[squid-users] squid 3.0 transparent problem
greetings

i'm setting up a new squid box running 3.0 stable 16 in transparent mode. the problem is, no call ever gets to squid, unless I configure the client to look at " squidip " port 3128. Browser fails to connect. If I tell the system to use proxy at squidip 3128, it works fine.

I have made the new transparent changes to my config. and I have redirected destined for port 80 to squid.

here is my simplified config.

#l
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.100 255.255.255.255
#
http_access allow manager localhost
http_access deny manager
http_access allow localnet
# And finally deny all other access to this proxy
http_access allow all
# NETWORK OPTIONS
# -
#http_port 3128
http_port 10.0.2.3:3128 transparent
#Default:
# cache_mem 8 MB
cache_mem 128 MB
#Default:
# maximum_object_size_in_memory 8 KB
maximum_object_size_in_memory 80 KB
ipcache_size 1024
cache_dir ufs /usr/local/squid/var/cache 2048 16 256
maximum_object_size 40 MB
access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group wheel
visible_hostname hook2
-

#ipfw redirect
here you can see the redirect going to the port from the client

hook2:~ root# ipfw show
1 0 0 allow udp from any 626 to any dst-port 626
00500 0 0 fwd 127.0.0.1,3128 tcp from 10.135.1.100 to any dst-port 80 in recv en1
65535 559 359882 allow ip from any to any

hook2:~ root# ipfw show
10 0 allow udp from any 626 to any dst-port 626
00500 1 64 fwd 127.0.0.1,3128 tcp from 192.168.1.100 to any dst-port 80 in recv en1
65535 3530 2143506 allow ip from any to any

the client is OSX 10.5.6 leopard. browser cannot connect. any ideas ?
my previous setup used these transparent options,

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

tia
-jeff
Re: [squid-users] squid 3.0 transparent problem
On Jul 27, 2009, at 10:37 PM, Amos Jeffries wrote:

> Your firewall says its sending packets to 127.0.0.1,3128
> Your new squid.conf says interception is happening on 10.0.2.3:3128
>
> If you removed the IP or changed it to 127.0.0.1:3128 in squid.conf it would work.
>
> Amos

Thanks for the reply,... I just noticed that.

Accepting transparently proxied HTTP connections at 10.0.2.3, port 3128, FD 10.

I changed the ipfw and it works. Thanks for getting back to me.
-j
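
The mismatch identified in this exchange can be checked mechanically. The following Python sketch is an added example, not code from the thread or from the Squid project: it compares every ipfw `fwd` target with the `http_port` listeners in squid.conf. The function names and the sample input (modelled on the configuration quoted above) are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the configuration quoted in the thread.
SQUID_CONF = """\
#http_port 3128
http_port 10.0.2.3:3128 transparent
cache_mem 128 MB
"""

IPFW_RULES = """\
00500 0 0 fwd 127.0.0.1,3128 tcp from 192.168.1.100 to any dst-port 80 in recv en1
65535 559 359882 allow ip from any to any
"""

# Squid 3.0 spells the interception flag "transparent", 3.1 and later "intercept".
INTERCEPT_FLAGS = {"transparent", "intercept"}

# Matches both "ipfw show" output (rule, packets, bytes, action) and
# "ipfw add <rule> fwd ..." lines from a firewall script.
FWD_RE = re.compile(
    r"(?:^|\s)(\d+)(?:\s+\d+\s+\d+)?\s+fwd\s+(\d{1,3}(?:\.\d{1,3}){3}),(\d+)\b"
)


def http_ports(conf_text):
    """Return [(ip or None, port, intercepting)] for each active http_port line."""
    ports = []
    for raw in conf_text.splitlines():
        fields = raw.strip().split()
        # Commented-out lines begin with '#', so their first field never matches.
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        host, sep, port = fields[1].rpartition(":")
        intercepting = bool(INTERCEPT_FLAGS & set(fields[2:]))
        ports.append((host if sep else None, int(port), intercepting))
    return ports


def fwd_targets(ipfw_text):
    """Return [(rule number, ip, port)] for each fwd rule."""
    targets = []
    for line in ipfw_text.splitlines():
        m = FWD_RE.search(line.strip())
        if m:
            targets.append((m.group(1), m.group(2), int(m.group(3))))
    return targets


def check_redirects(conf_text, ipfw_text):
    """List fwd rules whose target Squid is not intercepting on."""
    ports = http_ports(conf_text)
    findings = []
    for rule, ip, port in fwd_targets(ipfw_text):
        # An http_port without an address listens on every local address.
        reachable = [p for p in ports if p[1] == port and p[0] in (None, ip)]
        if not reachable:
            findings.append(
                f"rule {rule}: fwd {ip},{port} reaches no http_port listener"
            )
        elif not any(p[2] for p in reachable):
            findings.append(
                f"rule {rule}: http_port for {ip},{port} lacks transparent/intercept"
            )
    return findings


if __name__ == "__main__":
    for finding in check_redirects(SQUID_CONF, IPFW_RULES):
        print(finding)
```
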
Re: [squid-users] Transparent mode with just 1 Ethernet port ?
On Jul 28, 2009, at 3:53 PM, Kevin C. Connell wrote:

> Thanks Kinkie, and Chris - much appreciated! I am definitely going to upgrade Squid. Regarding changing to transparent mode, I'm glad to learn that I can do it with a single Ethernet port, however, I am rethinking doing this, based on your input. I certainly don't want to complicate things for no solid reason.
>
> We recently upgraded our network to MPLS (over a mix of DSL and T1 lines), and our network provider recommended that we switch to transparent mode on our proxy server. They manage all of the routers, and they have set our Squid box as the default route for all of our remote locations. I am questioning their recommendation: My thought now is that the Cisco's should default route everything out to the proper Internet portal based on location, and we leave the Squid box to do caching and proxying, and leave the routing to the Cisco's.
>
> -Kevin

Hi kevin,
I've been running squid transparent for years, and for scalability reasons I find myself just wishing I had everyone configure their browsers.
mho
-j
[squid-users] Unsupported method in request '_'
Greetings

I'm seeing this error in cache.log

2009/08/13 09:31:30| clientParseRequestMethod: Unsupported method in request '_'

I thought i compiled with enable underscores. So im not sure what is causing this error. Im seeing it in 3.0 stable 18 &16

root# squid -v
Squid Cache: Version 3.0.STABLE18
configure options: '--enable-async-io' '--enable-icmp' '--enable-delay-pools' '--disable-htcp' '--enable-ssl' '--enable-ipfw-transparent' '--enable-snmp' '--enable-underscores' '--enable-basic-auth-helpers=NCSA,LDAP'

thanks.
Re: [squid-users] Unsupported method in request '_'
On Aug 13, 2009, at 9:56 AM, Amos Jeffries wrote:

> donovan jeffrey j wrote:
>> Greetings
>>
>> I'm seeing this error in cache.log
>>
>> 2009/08/13 09:31:30| clientParseRequestMethod: Unsupported method in request '_'
>>
>> I thought i compiled with enable underscores. So im not sure what is causing this error. Im seeing it in 3.0 stable 18 &16
>
> --enable-underscores affects whether URLs which violate HTTP standards and contain _ in the domain name are accepted and passed around.
>
> METHOD being an underscore may mean some random binary byte was received at the start of the request. We replace them in the log with underscores to prevent bad things happening when the logs are viewed.

Ah ha. thank you. I'm pretty much extension_method illiterate.
-j
Re: [squid-users] Unsupported method in request '_'
On Aug 13, 2009, at 10:24 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j :
>> Greetings
>>
>> I'm seeing this error in cache.log
>>
>> 2009/08/13 09:31:30| clientParseRequestMethod: Unsupported method in request '_'
>
> What does the request "_" do?

I thought it was attached at the end of a url

some-site-had-many-hyphens-then_ _.jpg

im not sure I need to grab a better snapshot.
-j
Re: [squid-users] secured authentication
On Sep 30, 2009, at 1:10 AM, Amos Jeffries wrote:

> For proxy-browser authentication:
> The preferred option is Kerberos / Negotiate authentication. I'm not sure of the Safari support level. IE needs to be version 7 or newer.
> Second best is NTLM. They should all support that.
>
> Squid has some helpers to authenticate through winbind to the AD.
> http://wiki.squid-cache.org/ConfigExamples#Authentication
>
> Amos

Amos is right OSX does not support kerberos for proxy Authentication. BASIC ncsa has been great with Safari and osx.
-j
Re: [squid-users] http_port 80 transparent issues
On Oct 9, 2009, at 10:31 AM, Ross Kovelman wrote:

> I am unable to save this line in the squid.conf:
> http_port 80 transparent issues
>
> FATAL: Bungled squid.conf line 57: http_port 80 transparent
> Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
>
> Any reason why? Its the 1st line in my configuration.
>
> Thanks

is your box setup as a transparent proxy ? grep your config for transparent
Re: [squid-users] http_port 80 transparent issues
On Oct 9, 2009, at 10:46 AM, Ross Kovelman wrote:

> From: donovan jeffrey j
> Date: Fri, 9 Oct 2009 10:42:53 -0400
> To: Ross Kovelman
> Cc: "squid-users@squid-cache.org"
> Subject: Re: [squid-users] http_port 80 transparent issues
>
> On Oct 9, 2009, at 10:31 AM, Ross Kovelman wrote:
>
> I am unable to save this line in the squid.conf:
> http_port 80 transparent issues
>
> FATAL: Bungled squid.conf line 57: http_port 80 transparent
> Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
>
> Any reason why? Its the 1st line in my configuration.
>
> Thanks
>
> is your box setup as a transparent proxy ? grep your config for transparent
>
> Is it true that in version 2.5 that does not work but this does the same thing?
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Thanks

yep those are the transparent options.
-j
Re: [squid-users] squid performance
On Oct 12, 2009, at 11:11 AM, Jason Martina wrote:

> Hello,
>
> Well im looking for a better solution than MS ISA proxy, we have 3000 users that uses 4 ISA proxy servers, and its a managment nightmare so im going to attempt to use squid+dansguardian, on the squid side of things i cant find anything about using it in a large orginization and with the users we have about 1500-2000 hit the proxy's at a time, there heavily used for customer service agents and i would like to use ONE server to control all, so im looking for some help or a document dealing with Larger companys!!

i run
2 primary transparent/nocache squid + squidguard
2 Authenticated squid cache + squidguard
covering 27 buildings and 2000 staff 9000 kids, and someone decided to give them all laptops one day :)

squid can hang
[squid-users] assertion failed: store_swapout.cc:317: "mem->swapout.sio == self
Squid keeps restarting. as soon as the store rebuilds,... squid reboots. Do i need to zip the cache and starts clean ?

2009/10/16 09:17:14| assertion failed: store_swapout.cc:317: "mem->swapout.sio == self"
2009/10/16 09:17:19| Starting Squid Cache version 3.0.STABLE19 for i686-apple-darwin9.7.0...
2009/10/16 09:17:19| Process ID 5605
2009/10/16 09:17:19| With 1024 file descriptors available
2009/10/16 09:17:19| Performing DNS Tests...
2009/10/16 09:17:19| Successful DNS name lookup tests...
2009/10/16 09:17:19| ipcacheAddEntryFromHosts: Bad IP address 'fe80::1%lo0'
2009/10/16 09:17:19| DNS Socket created at 0.0.0.0, port 53007, FD 6
2009/10/16 09:17:19| Adding domain beth.k12.pa.us from /etc/resolv.conf
2009/10/16 09:17:19| Adding nameserver x.x.1.2 from /etc/resolv.conf
2009/10/16 09:17:19| Adding nameserver x.x.9.2 from /etc/resolv.conf
2009/10/16 09:17:19| helperOpenServers: Starting 40/40 'squidGuard' processes
2009/10/16 09:17:19| Unlinkd pipe opened on FD 51
2009/10/16 09:17:19| Swap maxSize 67107840 + 262144 KB, estimated 5182306 objects
2009/10/16 09:17:19| Target number of buckets: 259115
2009/10/16 09:17:19| Using 262144 Store buckets
2009/10/16 09:17:19| Max Mem size: 262144 KB
2009/10/16 09:17:19| Max Swap size: 67107840 KB
2009/10/16 09:17:19| Version 1 of swap file with LFS support detected...
2009/10/16 09:17:19| Rebuilding storage in /Volumes/cache2/cache (DIRTY)
2009/10/16 09:17:19| Using Least Load store dir selection
2009/10/16 09:17:19| Current Directory is /private/var/root
2009/10/16 09:17:19| Loaded Icons.
2009/10/16 09:17:19| Accepting transparently proxied HTTP connections at 10.0.2.3, port 3128, FD 53.
2009/10/16 09:17:19| HTCP Disabled.
2009/10/16 09:17:19| Pinger socket opened on FD 55
2009/10/16 09:17:19| Ready to serve requests.
2009/10/16 09:17:19| icmpSend: send: (61) Connection refused
2009/10/16 09:17:19| Closing Pinger socket on FD 55
2009/10/16 09:17:20| Store rebuilding is 0.10% complete
2009/10/16 09:17:35| Store rebuilding is 23.84% complete
2009/10/16 09:17:50| Store rebuilding is 44.92% complete
2009/10/16 09:18:05| Store rebuilding is 62.54% complete
2009/10/16 09:18:20| Store rebuilding is 78.10% complete
2009/10/16 09:18:32| clientParseRequestMethod: Unsupported method attempted by x.x.19.166: This is not a bug. see squid.conf extension_methods
2009/10/16 09:18:32| clientParseRequestMethod: Unsupported method in request '__v___'
2009/10/16 09:18:32| clientProcessRequest: Invalid Request
2009/10/16 09:18:35| Store rebuilding is 91.83% complete
2009/10/16 09:18:45| Done reading /Volumes/cache2/cache swaplog (4003455 entries)
2009/10/16 09:18:45| Finished rebuilding storage from disk.
2009/10/16 09:18:45| 3983870 Entries scanned
2009/10/16 09:18:45| 0 Invalid entries.
2009/10/16 09:18:45| 0 With invalid flags.
2009/10/16 09:18:45| 3962109 Objects loaded.
2009/10/16 09:18:45| 0 Objects expired.
2009/10/16 09:18:45| 17546 Objects cancelled.
2009/10/16 09:18:45| 2702 Duplicate URLs purged.
2009/10/16 09:18:45| 1513 Swapfile clashes avoided.
2009/10/16 09:18:45| Took 85.28 seconds (46462.03 objects/sec).
2009/10/16 09:18:45| Beginning Validation Procedure
2009/10/16 09:18:45| 262144 Entries Validated so far.
2009/10/16 09:18:45| 524288 Entries Validated so far.
2009/10/16 09:18:46| 1048576 Entries Validated so far.
2009/10/16 09:18:46| 1310720 Entries Validated so far.
2009/10/16 09:18:47| 1835008 Entries Validated so far.
2009/10/16 09:18:47| 2097152 Entries Validated so far.
2009/10/16 09:18:47| 2359296 Entries Validated so far.
2009/10/16 09:18:48| 2621440 Entries Validated so far.
2009/10/16 09:18:48| 2883584 Entries Validated so far.
2009/10/16 09:18:48| 3145728 Entries Validated so far.
2009/10/16 09:18:48| 3407872 Entries Validated so far.
2009/10/16 09:18:49| 3932160 Entries Validated so far.
2009/10/16 09:18:50| 4456448 Entries Validated so far.
2009/10/16 09:18:51| 5505024 Entries Validated so far.
2009/10/16 09:18:51| 6029312 Entries Validated so far.
2009/10/16 09:18:52| 6815744 Entries Validated so far.
2009/10/16 09:18:52| 7077888 Entries Validated so far.
2009/10/16 09:18:53| 7340032 Entries Validated so far.
2009/10/16 09:18:53| 7602176 Entries Validated so far.
2009/10/16 09:18:53| 7864320 Entries Validated so far.
2009/10/16 09:18:53| Completed Validation Procedure
2009/10/16 09:18:53| Validated 7926537 Entries
2009/10/16 09:18:53| store_swap_size = 60622580
Re: [squid-users] squidGuard Dansguardian etc etc
On Jan 19, 2010, at 11:41 AM, Jeronimo Garcia wrote:

> Hi guys.
>
> So I'll need to implement some content filtering in my Squid servers and I've checked these two:
>
> Dan's one latest stable release is somewhere in September 2009 , even that that's not so long ago i wanted to know if some one in the list know how active it is
>
> SquidGuard Looks promising and I'm giving it a shot right now .
>
> In your opinion what's the best content filtering "plug-in" for squid ?
>
> I would be using in conjunction with ntlm_auth , and some others ACLs messing up with wbinfo_group.pl so the order of the ACLs would a sort of
> 1)ntlm_auth
> 2)wbinfo_group
> 3)content filtering (squidGuard, DansGuarding, or whatever is best)
>
> Thanks in advance.
>
> Cheers
> -J

Greetings,
I have been using squidguard for years. I have never had a need to try dansguardian. Sg has been very fast and very stable.
-j
Re: [squid-users] Configuring Squid on a MAC
On Jan 29, 2010, at 6:52 AM, akosh.kobash wrote:

> I have installed squid 3.0 on a MAC mini running Leopard 10.5.8.
> I would like to configure squid to act
> 1. as a proxy
> 2. as a web cache
>
> How do I go about this
> Am using webmin as a GUI tool for configuring squid.

read the squid docs,.. there is a great wiki covers everything.

on the mac just add a user named squid to your local directory, and give read write to /usr/local/squid and to your cache drives.

did you compile squid yourself or did you download a pre-compiled binary ?
-j
Re: [squid-users] WebFilter by ip
On Mar 24, 2010, at 8:30 PM, Landy Landy wrote:

> Hello List.
>
> I have an acl blocking a batch of ip addresses banned from using the internet and have others that can use the internet without problems. Now, I would like to filter the web content to those users that use the internet. I would like to block sexual content and stuff like that that can be desturbing at work.
>
> How can I create another acl to filter pages to the specific ip's that are allowed to the internet?
>
> Any suggestions???
>
> Thanks in advanced for your help.

greetings

Squid + SquidGuard very easy to do. you need to ask yourself, do you want transparent or configure the client browser ? then you can filter with a blacklist

start here for one.
http://www.shallalist.de/categories.html

any and all traffic that comes into the device can be viewed and sent to a log file for processing.
-j
[squid-users] filter suggestion for 443
Greetings i have a transparent squid with squidguard. i have a case where i need to allow all connections to port 443 except somesite.com. since Im not redirecting any 443 through squid. i guess i have to do it at the firewall level. unless someone could suggest a better way. basically " http://www.somesite.com " is blocked, but " https://www.somesite.com " is not. Ive tried very hard to stay away from filtering on 443. any insight would be helpful tnx -j
[squid-users] UDP errors after upgrade to 3.1.1
Greetings

compiled 3.1.1 on 2 OSX machines, both running 10.5.8 one is transparent the and the other is straight up. build went fine. no errors. fired up squid ( squid -d1x ) clients connected but as soon as a request for a site came through I got a ton of these on both systems;

2010/04/01 10:38:48| idnsSendQuery: FD 6: sendto: (22) Invalid argument
2010/04/01 10:38:56| comm_udp_sendto: FD 6, (family=2) 209.96.96.2:53: (22) Invalid argument

here is my previous build:

Version 3.0.STABLE24
configure options: '--enable-async-io' '--enable-icmp' '--enable-delay-pools' '--disable-htcp' '--enable-ssl' '--enable-ipfw-transparent' '--enable-snmp' '--enable-underscores' '--enable-basic-auth-helpers=NCSA,LDAP,getpwnam'

i quickly flipped back to my previous build until I can figure out what changed.
-jeff
Re: [squid-users] Fwd: Squid 2.7 with NTLM auth
On Apr 7, 2010, at 10:53 AM, Milan wrote:

> I have tried the below lines and it works but I would prefer to get it
> working using the allowed_ip.txt file. In that case we can just add ip
> address to allow through the proxy instead of making additional acls.
>
> acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24
> 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21
> 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
>
> http_access allow goto_meeting
>
>
> Any ideas?

acl foo src 10.0.0.0/255.255.0.0 proxy_auth REQUIRED
acl bar proxy_auth luke yoda darth joe
acl myNet src 11.0.0.0/255.255.0.0
http_access allow foo
http_access allow bar
http_access allow myNet
http_access deny all

i could be wrong,.. never tried it before.
-j
Re: [squid-users] UDP errors after upgrade to 3.1.1
>>
>> Second and probably more important.
>> squid -d1x
>> squid -k check shows " squid: ERROR: No running copy "
>> squid -k rotate " squid: ERROR: No running copy "
>> squid -k shutdown " squid: ERROR: No running copy "
>>
>> ps -ax | grep squid
>> root# ps -ax | grep squid
>> 29428 ?? 0:00.00 squid -d1x
>> 29430 ?? 0:01.30 (squid) -d1x
>> 29431 ?? 0:00.04 (squidGuard) -c /usr/local/squidGuard/squidGuard.conf
>>
>> is there a new way to start stop ?
>>
>
> Ouch, check if the squid.pid file also exists with the current Squid
> worker process PID (29430) inside it.

no pid file in the 3.1.1 build.
I check my other copies and they all made the PID file in /usr/local/squid/var/logs/squid.pid
nothing is in my 3.1.1

cat: /usr/local/squid/var/logs/squid.pid: No such file or directory

> "-k check" maybe should not be doing that test anyway. But the others
> require a running Squid they can contact.
>
> Amos
>
Re: [squid-users] UDP errors after upgrade to 3.1.1
On Apr 8, 2010, at 9:12 AM, Dean Weimer wrote:

> -Original Message-
> From: donovan jeffrey j [mailto:dono...@beth.k12.pa.us]
> Sent: Thursday, April 08, 2010 7:37 AM
> To: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] UDP errors after upgrade to 3.1.1
>
>> no pid file in the 3.1.1 build.
>> I check my other copies and they all made the PID file in /usr/local/squid/var/logs/squid.pid
>> nothing is in my 3.1.1
>> cat: /usr/local/squid/var/logs/squid.pid: No such file or directory
>
> The machines I have installed 3.1.1 on want to place the pid file in
> /usr/local/squid/var/run/squid.pid
>
> Unfortunately the install doesn't appear to build that directory, simply
> do a mkdir /usr/local/squid/var/run (make sure its owned by your squid
> user). Then either kill and restart squid, or manually create a
> squid.pid file with the process id in it.

YAY!

nc-106:var root# mkdir run
nc-106:var root# chown squid:wheel run
nc-106:var root# ls -la
total 0
drwxr-xr-x 4 squid wheel 136 Apr 8 09:27 .
drwxr-xr-x 11 root wheel 374 Apr 1 10:20 ..
drwxr-xr-x 36 squid wheel 1224 Apr 8 08:55 logs
drwxr-xr-x 2 squid wheel 68 Apr 8 09:27 run
nc-106:var root# cd run
nc-106:run root# ls
nc-106:run root# squid -d1x
nc-106:run root# ls
squid.pid
nc-106:run root# cat squid.pid
36555
nc-106:run root# squid -k check
"no news is good news "
nc-106:run root# squid -k rotate
logfileRotate: /usr/local/squid/var/logs/access.log
nc-106:run root# squid -k shutdown
Squid Cache (Version 3.1.1): Exiting normally.

worked like a champ. I had to create the " run " directory, then all was happy.

thanks dean
-j
Re: [squid-users] Shalla's blacklist
On May 17, 2010, at 11:33 AM, Rich Winkel wrote:

> Could someone explain the organization of this blacklist? There's a BL directory
> which includes the same categories as the top-level directory (and more) but
> the overlapping categories seem to have more entries. Is this for differing
> levels of safety or ??
>
> Thanks!
> Rich

you don't have to deploy all of them.
Re: [squid-users] squidGuard Stopped
On Jul 12, 2010, at 4:44 AM, squidACL wrote:

>
> Good Day
>
> I work with squidGuard to do the filtre , it's working well but i dont know
> after each tow days the squidGuard stopped
>
> I did squidGuard -C all and squid -k reconfigure
>
> how can i do to live the squidGuard stay started ?
>
> I will be thankfull if you can help me about this issue
>
> 2010-07-12 09:36:24 [12169] New setting: dbhome: /var/squidGuard/blacklists
>
>
> Thank you

how many squidguard processes are your running ? does your squid logs or system log give you any clues as to why SG would stop.
-j
Re: [squid-users] Squid and squidguard
On Aug 12, 2010, at 12:10 PM, Mamadou Touré wrote:

> Hi,
> all when configuring squid for squidguard.
> we have :
>
> redirect_program /usr/bin/squidGuard
> redirect_children 10
>
> what mean redirect_children.
>
> and value should have for squid wich manage about 100 clients.
>
> regards.
>

it means how many squidguard instances should squid spawn.

/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard
/usr/local/bin/squidguard

watch your processes ie Top or netstat, and watch how many are being used. then you can adjust accordingly. 10 is usually just fine. I have a case where i have thousands of connections so i run 100 redirects. Your squid logs will also tell you if your running out.
-j
Re: [squid-users] Squid + IPFW on Mac OS X
On Oct 4, 2010, at 3:34 PM, Haravikk wrote:

> Been bashing my brains out on this one for ages, but I'm going to have to
> admit defeat, as network stuff really isn't my thing.
>
> Basically, I'm installing Squid on my local machine, and want it to handle
> outgoing requests to a particular port, unfortunately the app in question
> (Second Life) does not support OS defined proxy servers, so I'm forced to try
> and redirect it. The only solution really is ipfw I think, I've already
> corrected for the weird OS X.6 issue with ipfw forwarding which now works as
> it should.
>
> I've compiled Squid3 with the ipfw transparent support that is required to
> use the intercept option.
>
> Configuration sets up Squid3 to listen on port 3128, and also to intercept on
> port 3178. This appears to work correctly.
>
> So now all I need is to set up an IPFW rule to direct traffic to 3178, and
> I've done the following:
>
> 100 fwd 127.0.0.1,3178 from any to any dst-port 12046
>
> However this seems to generate a loop whereby traffic from Second Life is
> routed to localhost:3178, but traffic from squid is also routed to the same
> address (itself!)
>
> I'm completely stumped on how I go about telling ipfw to only redirect
> messages from Second Life to port 12046, and allow requests from squid so
> that it can actually do its thing.
>
> Any help is greatly appreciated! I've bounced around various articles in
> Google to little avail, either I just don't understand what the solutions
> have been, or none of them are working for some reason because I'm missing a
> step somewhere.
>
> Thanks!
> Haravikk

here is a sample of my ipfw script i run. if you would like to see the full blown version i can message off list.
#!/bin/sh
#Quietly flush out rules
/sbin/ipfw -q zero
/sbin/ipfw -q -f flush

#Set command prefix (add "-q" option after development to turn on quiet mode)
cmd="/sbin/ipfw -q add"

$cmd 507 fwd 10.0.2.3,3128 tcp from 10.149.0.0/16 to any dst-port 80 in recv en1
$cmd 508 fwd 10.0.2.3,3128 tcp from 10.150.0.0/16 to any dst-port 80 in recv en1
$cmd 509 fwd 10.0.2.3,3128 tcp from 10.151.0.0/16 to any dst-port 80 in recv en1
$cmd 510 fwd 10.0.2.3,3128 tcp from 10.152.0.0/16 to any dst-port 80 in recv en1
$cmd 511 fwd 10.0.2.3,3128 tcp from 10.153.0.0/16 to any dst-port 80 in recv en1
$cmd 512 fwd 10.0.2.3,3128 tcp from 10.142.0.0/16 to any dst-port 80 in recv en1
$cmd 513 fwd 10.0.2.3,3128 tcp from 10.140.0.0/16 to any dst-port 80 in recv en1
$cmd 514 fwd 10.0.2.3,3128 tcp from 10.104.0.0/16 to any dst-port 80 in recv en1

these are just network redirects to squid.
-j

osx H00t
[squid-users] Squid 3.1.9 OSX client_side.cc okToAccept: WARNING! Your cache is running out of filedescriptors
greetings

updated 2 transparent proxies last night. and both are spewing noise about filedescriptors. this is coming from the system.

2010/11/03 08:48:36| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:48:52| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:49:08| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:49:24| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:49:40| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:49:56| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:50:12| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:50:28| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:50:44| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors
2010/11/03 08:51:00| client_side.cc(2980) okToAccept: WARNING! Your cache is running out of filedescriptors

here is what sysctl -a gives me.

kern.exec: unknown type returned
kern.maxfiles = 12288
kern.maxfilesperproc = 10240
kern.corefile = /cores/core.%P
kern.maxfiles: 12288
kern.maxfilesperproc: 10240

what should i set these to and do I need to recompile with any special adjustments ?

./configure --enable-icmp --enable-storeio=diskd,ufs,aufs --enable-delay-pools --disable-htcp --enable-ssl --enable-ipfw-transparent --enable-snmp --enable-underscores --enable-basic-auth-helpers=NCSA,LDAP,getpwnam
Re: [squid-users] client_side_request.cc messages in cache.log
I
On Nov 4, 2010, at 12:09 PM, Dean Weimer wrote:

> I just setup a new site through my reverse proxy running Squid 3.1.9, and
> though it's working fine, I am receiving the follow message every time an url
> on the new site is accessed.
>
> 010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone:
> redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to 0x802242000
>
> The url in question is an HTTPS url, and is passed through a self written url
> rewrite program (written in Python), I have verified that the processes are
> not crashing or causing any internal errors when rewriting this url. The
> application is a vendor provided ASP.net application running on IIS 6.0. So
> far it's only available to internal users, for testing so there isn't a heavy
> load for this url on the proxy yet. There isn't any perceivable difference
> in performance between the reverse proxy and accessing the site directly
> (Though I wouldn't expect to see the performance advantages of Squid with the
> currently load on the backend server being next to nothing at this point), so
> whatever is causing the error doesn't seem to be affecting performance.
>
> I am concerned that this message may be a sign of a more major problem when
> the server gets placed under a larger load.
>
> Thanks,
> Dean Weimer

I am seeing the same things ,I think it's normal behavior but im not sure either.

2010/11/04 12:19:12| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0xcc167c0*2 from request 0x96c400 to 0xa326a00
2010/11/04 12:19:15| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x140dbb70*1 from request 0x3dc5c00 to 0x2cd6c00
2010/11/04 12:19:43| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x1b8b350*1 from request 0xa3b4000 to 0x314

-j
Re: [squid-users] client_side_request.cc messages in cache.log
On Nov 4, 2010, at 11:10 PM, Amos Jeffries wrote: > On 05/11/10 05:23, donovan jeffrey j wrote: >> I >> On Nov 4, 2010, at 12:09 PM, Dean Weimer wrote: >> >>> I just setup a new site through my reverse proxy running Squid 3.1.9, and >>> though it's working fine, I am receiving the follow message every time an >>> url on the new site is accessed. >>> >>> 010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone: >>> redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to 0x802242000 >>> >>> The url in question is an HTTPS url, and is passed through a self written >>> url rewrite program (written in Python), I have verified that the processes >>> are not crashing or causing any internal errors when rewriting this url. >>> The application is a vendor provided ASP.net application running on IIS >>> 6.0. So far it's only available to internal users, for testing so there >>> isn't a heavy load for this url on the proxy yet. There isn't any >>> perceivable difference in performance between the reverse proxy and >>> accessing the site directly (Though I wouldn't expect to see the >>> performance advantages of Squid with the currently load on the backend >>> server being next to nothing at this point), so whatever is causing the >>> error doesn't seem to be affecting performance. >>> >>> I am concerned that this message may be a sign of a more major problem when >>> the server gets placed under a larger load. >>> >>> Thanks, >>> Dean Weimer >> >> I am seeing the same things ,I think it's normal behavior but im not sure >> either. 
>> 2010/11/04 12:19:12| client_side_request.cc(1047) clientRedirectDone: >> redirecting body_pipe 0xcc167c0*2 from request 0x96c400 to 0xa326a00 >> 2010/11/04 12:19:15| client_side_request.cc(1047) clientRedirectDone: >> redirecting body_pipe 0x140dbb70*1 from request 0x3dc5c00 to 0x2cd6c00 >> 2010/11/04 12:19:43| client_side_request.cc(1047) clientRedirectDone: >> redirecting body_pipe 0x1b8b350*1 from request 0xa3b4000 to 0x314 >> >> -j > > At first glance it seems to be a debug message which has been left at the > wrong priority. It indicates that the connection was URL re-written instead > of HTTP redirected. squid -d1 > > It should be noted that re-writing the HTTPS / CONNECT request URL is a very > dangerous activity. It will result directly in the client connecting and > sending SSL credentials to a server it was not intending to contact at all. > The safe way to do it is with a true HTTP redirect via the 302:/303:/307: > status code. Unfortunately some browsers dont like these, so transition to > correct usage needs to be done with care. > > Amos not sure I intended to re-write anything on purpose. squid 3.1.9 running transparent with SquidGuard. 
https is not proxied it goes direct

# -
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src x.x.x.x
#
#windows updates
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
#
http_access allow manager localhost
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
# NETWORK OPTIONS
# -
#http_port 3128
http_port 10.0.x.x:3128 transparent
# REDIRECT OPTIONS
# -
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 100
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
ipcache_size 1024
cache_dir ufs /Volumes/cache2/cache 65535 16 256
cache_dir ufs /Volumes/cache3/cache 65535 16 256
maximum_object_size 4096 KB
access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
range_offset_limit -1
cache_effective_user squid
cache_effective_group wheel
visible_hostname hook2
shutdown_lifetime 10 seconds
Re: [squid-users] client_side_request.cc messages in cache.log
On Nov 5, 2010, at 9:27 AM, Amos Jeffries wrote:

> On 06/11/10 01:55, donovan jeffrey j wrote:
>>
>> On Nov 4, 2010, at 11:10 PM, Amos Jeffries wrote:
>>
>>> On 05/11/10 05:23, donovan jeffrey j wrote:
>>>> I
>>>> On Nov 4, 2010, at 12:09 PM, Dean Weimer wrote:
>>>>
>>>>> I just setup a new site through my reverse proxy running Squid 3.1.9, and
>>>>> though it's working fine, I am receiving the following message every time an
>>>>> url on the new site is accessed.
>>>>>
>>>>> 010/11/04 10:39:32| client_side_request.cc(1047) clientRedirectDone:
>>>>> redirecting body_pipe 0x8016a1e38*1 from request 0x802637800 to
>>>>> 0x802242000
>>>>>
>>>>> The url in question is an HTTPS url, and is passed through a self written
>>>>> url rewrite program (written in Python), I have verified that the
>>>>> processes are not crashing or causing any internal errors when rewriting
>>>>> this url. The application is a vendor provided ASP.net application
>>>>> running on IIS 6.0. So far it's only available to internal users, for
>>>>> testing so there isn't a heavy load for this url on the proxy yet. There
>>>>> isn't any perceivable difference in performance between the reverse proxy
>>>>> and accessing the site directly (Though I wouldn't expect to see the
>>>>> performance advantages of Squid with the current load on the backend
>>>>> server being next to nothing at this point), so whatever is causing the
>>>>> error doesn't seem to be affecting performance.
>>>>>
>>>>> I am concerned that this message may be a sign of a more major problem
>>>>> when the server gets placed under a larger load.
>>>>>
>>>>> Thanks,
>>>>> Dean Weimer
>>>>
>>>> I am seeing the same things, I think it's normal behavior but I'm not sure
>>>> either.
>>>> 2010/11/04 12:19:12| client_side_request.cc(1047) clientRedirectDone:
>>>> redirecting body_pipe 0xcc167c0*2 from request 0x96c400 to 0xa326a00
>>>> 2010/11/04 12:19:15| client_side_request.cc(1047) clientRedirectDone:
>>>> redirecting body_pipe 0x140dbb70*1 from request 0x3dc5c00 to 0x2cd6c00
>>>> 2010/11/04 12:19:43| client_side_request.cc(1047) clientRedirectDone:
>>>> redirecting body_pipe 0x1b8b350*1 from request 0xa3b4000 to 0x314
>>>>
>>>> -j
>>>
>>> At first glance it seems to be a debug message which has been left at the
>>> wrong priority. It indicates that the connection was URL re-written instead
>>> of HTTP redirected.
>>
>> squid -d1
>>
>>>
>>> It should be noted that re-writing the HTTPS / CONNECT request URL is a
>>> very dangerous activity. It will result directly in the client connecting
>>> and sending SSL credentials to a server it was not intending to contact at
>>> all.
>>> The safe way to do it is with a true HTTP redirect via the 302:/303:/307:
>>> status code. Unfortunately some browsers don't like these, so transition to
>>> correct usage needs to be done with care.
>>>
>>> Amos
>>
>> not sure I intended to re-write anything on purpose.
>>
>> squid 3.1.9 running transparent with SquidGuard. https is not proxied it
>> goes direct
>>
>
> squidguard is a re-writer. The message is caused by its output back to Squid.
>
> I would hope it is only configured "on purpose" ;-)
>
>
>> # NETWORK OPTIONS
>> #
>> -
>>
>> #http_port 3128
>> http_port 10.0.x.x:3128 transparent
>>
>>
>> # REDIRECT OPTIONS
>> #
>> -
>>
>> redirect_program /usr/local/bin/squidGuard -c
>> /usr/local/squidGuard/squidGuard.conf
>> redirect_children 100
>
> These directives are deprecated. Rename them to "url_rewrite_program" and
> "url_rewrite_children" there will be no operational difference in 3.1.9 but
> will save upgrade problems later.
>

does this look right ?
#redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
#redirect_children 100
url_rewrite_children 100

-j
Re: [squid-users] client_side_request.cc messages in cache.log
On Nov 5, 2010, at 10:24 AM, Amos Jeffries wrote:

> On 06/11/10 03:20, donovan jeffrey j wrote:
>>
>
>>
>> does this look right ?
>>
>> #redirect_program /usr/local/bin/squidGuard -c
>> /usr/local/squidGuard/squidGuard.conf
>> url_rewrite_program /usr/local/bin/squidGuard -c
>> /usr/local/squidGuard/squidGuard.conf
>> #redirect_children 100
>> url_rewrite_children 100
>>
>
> Yes.

is it okay to issue a -k reconfigure for this change or is it better to wait until not many users are accessing?

-j
Re: [squid-users] client_side_request.cc messages in cache.log
On Nov 5, 2010, at 7:37 PM, Amos Jeffries wrote:

> On 06/11/10 03:28, donovan jeffrey j wrote:
>>
>> On Nov 5, 2010, at 10:24 AM, Amos Jeffries wrote:
>>
>>> On 06/11/10 03:20, donovan jeffrey j wrote:
>>>>
>>>
>>>>
>>>> does this look right ?
>>>>
>>>> #redirect_program /usr/local/bin/squidGuard -c
>>>> /usr/local/squidGuard/squidGuard.conf
>>>> url_rewrite_program /usr/local/bin/squidGuard -c
>>>> /usr/local/squidGuard/squidGuard.conf
>>>> #redirect_children 100
>>>> url_rewrite_children 100
>>>>
>>>
>>> Yes.
>>
>> is it okay to issue a -k reconfigure for this change or is it better to wait
>> until not many users are accessing?
>> -j
>
> reconfigure is enough. It is just a cosmetic config change at this point.
>
> Amos

okay I'm getting same message under load.

2010/11/08 09:04:50| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x2135be20*2 from request 0x14e14200 to 0x8ac0200
2010/11/08 09:04:56| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x1fabb330*2 from request 0xc7a5e00 to 0xe05d000
2010/11/08 09:05:00| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x2135be20*1 from request 0x8fa7200 to 0x127f7400
2010/11/08 09:05:06| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x20606560*1 from request 0x11508200 to 0x11add800
2010/11/08 09:05:07| client_side_request.cc(1047) clientRedirectDone: redirecting body_pipe 0x21278360*1 from request 0xbcbc00 to 0x190d4a00

and yes there is redirection going on so it's not lying to me.
^^^ client redirect done.
is this just a notification of the redirect ? or is it an error ?

-j
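Added example (not from any post in this thread, and not Dean's or SquidGuard's code): a small Python url_rewrite_program helper that illustrates Amos's point above by answering with a 302: redirect for plain HTTP and never altering a CONNECT request. The blocked domain, the redirect target and the function names are hypothetical, and it assumes url_rewrite_concurrency is left at 0 so request lines carry no channel ID.

```python
#!/usr/bin/env python3
"""url_rewrite_program helper that answers with HTTP redirects, never silent rewrites."""
import sys
from urllib.parse import urlsplit

# Constructed policy for illustration: blocked domain -> page the client is sent to.
BLOCKED = {
    "blocked.example.com": "http://filter.example.net/blocked.html",
}
NO_CHANGE = ""  # an empty reply line tells Squid to leave the request as it is


def blocked_target(host):
    """Return the redirect target for host or any of its subdomains, else None."""
    for domain, target in BLOCKED.items():
        if host == domain or host.endswith("." + domain):
            return target
    return None


def decide(line):
    """Map one request line from Squid to one reply line (without the newline).

    Squid 3.1 input:  URL client_ip/fqdn user method [key=value ...]
    Replies used here: "" (no change) or "302:URL" (client-visible redirect).
    A bare URL reply would be a silent rewrite, which this helper never sends.
    """
    fields = line.split()
    if len(fields) < 4:
        return NO_CHANGE  # malformed line: change nothing rather than guess
    url, method = fields[0], fields[3].upper()
    if method == "CONNECT":
        # For CONNECT the "URL" is the host:port of a tunnel. Rewriting it would
        # connect the client's SSL session to a server it never asked for, so
        # tunnels are left alone here; deny them with http_access if needed.
        return NO_CHANGE
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return NO_CHANGE  # unparsable URL: leave the request untouched
    target = blocked_target(host)
    if target is None or host == urlsplit(target).hostname:
        return NO_CHANGE  # not blocked, or already on the block page (no loop)
    return "302:" + target


def main():
    # Squid sends one request per line and waits for exactly one reply line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # reply immediately, or Squid stalls on the helper


if __name__ == "__main__":
    main()
```
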
[squid-users] best practice for transparent
greetings

i recently updated my transparent proxy to sq 3.1.9, which also uses squidguard for url filters.

this has been bogging down. browser always says ,.." waiting for google,... or waiting for www.abc.com
I could have a dns issue or I could have a cache swap issue or a squidguard issue. I first wanted to make sure that running 3.1.9 transparent is the best version for the job. I had read a while back in a thread that v2.7 might be better than 3.1.x. Can anyone confirm ?

here's a snapshot of cache.log

hook2:bin root# ulimit -n 2048
hook2:bin root# squid -d1x
hook2:bin root# 2010/12/07 11:12:34| Starting Squid Cache version 3.1.9 for i686-apple-darwin9.8.0...
2010/12/07 11:12:34| Process ID 5210
2010/12/07 11:12:34| With 2048 file descriptors available
2010/12/07 11:12:34| Initializing IP Cache...
2010/12/07 11:12:34| DNS Socket created at [::], FD 6
2010/12/07 11:12:34| DNS Socket created at 0.0.0.0, FD 7
2010/12/07 11:12:34| Adding domain beth.k12.pa.us from /etc/resolv.conf
2010/12/07 11:12:34| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2010/12/07 11:12:34| Adding nameserver 209.96.96.2 from /etc/resolv.conf
2010/12/07 11:12:34| helperOpenServers: Starting 100/100 'squidGuard' processes
2010/12/07 11:12:35| Unlinkd pipe opened on FD 212
2010/12/07 11:12:35| Store logging disabled
2010/12/07 11:12:35| Swap maxSize 134215680 + 262144 KB, estimated 1038 objects
2010/12/07 11:12:35| Target number of buckets: 517222
2010/12/07 11:12:35| Using 524288 Store buckets
2010/12/07 11:12:35| Max Mem size: 262144 KB
2010/12/07 11:12:35| Max Swap size: 134215680 KB
2010/12/07 11:12:35| Version 1 of swap file with LFS support detected...
2010/12/07 11:12:35| Rebuilding storage in /Volumes/cache2/cache (CLEAN)
2010/12/07 11:12:35| Version 1 of swap file with LFS support detected...
2010/12/07 11:12:35| Rebuilding storage in /Volumes/cache3/cache (CLEAN)
2010/12/07 11:12:35| Using Least Load store dir selection
2010/12/07 11:12:35| Current Directory is /usr/bin
2010/12/07 11:12:35| Loaded Icons.
2010/12/07 11:12:35| Accepting intercepted HTTP connections at 10.0.2.3:3128, FD 217.
2010/12/07 11:12:35| HTCP Disabled.
2010/12/07 11:12:35| Squid modules loaded: 0
2010/12/07 11:12:35| Ready to serve requests.
2010/12/07 11:12:35| Store rebuilding is 0.12% complete
2010/12/07 11:13:25| Done reading /Volumes/cache3/cache swaplog (3496117 entries)
2010/12/07 11:13:25| Store rebuilding is 99.79% complete
2010/12/07 11:13:25| Done reading /Volumes/cache2/cache swaplog (3510803 entries)
2010/12/07 11:13:25| Finished rebuilding storage from disk.
2010/12/07 11:13:25| 7006920 Entries scanned
2010/12/07 11:13:25| 0 Invalid entries.
2010/12/07 11:13:25| 0 With invalid flags.
2010/12/07 11:13:25| 7006920 Objects loaded.
2010/12/07 11:13:25| 0 Objects expired.
2010/12/07 11:13:25| 0 Objects cancelled.
2010/12/07 11:13:25| 0 Duplicate URLs purged.
2010/12/07 11:13:25| 0 Swapfile clashes avoided.
2010/12/07 11:13:25| Took 50.69 seconds (138218.19 objects/sec).
2010/12/07 11:13:25| Beginning Validation Procedure
2010/12/07 11:13:26| 262144 Entries Validated so far.
2010/12/07 11:13:26| 1310720 Entries Validated so far.
2010/12/07 11:13:26| 1572864 Entries Validated so far.
2010/12/07 11:13:26| 3407872 Entries Validated so far.
2010/12/07 11:13:26| 3670016 Entries Validated so far.
2010/12/07 11:13:26| 4718592 Entries Validated so far.
2010/12/07 11:13:26| 4980736 Entries Validated so far.
2010/12/07 11:13:26| 6291456 Entries Validated so far.
2010/12/07 11:13:26| 6553600 Entries Validated so far.
2010/12/07 11:13:27| 6815744 Entries Validated so far.
2010/12/07 11:13:27| 8388608 Entries Validated so far.
2010/12/07 11:13:27| 8650752 Entries Validated so far.
2010/12/07 11:13:27| 8912896 Entries Validated so far.
2010/12/07 11:13:27| 9699328 Entries Validated so far.
2010/12/07 11:13:27| 9961472 Entries Validated so far.
2010/12/07 11:13:27| 10223616 Entries Validated so far.
2010/12/07 11:13:27| 10485760 Entries Validated so far.
2010/12/07 11:13:27| 10747904 Entries Validated so far.
2010/12/07 11:13:27| 12845056 Entries Validated so far.
2010/12/07 11:13:28| Completed Validation Procedure
2010/12/07 11:13:28| Validated 14013839 Entries
2010/12/07 11:13:28| store_swap_size = 120801068
Re: [squid-users] best practice for transparent
On Dec 7, 2010, at 5:13 PM, Amos Jeffries wrote:

> On 08/12/10 05:32, donovan jeffrey j wrote:
>> greetings
>>
>> i recently updated my transparent proxy to sq 3.1.9, which also uses
>> squidguard for url filters.
>
> First "best practice" is to use the right terminology.

sorry i forgot we changed that ;)

>
> Your log traces says "Accepting intercepted HTTP connections at
> 10.0.2.3:3128" So they are NAT interception connections.

yes I am using NAT after Squid.

client --- > [ squid ] > [ NAT ] --->

>
>
>>
>> this has been bogging down. browser always says ,.." waiting for
>> google,... or waiting for www.abc.com
>> I could have a dns issue or I could have a cache swap issue or a squidguard
>> issue. I first wanted to make sure that running 3.1.9 transparent is the
>> best version for the job. I had read a while back in a thread that v2.7
>> might be better than 3.1.x. Can anyone confirm ?
>
> 2.7 should not be.
>
> I've not had anyone explicitly mention whether the NAT logic upgrades to 3.x
> worked or not in Mac. The BSD ones needed some extra fixes which were done
> back around 3.1.6

So basically 3.1.9 should be fine for my purposes then.

here is my config. does anything stand out as wrong or should be adjusted ?
# squid.conf
#
#
#
# set logging to the lowest level
debug_options ALL,1

#access to squid and the cache manager
#
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl noc src 10.3.1.0/24 10.135.0.0/16 10.235.0.0/16 10.35.1.0/24
acl admin src 10.139.0.0/16 10.136.0.0/16 10.103.0.0/16
acl hs src 10.150.0.0/16 10.149.0.0/16 10.151.0.0/16 10.152.0.0/16 10.153.0.0/16
acl ms src 10.142.0.0/16 10.140.0.0/16
acl ele src 10.104.0.0/16

#no cache settings
no_cache deny noc
no_cache deny admin
no_cache deny hs
no_cache deny ms
no_cache deny ele
no_cache deny all

http_access allow manager localhost
#http_access allow manager apache
http_access allow noc
http_access allow admin
http_access allow hs
http_access allow ms
http_access allow ele
http_access deny all

#Squid's user and group
cache_effective_user squid squid

#visible hostname
visible_hostname T1-2

# set log directories
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# set cache directories of 16GB each
cache_dir ufs /usr/local/squid/var/cache 100 16 256
request_header_max_size 1000 KB

# set the cache memory target for the Squid process
cache_mem 100 MB

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#
redirect_program /usr/local/bin/squidGuard
redirect_children 100
client_persistent_connections off
server_persistent_connections off
Re: [squid-users] best practice for transparent
On Dec 7, 2010, at 5:13 PM, Amos Jeffries wrote:

> Your log traces says "Accepting intercepted HTTP connections at
> 10.0.2.3:3128" So they are NAT interception connections.

question on terminology; which one do I use for 3.1

http_port 10.0.2.2:3128 transparent
or
http_port 10.0.2.2:3128 intercept

tnx
-j
[squid-users] it was a slow death
Greetings

i discovered the culprit to my woes as my internet connections slowly died. It was my 2 cache drives. As they would fill, and swap, and fill, and swap.. well you get the picture. Both drives just burned up and won't mount. So I'm running a cache_less system, which we are finding is really quick.

does this look right for intercept only no cache ? are there any performance adjustments I can do ?

squid 3.1.9

http_port 10.0.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
cache deny all
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
Re: [squid-users] Re: Squid + SSL + Safari
On Jan 24, 2011, at 1:09 PM, jam...@mail.milton.k12.wi.us wrote:

> Hello Folks,
>
>
>
> We're currently using squid + DG as a content filtering system and it's
> fantastic. The problem lies with a combination of Squid + Safari and the
> site facebook.com. Students can currently get around our blocks by
> changing the protocol from http to https. The logs show that squid sees
> the "CONNECT" function and tries to block it but it still passes through.
> All other browsers it's fine and all other sites + safari it appears to
> also be fine. Anyone have any ideas? We've tried blocking using DG and
> then directly through squid by blocking the CONNECT function to facebook.
>
> Squid version 3.0.STABLE24
>

Hi James,

I ran into the same problem using squidguard. I used a pretty harsh denial in my firewall. My squid SG works in " intercept " mode so I wrote an IPFW statement to deny https for facebook.

deny ip from any to 66.220.144.0/20 dst-port 443
deny ip from any to 69.63.176.0/20 dst-port 443

hope this helps
-j
Re: [squid-users] Some pages loading very slow in 3.1.10 Stable
On Jan 24, 2011, at 3:39 PM, Marcus Kool wrote:

> I did not find options to configure bind/named to ignore lookups either
> so I would love to see Squid have the new option.

man named

if you're running bind 9 you can force it to operate in v4 only.

named -4

OPTIONS
     -4      Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.
     -6      Use IPv6 only even if the host machine is capable of IPv4. -4 and -6 are mutually exclusive.
Re: [squid-users] "Bypassing" Squid
On Feb 8, 2011, at 8:49 PM, Jobst Schmalenbach wrote:

> Hi
>
> How can I let packages/sites "bypass" Squid?

it depends on how your users are configured. Do they have a static entry for an http proxy for their client? or is everything transparent ?

-j

>
> I do not mind if people listen to online stuff, what I mind is that I end up
> with loads of entries in the squid log and in the cache.
>
> For example I want squid not to touch/log/cache/whatever any packet that is
> "application/x-fcs" (and other media stuff)
>
>
> Is this correct, i.e. it will allow it through but not log nor cache it?
>
> Also is my understanding correct that ACL are cumulative (as below) so I can
> use multiple lines for the same ACL name?
>
>
> acl media urlpath_regex \.(afx|asf)(\?.*)?$
> acl media urlpath_regex \.flv(\?.*)?$
> acl media urlpath_regex \.swf(\?.*)?$
> acl media rep_mime_type x-fcs
>
> cache deny media
>
>
>
> Jobst
>
>
>
> --
> If you want something done, forbid your children from doing it.
>
> | |0| | Jobst Schmalenbach, jo...@barrett.com.au, General Manager
> | | |0| Barrett Consulting Group P/L & The Meditation Room P/L
> |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia