[squid-users] NTLM Authentication / access.log
Hello list, is there a way to prevent the logging of the 407/DENIED or 403/DENIED requests to squid? What should the acl for the access_log entry look like?

access_log [ [acl acl ...]]
acl log_todo (I have no idea)
access_log /var/log/squid/access.log squid log_todo

Has someone a solution for this?

-- regards, TR
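One way to do this, added here as an example and not taken from the thread, assumes Squid 2.6 or later, where access_log accepts an ACL list (the syntax quoted above) and the http_status ACL type exists. Rather than dropping the denied entries outright, which are exactly the lines you want when investigating a brute-forced account or a misconfigured client, route them to a separate file; the file names are assumed:

```conf
# Added example, not from the original post. Assumes Squid 2.6 or later.
# 407 = Proxy Authentication Required (the NTLM challenge), 403 = Forbidden.
acl denied_reply http_status 403 407

# Main log without the denied lines ...
access_log /var/log/squid/access.log squid !denied_reply

# ... and the denied lines kept on their own, so policy denials and
# authentication failures stay auditable instead of disappearing.
access_log /var/log/squid/denied.log squid denied_reply
```

With NTLM every new client connection produces one or two 407 challenges before the request is accepted, so 407 lines are mostly handshake noise; 403 lines are real policy denials, and a sudden burst of them from one source is worth alerting on, which is only possible if they are still written somewhere.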
Re: [squid-users] Regular Expression Content Changes
* Rob Gunther <[EMAIL PROTECTED]> wrote:
> I would like to use squid for a project I'm working on.
>
> What I basically want to do is have all HTML pages that are pulled
> through squid have some search & replace filters run on them before
> being fed back to the client and stored in the cache.
>
> I skimmed the manual, and see there are some plugins to do this to
> actual URL's themselves but does anyone have a suggestion how this
> could be done on actual HTML content?

Maybe this will work for you: http://sites.inka.de/~bigred/devel/squid-filter.html

-- regards, TR
Re: [squid-users] Regular Expression Content Changes
* Rob Gunther <[EMAIL PROTECTED]> wrote:
> I would like to use squid for a project I'm working on.
>
> What I basically want to do is have all HTML pages that are pulled
> through squid have some search & replace filters run on them before
> being fed back to the client and stored in the cache.
>
> I skimmed the manual, and see there are some plugins to do this to
> actual URL's themselves but does anyone have a suggestion how this
> could be done on actual HTML content?

I think it is planned for Squid 3, but the current 2.x releases don't have such a feature. If I am wrong and you find something useful - please tell me ;)

-- regards, TR
Re: [squid-users] SQUID + Trend Micro IWSS
* nonama <[EMAIL PROTECTED]> wrote:
> HI there,
> This is urgent. Need to find out some configuration & setting. Is there
> anybody out there using SQUID and Trend Micro IWSS (http anti virus
> scanning)? Please reply ASAP!!

Ask Trend Micro. It's a commercial product, where you buy the software and its support.

-- regards, TR
Re: [squid-users] Stream audio/video
* Marcel Werner <[EMAIL PROTECTED]> wrote:
> Hi *,
>
> I have to block all audio / video streams.
>
> I have created rules to block the download of *pls|mp3|
> That worked.
>
> But when the user goes to a website like:
>
> http://www.liveradio.de/
>
> and clicks the link, a php download opens and squid doesn't filter that
> thing.
>
> Ok now I have read about an acl like browser but the download is no
> mimetype video or audio, it's like a normal file.

Suggestion 1: Just use Squidwall and set up a banner filter with regex(7) expressions on the content (bcfilter). The squidwall filter would look like:

^Content-Type: application/x-shockwave-flash
^Content-Type: audio/.*
^Content-Type: video/.*

Every video/audio stream will be replaced with a 1x1 pixel ;)

Suggestion 2: If you want to show some deny page, you have to choose the crfilter - content regex filter. Every attempt to load some video will be redirected to your "Hey, YOU SHOULDN'T DO THAT" page ;)

-- regards, TR
Re: [squid-users] slow squid 2.6.stable3 comparing stable2 ?
When running stable3, there were many logs like this:

2006/08/19 22:08:04| STALE: Entry's timestamp greater than check time. Clock going backwards?
2006/08/19 22:08:04| check_time: Sat, 19 Aug 2006 15:07:04 GMT
2006/08/19 22:08:04| entry->timestamp: Sat, 19 Aug 2006 15:07:23 GMT
2006/08/19 22:08:04| staleness: 19

After downgrading again to stable2, no log like the above was found.
I'm using the same box & cache disk (cleaned first), with the same squid.conf file & exact ./configure options.
I test it regularly by surfing to popular sites. With stable3 it took longer to load a page.

Tino

- Original Message -
From: "Adrian Chadd" <[EMAIL PROTECTED]>
To: "tino" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, August 25, 2006 9:56 AM
Subject: Re: [squid-users] slow squid 2.6.stable3 comparing stable2 ?

On Fri, Aug 25, 2006, tino wrote:
> Hi, all
> I've upgraded from 2.6S2 to 2.6S3. It seems stable3 is noticeably slower.
> Yesterday I rolled back again to stable2, and it is faster.
> Both stable3 & stable2 utilize cpu, memory, fdescriptor almost the same.

How's squid-2.6stable3 noticeably slower? Can you provide further information?

Squid-2.6stable3 fixes quite a few bugs which you really do want to have fixed in your running caches.

Adrian
[squid-users] slow squid 2.6.stable3 comparing stable2 ?
Hi, all

I've upgraded from 2.6S2 to 2.6S3. It seems stable3 is noticeably slower. Yesterday I rolled back again to stable2, and it is faster.
Both stable3 & stable2 utilize cpu, memory, fdescriptor almost the same.
I'm using the same box & cache disk, with the same squid.conf file & exact ./configure options.
squid was transparent wccpv2+tproxy.

When running stable3, there were many logs like this:

2006/08/19 22:08:04| STALE: Entry's timestamp greater than check time. Clock going backwards?
2006/08/19 22:08:04| check_time: Sat, 19 Aug 2006 15:07:04 GMT
2006/08/19 22:08:04| entry->timestamp: Sat, 19 Aug 2006 15:07:23 GMT
2006/08/19 22:08:04| staleness: 19

After downgrading again to stable2, no log like the above was found.
When upgrading to stable3 and downgrading again to stable2, I'm formatting the cache disk first to make it clean.

regards,
Tino
Re: [squid-users] Squid -2.6 with Tproxy
have you tried my last hints?

I'm using fc4, then upgraded it to kernel 2.6.15.7 (did you use fc5? then there could be some problem downgrading from the original 2.6.16 to 2.6.15?) & patch cttproxy-2.6.15-2.0.4.tar.gz
iptables-1.3.0.tar.bz2 from netfilter.org (first I was using 1.3.4 & 5 which were not working)
after patching with balabit iptables, ./configure & make
make sure libipt_tproxy.so exists in /lib/iptables. If it is not there, then you have to 'gcc' manually from the iptables source you extracted, check inside the folder at /extensions/

regards,
Tino

- Original Message -
From: "Angel Mieres" <[EMAIL PROTECTED]>
To: "Sunil K.P." <[EMAIL PROTECTED]>
Cc:
Sent: Friday, August 18, 2006 7:08 PM
Subject: Re: [squid-users] Squid -2.6 with Tproxy

Sorry Sunil for my late reply (i have problems with my internet provider)

Of course i haven't been able to implement Tproxy, im using since the start only sources and all looks like it compiles ok.

This is my procedure:

- I patch kernel 2.6.15.2 vanilla with balabit patch from cttproxy-2.6.15-2.0.4.tar.gz
- modify my kernel adding TPROXY support.
- compiled & etc etc etc
- patch iptables sources 1.3.4, make KERNEL_DIR=... && make install KERNEL_DIR=...
- On squid-2.6STABLE2... "./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install" (if in this step you have problems copy /include/linux/netfilter_ipv4/ into your /usr/include/linux/netfilter_ipv4/ )

When i try to run squid in tproxy mode... Meeeak! Error port assign 0!
I think im dreaming of this error all night xD, the error looks like it's not able to spoof clients.

Can someone help us with this stuff?

On Wed, 16-08-2006 at 21:32 +0100, Sunil K.P. wrote:
Hi Angel,
Have you been able to implement Tproxy successfully?
Regards
Sunil

Angel Mieres wrote:
> Sunil, im trying to do the same that you are trying, i patched iptables
> 1.3.5 & 1.3.4 and the problem persists.
>
> Tino, have you got this working successfully? could you tell me which
> versions you used? (i refer to iptables, patch applied, kernel used,
> patch tproxy used...)
>
> Im using kernel 2.6.15.2 with balabit tproxy patch, iptables 1.3.5 and
> squid 2.6 STABLE2 and squid debug mode always shows me the same that
> Sunil shows.
>
> I think that my problem is on the iptables version and its patch.
>
> Regards,
> Angel M.
>
>> Your iptables patch is not complete
>> fc5 uses iptables rpm source, you need iptables from tar.gz/bz source
>> - uninstall the iptables rpm,
>> - download tar.gz/bz source from netfilter.org
>> - patch it with iptables-1.3-cttproxy.diff before ./configure
>>
>> rgds,
>> Tino
>>
>> - Original Message -
>> From: "Sunil K.P." <[EMAIL PROTECTED]>
>> To:
>> Sent: Friday, August 11, 2006 4:33 PM
>> Subject: [squid-users] Squid -2.6 with Tproxy
>>
>>> Hi,
>>>
>>> I have squid 2.6 STABLE 2 running on FC 2.6.15.2.
>>> It is working fine in transparent mode.
>>>
>>> But I am trying to use Tproxy so that all the requests will be spoofed
>>> to show the clients' IP address and not the cache server.
>>> The patches have been applied to the kernel, compiled and applied as
>>> per procedure.
>>> After restarting the system the modules ipt_tproxy and ipt_TPROXY are
>>> loaded.
>>>
>>> The problem starts when I apply the following iptables rule
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>>>
>>> The traffic stops going thru the cache server. If the rule is removed
>>> the traffic goes smoothly.
>>> Cache.log shows the following error
>>> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN
>>>
>>> There seems to be no proper documentation for implementation of tproxy
>>> with squid on the net.
>>> Pls. advise.
>>>
>>> Regards
>>> Sunil

-- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Hi, sorry for the late reply ..

I'm using fc4 & upgraded it to kernel 2.6.15.7
iptables-1.3.0.tar.bz2 from netfilter.org
after patching with balabit iptables, ./configure & make, make sure libipt_tproxy.so exists in /lib/iptables. If it is not there, then you have to 'gcc' manually from the iptables source you extracted, check inside the folder at /extensions/

- Original Message -
From: "Angel Mieres" <[EMAIL PROTECTED]>
To: "tino" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
Sent: Friday, August 11, 2006 6:46 PM
Subject: Re: [squid-users] Squid -2.6 with Tproxy

Sunil, im trying to do the same that you are trying, i patched iptables 1.3.5 & 1.3.4 and the problem persists.

Tino, have you got this working successfully? could you tell me which versions you used? (i refer to iptables, patch applied, kernel used, patch tproxy used...)

Im using kernel 2.6.15.2 with balabit tproxy patch, iptables 1.3.5 and squid 2.6 STABLE2 and squid debug mode always shows me the same that Sunil shows.

I think that my problem is on the iptables version and its patch.

Regards,
Angel M.

Your iptables patch is not complete
fc5 uses iptables rpm source, you need iptables from tar.gz/bz source
- uninstall the iptables rpm,
- download tar.gz/bz source from netfilter.org
- patch it with iptables-1.3-cttproxy.diff before ./configure

rgds,
Tino

- Original Message -
From: "Sunil K.P." <[EMAIL PROTECTED]>
To:
Sent: Friday, August 11, 2006 4:33 PM
Subject: [squid-users] Squid -2.6 with Tproxy

> Hi,
>
> I have squid 2.6 STABLE 2 running on FC 2.6.15.2.
> It is working fine in transparent mode.
>
> But I am trying to use Tproxy so that all the requests will be spoofed to
> show the clients' IP address and not the cache server.
> The patches have been applied to the kernel, compiled and applied as
> per procedure.
> After restarting the system the modules ipt_tproxy and ipt_TPROXY are
> loaded.
>
> The problem starts when I apply the following iptables rule
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>
> The traffic stops going thru the cache server. If the rule is removed
> the traffic goes smoothly.
> Cache.log shows the following error
> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN
>
> There seems to be no proper documentation for implementation of tproxy
> with squid on the net.
> Pls. advise.
>
> Regards
> Sunil

-- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Your iptables patch is not complete
fc5 uses iptables rpm source, you need iptables from tar.gz/bz source
- uninstall the iptables rpm,
- download tar.gz/bz source from netfilter.org
- patch it with iptables-1.3-cttproxy.diff before ./configure

rgds,
Tino

- Original Message -
From: "Sunil K.P." <[EMAIL PROTECTED]>
To:
Sent: Friday, August 11, 2006 4:33 PM
Subject: [squid-users] Squid -2.6 with Tproxy

Hi,

I have squid 2.6 STABLE 2 running on FC 2.6.15.2.
It is working fine in transparent mode.

But I am trying to use Tproxy so that all the requests will be spoofed to show the clients' IP address and not the cache server.
The patches have been applied to the kernel, compiled and applied as per procedure.
After restarting the system the modules ipt_tproxy and ipt_TPROXY are loaded.

The problem starts when I apply the following iptables rule
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

The traffic stops going thru the cache server. If the rule is removed the traffic goes smoothly.
Cache.log shows the following error
tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN

There seems to be no proper documentation for implementation of tproxy with squid on the net.
Pls. advise.

Regards
Sunil
[squid-users] Re: strange squid 2.6S1 behavior
Hi, Henrik

I've upgraded it from 2.6.stable1 to the daily auto-generated release, squid-2.6.STABLE1-20060724 2
Running wccpv2+cttproxy almost 24 hours stable & fast without the 'xstrdup' message which caused squid to restart
I'm looking forward to stable2.

regards,
Tino

- Original Message -
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "tino" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, July 25, 2006 6:02 PM
Subject: Re: strange squid 2.6S1 behavior

On Mon, 2006-07-24 at 15:53 +0700, tino wrote:
> Jul 24 15:38:32 tproxy (squid): xstrdup: tried to dup a NULL pointer!

Probably an already fixed bug, but please get a stack trace and file a bug report just in case.

Regards
Henrik
[squid-users] Re: strange squid 2.6S1 behavior
Hi,

Sorry, this is my message log (I had turned off syslog before)

Jul 24 15:38:32 tproxy (squid): xstrdup: tried to dup a NULL pointer!
Jul 24 15:38:33 tproxy squid[2049]: Squid Parent: child process 2051 exited due to signal 6

I thought it was a bug listed in Squid-2.6.PRE1?
http://www.squid-cache.org/bugs/show_bug.cgi?id=1589
Which patch should I add?
I'm on 2.6.stable1, wccpv2+cttproxy

regards,
Tino

- Original Message -
From: tino
To: squid-users@squid-cache.org
Sent: Monday, July 24, 2006 2:29 PM
Subject: strange squid 2.6S1 behavior

hi,

I noticed something strange, suddenly the cache hit becomes zero for a couple of seconds & then ok again

Cache information for squid:
Request Hit Ratios:        5min: 0.0%, 60min: 0.0%
Byte Hit Ratios:           5min: -0.0%, 60min: -0.0%
Request Memory Hit Ratios: 5min: 0.0%, 60min: 0.0%
Request Disk Hit Ratios:   5min: 0.0%, 60min: 0.0%

I was using wccpv2
When this happened, wccp was still up & redirecting packets, access.log still active writing client responses.
NO error in /var/log/message or cache.log
Anyone experience the same problem?

regards,
Tino
Re: [squid-users] 2.6S1 WCCP2 problems
Yes, check your rp_filter=0
Be sure to try your squid in non-transparent mode (fill in the proxy in the client browser) and check it works well
You also could search topics on the web
http://www.squid-cache.org/mail-archive/squid-users/200502/0909.html

rgds,
Tino

- Original Message -
From: "Bryan Shoebottom" <[EMAIL PROTECTED]>
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
Cc: "tino" <[EMAIL PROTECTED]>;
Sent: Thursday, July 20, 2006 2:54 AM
Subject: Re: [squid-users] 2.6S1 WCCP2 problems

Henrik,

I will give that a shot. Is there any reason why this isn't in the FAQ? This is the first place I checked when my config didn't work.

Thanks,
Bryan

On Wed, 2006-07-19 at 10:04 -0400, Henrik Nordstrom wrote:
On Wed 2006-07-19 at 07:25 +0700, tino wrote:
> RE: [squid-users] 2.6S1 WCCP2 problems
> http_port 3128 transparent vhost vport=80

why vhost and vport=80? These are for accelerator/reverse proxy mode, not Internet proxies.. The transparent keyword takes care of all which is needed in transparent interception.

> #-at squid:
> insmod ip_gre
> ifconfig gre0 up
> ip addr add 172.0.0.2 255.255.255.252 dev gre0

I would say it's better to create a new GRE tunnel for the router.

ip tunnel add wccp mode gre remote ip.of.router
ip addr add proxy.server.ip/32 dev wccp
ip link set wccp up

and intercepted packets redirected by the router should be coming in on the virtual wccp interface, where they can easily be redirected to Squid

iptables -t nat -A PREROUTING -i wccp -p tcp -j REDIRECT --to 3128

You quite likely also need to disable reverse-path lookups on the wccp interface

echo 0 >/proc/sys/net/ipv4/conf/wccp/rp_filter

IP forwarding does not need to be enabled.

Regards
Henrik
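Henrik's GRE recipe above, collected into one re-runnable script, as an added example rather than anything from the thread. It assumes iproute2, an iptables new enough to support "-C" (1.4.11 or later, so it can skip a rule that already exists), a kernel with the ip_gre module, and Squid listening on 3128 with "http_port 3128 transparent". The REDIRECT is limited to port 80 arriving on the tunnel interface only, so the NAT rule cannot turn the box into a redirector for traffic from any other interface. ROUTER_IP and PROXY_IP are placeholders; the 192.0.2.x addresses are documentation space.

```sh
#!/bin/sh
# Added example (not from the thread): Henrik's WCCP GRE recipe as a script.
# Usage: wccp-gre.sh print ROUTER_IP PROXY_IP   # show the commands only
#        wccp-gre.sh apply ROUTER_IP PROXY_IP   # run them, as root, idempotently
# Assumes iproute2, iptables >= 1.4.11 (for -C), the ip_gre module, and Squid
# on port 3128 with "http_port 3128 transparent". Addresses are placeholders.

# wccp_cmds ROUTER_IP PROXY_IP [TUNNEL] [SQUID_PORT]
# Prints the commands, one per line, without executing anything.
wccp_cmds() {
    router="$1"; proxy="$2"; tun="${3:-wccp}"; port="${4:-3128}"
    printf '%s\n' \
        "modprobe ip_gre" \
        "ip tunnel add $tun mode gre remote $router" \
        "ip addr add $proxy/32 dev $tun" \
        "ip link set $tun up" \
        "sysctl -q -w net.ipv4.conf.$tun.rp_filter=0" \
        "iptables -t nat -A PREROUTING -i $tun -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# wccp_apply ROUTER_IP PROXY_IP [TUNNEL] [SQUID_PORT]
# Runs the commands, skipping the ones whose effect is already present so the
# script can be re-run from an init script without errors or duplicate rules.
wccp_apply() {
    proxy="$2"; tun="${3:-wccp}"
    [ "$(id -u)" -eq 0 ] || { echo "wccp_apply: must run as root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    wccp_cmds "$@" > "$tmp"
    while IFS= read -r cmd; do
        case "$cmd" in
            "ip tunnel add "*)
                ip link show "$tun" >/dev/null 2>&1 && continue ;;
            "ip addr add "*)
                ip addr show dev "$tun" 2>/dev/null | grep -q "inet $proxy/32" && continue ;;
            "iptables -t nat -A "*)
                # -C returns 0 when an identical rule is already in the chain
                check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
                $check >/dev/null 2>&1 && continue ;;
        esac
        echo "+ $cmd"
        $cmd || { rm -f "$tmp"; return 1; }
    done < "$tmp"
    rm -f "$tmp"
    # On current kernels the effective rp_filter is the max of "all" and the
    # per-interface value, so all=1 still drops the redirected packets even
    # after the per-interface 0 above. Loose mode (2) keeps the other
    # interfaces protected; Henrik's 2006-era kernels did not need this.
    if [ "$(sysctl -n net.ipv4.conf.all.rp_filter 2>/dev/null)" = "1" ]; then
        echo "warning: net.ipv4.conf.all.rp_filter=1 overrides the per-interface 0;" \
             "set it to 2 (loose) for the redirect to work" >&2
    fi
}

case "${1:-}" in
    print) shift; wccp_cmds "$@" ;;
    apply) shift; wccp_apply "$@" ;;
esac
```

Run it with "print" first and compare the output against what the router expects (the tunnel's remote must be the router identifier it announces, i.e. its loopback when one is configured, as the thread discusses); only then "apply". IP forwarding is deliberately not touched, as Henrik notes it is not needed.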
Re: [squid-users] 2.6S1 WCCP2 problems
RE: [squid-users] 2.6S1 WCCP2 problems

http_port 3128 transparent vhost vport=80
tcp_outgoing address 10.10.10.1
wccp2_router 10.10.10.2
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

As far as I know, with kernel 2.6.9 & up you do need to bring up loopback0 at the cisco router (this is because wccp will use it as router identifier)

#at router :
interface lo0
 ip address 172.0.0.1 255.255.255.252
 no shut

#-at squid:
insmod ip_gre
ifconfig gre0 up
ip addr add 172.0.0.2 255.255.255.252 dev gre0

If you shut loopback0, the wccp mechanism is still alive at the router, but no traffic is being redirected (the gre tunnel is established between lo0 <--> gre0 & via this tunnel the web traffic is redirected)

Also put "ip wccp web-cache exclude in" on the router interface where squid is attached & make sure it is not the same vlan where traffic is redirected

regards
Tino

- Original Message -
From: Shoebottom, Bryan
To: tino ; squid-users@squid-cache.org
Sent: Tuesday, July 18, 2006 7:06 PM
Subject: RE: [squid-users] 2.6S1 WCCP2 problems

Tino,

Our loopback interface is not configured and never has been in the past for caches to work. You do bring up an interesting point of the IP address of the gre interface. In the past I have simply used an IP that is not on our network, maybe I can't do that anymore.

What wccp directives do you have configured in your squid.conf?

Thanks,
Bryan

-----Original Message-----
From: tino [mailto:[EMAIL PROTECTED]
Sent: Mon 7/17/2006 8:17 PM
To: Shoebottom, Bryan; squid-users@squid-cache.org
Subject: Re: [squid-users] 2.6S1 WCCP2 problems

Hi, Bryan

what is your interface loopback0 status & ip address at the L3 6500? It should be in the same subnet with your gre0 ip address.

I'm running a 6500 earlier version than yours (supervisor engine-1a & msfc1), ip cef enabled, & wccpv2 works ok with squid-2.6S1, I'm using kernel 2.6.15.7 with ip_gre loaded from kernel module.
It also works when I put squid-2.6.S1 with a 3620 router, ios 12.2(t) & as5300, ios 12.0.7(t)

also, make sure iptables is loaded first before running squid

rgds,
Tino

- Original Message -
From: Shoebottom, Bryan <mailto:[EMAIL PROTECTED]>
To: tino <mailto:[EMAIL PROTECTED]> ; squid-users@squid-cache.org
Sent: Monday, July 17, 2006 7:29 PM
Subject: RE: [squid-users] 2.6S1 WCCP2 problems

- 6500 running code 12.1(26)E
- ip wccp web redirect in configured on vlans
  ip wccp web-cache
- 2.6.17
- /sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

eth0      Link encap:Ethernet  HWaddr 00:14:C2:C3:3B:1D
          inet addr:10.10.101.3  Bcast:10.10.101.7  Mask:255.255.255.248
          inet6 addr: fe80::214:c2ff:fec3:3b1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7311146 (6.9 MiB)  TX bytes:6586185 (6.2 MiB)
          Interrupt:185

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-BD-BF-A8-4C-00-00-00-00-00-00-00-00
          inet addr:10.2.1.1  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19992 (19.5 KiB)  TX bytes:19992 (19.5 KiB)

I have enabled wccp2 when configuring squid.

Thanks,
Bryan

-----Original Message-----
From: tino [mailto:[EMAIL PROTECTED]
Sent: Sun 7/16/2006 11:11 PM
To: Shoebottom, Bryan; squid-users@squid-cache.org
Subject: Re: [squid-users] 2.6S1 WCCP2 problems

give me this data :
- cisco router version & ios version
- cisco running config
- kernel version
- iptables setting
- output of ifconfig
- when ./configure, you need to add this option --enable_wccpv2

rgds,
Tino

- Original Message -
From: "Shoebottom, Bryan" <[EMAIL PROTECTED]>
To:
Sent: Saturday, July 15, 2006 1:27 AM
Subject: RE: [squid-users
Re: [squid-users] 2.6S1 WCCP2 problems
give me this data :
- cisco router version & ios version
- cisco running config
- kernel version
- iptables setting
- output of ifconfig
- when ./configure, you need to add this option --enable_wccpv2

rgds,
Tino

- Original Message -
From: "Shoebottom, Bryan" <[EMAIL PROTECTED]>
To:
Sent: Saturday, July 15, 2006 1:27 AM
Subject: RE: [squid-users] 2.6S1 WCCP2 problems

Does anyone have this problem on 2.6S1???

With debug on on the router I get this error:
Here_I_Am packet from 10.10.101.3 w/bad rcv_id

Any help would be appreciated.

Thanks,
Bryan

-----Original Message-----
From: Shoebottom, Bryan [mailto:[EMAIL PROTECTED]
Sent: July 13, 2006 1:18 PM
To: squid-users@squid-cache.org
Subject: [squid-users] 2.6S1 WCCP2 problems

Hey,

I can't seem to get wccpv2 working in squid 2.6Stable1. My wccp config is as follows:

wccp2_router 10.10.101.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

My router only seems to see L2 redirection even though I have specified GRE/WCCP:

ROUTER#sho ip wcc we d
WCCP Cache-Engine information:
        Web Cache ID:          10.10.101.3
        Protocol Version:      2.0
        State:                 NOT Usable
        Redirection:           L2
        Packet Return:         L2
        Packets Redirected:    0
        Connect Time:          00:00:29
        Assignment:            MASK
ROUTER#

After 30 seconds, the connect time for the cache restarts. I am running a 2.6.17 kernel which supports WCCP in the GRE module and have this loaded as gre0.

Has anyone else gotten this to work under the new 2.6 release yet? Anyone have any suggestions?

Thanks,
Bryan
[squid-users] Re: error transparent squid.2.6.stable1 with wccpv2 and tproxy
partially solved, my iptables patch was not complete (re-patched again with iptables tar source, not rpm)

right now :
- no /var/log/message indicates an error
- no cache.log error

I saw wccp hit increments at the router, by redirecting packets to the squid-box.

Service Identifier: 80
    Number of Cache Engines:        1
    Number of routers:              1
    Total Packets Redirected:       1123
    Redirect access-list:           155
    Total Packets Denied Redirect:  650922
    Total Packets Unassigned:       25043
    Group access-list:              -none-
    Total Messages Denied to Group: 0
    Total Authentication failures:  0
Service Identifier: 90
    Number of Cache Engines:        1
    Number of routers:              1
    Total Packets Redirected:       224
    Redirect access-list:           156
    Total Packets Denied Redirect:  206844
    Total Packets Unassigned:       17095
    Group access-list:              -none-
    Total Messages Denied to Group: 0
    Total Authentication failures:  0

I saw hit increments in iptables :

Chain PREROUTING (policy ACCEPT 11517 packets, 2009K bytes)
 pkts bytes target  prot opt in  out  source    destination
   76 24942 TPROXY  all  --  any any  anywhere  anywhere   TPROXY redirect 0.0.0.0:3128

But still no hit at access.log, and my host still can't open the web

My last squid-box config :

#iptables :
iptables -t tproxy -A PREROUTING -j TPROXY --on-port 3128

#part squid.conf :
http_port 3128 transparent tproxy vhost vport=80
always_direct allow all
wccp2_router y.y.y.y
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=dst_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80

#part of my cisco config:
ip wccp 80 redirect-list 155
ip wccp 90 redirect-list 156
int fasteth0
 ip wccp 80 redirect out
int fasteth1
 ip wccp 90 redirect out
int fasteth3
 ip wccp redirect exclude in    ( the port that the squid-box is attached to)
access-list 155 permit ip host x.x.x.x any
access-list 156 permit ip any host x.x.x.x

#modules:
[EMAIL PROTECTED] sbin]# lsmod
Module          Size  Used by
ipt_TPROXY      2176  1
iptable_tproxy 17708  1
ip_nat         18604  1 iptable_tproxy
ip_conntrack   49836  2 iptable_tproxy,ip_nat
ip_tables      20096  2 ipt_TPROXY,iptable_tproxy
ip_gre         13472  0

Has anyone tried this with success? no clues when googled

regards,
Tino

- Original Message -
From: "tino" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, July 11, 2006 9:27 AM
Subject: error transparent squid.2.6.stable1 with wccpv2 and tproxy

Hi,

I just installed squid.2.6.stable1, kernel 2.6.15.7 with cttproxy
It works well when running transparent & wccpv2 web-cache mode
But when I add a wccp dynamic service for IP-Spoof, I get an error :

2006/07/11 08:00:37| tproxy ip=x.x.x.x,0x7a0989ca,port=0 ERROR ASSIGN

#part of my squid.conf :
http_port 3128 transparent tproxy vhost vport=80
always_direct allow all
wccp2_router x.x.x.x
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=1 ports=80

#part of my cisco run:
ip wccp web-cache redirect-list 155
ip wccp 90 redirect-list 156
int fasteth0
 ip wccp web-cache redirect out
int fasteth1
 ip wccp 90 redirect out

#my iptables at linux:
Chain PREROUTING (policy ACCEPT 262 packets, 18290 bytes)
 pkts bytes target    prot opt in   out  source    destination
  112  6710 REDIRECT  tcp  --  gre0 any  anywhere  anywhere   tcp dpt:http redir ports 3128

#my sysctl:
[EMAIL PROTECTED] sbin]# sysctl -a | grep rp.filter
net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

regards,
Tino
[squid-users] error transparent squid.2.6.stable1 with wccpv2 and tproxy
Hi,

I just installed squid.2.6.stable1, kernel 2.6.15.7 with cttproxy
It works well when running transparent & wccpv2 web-cache mode
But when I add a wccp dynamic service for IP-Spoof, I get an error :

2006/07/11 08:00:37| tproxy ip=x.x.x.x,0x7a0989ca,port=0 ERROR ASSIGN

#part of my squid.conf :
http_port 3128 transparent tproxy vhost vport=80
always_direct allow all
wccp2_router x.x.x.x
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=1 ports=80

#part of my cisco run:
ip wccp web-cache redirect-list 155
ip wccp 90 redirect-list 156
int fasteth0
 ip wccp web-cache redirect out
int fasteth1
 ip wccp 90 redirect out

#my iptables at linux:
Chain PREROUTING (policy ACCEPT 262 packets, 18290 bytes)
 pkts bytes target    prot opt in   out  source    destination
  112  6710 REDIRECT  tcp  --  gre0 any  anywhere  anywhere   tcp dpt:http redir ports 3128

#my sysctl:
[EMAIL PROTECTED] sbin]# sysctl -a | grep rp.filter
net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

regards,
Tino
[squid-users] error compile squid2.6.stable1
Hi,

I just configured squid.2.6.stable1 (fedora4 & kernel 2.6.15.7 with cttproxy patch) & get the following error :

tools.c:40:28: error: sys/capability.h: No such file or directory
tools.c: In function 'leave_suid':
tools.c:636: error: 'cap_user_header_t' undeclared (first use in this function)
tools.c:636: error: (Each undeclared identifier is reported only once
tools.c:636: error: for each function it appears in.)
tools.c:636: error: syntax error before 'head'
tools.c:637: error: 'cap_user_data_t' undeclared (first use in this function)
tools.c:639: error: 'head' undeclared (first use in this function)
tools.c:639: error: '_LINUX_CAPABILITY_VERSION' undeclared (first use in this function)
tools.c:641: error: 'cap' undeclared (first use in this function)
tools.c:641: error: 'CAP_NET_ADMIN' undeclared (first use in this function)
tools.c:641: error: 'CAP_NET_BIND_SERVICE' undeclared (first use in this function)
tools.c:641: error: 'CAP_NET_BROADCAST' undeclared (first use in this function)
tools.c:642: warning: implicit declaration of function 'capset'

solved after copying capability.h from /usr/include/linux/ to /usr/include/sys/

regards,
Tino
Re: [squid-users] Squid acl containing hostnames issue
* Jason Bassett <[EMAIL PROTECTED]> wrote:
>
> I am therefore looking for the easiest and most time effective method
> of blocking rooms when required. Hostnames seemed to be the best way.
>
> Any ideas on this issue?

Restricting access on a per-user basis can also be done... just install an ident daemon with your netlogon script and forbid / allow access based on that. Ident daemons are available for most (all?) Operating Systems...

I have written a redirector, where you can allow / disallow access to users / hosts per web interface on-the-fly ... maybe that's also a point :)

See http://www.mcmilk.de/projects/squidwall/ for more information about the redirector.

-- regards, TR
[squid-users] SQUID authentication, re-authentication necessary
Hello,

I have 2 squid servers working in a chain. The first forwards all queries to the second. The second asks for password authentication. Most of the time it works very well, but sometimes the users have to repeat the authentication two or three times before the user is authenticated by squid.

Any recommendations?

Kind regards
Chiabudini, Tino

CNS Systemhaus Hoyerswerda
02977 Hoyerswerda
Industriegelände Str. E
Tel.: 03571-9122-0
Fax: 03571-9122-16
eMail: [EMAIL PROTECTED]
Re: [squid-users] Which the best OS for Squid?
* Odhiambo Washington <[EMAIL PROTECTED]> wrote:
> * On 06/10/05 23:25 +1300, D & E Radel wrote:
>>
>> - Original Message -
>> From: "Askar" <[EMAIL PROTECTED]>
>> To: "Bonnici Daniel" <[EMAIL PROTECTED]>
>> Cc:
>> Sent: Thursday, October 06, 2005 11:09 PM
>> Subject: Re: [squid-users] Which the best OS for Squid?
>>
>>> Bonnici Daniel wrote:
>>>
>>>> Hi, which is the best linux OS for security and to run squid??
>>>>
>>>> cheers
>>>>
>>>> Daniel
>>>
>>> www.slackware.com
>>>
>>> coz it follows KISS (Keep It Simple Stupid) ;)
>>
>> Debian, "apt-get install squid". :-)
>
> FreeBSD, "portinstall squid". :-)))

Arch Linux "pacman -S squid" :-()

-- regards, TR
AW: AW: [squid-users] problems with squid 2.5.Stable7 in accelerator mode with https
Hello Henrik

thanks for your help. I have changed my configuration like this:

https_port 192.168.20.10:443 cert=/opt/squid/etc/cert/server.crt key=/opt/squid/etc/cert/server.pem defaultsite=exchange.testnetz.de

i think defaultsite is ok. before i modified the dns, the clients connected to the OWA with "http://exchange.testnetz.de/exchange".

cache_peer 192.168.20.20 parent 80 0 originserver proxy-only no-query no-digest front-end-https=on login=pass

192.168.20.20 is the IP of the Exchange server (exchange.testnetz.de).

My client is connecting to the squid with https. Squid tries to connect to the Exchange server on port 443 (https) but my Exchange is listening on port 80:

09:50:50.341989 192.168.10.10.1583 > 192.168.20.20.443: S 2333132721:2333132721(0) win 5840 (DF)
09:50:50.342175 192.168.20.20.443 > 192.168.10.10.1583: R 0:0(0) ack 2333132722 win 0

I have found a patch for a similar problem "cache_peer originserver connects to wrong port". If i try to apply this patch, i see the following errors:

squid:/usr/src# ls -la
total 53060
drwxrwsr-x    9 root src    4096 Dec 23 10:49 .
drwxr-xr-x   12 root root   4096 Nov 15 13:17 ..
drwxrwxrwx   14 1012 1012   4096 Aug 16  2003 squid-3.0-PRE3
lrwxrwxrwx    1 root src      14 Dec 22 11:02 squid3 -> squid-3.0-PRE3
squid:/usr/src# patch -p0 < squid-3.0.PRE3-originserver_port.patch
patching file squid3/src/forward.cc
Hunk #1 FAILED at 576.
1 out of 1 hunk FAILED -- saving rejects to file squid3/src/forward.cc.rej
squid:/usr/src#

Is this patch required?

tino

> On Tue, 21 Dec 2004, Glatzel Tino wrote:
>
>> Hello Henrik,
>>
>> I have tested squid-3.0pre3 the last three days, but without success.
>> I access exchange.testnetz.de with https from the browser of my client.
>> I see the authentication dialog and with netstat -an i see the
>> connections from the client to the squid with port 443. If i press the
>> OK-Button in the authentication dialog i see a message like: "You will
>> leave a secure internet connection". If i press the OK-Button a new
>> authentication dialog pops up. At the client i see the connection with
>> port 80 to the squid. My client resolves the name of the Exchange with
>> the ip of the squid. The Squid resolves the name of the Exchange with
>> the real ip-address. Squid is compiled with:
>>
>> ./configure --prefix=/opt/squid-3.0-PRE3 --exec-prefix=/opt/squid-3.0-PRE3 --enable-ssl --enable-x-accelerator-vary
>> make
>> make install
>>
>> squid.conf:
>>
>> http_port 192.168.20.10:80 accel defaultsite=exchange.testnetz.de
>>
>> https_port 192.168.20.10:443 accel defaultsite=exchange.testnetz.de protocol=http cert=/opt/squid/etc/cert/server.crt key=/opt/squid/etc/cert/server.pem
>
> Don't use protocol=.. there
>
> And the defaultsite=.. should be the exact name you are requesting in the
> browser, not the actual server name.
>
> if unsure use the vhost option in which case Squid will automatically pick
> up whatever you typed in your browser and forward this to OWA for use when
> rendering links within the OWA application.
>
>> cache_peer exchange.testnetz.de parent 80 0 proxy-only originserver forceddomain=exchange.testnetz.de front-end-https=on
>
> Since you accept both http and https you should use front-end-https=auto
>
> Don't use forceddomain. This is only needed in a very special case
> involving redundant servers needing to be called by their explicit name.
>
> Regards
> Henrik
[squid-users] problems with squid 2.5.Stable7 in accelerator mode with https
Hello list,

I want to use my squid in accelerator mode to secure the access to our Exchange Server (Outlook Web Access). If I use port 80 to connect to the squid, it works fine. All traffic to the Exchange Server will be routed to the squid; with netstat -an I can see it. If I connect with port 443 to the squid, I see a message like this: "The site contains secure and unsecure objects. Do you want to display the unsecure objects?" When I press the YES button, my workstation connects to the Exchange Server directly. I see it with netstat -an.

This is my configuration:

Debian GNU Linux woody
Squid-2.5.Stable7

Usersystem  --HTTPS-->  Squid             --HTTP-->  Exchange Server
                        owa.testnetz.de              exchange.testnetz.de
                        192.168.20.10                192.168.20.20
Request: https://owa.testnetz.de/exchange
Certificate is generated for owa.testnetz.de

/opt/squid/etc/squid.conf

http_port 80
https_port 443 cert=/opt/squid/etc/server.crt key=/opt/squid/etc/server.key
httpd_accel_host 192.168.20.20
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_single_host off
cache_mgr [EMAIL PROTECTED]
visible_hostname owa.testnetz.de
dns_testnames owa.testnetz.de
debug_options ALL,2
logfile_rotate 5
cache_log /opt/squid/var/logs/cache.log
cache_access_log /opt/squid/var/logs/access.log
cache_store_log /opt/squid/var/logs/store.log
coredump_dir /opt/squid/var/logs/
pid_filename /opt/squid/var/logs/squid.pid
error_directory /opt/squid/share/errors/German
cache_replacement_policy lru
cache_dir ufs /opt/squid/var/cache 1024 64 256
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2046 MB
store_dir_select_algorithm least-load
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
memory_replacement_policy lru
mime_table /opt/squid/etc/mime.conf
ipcache_size 1
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
refresh_pattern . 0 20% 4320
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Exchange_IP dst 192.168.20.20
acl SSL_ports port 443
acl Safe_ports port 443 # https
acl Safe_ports port 80 # http
acl Exchange_Port port 80
acl CONNECT method CONNECT
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow all Exchange_IP
http_access deny all
http_reply_access allow all
icp_access deny all
cache_effective_user squid
cache_effective_group squid

/etc/hosts

edm:~# cat /etc/hosts
127.0.0.1 localhost
192.168.20.20 owa.testnetz.de owa

Can anyone help me??

tino

Kind regards
Tino Glatzel

badenIT
Innovation technology for your future

Tino Glatzel
badenIT GmbH
System Support
Tullastr. 70
D-79108 Freiburg
Tel. +49 761 279-2804
Fax +49 761 279-572804
mailto:[EMAIL PROTECTED]
www.badenIT.de
[squid-users] Squid 2.5Stable7 with NTLM -- Number of maximum children
Hello,

I use Samba-3.0.8pre1 in an ADS Domain and Squid 2.5Stable7 for NTLM Authentication. With the following parameters, it works fine:

auth_param ntlm children 13
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

After changing the auth_param ntlm children to 14, squid can't start. I see the following errors:

Nov 26 16:45:01 squid squid[1204]: Squid Parent: child process 1206 exited due to signal 9
Nov 26 16:45:01 squid squid[1233]: Squid Parent: child process 1235 started
Nov 26 16:45:01 squid (squid): Failed to create unlinkd subprocess
Nov 26 16:45:01 squid squid[1233]: Squid Parent: child process 1235 exited due to signal 6
Nov 26 16:45:04 squid squid[1233]: Squid Parent: child process 1256 started
Nov 26 16:45:05 squid (squid): Failed to create unlinkd subprocess
Nov 26 16:45:05 squid squid[1233]: Squid Parent: child process 1256 exited due to signal 6
Nov 26 16:45:08 squid squid[1233]: Squid Parent: child process 1277 started
Nov 26 16:45:08 squid (squid): Failed to create unlinkd subprocess
Nov 26 16:45:08 squid squid[1233]: Squid Parent: child process 1277 exited due to signal 6
Nov 26 16:45:11 squid squid[1233]: Squid Parent: child process 1298 started
Nov 26 16:45:12 squid (squid): Failed to create unlinkd subprocess
Nov 26 16:45:12 squid squid[1233]: Squid Parent: child process 1298 exited due to signal 6
Nov 26 16:45:15 squid squid[1233]: Squid Parent: child process 1319 started
Nov 26 16:45:15 squid (squid): Failed to create unlinkd subprocess
Nov 26 16:45:15 squid squid[1233]: Squid Parent: child process 1319 exited due to signal 6
Nov 26 16:45:15 squid squid[1233]: Exiting due to repeated, frequent failures

What's wrong? Can anyone help me?

tino
[squid-users] maximum_object_size 2 GB
Hello,

if the parameter maximum_object_size 2 GB is set, squid doesn't cache files on the disk. Why? The squid is squid-2.5.STABLE6 with the ufs-patch.

Without the parameter maximum_object_size 2 GB I see the following messages in store.log:

1092981051.275 SWAPOUT 00 000C 766D43AFC4F5F97EA1BA769F65A0D69E 200 1092981051 1069086584-1 image/jpeg 3796/3796 GET http://www.xxx.de/images/xxx.jpg

With the parameter maximum_object_size 2 GB I see the following messages in store.log:

1092980898.479 RELEASE -1 C2CBC3753455A9B4464FDC5633167FB4 200 1092980898 1069086584-1 image/jpeg 3796/3796 GET http://www.xxx.de/images/xxx.jpg

After a change in the config file, I have removed the files in the cache directory and I have done a squid -z.

What is wrong with the parameter maximum_object_size?

tino
[squid-users] SO_FAIL
Hello,

Squid does not save internet files on the hard disk. In the store.log, I see the following messages:

1092911664.677 SO_FAIL -1 AA5601EB2B243693AFEAFAEF68C230BF 200 1092911664 1092815319-1 text/html 15488/13312 GET http://www.qmail.org/
1092911664.731 SO_FAIL -1 AA5601EB2B243693AFEAFAEF68C230BF 200 1092911664 1092815319-1 text/html 15488/14760 GET http://www.qmail.org/
1092911664.781 SO_FAIL -1 AA5601EB2B243693AFEAFAEF68C230BF 200 1092911664 1092815319-1 text/html 15488/15488 GET http://www.qmail.org/
1092911664.781 SO_FAIL -1 AA5601EB2B243693AFEAFAEF68C230BF 200 1092911664 1092815319-1 text/html 15488/15488 GET http://www.qmail.org/
1092911664.821 SO_FAIL -1 AA5601EB2B243693AFEAFAEF68C230BF 200 1092911664 1092815319-1 text/html 15488/15488 GET http://www.qmail.org/
1092911665.507 SO_FAIL -1 E92BF1F9FA38BCA0CB53FF7B795CA79C 200 1092911665 1047680620-1 image/gif 36/36 GET http://www.qmail.org/red.gif
1092911665.553 SO_FAIL -1 6294F0BE30FE84B743E3B80BD9F6CF3A 200 1092911665 978674019-1 image/gif 1444/1444 GET http://www.qmail.org/powered-by-djbdns.gif

My system is a Debian woody with kernel 2.4.26. The Squid version is:

squid1:~# /opt/squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE6
configure options: --prefix=/opt/squid-2.5.STABLE6 --exec-prefix=/opt/squid-2.5.STABLE6 --enable-auth=ntlm,basic --enable-external-acl-helpers=wbinfo_group --with-samba-sources=/usr/src/samba-3.0.4
squid1:~#

I have not found documentation about these messages. Can anyone help me?

Tino
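Added example (not from the thread and not Squid's own code): a small parser for the store.log layout quoted in the maximum_object_size and SO_FAIL posts above, which tallies SWAPOUT/RELEASE/SO_FAIL entries and lists 2xx objects that fit the configured maximum_object_size yet were not written to disk. The sample lines, cache keys and URLs are constructed; the field order assumed is Squid 2.5's store.log (time, action, dir, file number, key, status, date, last-modified, expires, type, expected/written bytes, method, URL), anchored on the 32-hex key because the dir/file columns differ between SWAPOUT and RELEASE lines.

```python
"""Triage Squid 2.5 store.log: which objects reached disk (SWAPOUT) and which
did not (RELEASE, SO_FAIL). Sample data below is constructed, not real logs."""
import re
from collections import Counter

# A store.log line: time action dir file key status date lastmod expires
# type expected/written method url. dir/file are "00 000C" for SWAPOUT and
# "-1 FFFFFFFF" (or just "-1") when no swap file exists, so anchor on the key.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_store_line(line):
    f = line.split()
    key_idx = next((i for i, tok in enumerate(f) if i >= 2 and HEX_KEY.match(tok)), None)
    if key_idx is None or len(f) < key_idx + 9:
        raise ValueError("not a store.log line: %r" % line)
    status, date, lastmod, expires, ctype, sizes, method = f[key_idx + 1:key_idx + 8]
    expected, written = (int(x) for x in sizes.split("/"))
    return {"time": float(f[0]), "action": f[1], "key": f[key_idx],
            "status": int(status), "date": int(date), "last_modified": int(lastmod),
            "expires": int(expires), "content_type": ctype, "expected_len": expected,
            "written_len": written, "method": method, "url": " ".join(f[key_idx + 8:])}

def triage(lines, max_object_size):
    """Return (action counts, objects that look cacheable yet were not stored):
    2xx replies whose expected length fits max_object_size (bytes) but whose
    action is RELEASE or SO_FAIL. written_len < expected_len marks a partial write."""
    counts, not_stored = Counter(), []
    for rec in map(parse_store_line, lines):
        counts[rec["action"]] += 1
        if (rec["action"] in ("RELEASE", "SO_FAIL") and 200 <= rec["status"] < 300
                and rec["expected_len"] <= max_object_size):
            not_stored.append((rec["action"], rec["url"], rec["expected_len"], rec["written_len"]))
    return counts, not_stored

SAMPLE = [  # constructed lines in the Squid 2.5 store.log layout
    "1092981051.275 SWAPOUT 00 000C 0123456789ABCDEF0123456789ABCDEF 200 1092981051 "
    "1069086584 -1 image/jpeg 3796/3796 GET http://www.example.com/images/a.jpg",
    "1092980898.479 RELEASE -1 FFFFFFFF 0123456789ABCDEF0123456789ABCDF0 200 1092980898 "
    "1069086584 -1 image/jpeg 3796/3796 GET http://www.example.com/images/b.jpg",
    "1092911664.677 SO_FAIL -1 FFFFFFFF 0123456789ABCDEF0123456789ABCDF1 200 1092911664 "
    "1092815319 -1 text/html 15488/13312 GET http://www.example.com/",
]

if __name__ == "__main__":
    counts, missing = triage(SAMPLE, 2 * 1024 * 1024)  # 2 MB limit for the demo
    print(dict(counts))
    for action, url, expected, written in missing:
        print("%-7s %s expected %d bytes, %d written" % (action, url, expected, written))
```

Run against a real store.log, a RELEASE or SO_FAIL entry for a small 2xx object is the signal that the object should have been stored and was not; repeated SO_FAIL lines for one key with a growing written count show the write failing chunk by chunk.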