning out config garbage) completed. "You need to remove the "our_network" ACL completely" Part #2 of my sentence (how to enable access) apparently ignored. ... " and adjust the "localnet" ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s)." Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ... After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine 100% sure about that? What is your public website name? I am not sure it's being wise to make squid listen on more than one port, ... 
not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration. What we have been trying to get you to do is properly setup "http_port 80 accel vhost" to receive reverse-proxy mode traffic (public website) and "http_port 3128" to receive forward-proxy mode traffic (your LAN). I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host Nobody is ever forced to do this by Squid. You are no exception. Amos
Re: [squid-users] Help with accelerated site
Hi Hassan, Thanks for your suggestion, I just did that about 10 times already lol I started from scratch, the one I have right now is basically a default config with few changes I can easily remove them, but with the default config there was no way I could access my sites the only thing it did allow was the access to the internet for network clients I will double check what Amos has suggested once again and see if I hadn't missed anything Regards Adam - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Monday, March 29, 2010 1:32 AM Subject: Re: [squid-users] Help with accelerated site At this point, the best suggestion that I can provide to Adam is to remove the existing config, and re-instate the default config that came with Squid. Then, start from there. No need to define make custom ACLs, make everything accessible at first. Just concentrate on making the FWD + REV configs working, then moving to ACLs. Regards HASSAN On Mon, Mar 29, 2010 at 6:22 AM, Amos Jeffries wrote: On Mon, 29 Mar 2010 00:39:40 +0100, "a...@gmail" wrote: Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed "our_network" and the relevant http_access etc.. But couldn't access the internet Part #1 of my sentence (cleaning out config garbage) completed. "You need to remove the "our_network" ACL completely" Part #2 of my sentence (how to enable access) apparently ignored. ... " and adjust the "localnet" ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s)." Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ... 
After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine 100% sure about that? What is your public website name? I am not sure it's being wise to make squid listen on more than one port, ... not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration. What we have been trying to get you to do is properly setup "http_port 80 accel vhost" to receive reverse-proxy mode traffic (public website) and "http_port 3128" to receive forward-proxy mode traffic (your LAN). I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host Nobody is ever forced to do this by Squid. You are no exception. Amos
Re: [squid-users] Help with accelerated site
Hi Amos, Yes I didn't copy paste it I just typed it and I forgot to mention it but it is in the actual config, because what I did basically I took a default config copy pasted everything that was uncommented to a file I then created another config file because to go through the amount of comments in the default everytime I need to do something is very tiring, so that way it's much clearer Yes I have the src and dst on one of them Thank you again I hope I won't have more issues with other applications, such as Java applets and other things similar Thanks again for your support and patience Regards Adam - Original Message - From: "Amos Jeffries" To: Sent: Monday, March 29, 2010 2:59 AM Subject: Re: [squid-users] Help with accelerated site On Mon, 29 Mar 2010 02:39:24 +0100, "a...@gmail" wrote: Hi Amos, Thanks again for your reply You asked me to remove the our_network Acl completely, I have done so I didn't even comment it, I removed it. I have commented out the # acl localnet 172.0.0 I have commented out the # acl localnet 10.0.0.0/8 I have put my own localnet acl localnet 192.168.1.0/32 http_access allow manager localhost http_access deny manager http_access allow localnet right? Close. You don't have the word "src" in that config line you display for the ACL definition. I hope that is just a typo in the email text. That is all at this point. Amos
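The two points raised in the messages above (an ACL line needs its type keyword such as "src", and reverse-proxy and forward-proxy traffic belong on separate http_port lines) can be checked mechanically. The following is an added example, not part of the thread and not Squid project code: AS_TYPED is assembled from lines quoted in the e-mails, CORRECTED assumes a 192.168.1.0/24 LAN, and the rule names and the ".0 with /32" check are this example's own heuristics.

```python
import ipaddress

# http_port options that put a listening port into reverse-proxy (accelerator) mode
ACCEL_OPTS = {"accel", "vhost", "vport", "defaultsite"}

# Assembled from lines quoted in the e-mails above (as typed there).
AS_TYPED = """\
acl localnet 192.168.1.0/32
http_port 3128 vhost
http_access allow manager localhost
http_access deny manager
http_access allow localnet
"""

# Assumption: the LAN is 192.168.1.0/24; ports as named in Amos's reply.
CORRECTED = """\
acl localnet src 192.168.1.0/24
http_port 80 accel vhost
http_port 3128
http_access allow localnet
"""


def directives(conf_text):
    """Yield (line_number, tokens) for every non-comment, non-blank line."""
    for number, raw in enumerate(conf_text.splitlines(), 1):
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            yield number, stripped.split()


def as_network(token):
    """Return an ip_network for an address or CIDR token, else None."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def port_modes(conf_text):
    """Map each http_port to 'reverse' or 'forward' based on its options."""
    modes = {}
    for _, tok in directives(conf_text):
        if tok[0] == "http_port" and len(tok) >= 2:
            port = tok[1].rsplit(":", 1)[-1]          # also accepts ip:port
            names = {opt.split("=", 1)[0] for opt in tok[2:]}
            modes[port] = "reverse" if names & ACCEL_OPTS else "forward"
    return modes


def lint(conf_text):
    """Return a list of (line_number, rule, message) findings."""
    findings = []
    src_acls = set()
    lan_allowed = False
    first_port_line = None
    for number, tok in directives(conf_text):
        if tok[0] == "acl" and len(tok) >= 3:
            name, kind, values = tok[1], tok[2], tok[3:]
            if as_network(kind) is not None:
                # An address sits where the ACL type (src, dst, ...) belongs.
                findings.append((number, "acl-missing-type",
                                 "acl %s has no type keyword before %s" % (name, kind)))
                kind, values = "src", tok[2:]
            if kind == "src":
                src_acls.add(name)
                for value in values:
                    net = as_network(value)
                    # Heuristic: a network-looking address with /32 matches one host only.
                    if (net is not None and net.version == 4 and "/" in value
                            and net.prefixlen == 32
                            and int(net.network_address) & 0xFF == 0):
                        findings.append((number, "single-host-prefix",
                                         "%s matches exactly one address" % value))
        elif tok[0] == "http_port" and first_port_line is None:
            first_port_line = number
        elif tok[0] == "http_access" and len(tok) >= 3 and tok[1] == "allow":
            if any(t in src_acls for t in tok[2:]):
                lan_allowed = True
    modes = port_modes(conf_text)
    if lan_allowed and modes and "forward" not in modes.values():
        findings.append((first_port_line, "no-forward-port",
                         "LAN clients are allowed but every http_port is in accelerator mode"))
    return findings


if __name__ == "__main__":
    for label, text in (("as typed", AS_TYPED), ("corrected", CORRECTED)):
        print(label, port_modes(text))
        for finding in lint(text):
            print("  line %s: %s: %s" % finding)
```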
[squid-users] Apt-get Issue through squid
Hello Everybody! I have a question if you don't mind or if anyone has a solution to this I am trying to download some packages with apt-get on one of my Ubuntu clients All of the links fail, which means they are blocked by Squid, When I try the same thing on the Squid machine itself which is also the router I get all the updates Any Idea on how to fix this Thanking you all in advance Regards Adam
Re: [squid-users] Apt-get Issue through squid
Hi there,

Thanks for your reply, I was merely asking if anyone has or had the same problem before, or anyone who might have a solution, of course If I stop squid now and disable it reconfigure my system to what it was before of course I will get the updates and the access to the internet but now any application or programme I want to run I have to find out where it is where it's going etc.. It looks as if I need to tweak for every single task, of every single application of every single client. Yes I have followed the configuration where the whole internet goes through a proxy, when faced with a problem like this can you imagine how many programmes and apps are there? If I have to tweak each and every one of them by hand and how many clients I have and so on So I can spend the rest of my life fixing things.

Anyway thanks for your reply
Regards
Adam

- Original Message -
From: "Jakob Curdes"
To: "a...@gmail"
Cc:
Sent: Monday, March 29, 2010 7:00 PM
Subject: Re: [squid-users] Apt-get Issue through squid

a...@gmail wrote:

> Hello Everybody! I have a question if you don't mind or if anyone has a solution to this I am trying to download some packages with apt-get on one of my Ubuntu clients All of the links fail, which means they are blocked by Squid, When I try the same thing on the Squid machine itself which is also the router I get all the updates

Please do not jump to assumptions without having checked the facts. "All of the links fail, which means they are blocked by Squid" is the least likely cause. You can verify that easily by looking at the squid access log, without going the deviation via the mailing list.

MY assumption is:
- The firewall on the router allows direct internet access - so it is clear that apt-get on the firewall can get the updates [without using squid at all]
- apt-get, being a unix-style command line tool, does not know or respect the browser settings for proxies
- you did not set a http_proxy/ftp_proxy variable in the shell calling apt-get nor did you configure a proxy in apt.conf
- As you do not allow direct internet access (or maybe even do not have a gateway set on the client, which would be perfectly OK), apt-get tries to resolve the name (may succeed depending on setup) and then tries to download from the origin server (which you prohibit, so it fails also).

It is very unlikely with any squid configuration near the defaults (eg. without authentication or complex header manipulation) that the proxy blocks requests from a particular machine depending on the "browser" used.

Conclusion: 99% not a squid issue. You might ask on the ubuntu mailing lists for help if Google does not give you enough explanation how to use apt-get with a proxy.

HTH, Jakob Curdes
Re: [squid-users] Apt-get Issue through squid
Hi Again, I do appreciate that, but some people are very restricted time wise The way it looks I could easily spend a whole year tweaking it before I could get everything working or maybe more :-) Anyway, Thank you all for your suggestions and help Regards Adam - Original Message - From: "Leonardo Carneiro - Veltrac" To: Sent: Monday, March 29, 2010 7:48 PM Subject: Re: [squid-users] Apt-get Issue through squid Also, you can educate your users so they know that your network has a proxy and to setup the proxy on the apps is a necessary step to get to work. Proxy is not a 'out-of-the-earth' thing now days and most of the users (on a enterprise network, at least) will be able to understand this. a...@gmail wrote: Hi there, Thanks for your reply, I was merely asking if anyone has or had the same problem before, or anyone who might have a solution, of course If I stop squid now and disable it reconfigure my system to what it was before of course I will get the updates and the access to the internet but now any application or programme I want to run I have to find out where it is where it's going etc.. It looks as if I need to tweak for every single task,. of every single application of every single client. Yes I have followed the configuration where the whole internet goes through a proxy, when faced with a problem like this can you imagine how many programmes and apps are there? If I have to tweak each and everyone of them by hand and how many clients I have and so on So I can spend the rest of my life fixing things. Anyway thanks for your reply Regards Adam - Original Message - From: "Jakob Curdes" To: "a...@gmail" Cc: Sent: Monday, March 29, 2010 7:00 PM Subject: Re: [squid-users] Apt-get Issue through squid a...@gmail schrieb: Hello Everybody! 
I have a question if you don't mind or if anyone has a solution to this I am trying to download some packages with apt-get on one of my Ubuntu clients All of the links fail, which means they are blocked by Squid, When I try the same thing on the Squid machine itself which is also the router I get all the updates Please do not jump to assumptions without having checked the facts. "All of the links fail, which means they are blocked by Squid" is the least likely cause. You can verify that easily by looking at the squid access log, without going the deviation via the mailing list. MY assumption is: - The firewall on the router allows direct internet access - so it is clear that apt-get on the firewall can get the updates [without using squid at all] - apt-get, being a unix-style command line tool, does not know or respect the browser settings for proxies - you did not set a http_proxy/ftp_proxy variable in the shell calling apt-get nor did you configure a proxy in apt.conf - As you do not allow direct internet access (or maybe even do not have a gateway set on the client, which would be perfectly OK), apt-get tries to resolve the name (may succeed depending on setup) an then tries to download from the origin server (which you prohibit, so it fails also). It is very unlikely with any squid configuration near the defaults (eg. without authentication or complex header manipulation) that the proxy blocks requests from a particular machine depending on the "browser" used. Conclusion: 99% not a squid issue. You might ask on the ubuntu mailing lists for help if Google does not give you enough explanation how to use apt-get with a proxy. HTH, Jakob Curdes
Re: [squid-users] Apt-get Issue through squid
Hi again, Sorry I forgot to mention I already have tried export http_proxy=http://ip_address:port but no luck so far Regards Adam - Original Message - From: "Leonardo Carneiro - Veltrac" To: Sent: Monday, March 29, 2010 7:48 PM Subject: Re: [squid-users] Apt-get Issue through squid Also, you can educate your users so they know that your network has a proxy and to setup the proxy on the apps is a necessary step to get to work. Proxy is not a 'out-of-the-earth' thing now days and most of the users (on a enterprise network, at least) will be able to understand this. a...@gmail wrote: Hi there, Thanks for your reply, I was merely asking if anyone has or had the same problem before, or anyone who might have a solution, of course If I stop squid now and disable it reconfigure my system to what it was before of course I will get the updates and the access to the internet but now any application or programme I want to run I have to find out where it is where it's going etc.. It looks as if I need to tweak for every single task,. of every single application of every single client. Yes I have followed the configuration where the whole internet goes through a proxy, when faced with a problem like this can you imagine how many programmes and apps are there? If I have to tweak each and everyone of them by hand and how many clients I have and so on So I can spend the rest of my life fixing things. Anyway thanks for your reply Regards Adam - Original Message - From: "Jakob Curdes" To: "a...@gmail" Cc: Sent: Monday, March 29, 2010 7:00 PM Subject: Re: [squid-users] Apt-get Issue through squid a...@gmail schrieb: Hello Everybody! 
I have a question if you don't mind or if anyone has a solution to this I am trying to download some packages with apt-get on one of my Ubuntu clients All of the links fail, which means they are blocked by Squid, When I try the same thing on the Squid machine itself which is also the router I get all the updates Please do not jump to assumptions without having checked the facts. "All of the links fail, which means they are blocked by Squid" is the least likely cause. You can verify that easily by looking at the squid access log, without going the deviation via the mailing list. MY assumption is: - The firewall on the router allows direct internet access - so it is clear that apt-get on the firewall can get the updates [without using squid at all] - apt-get, being a unix-style command line tool, does not know or respect the browser settings for proxies - you did not set a http_proxy/ftp_proxy variable in the shell calling apt-get nor did you configure a proxy in apt.conf - As you do not allow direct internet access (or maybe even do not have a gateway set on the client, which would be perfectly OK), apt-get tries to resolve the name (may succeed depending on setup) an then tries to download from the origin server (which you prohibit, so it fails also). It is very unlikely with any squid configuration near the defaults (eg. without authentication or complex header manipulation) that the proxy blocks requests from a particular machine depending on the "browser" used. Conclusion: 99% not a squid issue. You might ask on the ubuntu mailing lists for help if Google does not give you enough explanation how to use apt-get with a proxy. HTH, Jakob Curdes
[squid-users] Bind9 and squid3.0
Hi All, Hope you're all ok Just a quick question When I run my dns tools to check my zones and check_zone, it works When I ping my domain name it works But when I use Dig it doesn't The reason I am asking is because before I installed Squid the dig command used to work just fine Any ideas or suggestions please or if you know of ways around this? Your help will be much appreciated I have checked here in the mailing list archives nothing came up on the subject If I did miss it, then I apologise Regards Adam
[squid-users] Issue with some files and templates
Hi All, Since I installed Squid, now that I can access my backend server and vhosted websites There are a lot of things that aren't working, some links can't be accessed, some folders can't be opened, images, a lot of things. I simply can't understand what does Squid do to block all of these things and (please don't say it's not Squid) , I can understand that Squid might block any direct access to a folder etc.. but not the files and apps interaction: while contacting the OriginServer why is it that almost a quarter of items aren't displayed, I even get this items, folder, file, " not found on this server" When I know they are there. I really don't know what to do, as if Squid stops applications talking to each other within the same folder, I really don't how to explain it. It's a shame because the concept of a proxy server is a good idea but almost 40% of things refuse to work as they used to. If anyone can give me an idea on how to work around these problems please, Regards Adam
Re: [squid-users] Issue with some files and templates
om Is there a way to block this please?

And finally my access.log fills up within minutes, it is now in the size of 23,780,835 bytes (23.5 MB) This is far too large, sometimes it's even difficult to empty them, as they won't open because they are too large. Any ideas please? I have tried the squid -k rotate but it doesn't seem to work for the access.log

I will paste a few lines from the access log, it is far too big to post everything here: basically the same request repeated time and time again.

access.log
1270183340.294615 204.152.200.138 TCP_MISS/200 167 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
1270183340.665609 67.215.231.50 TCP_MISS/200 167 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
1270183340.702606 67.215.247.242 TCP_MISS/200 167 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
1270183340.767602 67.215.231.50 TCP_MISS/200 167 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
1270183341.272609 67.215.247.210 TCP_MISS/200 167 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -

I hope this helps for your last questions I didn't quite understand what you meant by "And does the requested URLs match what your origin servers expect?" For the above question, the answer is yes if it is what I understood the bottom one I didn't understand what you meant " > Including host component."

I hope that helps
Kind Regards
Adam

- Original Message -
From: "Henrik Nordström"
To: "a...@gmail"
Cc:
Sent: Friday, April 02, 2010 7:33 PM
Subject: Re: [squid-users] Issue with some files and templates

Fri 2010-04-02 at 19:14 +0100, a...@gmail wrote:

> Since I installed Squid, now that I can access my backend server and vhosted websites There are a lot of things that aren't working, some links can't be accessed, some folders can't be opened, images, a lot of things.

Can you describe your setup in a bit more detail? http_port settings? cache_peer settings? cache_peer_access settings? And what does access.log report?
Does it match your expectations on what was requested and where Squid tried to forward it? And does the requested URLs match what your origin servers expect? Including host component. Regards Henrik
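The access.log excerpt in the message above consists of CONNECT requests to port 25 answered with status 200. The following is an added example, not part of the thread: a small triage script that flags CONNECT tunnels to ports outside SSL_ports or from clients outside the LAN. The sample lines are constructed, and the LOCALNET range and SSL_PORTS set are assumptions to adjust to the local squid.conf.

```python
import ipaddress
import re
from collections import Counter

# Squid native access.log fields:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# The timestamp always carries three millisecond digits, so "\s*" also parses
# excerpts in which the padding before the elapsed field has been lost.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s*(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

LOCALNET = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the LAN range
SSL_PORTS = {443}  # assumption: mirrors a stock "acl SSL_ports port 443"

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
1270183340.294    615 198.51.100.23 TCP_MISS/200 167 CONNECT 203.0.113.10:25 - DIRECT/203.0.113.10 -
1270183340.665609 198.51.100.77 TCP_MISS/200 167 CONNECT 203.0.113.9:25 - DIRECT/203.0.113.9 -
1270183341.100    212 192.168.1.20 TCP_MISS/200 4312 CONNECT mail.example.org:443 - DIRECT/203.0.113.50 -
1270183341.500     45 192.168.1.21 TCP_MISS/200 1024 GET http://archive.example.org/dists/Release - DIRECT/203.0.113.60 text/plain
1270183342.010      3 198.51.100.23 TCP_DENIED/403 1500 CONNECT 203.0.113.10:25 - NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format log line into a dict, or return None."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    record["elapsed"] = int(record["elapsed"])
    return record


def connect_port(target):
    """Return the port of a CONNECT target written as host:port, else None."""
    _, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def is_local(client):
    """True only when the client field is an address inside LOCALNET."""
    try:
        address = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage: not provably local
    return any(address in network for network in LOCALNET)


def find_suspect_tunnels(lines):
    """Flag CONNECT requests to non-SSL ports or from clients outside the LAN."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None or record["method"] != "CONNECT":
            continue
        port = connect_port(record["url"])
        reasons = []
        if port not in SSL_PORTS:
            reasons.append("port %s not in SSL_ports" % port)
        if not is_local(record["client"]):
            reasons.append("client outside localnet")
        if reasons:
            findings.append({
                "client": record["client"],
                "target": record["url"],
                "port": port,
                # 200 on CONNECT means Squid opened the tunnel.
                "tunnel_opened": record["status"] == 200
                and not record["code"].startswith("TCP_DENIED"),
                "reasons": reasons,
            })
    return findings


def opened_by_client(findings):
    """Count tunnels that were actually opened, per client address."""
    return Counter(f["client"] for f in findings if f["tunnel_opened"])


if __name__ == "__main__":
    results = find_suspect_tunnels(SAMPLE_LOG.splitlines())
    for item in results:
        state = "OPENED" if item["tunnel_opened"] else "denied"
        print(state, item["client"], "->", item["target"], "; ".join(item["reasons"]))
    print(dict(opened_by_client(results)))
```

A finding with tunnel_opened set means http_access permitted the tunnel; the stock squid.conf rule "http_access deny CONNECT !SSL_ports" refuses CONNECT to any port not listed in SSL_ports.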
[squid-users] Accessing my websites is extremely slow
Hi all, Accessing my websites is extremely slow, it can take up to 5 minutes for the page to load some pages in the admin area won't even load no matter how long I wait. Squid is getting extremely slow Any ideas or suggestion on how to solve this problem please I know everyone is saying "it's not squid" I am sorry but it is squid, I never experienced all of these problems before in the 15 years I ran these websites I never had anything like until the moment I installed and ran squid I am having all sorts of problems. Any suggestions would be very much appreciated Thank you all Regards Adam
Re: [squid-users] Accessing my websites is extremely slow
Hi Ron, Thanks for your reply At the moment I kept everything as default I haven't allocated any extra cache space as yet when I restart it it doesn't really speed it up that much yes there's a slight difference for a short while I get the access.log filled so quickly to the point where I have to empty it into tries the cache.log and store.log are ok, but the access.log gets filled so quickly I have disabled it for now, to see whether it will make a difference. I have to wait til tomorrow I am trying to see if there's any noticeable change in the loading of the pages One other thing is one of my websites requires the license activation to run to it's potential but I am getting these errors since Squid. Warning: fopen() [function.fopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/www/folder/functions.php on line 2341 Warning: fopen(http://www.someothersite.com/licence_server.php?licence_check=1&li=bs7F9VfU&url=www.mysite.net) [function.fopen]: failed to open stream: No such file or directory in /var/www/folder/functions.php on line 2341 Warning: feof(): supplied argument is not a valid stream resource in /var/www/folder/functions.php on line 2343 Warning: fread(): supplied argument is not a valid stream resource in /var/www/folder/functions.php on line 2345 I get these errors in the admin area instead of getting the validation of my license, I get these errors "Warnings" As for the ratio of hits, there a lot of them that fail similar to the errors mentioned above of various files and folders of various apps in my three sites. I hope that helps a bit Regards Adams - Original Message - From: "Ron Wheeler" Cc: Sent: Sunday, April 04, 2010 7:23 PM Subject: Re: [squid-users] Accessing my websites is extremely slow a...@gmail wrote: Hi all, Accessing my websites is extremely slow, it can take up to 5 minutes for the page to load some pages in the admin area won't even load no matter how long I wait. 
Squid is getting extremely slow Any ideas or suggestion on how to solve this problem please I know everyone is saying "it's not squid" I am sorry bu it is squid, I never experienced all of these problems before in the 15 years I ran these websites I never had anything like until the moment I installed and ran squid I am having all sorts of problems. Any suggestions would be very much appreciated Thank you all Regards Adam When you restart Squid does that speed it up? What is the ratio of hits getting through to Apache compared to those being served by Squid. How much cache space have you allocated? How are the levels structured? Ron
[squid-users] E-mails through Squid3.0 problems
Hello All, I am having a serious problem with my E-mail programmes, none of my e-mails are going out If I send e-mail from my website, they are not delivered as they used to Confirmation, Subscription emails etc.. are not delivered Is there anything that needs doing in order to allow those emails to go out most of them are "php mailer" but there are others sent with sendmail system. Any ideas please, this is very urgent and important more important than anything else so far Regards Adam
Re: [squid-users] E-mails through Squid3.0 problems
Hi Jorge, I am not actually using a proxy for smtp, but my websites do send emails on a regular basis on a subscriptions, email confirmation and so on Now if for example a user registers he won't get an email to allow him/her to activate his/her account I have not set a proxy server for a mail server this is the php mailer it is built in the website Like forums, blogs etc... I do read my logs and there's nothing there to suggest that anything is being blocked there are some links which also read "Fail to retrieve whatever from source" but it doesn't help me. It doesn't say why, anyway there are a lot of things that aren't working anymore since I've installed Squid but if that continues then I am gonna have to uninstall it and do without, it's not just one area I need to fix or one problem that I need to solve there are far too many Thanks for you reply Regards Adam - Original Message - From: "Jorge Armando Medina" To: Sent: Tuesday, April 06, 2010 4:47 PM Subject: Re: [squid-users] E-mails through Squid3.0 problems
Re: [squid-users] Squid pops up password dialog when remote site is not reachable
Hi All,

I know that many people on many different situations including myself are having serious issues with the FF3 ++ especially with Java applets and many other environments. I have programs running with IE 6,7,8 Safari, FF2.0 Opera, Chrome etc.. but not with FF3.0 and later. So it could well be a Firefox issue, I am not saying that for sure but it could well be. Try with FF2 and see if it works then you'll know for sure that it's to do with FF3 and the new generation plugins or something in the core of FF3.

I hope that helps
Regards
Adam

- Original Message -
From: "Ayhan Molla"
To: "Henrik Nordström"
Cc:
Sent: Wednesday, April 07, 2010 10:09 AM
Subject: Re: [squid-users] Squid pops up password dialog when remote site is not reachable

I also noticed that this only happens in Firefox, IE does perform as expected. Could be an issue about FF, thank you.

--- On Wed, 4/7/10, Henrik Nordström wrote:
From: Henrik Nordström
Subject: Re: [squid-users] Squid pops up password dialog when remote site is not reachable
To: "Ayhan Molla"
Cc: squid-users@squid-cache.org
Date: Wednesday, April 7, 2010, 1:29 AM

Mon 2010-04-05 at 23:28 -0700, Ayhan Molla wrote:
> Hi,
> I only modified the helper line as follows:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> and added the following two statements, the rest of the file is unchanged.
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated

No idea then. What does access.log say?

Regards
Henrik
[squid-users] Squid can't access all links
Hi All, I was wondering if anyone has any suggestions on how to solve this issue. here it is let's say I try and access http://mysite.com/folder/ it works fine right? but if I try and access for instance http://mysite.com/folder/admin_login.php it doesn't How is it possible for squid to access only on part of the site and not the rest? This happens in almost every site I have. I can't login to the admin area on some websites. Another problem is when people register e-mails are not sent as they used to, NO I haven't changed anything the only thing I added was Squid Do I need to configure Squid to access every page, file, image on every site I have? Can anyone please explain this to me it's not making any sense. Regards Adam
[squid-users] SSH and other Apps issues with Squid 3.0
Good Morning everyone. I am using Ubuntu Hardy Squid 3.0 Router Cisco/linksys I am having problems with accessing my SSH servers. I can access my websites and the backend servers. I have tried using IPtables to forward the requests to my ssh servers and now I am trying with a Cisco LinkSys routers the same thing occurs It seems to me as I can't forward anything My ssh ports are Not the standards ports 22. My ssh ports are 22XX They worked fine for years using the same router and using iptables but as soon as I installed the proxy server I can no longer access them. Anyone has any suggestions please on what needs to doing? And many other things aren't working since the installation of my proxy server. Any suggestion or help would be much much appreciated Thank you all
[squid-users] SSH not working With Squid3.0
Hello All, I have posted this already but haven't seen any reply I am using Squid3.0 Only one SSH account works in my entire network, I can only access the SSH that is running on the same machine as the Squid Despite the fact I forward requests to all other SSH servers in my network absolutely no access whatsoever Before I installed Squid3.0 I could access every host's ssh server, but not since no matter what I do I simply cannot access the back end SSH servers Does anyone know of any secret way of working around this please, as it's not very practical not to be able to access the other machines remotely Any ideas of what I need to do please? I can't think of anything more, I have allowed the access to those ports on my Squid config on my linkSys router but impossible to connect to the server Any help would be much appreciated Regards Adam
Re: [squid-users] SSH not working With Squid3.0
Hi there, I have tried with iptable to forward requests it didn't work I am trying now with the linksys router not working either for the internal gateway yes Basically I have three backend machines I can only access the proxy machine's SSH even if I try internally to access the other machine's SSH servers the connection is refused But the gateway is on the router I am using my ISP's gateway not the Squid's machine I am forwarding other ports via my router, such as IRC ports etc.. it's working fine but when I forward to SSH ports the connection is refused. Any other suggestions please? Regards Adam
Re: [squid-users] SSH not working With Squid3.0
Hi, Yes I have searched why but could not find why not in the log not anywhere else. Tried with Iptables, with router same thing. How do I know? Ok if I shut down the proxy machine and completely remove it from the network and try again absolutely no problems in connecting to all my ssh servers but when I run the proxy server, the problem comes back how about that? I know it is the proxy server, what I don't know is why? Any ideas please? Thanks - Original Message - From: "John Doe" To: Sent: Wednesday, May 05, 2010 12:40 PM Subject: Re: [squid-users] SSH not working With Squid3.0 From: "a...@gmail" even if I try internally to access the other machine's SSH servers the connection is refused Fix that first... Searched why it is refused? And why do you say it is squid fault? JD
Re: [squid-users] SSH not working With Squid3.0
I have tried to use their FQDN, have tried using their IP Addresses, have tried locally connection refused whichever way I do it's the same problem. Regards Adam - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Thursday, May 06, 2010 1:18 AM Subject: Re: [squid-users] SSH not working With Squid3.0 Are you trying to do SSH to the servers using their FQDN? Or IP Address? Regards HASSAN On Thu, May 6, 2010 at 02:31, a...@gmail wrote: Hi, Yes I have searched why but could not find why not in the log not anywhere else. Tried with Iptables, with router same thing. How do I know? Ok if I shut down the proxy machine and completely remove it from the network and try again absolutely no problems in connecting to all my ssh servers but when I run the proxy server, the problem comes back how about that? I know it is the proxy server, what I don't know is why? Any ideas please? Thanks - Original Message - From: "John Doe" To: Sent: Wednesday, May 05, 2010 12:40 PM Subject: Re: [squid-users] SSH not working With Squid3.0 From: "a...@gmail" even if I try internally to access the other machine's SSH servers the connection is refused Fix that first... Searched why it is refused? And why do you say it is squid fault? JD
Re: [squid-users] SSH not working With Squid3.0
Hi, Yes, I can ping their IPs They are reachable internally and externally The reason I am asking here hoping that someone had a similar problem in the past who might be able to help Or perhaps something I need to do with the Squid's config in order to successfully reach these SSH servers. Logically speaking, Squid should not interfer with SSH connections, should it? But in my case I know it does. The only SSH I can access internally or externally is the SSH server that is running on the same box as Squid Regards Adam - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Thursday, May 06, 2010 10:01 AM Subject: Re: [squid-users] SSH not working With Squid3.0 Is their IP reachable from the host your are trying to access SSH? Regards HASSAN On Thu, May 6, 2010 at 14:51, a...@gmail wrote: I have tried to use their FQDN, have tried using their IP Addresses, have tried locally connection refused whichever way I do it's the same problem. Regards Adam - Original Message - From: "Nyamul Hassan" To: "Squid Users" Sent: Thursday, May 06, 2010 1:18 AM Subject: Re: [squid-users] SSH not working With Squid3.0 Are you trying to do SSH to the servers using their FQDN? Or IP Address? Regards HASSAN On Thu, May 6, 2010 at 02:31, a...@gmail wrote: Hi, Yes I have searched why but could not find why not in the log not anywhere else. Tried with Iptables, with router same thing. How do I know? Ok if I shut down the proxy machine and completely remove it from the network and try again absolutely no problems in connecting to all my ssh servers but when I run the proxy server, the problem comes back how about that? I know it is the proxy server, what I don't know is why? Any ideas please? Thanks - Original Message - From: "John Doe" To: Sent: Wednesday, May 05, 2010 12:40 PM Subject: Re: [squid-users] SSH not working With Squid3.0 From: "a...@gmail" even if I try internally to access the other machine's SSH servers the connection is refused Fix that first... 
Searched why it is refused? And why do you say it is squid fault? JD
Re: [squid-users] SSH not working With Squid3.0
Ok I'll try and describe it the best I can. I have a router LinkSys/Cisco This is how it goes: Internet > [ISP-Modem] (LocalNetwork ) Local Network > Machine1 Machine2 Machine3 Machine4 Machine5 Machine6 Machine1 = SQUID3.0 Machine2= Mail-Server Machine3= Webserver1 Machine4= Webserver2 Machine5=DSN server Machine6= Other services (Chat server) And 3 Windows Clients In All There are 9 Machines I can access these machines except via SSH Even though I have forwarded requests to each machine's SSH port Now for the errors When I try internally to connect to any of the SSH servers I get this error Let's say the only accessible SSH is the one running on the Squid's machine it has a port number , ok? Now if I want to ssh machine 192.168.1.3 on port 2224 ssh 192.168.1.3 2224 I get the following connect to host 192.168.1.3 port : Connection refused Do you see what I mean even though I do specify the port number of the machine which in this case is the port 2224 But I get the error message replying with the Squid's port number , and that is regardless from which machine I am trying to send the SSH request And from outside I get "Network Error Connection refused" if I try with putty for example: But if I turn off Squid's machine and unplug it from the network, I have absolutely no problem accessing these servers. Very strange Regards Adam - Original Message - From: "John Doe" To: Sent: Thursday, May 06, 2010 9:55 AM Subject: Re: [squid-users] SSH not working With Squid3.0 From: "a...@gmail" Yes I have searched why but could not find why not in the log not anywhere else. Tried with Iptables, with router same thing. How do I know? Ok if I shut down the proxy machine and completely remove it from the network and try again absolutely no problems in connecting to all my ssh serversbut when I run the proxy server, the problem comes back how about that? I know it is the proxy server, what I don't know is why? ok, so it is not a squid problem, but a server problem... 
Tried ssh -v (or -vv, -vvv)? What's the denied message in sshd logs? If you don't describe your setup (topology, routing, iptables rules...), we can barely try to guess... JD
Re: [squid-users] SSH not working With Squid3.0
- Original Message -
From: "John Doe"
To:
Sent: Thursday, May 06, 2010 3:04 PM
Subject: Re: [squid-users] SSH not working With Squid3.0

From: "a...@gmail"

Internet > [ISP-Modem] (LocalNetwork ) Local Network > Machine1 Machine2 Machine3 Machine4 Machine5 Machine6
Machine1 = SQUID3.0
Machine2= Mail-Server
...
I can access these machines except via SSH, even though I have forwarded requests to each machine's SSH port.

Forwarded requests? We were talking about local sshing... right? Why would you forward, how, and from where to where? Are you talking about ssh from the Internet to the local network, through the firewall? I did ask if local ssh was working... Is it? If you go on a local machine and try to ssh to another local machine, does it work?

I was talking about both from the internet and the local network. I did explain that from the local network, if I do ssh 192.168.1.6 on port 2224, I get the error message: ssh host 192.168.1.6 port connection refused. And the port is the port of the machine on which the proxy server runs. It doesn't matter from which machine I am trying to ssh to another machine, I get the same error message, as if my entire network is locked into one ssh port, and that is the ssh which also runs the router.

Do you see what I mean? Even though I do specify the port number of the machine, which in this case is port 2224, I get the error message replying with Squid's port number, and that is regardless of which machine I am trying to send the SSH request from.

No, I don't understand how this squid server would magically capture all the packets... If from machine A I try to ssh to machine B, the packet will go to machine B directly. Unless I am wrong, it will only go through the gateway if the target IP network is different. We still miss information, like routing, forwarding rules, etc... try to follow the packets' routes. Maybe you will need to look at tcpdumps...

Yes, normally when you ssh to a machine internally you don't need rerouting or forwarding. I am not saying I have forwarded the internal requests; I forwarded requests coming from the internet, for instance using clients such as putty etc. But no connection is allowed either internally or externally. I hope that helps.

JD

Regards
Adam
Re: [squid-users] weird problem with gmail, firefox and squid 2.7
Hi there,

There are a lot of issues at the moment with Firefox 3.x.x. It has issues in so many areas, especially with some Java applets. I would investigate that if I were you. It could well be a Firefox problem rather than a Squid issue. Try to use Firefox from somewhere else and see what happens.

Regards
Adam

- Original Message -
From: "Diego"
To:
Sent: Friday, May 07, 2010 6:23 PM
Subject: [squid-users] weird problem with gmail, firefox and squid 2.7

Hi List,

I am having a weird problem with gmail. When I tried to load the gmail page using firefox 3.5.x and squid 2.7.7, the login form of the page does not appear.

If I use IE it works, regardless of the squid version.
If I use Firefox 2.X it works, regardless of the squid version.
If I use firefox 3.5.x and Squid 2.6.6 it works.
This only happens with firefox 3.5.x and squid 2.7.7.

Any help?

Thanks
Galle
[squid-users] removing Proxy
Hello all,

I was wondering if anyone knows how to remove a proxy from a Linux system. I haven't added the proxy to any files, but every time I try, for instance, to connect, it keeps searching for the proxy. I initially added the proxy with export http://proxy:port

Now when I do unset http_proxy I can connect to the internet and do the apt-get and use synaptic without a problem, but if I reboot the machine it comes back again, unless I unset the proxy manually every time. Does anyone know where I can remove it from on an Ubuntu hardy based system, please?

I decided to stop using squid. It caused me a lot of problems; since I installed it, it was non-stop one problem after another. I came to realise that squid doesn't like me lol, so I am going to do without it. Too many things didn't work while using it; now that I stopped the proxy they are all back to normal.

If anyone knows how to remove it please let me know.

Best of luck everyone
KR
Adam