[squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
hello all,

I currently get some sun v210 boxes running solaris 8 and squid-2.6.12 and samba 3.0.20b

I will upgrade these proxies into 2.7.4/3.0.32 next monday but before doing this I would like to ask you your advices and/or experiences with tuning these kind of boxes.

the service is running well today except we regularly get authentication popup boxes. This is really exasperating our Users. I already spent lot of times on the net in the hope finding a clear explanation about it but i am still searching.

I already configured starting 128 ntlm_auth processes on each of my servers. This gives better results but problem still remains. I also made some patching in my new package I will deploy next week by overwriting some samba values .. below my little patch ..

--- samba-3.0.32.orig/source/include/local.h2008-08-25 23:09:21.0 +0200 +++ samba-3.0.32/source/include/local.h 2008-10-09 13:09:59.784144000 +0200 
@@ -222,7 +222,7 @@ #define WINBIND_SERVER_MUTEX_WAIT_TIME (( ((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2) /* Max number of simultaneous winbindd socket connections. */ -#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 200 +#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024 /* Buffer size to use when printing backtraces */ #define BACKTRACE_STACK_SIZE 64

I currently do not use 'auth_param ntlm keep_alive on' because I do not know if it will not cause some side effects for web browser used in our company (ie/windows xp sp2).

I already use some parameters today like these ones below ...

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set rlim_fd_max=8192

arp_cleanup_interval=6
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip6_forward_src_routed=0
ip_ignore_redirect=1
ip6_ignore_redirect=1
ip_ire_flush_interval=6
ip_ire_arp_interval=6
ip_respond_to_address_mask_broadcast=0
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip6_send_redirects=0
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
ip_def_ttl=255
tcp_conn_req_max_q0=4096
tcp_conn_req_max_q=1024
tcp_rev_src_routes=0
tcp_extra_priv_ports_add=6112
udp_extra_priv_ports_add=
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

after some investigations on my servers, I notice we often get lots of connections in status CLOSE_WAIT and FIN_WAIT_2. I also get lots of connections in status ESTABLISHED.

If I have a look on squid statistics these are some files giving an idea on the load handled by our machines ..

SUNW,Sun-Fire-V210
2048 Memory size
bge0 100-fdx (or) 1000-fdx
client_http.requests = 242/sec
server.http.requests = 163/sec
Number of clients accessing cache: 1486
cpu_usage = 45.065136%
/dev/dsk/c0t0d0s5 20655529 15015444 5433530 74% /var/cache0
/dev/dsk/c0t1d0s5 20655529 14971972 5477002 74% /var/cache1
1746418 Store Entries
(some) 1265 ESTABLISHED tcp connections (at high load)
(some) 132 CLOSE_WAIT (or) FIN_WAIT_2 connections

so these servers are relatively heavy loaded and this is the reason why I think I still can tune some tcp/udp values in order to optimize and reduce the cpu usage on my servers.

I already found some ideas on the net like these values below but this is not guaranteed ..

ndd -set /dev/tcp tcp_time_wait_interval 6
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_keepalive_interval 15000

many thks to help me because we are really in trouble and I am sure we can solve these little problems by setting/tuning some parameters.

vincent.

ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
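
Review bot: the "+#define WINBINDD_MAX_SIMULTANEOUS_CLIENTS 1024" line raises the limit five-fold with no stated basis for the figure, and the comment directly above it says each client is a winbindd socket connection, so the new ceiling only helps if winbindd's own file-descriptor limit sits comfortably above 1024. The rlim_fd_max=8192 setting in the message is the hard limit; confirm the soft limit winbindd actually starts with, and derive the constant from the number of ntlm_auth helpers (128 here) plus headroom rather than a round number. Since this edits source/include/local.h, the change has to be re-applied on every Samba upgrade, so a comment next to the define recording why it was changed would help.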
RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
> SUNW,Sun-Fire-V210
> 2048 Memory size
> bge0 100-fdx (or) 1000-fdx
> client_http.requests = 242/sec
> server.http.requests = 163/sec
> Number of clients accessing cache: 1486
> cpu_usage = 45.065136%
> /dev/dsk/c0t0d0s5 20655529 15015444 5433530 74% /var/cache0
> /dev/dsk/c0t1d0s5 20655529 14971972 5477002 74% /var/cache1
> 1746418 Store Entries
> (some) 1265 ESTABLISHED tcp connections (at high load)
> (some) 132 CLOSE_WAIT (or) FIN_WAIT_2 connections
>
> so these servers are relatively heavy loaded and this is the reason why I think I still can tune some tcp/udp values in order to optimize and reduce the cpu usage on my servers.
>
> I already found some ideas on the net like these values below but this is not guaranteed ..
>
> ndd -set /dev/tcp tcp_time_wait_interval 6
> ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
> ndd -set /dev/tcp tcp_keepalive_interval 15000
>
> many thks to help me because we are really in trouble and I am sure we can solve these little problems by setting/tuning some parameters.

I made some further investigations and found maybe some relevant issues ..

* first of all, seems the tcp queues are not large enough with some 173201 dropped connections

# netstat -sP tcp | fgrep -i listendrop
tcpListenDrop =173201 tcpListenDropQ0 = 0

* seems we do not get any connection problems with our servers and l2 switches ... only 280 input errors on 583 days uptime.

# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 251726967 0 251726967 0 0 0
bge0 1500 sbepskcv sbepskcv 1607581016 280 1645158342 0 0 0
bge1 1500 sbepskcv-bge1 sbepskcv-bge1 2920250 3355944 0 0 0

* seems we can optimize a bit tcp time-to-live connections because I see hundreds connections in status CLOSE_WAIT FIN_WAIT_2 TIME_WAIT

* this is a command I see on the net but to be honest I do not understand the output of such a command

# netstat -k inode_cache
inode_cache: size 157855 maxsize 128252 hits 573916370 misses
RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
>> hello all, I currently get some sun v210 boxes running solaris 8 and squid-2.6.12 and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next monday but before doing this I would like to ask you your advices and/or experiences with tuning these kind of boxes. the service is running well today except we regularly get authentication popup boxes. This is really exasperating our Users. I already spent lot of times on the net in the hope finding a clear explanation about it but i am still searching. I already configured starting 128 ntlm_auth processes on each of my servers. This gives better results but problem still remains. I also made some patching in my new package I will deploy next week by overwriting some samba values .. below my little patch ..

first of all, many thanks to enter this discussion in order to help me solve my problems ..

> Before digging deep into OS settings check your squid.conf auth, acl and http_access settings.

okay let's go

concerning auth part of the squid.conf, I would like to say, nothing special .. below the ntlm config part

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
http_access allow ntlmauth all
http_reply_access allow all
http_access deny all
deny_info TCP_RESET all

> Check the TTL settings on your auth config. If it's not long enough squid will re-auth between request and reply.

not really sure to understand what setting you are speaking about ??

> For the access controls there are a number of ways they can trigger authentication popups. %LOGIN passed to external helper, proxy_auth REQUIRED acl, and an auth ACL being last on an http_access line.

if I good understand you get requested config line above ..

> Also, interception setups hacked with bad flags to (wrongly) permit auth can appear working but cause popups on every object request and also leak clients credentials to all remote sites that use auth.

what kind of interception are you speaking about ??

> Amos
RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
>>>> hello all, I currently get some sun v210 boxes running solaris 8 and squid-2.6.12 and samba 3.0.20b I will upgrade these proxies into 2.7.4/3.0.32 next monday but before doing this I would like to ask you your advices and/or experiences with tuning these kind of boxes. the service is running well today except we regularly get authentication popup boxes. This is really exasperating our Users. I already spent lot of times on the net in the hope finding a clear explanation about it but i am still searching. I already configured starting 128 ntlm_auth processes on each of my servers. This gives better results but problem still remains. I also made some patching in my new package I will deploy next week by overwriting some samba values .. below my little patch ..

>> first of all, many thanks to enter this discussion in order to help me solve my problems ..

>>> Before digging deep into OS settings check your squid.conf auth, acl and http_access settings.

>> okay let's go
>>
>> concerning auth part of the squid.conf, I would like to say, nothing special .. below the ntlm config part
>>
>> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 128
>> auth_param ntlm keep_alive on
>> acl ntlmauth proxy_auth REQUIRED
>> ...
>> http_access allow ntlmauth all
>> http_reply_access allow all
>> http_access deny all
>> deny_info TCP_RESET all

> Hmm, what those lines do is:
> - test the request for auth details (allow ntlmauth),
> - if correct details found, allow (allow ntlmauth all).
> - if none are found, or bad details ignore (allow ntlmauth all)
> - but send a RESET on the TCP link (deny all + TCP_RESET)

something I tried last week to see if it could solve my problem.

> The clients will never get any correction when auth details are invalid. They will just get a completely new session, the browser will try to resend the same broken details until it gives up and re-asks the user.
>
> The 'all' silencing hack is intended for situations where auth may be the preferred methods of access, but an alternative exists and can be taken easily when it fails. It prevents the browser being notified when credentials are wrong.
>
> Does it work if you make that line just:
> http_access allow ntlmauth

indeed seems also working, if no valid credential 'cache access denied' otherwise goes to internet.

does it change the internal squid behaviour by removing all ??

>>> Check the TTL settings on your auth config. If it's not long enough squid will re-auth between request and reply.

>> not really sure to understand what setting you are speaking about ??

> auth_param ntlm ttl

do you advice using it because I do not find any reference on it on squid configuration guide website.

> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2
RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
>>>> Before digging deep into OS settings check your squid.conf auth, acl and http_access settings.

>>> okay let's go
>>>
>>> concerning auth part of the squid.conf, I would like to say, nothing special .. below the ntlm config part
>>>
>>> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 128
>>> auth_param ntlm keep_alive on
>>> acl ntlmauth proxy_auth REQUIRED
>>> ...
>>> http_access allow ntlmauth all
>>> http_reply_access allow all
>>> http_access deny all
>>> deny_info TCP_RESET all

>> Hmm, what those lines do is:
>> - test the request for auth details (allow ntlmauth),
>> - if correct details found, allow (allow ntlmauth all).
>> - if none are found, or bad details ignore (allow ntlmauth all)
>> - but send a RESET on the TCP link (deny all + TCP_RESET)

> something I tried last week to see if it could solve my problem.

>> The clients will never get any correction when auth details are invalid. They will just get a completely new session, the browser will try to resend the same broken details until it gives up and re-asks the user.
>>
>> The 'all' silencing hack is intended for situations where auth may be the preferred methods of access, but an alternative exists and can be taken easily when it fails. It prevents the browser being notified when credentials are wrong.
>>
>> Does it work if you make that line just:
>> http_access allow ntlmauth

> indeed seems also working, if no valid credential 'cache access denied' otherwise goes to internet.

as announced in my previous mails, I migrated all my proxies servers last night. this ran fine and the packages are running well. I updated access ntlm rule by removing 'all' at the end of the line but this does not change anything except it happened at most 37 times on one of the proxies. I got this more than 100 times a day before. so can I still try something else ?

> does it change the internal squid behaviour by removing all ??

>>>> Check the TTL settings on your auth config. If it's not long enough squid will re-auth between request and reply.

>>> not really sure to understand what setting you are speaking about ??

>> auth_param ntlm ttl

> do you advice using it because I do not find any reference on it on squid configuration guide website.

you spoke about ttl parameter .. do you advice using it ??
RE: [squid-users] NTLM auth popup boxes Solaris 8 tuning for upgrade into 2.7.4
>>>> auth_param ntlm ttl

>>> do you advice using it because I do not find any reference on it on squid configuration guide website.

>> you spoke about ttl parameter .. do you advice using it ??

> Not sure who spoke about an auth_param ntlm ttl parameter, but there is no such parameter.
>
> The ntlm scheme only has three parameters
>
> program
> children
> keep_alive
>
> there the first (program) specifies the helper to use, the second (children) needs to be tuned to at least fit your load or there will be issues with rejected access or sporadic authentication prompts, and the third is a minor optimization.

okay but I already get 128 ntlm_auth processes running .. is this enough for a load of 250 req/sec ??

on the other hand, and this is also the meaning of this conversation, it seems this popup box not always come with some load issues but can happen for other reasons I totally ignore .. and the way to troubleshoot this really ?

> Regards
> Henrik
[squid-users] winbind directories permissions issue
Hello all,

I really get a strange ( maybe not ?? ) problem.

I get Squid 2.7.4 running on Solaris 8 with Samba 3.0.32. My clients are essentially running Windows XP SP2 with IE6.

authentication scheme is exclusively based on ntlm so this is the reason why winbindd is also running, smbd and nmbd are not running because I think this is not needed.

this is all working fine but I randomly get thousands of lines appearing in cache.log file .. see below what I get.

[2008/12/04 10:10:57, 0] utils/ntlm_auth.c:winbind_pw_check(515)
Login for user [EMAIL PROTECTED] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]

process squid is running as user squid and group squidg so afaik permissions below are correct ..

342924 1 drwxr-x--- 5 root squidg 512 Dec 4 03:36 /var/lib/samba
354946 1 drwxr-x--- 4 root squidg 512 Nov 18 01:34 /var/lib/samba/locks
360979 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 /var/lib/samba/locks/printing
366989 1 drwxr-x--- 2 root squidg 512 Nov 18 01:34 /var/lib/samba/locks/winbindd_privileged
342930 8 -rw-r----- 1 root squidg 8192 Dec 4 03:37 /var/lib/samba/gencache.tdb
342932 1 -rw-r----- 1 root squidg 696 Nov 18 01:34 /var/lib/samba/idmap_cache.tdb
342933 1 -rw-r----- 1 root squidg 696 Dec 3 17:35 /var/lib/samba/messages.tdb
342935 56 -rw------- 1 root root 57344 Dec 3 17:36 /var/lib/samba/winbindd_cache.tdb
342936 29752 -rw-r----- 1 root squidg 30441472 Dec 4 09:58 /var/lib/samba/netsamlogon_cache.tdb
138380 1 drwxr-x--- 2 root squidg 512 Dec 3 17:35 /var/lib/samba/winbindd_privileged
138381 0 srwxrwxrwx 1 root root 0 Dec 3 17:35 /var/lib/samba/winbindd_privileged/pipe
222599 1 drwxr-x--- 2 root squidg 512 Dec 4 03:36 /var/lib/samba/smb_krb5
342937 1 -rw-r--r-- 1 root root 268 Dec 4 03:36 /var/lib/samba/smb_krb5/krb5.conf.EUROPE

I did not find any explanation right now except applying same security settings on directories again and reloading process squid.

We are already running squid more than 3 years and never got the problem before ..

Can somebody really help me because each time we encounter this issue hundreds of my users are impacted.

many thanks for your help.
RE: [squid-users] winbind directories permissions issue
>> We are already running squid more than 3 years and never got the problem before .. Can somebody really help me because each time we encounter this issue hundreds of my users are impacted. many thanks for your help.

> Please first ensure that you DO NOT have cache_effective_group configured in your squid.conf. All squid group settings under this setup need to be OS-defined correctly and working properly that way.

yes sure I get 'cache_effective_user squid' 'cache_effective_group squidg' configured in squid config file ... this was always so .. is there a specific issue with it ??

> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
RE: [squid-users] winbind directories permissions issue
>>>> We are already running squid more than 3 years and never got the problem before .. Can somebody really help me because each time we encounter this issue hundreds of my users are impacted. many thanks for your help.

>>> Please first ensure that you DO NOT have cache_effective_group configured in your squid.conf. All squid group settings under this setup need to be OS-defined correctly and working properly that way.

>> yes sure I get 'cache_effective_user squid' 'cache_effective_group squidg' configured in squid config file ... this was always so .. is there a specific issue with it ??

> The squid.conf configured group forces override of any OS settings from squid point of view. Particularly to the effect of erasing membership of secondary groups and group aliases.
>
> Winbind only obeys and verifies against the OS settings, so there is a high likelihood that your issue is a mismatch between the privileges seen by squid with group configured and the system settings.
>
> effective_group may have been needed in 2.5 and earlier and before we sorted out the winbind privileges system. But has really been obsolete since group membership was fixed in Squid-2.6.

Amos, many thks for your help .. I made the change yesterday morning and seems to be okay till now. I keep you informed later if this stays as is.

> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1
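
The three squid.conf points raised in the replies in these threads (an auth ACL followed by 'all' on an http_access line, the auth_param ntlm options that exist, and cache_effective_group overriding the OS group list that winbindd checks) can be checked mechanically. The script below is an added example, not code from the posters or from the Squid project; the function names, the finding codes and the sample configuration (assembled from the lines quoted in the threads plus a constructed 'acl all' line) are assumptions.

```shell
#!/bin/sh
# Added example: lint a squid.conf for the settings diagnosed in these threads.
# lint_squid_auth [FILE] prints one finding per line as "<lineno>: <CODE> <detail>"
# and prints nothing when none of the three conditions is present.

lint_squid_auth() {
    awk '
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines

    # Remember the names of ACLs that require proxy authentication.
    $1 == "acl" && $3 ~ /^proxy_auth(_regex)?$/ { auth[$2] = 1; next }

    # Per the reply in the thread, the ntlm scheme takes only these three options.
    $1 == "auth_param" && $2 == "ntlm" && $3 !~ /^(program|children|keep_alive)$/ {
        printf "%d: UNKNOWN_NTLM_PARAM auth_param ntlm %s is not a known ntlm option\n", NR, $3
        next
    }

    # A group set here replaces the OS-defined group list that winbindd checks.
    $1 == "cache_effective_group" {
        printf "%d: EFFECTIVE_GROUP group %s is forced in squid.conf\n", NR, $2
        next
    }

    # Find the last authentication ACL named on each http_access line.
    $1 == "http_access" {
        last_auth = 0
        for (i = 3; i <= NF; i++) {
            name = $i
            sub(/^!/, "", name)
            if (name in auth) last_auth = i
        }
        # An auth ACL followed by another ACL: as described in the thread,
        # the browser is not told when its credentials are rejected.
        if (last_auth && last_auth < NF)
            printf "%d: SILENCED_AUTH %s is followed by %s\n", NR, $last_auth, $(last_auth + 1)
    }
    ' "$@"
}

# Constructed sample: the configuration lines quoted in the threads,
# with an "acl all" definition added so the file is self-contained.
sample_conf() {
cat <<'EOF'
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
cache_effective_user squid
cache_effective_group squidg
acl all src 0.0.0.0/0.0.0.0
acl ntlmauth proxy_auth REQUIRED
http_access allow ntlmauth all
http_access deny all
deny_info TCP_RESET all
EOF
}

# Lint the file named on the command line, or the embedded sample when none is given.
if [ $# -gt 0 ] && [ -r "$1" ]; then
    lint_squid_auth "$1"
else
    sample_conf | lint_squid_auth
fi
```

On the sample it reports line 5 (the forced group) and line 8 (ntlmauth followed by all); with those two lines changed as the replies suggest, it prints nothing.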
RE: [squid-users] winbind directories permissions issue
We are already running squid more than 3 years and never got the problem before .. Can somebody really help me because each time we encounter this issue hundreds of my users are impacted. many thanks for your help. Please first ensure that you DO NOT have cache_effective_group configured in your squid.conf. All squid group settings under this setup need to be OS-defined correctly and working properly that way. yes sure I get 'cache_effective_user squid' 'cache_effective_group squidg' configured in squid config file ... this was alaways so .. is there a specific issue with it ?? The squid.conf configured group forces override of any OS settings from squid point of view. Particularly to the effect of erasing membership of secondary groups and group aliases. Winbind only obeys and verifies against the OS settings, so there is a high likelyhood that your issue is a mismatch between the privileges seen by squid with group configured and the system settings. effective_group may have been needed in 2.5 and earlier and before we sorted out the winbind privileges system. But has really been obsolete since group membership was fixed in Squid-2.6. Amos, many thks for your help .. I made the change yesterday morning and seems to be okay till now. I keep you informed later if this stays as is. I am back, sorry but the problem is happening again do you get some other ideas because this is becoming a real big issue here .. thks. Amos -- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1 - ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. 
Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. -
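The group override described in the reply above, modelled as an added Python example (not code from the thread, Squid or Samba): it computes which group IDs the Squid helpers end up with when cache_effective_group is set versus left to the OS, and whether they can still enter a mode-750 winbindd_privileged directory. The passwd, group and squid.conf text is constructed from the values quoted in the thread; the winbind GID 1561 and the two directory ownerships tested are assumptions.

```python
# Added example. Sample data is constructed; GID 1561 for "winbind" is an
# assumption because the thread's /etc/group output does not show it.
PASSWD = "squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh\n"
GROUP = "squidg::1560:\nwinbind::1561:squid\n"
CONF_WITH_GROUP = "cache_effective_user squid\ncache_effective_group squidg\n"
CONF_OS_GROUPS = "cache_effective_user squid\n# cache_effective_group squidg\n"


def parse_directive(conf, name):
    """Return the last uncommented value of a squid.conf directive, or None."""
    value = None
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == name:
            value = parts[1]
    return value


def lookup_user(user, passwd):
    """Return (uid, primary_gid) from passwd-format text."""
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            return int(fields[2]), int(fields[3])
    raise KeyError("no passwd entry for %s" % user)


def lookup_gid(name, group):
    """Return the numeric GID of a group name from group-format text."""
    for line in group.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name and fields[2].isdigit():
            return int(fields[2])
    raise KeyError("no group entry for %s" % name)


def os_gids(user, passwd, group):
    """GIDs the OS assigns: the primary GID plus supplementary memberships."""
    _, primary = lookup_user(user, passwd)
    gids = {primary}
    for line in group.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit() and user in fields[3].split(","):
            gids.add(int(fields[2]))
    return gids


def helper_gids(conf, passwd, group):
    """GIDs the helpers run with. A configured cache_effective_group replaces
    the OS group list, so supplementary memberships are lost."""
    forced = parse_directive(conf, "cache_effective_group")
    if forced is not None:
        return {lookup_gid(forced, group)}
    return os_gids(parse_directive(conf, "cache_effective_user"), passwd, group)


def ls_mode_bits(text):
    """Turn an ls mode string such as 'drwxr-x---' into permission bits.
    Any character other than '-' counts as a set bit."""
    perms = text[1:10]
    if len(perms) != 9:
        raise ValueError("mode string too short: %r" % text)
    bits = 0
    for ch in perms:
        bits = (bits << 1) | int(ch != "-")
    return bits


def can_search(mode_bits, dir_uid, dir_gid, uid, gids):
    """POSIX check for search (x) permission on a directory: exactly one of
    the owner, group or other classes applies, in that order."""
    if uid == 0:
        return True
    if uid == dir_uid:
        shift = 6
    elif dir_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode_bits >> shift) & 0o1)


def can_enter(conf, mode_text, dir_uid, dir_gid, passwd=PASSWD, group=GROUP):
    """Can the configured Squid user enter a directory with this ownership?"""
    uid, _ = lookup_user(parse_directive(conf, "cache_effective_user"), passwd)
    gids = helper_gids(conf, passwd, group)
    return can_search(ls_mode_bits(mode_text), dir_uid, dir_gid, uid, gids)


if __name__ == "__main__":
    for label, conf in (("group forced", CONF_WITH_GROUP), ("OS groups", CONF_OS_GROUPS)):
        for gname in ("squidg", "winbind"):
            ok = can_enter(conf, "drwxr-x---", 0, lookup_gid(gname, GROUP))
            print("%-12s dir root:%-7s 750 -> %s" % (label, gname, "ok" if ok else "DENIED"))
```

In this model the outcome depends on which group owns the directory, so the check needs both the squid.conf directive and the `ls -n` ownership of winbindd_privileged as inputs.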
RE: [squid-users] winbind directories permissions issue
... I made some cut from our previous posts to avoid any confusion.

Sorry I haven't had much to do with winbind than we have already tried. you are the first I've seen where these fixes have not worked. Can you get a full ls -la trace of the directory content and permissions at a time where it's working, and one where it's not? Also a list of the squid user name and the groups names it belongs to.

    [EMAIL PROTECTED] $ egrep 'squid|winbin' /etc/passwd /etc/group
    /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
    /etc/group:squidg::1560:
    /etc/group:winbind:::squid

below the situation when it works ... waiting another bug

    [EMAIL PROTECTED] $ [/home/SQUID/var/log] $ ls -nai /var/lib/samba
    total 65966
    342924 drwxr-xr-x 5 0 512 Dec 9 10:39 .
    66177 drwxr-xr-x 5 00512 Nov 18 01:34 ..
    342930 -rw-r--r-- 1 08192 Dec 9 10:40 gencache.tdb
    342932 -rw-r--r-- 1 0 696 Nov 18 01:34 idmap_cache.tdb
    354946 drwxr-xr-x 4 0 512 Nov 18 01:34 locks
    342933 -rw-r--r-- 1 0 696 Dec 9 10:39 messages.tdb
    342936 -rw-r--r-- 1 0 33669120 Dec 9 12:59 netsamlogon_cache.tdb
    222599 drwxr-xr-x 2 0 512 Dec 9 10:39 smb_krb5
    342934 -rw--- 1 00 57344 Dec 9 10:44 winbindd_cache.tdb
    138380 drwxr-x--- 2 0 512 Dec 9 10:39 winbindd_privileged

    [EMAIL PROTECTED] $ [/home/SQUID/var/log] $ ls -nai /var/lib/samba/winbindd_privileged
    total 4
    138380 drwxr-x--- 2 0 512 Dec 9 10:39 .
    342924 drwxr-xr-x 5 0 512 Dec 9 10:39 ..
    138381 srwxrwxrwx 1 00 0 Dec 9 10:39 pipe

On the other hand, it is maybe interesting to activate debug on this part of the code ?? if yes can you give me the exact settings I have to configure ..

This will be needed by anyone who may be more able to help.

Amos
RE: [squid-users] winbind directories permissions issue
... Amos I made some cut from our previous posts to avoid any confusion.

Sorry I haven't had much to do with winbind than we have already tried. you are the first I've seen where these fixes have not worked. Can you get a full ls -la trace of the directory content and permissions at a time where it's working, and one where it's not? Also a list of the squid user name and the groups names it belongs to.

    $ egrep 'squid|winbin' /etc/passwd /etc/group
    /etc/passwd:squid:x:1560:1560:SQUID user:/home/SQUID:/bin/ksh
    /etc/group:squidg::1560:
    /etc/group:winbind:::squid

Below what happened on one of my machine .. sbepskdd.

some minutes before the bug occurred ..

    $ ls -nai /var/lib/samba
    total 121612
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 .
    330886 drwxr-xr-x 5 00512 Nov 17 19:39 ..
    162448 -rw-r- 1 08192 Dec 15 04:14 gencache.tdb
    162450 -rw-r- 1 0 696 Nov 17 19:39 idmap_cache.tdb
    168469 drwxr-x--- 4 0 512 Nov 17 19:39 locks
    162451 -rw-r- 1 08192 Dec 14 22:06 messages.tdb
    162454 -rw-r- 1 0 62144512 Dec 15 08:41 netsamlogon_cache.tdb
    54155 drwxr-x--- 2 0 512 Dec 15 04:14 smb_krb5
    162453 -rw--- 1 00 57344 Nov 25 06:49 winbindd_cache.tdb
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 winbindd_privileged

    $ ls -nai /var/lib/samba/winbindd_privileged
    total 4
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 .
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 ..
    451223 srwxrwxrwx 1 00 0 Nov 25 06:47 pipe

when SQUID is still running but the bug is happening ..

    $ ls -nai /var/lib/samba
    total 122140
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 .
    330886 drwxr-xr-x 5 00512 Nov 17 19:39 ..
    162448 -rw-r- 1 08192 Dec 15 04:14 gencache.tdb
    162450 -rw-r- 1 0 696 Nov 17 19:39 idmap_cache.tdb
    168469 drwxr-x--- 4 0 512 Nov 17 19:39 locks
    162451 -rw-r- 1 08192 Dec 14 22:06 messages.tdb
    162454 -rw-r- 1 0 62414848 Dec 15 10:04 netsamlogon_cache.tdb
    54155 drwxr-x--- 2 0 512 Dec 15 04:14 smb_krb5
    162453 -rw--- 1 00 57344 Nov 25 06:49 winbindd_cache.tdb
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 winbindd_privileged

    $ ls -nai /var/lib/samba/winbindd_privileged
    total 4
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 .
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 ..
    451223 srwxrwxrwx 1 00 0 Nov 25 06:47 pipe

just after restart of SQUID process ..

    $ ls -nai /var/lib/samba
    total 122140
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 .
    330886 drwxr-xr-x 5 00512 Nov 17 19:39 ..
    162448 -rw-r- 1 08192 Dec 15 04:14 gencache.tdb
    162450 -rw-r- 1 0 696 Nov 17 19:39 idmap_cache.tdb
    168469 drwxr-x--- 4 0 512 Nov 17 19:39 locks
    162451 -rw-r- 1 08192 Dec 14 22:06 messages.tdb
    162454 -rw-r- 1 0 62414848 Dec 15 10:04 netsamlogon_cache.tdb
    54155 drwxr-x--- 2 0 512 Dec 15 04:14 smb_krb5
    162453 -rw--- 1 00 57344 Nov 25 06:49 winbindd_cache.tdb
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 winbindd_privileged

    $ ls -nai /var/lib/samba/winbindd_privileged
    total 4
    451222 drwxr-x--- 2 0 512 Nov 25 06:47 .
    162445 drwxr-x--- 5 0 512 Dec 15 04:14 ..
    451223 srwxrwxrwx 1 00 0 Nov 25 06:47 pipe

Now another notice, I made a change last tuesday on another SQUID server and this seems working almost one week ..

    $ ls -nai /var/lib/samba
    total 78156
    342924 drwxr-xr-x 5 0 512 Dec 15 04:22 .
    66177 drwxr-xr-x 5 00512 Nov 18 01:34 ..
    342930 -rw-r--r-- 1 08192 Dec 15 04:22 gencache.tdb
    342932 -rw-r--r-- 1 0 696 Nov 18 01:34 idmap_cache.tdb
    354946 drwxr-xr-x 4 0 512 Nov 18 01:34 locks
    342933 -rw-r--r-- 1 08192 Dec 13 22:06 messages.tdb
    342936 -rw-r--r-- 1 0 39903232 Dec 15 10:20 netsamlogon_cache.tdb
    222599 drwxr-xr-x 2 0 512 Dec 15 04:22 smb_krb5
    342934 -rw--- 1 00 57344 Dec 9 10:44 winbindd_cache.tdb
    138380 drwxr-x--- 2 0 512 Dec 9 10:39 winbindd_privileged

    $ ls -nai /var/lib/samba/winbindd_privileged
    total 4
    138380 drwxr-x--- 2 0
[squid-users] authenticate_ip_shortcircuit
hello all, just little question to know if somebody plans including ip_shortcircuit in 'squidclient mgr:' info pages. It should be interesting to get the list of mappings ip/identification. It should also be interesting to get another shortcircuit instruction like 'ip_shortcircuit_size' to limit the size of this list.

many thks
Vincent
[squid-users] Squid 2.7 Chained Proxies and NTLM Pass-thru
hello all, my clients should access an IIS website requesting ntlm authentication 'WWW-Authentication'. they all use ie6 and proxied through a chain of two proxies. the first one hosted in internal network making the whole job of logging, validating ntlm authentication coming from all the ie's with our internal active directories, allow/deny websites mime-types and all kind of stuffs. the other one hosted in dmz as making simply the job of gateway to the internet. Both of them are running 2.7.4

simple question .. Is that possible or not to make this surfing working .. if yes what do I have to configure ?? Do I have to activate things like squid ntlm_auth binary, connection-auth=on, login=PASS ??

many thks for your help.
Vincent
[squid-users] ICP behaviour question ?
Hello all, I am doing some tests for implementing ICP in our SQUID platform including two level of SQUID devices, the SQUID proxies the users are connected on and the Gateways directly connected on the internet. After reading some old pdf documents I found on the net it seems, if I understood correctly the way it works, an icp query is sent to all parent caches each time a url must be retrieved from the internet.

config at proxy level ..

    icp_port 3130
    icp_query_timeout 0
    maximum_icp_query_timeout 50 # (milliseconds)
    dead_peer_timeout 1 second
    log_icp_queries off
    icp_hit_stale off
    icp_access deny all

config at gateway level ..

    icp_port 3130
    log_icp_queries off
    icp_hit_stale off
    icp_access allow srcip_internalproxies
    icp_access deny all

I made a very little test for requesting from my proxy (sbeaskda) a web resource from the freebsd website. This proxy gets two parents (sbepskcw and sbepskcy).

    # squidclient http://www.freebsd.org/layout/css/fixed.css
    # snoop ...
    sbeaskda -> sbepskcw UDP D=3130 S=3130 LEN=76
    sbeaskda -> sbepskcy UDP D=3130 S=3130 LEN=76
    sbepskcw -> sbeaskda UDP D=3130 S=3130 LEN=72
    sbepskcy -> sbeaskda UDP D=3130 S=3130 LEN=72
    sbeaskda -> sbepskcw HTTP GET http://www.freebsd.org/layout/css/fixed.css HTTP/1.0
    sbepskcw -> sbeaskda HTTP (proxy) R port=58841
    sbepskcw -> sbeaskda HTTP HTTP/1.0 200 OK
    sbeaskda -> sbepskcw HTTP (proxy) C port=58841

We see the proxy sending a udp request to port 3130 to all the parents, each of them replying to the request. We then see the http query sent to sbepskcw. This is all working fine but I also read in this same pdf that if the object retrieved is not too large, the gateway can include the object (in this case the css page) in the udp reply so the proxy client does not have to send an icp and http query for each object.

so my question is .. Is this still the case with SQUID ? If yes, why not in this case ? If not, do I have to enable something for this ?

many thks for your help.
Vincent
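The ICP exchange in the trace above, as an added Python example (not part of the original post): it builds and strictly parses ICP v2 messages using the RFC 2186 layout and reproduces the 76- and 72-byte lengths, on the assumption that snoop's LEN includes the 8-byte UDP header. The request number, the all-zero addresses and the 100-byte object body are constructed, and the opcode of the replies in the trace is not shown on the page (HIT and MISS have the same size).

```python
import socket
import struct

# ICP v2 constants and header layout from RFC 2186 (added example).
ICP_VERSION = 2
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS, ICP_OP_HIT_OBJ = 1, 2, 3, 23
ICP_FLAG_HIT_OBJ = 0x80000000      # set in a query to ask for the object inline
HEADER = struct.Struct("!BBHIII4s")  # opcode, version, length, reqnum,
                                     # options, option data, sender address
UDP_HEADER_LEN = 8
URL = "http://www.freebsd.org/layout/css/fixed.css"  # URL from the trace


def _pack(opcode, reqnum, options, payload, sender="0.0.0.0"):
    length = HEADER.size + len(payload)
    if length > 0xFFFF:
        raise ValueError("ICP message does not fit the 16-bit length field")
    return HEADER.pack(opcode, ICP_VERSION, length, reqnum, options, 0,
                       socket.inet_aton(sender)) + payload


def build_query(reqnum, url, want_hit_obj=False, requester="0.0.0.0"):
    """ICP_OP_QUERY: header, 4-byte requester address, NUL-terminated URL."""
    options = ICP_FLAG_HIT_OBJ if want_hit_obj else 0
    payload = socket.inet_aton(requester) + url.encode("ascii") + b"\0"
    return _pack(ICP_OP_QUERY, reqnum, options, payload)


def build_reply(opcode, reqnum, url, obj=b""):
    """HIT/MISS: header + URL. HIT_OBJ adds a 16-bit size and the object."""
    payload = url.encode("ascii") + b"\0"
    if opcode == ICP_OP_HIT_OBJ:
        if len(obj) > 0xFFFF:
            raise ValueError("object too large for ICP_OP_HIT_OBJ")
        payload += struct.pack("!H", len(obj)) + obj
    return _pack(opcode, reqnum, 0, payload)


def parse(datagram):
    """Parse one ICP datagram, rejecting anything malformed or truncated."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 20-byte ICP header")
    opcode, version, length, reqnum, options, _, _ = HEADER.unpack_from(datagram)
    if version != ICP_VERSION:
        raise ValueError("unsupported ICP version %d" % version)
    if length != len(datagram):
        raise ValueError("declared length %d != received %d" % (length, len(datagram)))
    body = datagram[HEADER.size:]
    if opcode == ICP_OP_QUERY:
        if len(body) < 4:
            raise ValueError("query lacks requester address")
        body = body[4:]
    url, nul, rest = body.partition(b"\0")
    if not nul:
        raise ValueError("URL is not NUL-terminated")
    msg = {"opcode": opcode, "reqnum": reqnum, "options": options,
           "url": url.decode("ascii")}
    if opcode == ICP_OP_HIT_OBJ:
        if len(rest) < 2:
            raise ValueError("HIT_OBJ lacks object size")
        (size,) = struct.unpack_from("!H", rest)
        if size != len(rest) - 2:
            raise ValueError("object size field does not match payload")
        msg["object"] = rest[2:]
    return msg


def udp_len(datagram):
    """Length as a UDP header would carry it: payload plus 8-byte header."""
    return UDP_HEADER_LEN + len(datagram)


if __name__ == "__main__":
    query = build_query(1, URL)
    reply = build_reply(ICP_OP_MISS, 1, URL)
    inline = build_reply(ICP_OP_HIT_OBJ, 1, URL, b"x" * 100)
    print("query   UDP LEN =", udp_len(query))
    print("reply   UDP LEN =", udp_len(reply))
    print("HIT_OBJ UDP LEN =", udp_len(inline), "for a 100-byte object")
```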
[squid-users] ICP vs Cache Digest
Hello all, something I do not understand .. I plan enabling ICP between my squid proxy web caches hosted in internal lan area and my internet gateways hosted in dmz area. Everything seems to work correctly, I see the ICP packets exchanged between all devices except I always receive this type of error message ...

    2009/04/27 16:59:27| temporary disabling (Forbidden) digest from 10.66.9.193

Let us have a look on the configs in place ... All package installed are compiled with '--enable-cache-digests'.

Squid (2.6.12 2.7.4) dmz internet gateways config ...

    icp_port 3130
    log_icp_queries off
    icp_hit_stale off
    icp_access allow srcip_internalproxies
    icp_access deny all

Squid (2.6.12) internal Proxy web caches config ...

    icp_port 3130
    icp_query_timeout 0
    maximum_icp_query_timeout 50 # (milliseconds)
    dead_peer_timeout 1 second
    log_icp_queries off
    icp_hit_stale off
    icp_access deny all
    cache_peer @my_cache_parent_1@ parent 8080 3130 weight=2
    cache_peer @my_cache_parent_2@ parent 8080 3130 weight=1

Is that normal I get this message or is there something I did not understand with ICP and digest (e.g. not compatible) ?? Did I forget to add some parameters next to my cache_peer entries (e.g no-digest ..) ?

many thks to help me.
Vincent
[squid-users] RE: ICP vs Cache Digest
Hello all, something I do not understand .. I plan enabling ICP between my squid proxy web caches hosted in internal lan area and my internet gateways hosted in dmz area. Everything seems to work correctly, I see the ICP packets exchanged between all devices except I always receive this type of error message ...

    2009/04/27 16:59:27| temporary disabling (Forbidden) digest from 10.66.9.193

Let us have a look on the configs in place ... All package installed are compiled with '--enable-cache-digests'.

Squid (2.6.12 2.7.4) dmz internet gateways config ...

    icp_port 3130
    log_icp_queries off
    icp_hit_stale off
    icp_access allow srcip_internalproxies
    icp_access deny all

Squid (2.6.12) internal Proxy web caches config ...

    icp_port 3130
    icp_query_timeout 0
    maximum_icp_query_timeout 50 # (milliseconds)
    dead_peer_timeout 1 second
    log_icp_queries off
    icp_hit_stale off
    icp_access deny all
    cache_peer @my_cache_parent_1@ parent 8080 3130 weight=2
    cache_peer @my_cache_parent_2@ parent 8080 3130 weight=1

Is that normal I get this message or is there something I did not understand with ICP and digest (e.g. not compatible) ?? Did I forget to add some parameters next to my cache_peer entries (e.g no-digest ..) ?

any idea ???

many thks to help me.
Vincent
RE: [squid-users] RE: ICP vs Cache Digest
Hello all, something I do not understand .. I plan enabling ICP between my squid proxy web caches hosted in internal lan area and my internet gateways hosted in dmz area. Everything seems to work correctly, I see the ICP packets exchanged between all devices except I always receive this type of error message ...

    2009/04/27 16:59:27| temporary disabling (Forbidden) digest from 10.66.9.193

Let us have a look on the configs in place ... All package installed are compiled with '--enable-cache-digests'.

Squid (2.6.12 2.7.4) dmz internet gateways config ...

    icp_port 3130
    log_icp_queries off
    icp_hit_stale off
    icp_access allow srcip_internalproxies
    icp_access deny all

Squid (2.6.12) internal Proxy web caches config ...

    icp_port 3130
    icp_query_timeout 0
    maximum_icp_query_timeout 50 # (milliseconds)
    dead_peer_timeout 1 second
    log_icp_queries off
    icp_hit_stale off
    icp_access deny all
    cache_peer @my_cache_parent_1@ parent 8080 3130 weight=2
    cache_peer @my_cache_parent_2@ parent 8080 3130 weight=1

Is that normal I get this message or is there something I did not understand with ICP and digest (e.g. not compatible) ?? Did I forget to add some parameters next to my cache_peer entries (e.g no-digest ..) ?

any idea ???

I finally found why my client caches cannot get store_digest information from parent caches. This is because client caches receive a 'Forbidden' message when requesting the url http://servername:8080/squid-internal-periodic/store_digest

my parent cache config ...

    ...
    http_port 127.0.0.1:8080
    http_port 1.2.3.4:8080
    ...
    acl localhost src 127.0.0.1/32
    acl manager proto cache_object
    acl connect method CONNECT
    acl safe_port port 80
    acl safe_port port 8080
    acl safe_port port 21
    acl safe_port port 443
    ...
    http_access allow manager localhost
    http_access allow manager manager_hosts
    http_access deny manager
    http_access allow purge localhost
    http_access allow purge manager_hosts
    http_access deny purge
    http_access allow localhost
    http_reply_access allow localhost
    http_access deny connect !SSL
    http_access deny !safe_port
    http_access allow srcip_internalproxies
    http_reply_access allow srcip_internalproxies
    http_reply_access deny all
    http_access deny all

After many many tries I noticed that denying 'connect' and 'safe_port' access lists at parent caches level blocked the clients so seems that requesting something to port 8080 is forbidden but I got no problem to reach the net ...

When going forward into my tests, I just noticed that internal /squid-internal-periodic/ url path is always listening on port 3128 even if squid process is listening on another port like 8080 in my case. In other words if I add 'acl safe_port port 3128' in my parent config and I send the query http://servername:3128/squid-internal-periodic/store_digest, the issue is solved ...

Is this some normal behaviour, a bug or did I make something wrong ??

many thks to help me.
Vincent
[squid-users] TCP response time | Proxy efficiency | Paging .. pending questions
Hello all,

when looking on the good working of one of my squid proxies, I see some values I think somewhat relevant for increasing the cache_mem. next to my investigations I can see this machine receives some 130req/s, sends some 80 req/s, caches some 1.2 million objects on disk. this is the very basic part of it.

$ squidclient mgr:info
Internal Data Structures:
    1182755 StoreEntries
      70431 StoreEntries with MemObjects
      70365 Hot Object Cache Items
    1174685 on-disk objects

$ squidclient mgr:5min |egrep 'http|fault'
client_http.requests = 127.388482/sec
client_http.hits = 45.899453/sec
client_http.errors = 0.00/sec
client_http.kbytes_in = 95.962190/sec
client_http.kbytes_out = 1820.344974/sec
client_http.all_median_svc_time = 0.021898 seconds
client_http.miss_median_svc_time = 0.042766 seconds
client_http.nm_median_svc_time = 0.001789 seconds
client_http.nh_median_svc_time = 0.020695 seconds
client_http.hit_median_svc_time = 0.004626 seconds
server.http.requests = 78.912393/sec
server.http.errors = 0.00/sec
server.http.kbytes_in = 1285.901343/sec
server.http.kbytes_out = 66.245877/sec
page_faults = 0.04/sec

we can also see a correct hit (36%) and byte (20%) rate on this server but ...

* what does it mean Proxy efficiency 46.01 ??
* and what does it mean Average speed increase 24.27% ??
* what does it mean TCP response time of 100%% requests .. ? the maximum time taken to make the SYN SYN/ACK ACK when asking for a socket on the parent cache ? the maximum time taken for getting an object from the parent cache ???

Summary
Calamaris statistics
    lines parsed: lines 15855657
    invalid lines: lines 0
    parse time: sec 4145
    parse speed: lines/sec 3825
Proxy statistics
    Total amount: requests 15855657
    Total Bandwidth: Byte 165G
    Proxy efficiency (HIT [kB/sec] / DIRECT [kB/sec]): factor 46.01
    Average speed increase: % 24.27
    TCP response time of 100%% requests: msec 1900
Cache statistics
    Total amount cached: requests 5627335
    Request hit rate: % 35.49
    Bandwidth savings: Byte 33781M
    Bandwidth savings in Percent (Byte hit rate): % 19.96
    Average cached object size: Byte 6294
    Average direct object size: Byte 13885
    Average object size: Byte 11191

the machine squid is running on is a Sun Solaris 8 V210 with 2Gb memory.

$ prtconf
System Configuration: Sun Microsystems sun4u
Memory size: 2048 Megabytes
System Peripherals (Software Nodes):
SUNW,Sun-Fire-V210

concerning the memory usage this becomes much more unclear for me ... if I good understand I see the process size is some 700mb and get some 600mb allocated. when going deeper in the vmstat stats pi and po column respectively give 825 and 236 at some time ...

* is this not some too big value ??
* cache_mem is currently defined at 400mb, don't you think increasing this value to a bigger value (let's say some 500-600 mb) would not be better ??

$ squidclient mgr:info
Squid Object Cache: Version 2.7.STABLE4
Start Time: Mon, 17 Aug 2009 02:00:38 GMT
Current Time: Thu, 20 Aug 2009 10:48:06 GMT
Connection information for squid:
    Number of clients accessing cache: 2264
    Number of HTTP requests received: 11355087
    Number of ICP messages received: 11553839
    Number of ICP messages sent: 11564676
    Number of queued ICP replies: 0
    Number of HTCP messages received: 0
    Number of HTCP messages sent: 0
    Request failure ratio: 0.00
    Average HTTP requests per minute since start: 2342.5
    Average ICP messages per minute since start: 4769.2
    Select loop called: 94346313 times, 3.083 ms avg
Cache information for squid:
    Request Hit Ratios: 5min: 38.8%, 60min: 30.9%
    Byte Hit Ratios: 5min: 21.8%, 60min: 29.7%
    Request Memory Hit Ratios: 5min: 27.4%, 60min: 27.1%
    Request Disk Hit Ratios: 5min: 23.4%, 60min: 18.0%
    Storage Swap size: 29196377 KB
    Storage Mem size: 409632 KB
    Mean Object Size: 24.85 KB
    Requests given to unlinkd: 114
Median Service Times (seconds)  5 min    60 min:
    HTTP Requests (All): 0.02190 0.01035
    Cache Misses: 0.04047 0.03622
    Cache Hits: 0.00463 0.00379
    Near Hits: 0.01955 0.02317
    Not-Modified Replies: 0.00179 0.00179
    DNS Lookups: 0.00190 0.00190
    ICP Queries: 0.00221 0.00221
Resource usage for squid:
    UP Time: 290848.297 seconds
    CPU Time: 26579.690 seconds
    CPU Usage: 9.14%
    CPU Usage, 5 minute avg: 30.92%
    CPU Usage, 60 minute avg: 32.65%
    Process Data Segment Size via sbrk(): 693792 KB
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 19875
Memory accounted
RE: [squid-users] TCP response time | Proxy efficiency | Paging .. pending questions
no I do not. I simply manage some 30 squid servers and I included in this mail some statistics from one of these proxies because I think I should increase the cache_mem value for some of them but I am not really sure about my suggestions ... so if some of you have deep experience in it I would be happy they help me. do not hesitate to read the 5 questions in my mail.

many thks
Vincent

___
From: Gerard Leonardo [mailto:gerard.leona...@gmail.com]
Sent: Tuesday, August 25, 2009 3:06 PM
To: Blondel, V. (Vincent)
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] TCP response time | Proxy efficiency | Paging .. pending questions

Hi,

Do you mind sending how to tune or tweak squid+dansguardian with 300 concurrent users.

Thanks in advance!
Gerard

On Tue, Aug 25, 2009 at 6:45 PM, vincent.blon...@ing.be wrote:

Hello all, when looking on the good working of one of my squid proxies, I see some values I think somewhat relevant for increasing the cache_mem. next to my investigations I can see this machine receives some 130req/s, sends some 80 req/s, caches some 1.2 million objects on disk. this is the very basic part of it.
[squid-users] deny access with squid_ldap_group
Hello,

I am trying to block Internet access for people member of one specific AD Security group called GSIFBENoInternetAccess but I get some issue with it.

When I try the squid_ldap_group process from shell, the mechanism is working well. my service account correctly requests our Active Directory and gives the right response ERR/OK.

When I try this mechanism from squid process, allow/deny is working well but before being blocked by squid_ldap_group I also receive an authentication popup box .. I simply press on CANCEL and receives the personalized error page.

I have read on the net this may come from multiple authentication but I do not see this in my case and if this is the case thks to explain me what's wrong with this ..

Is this coming from the line with ntlmauth just afterwards and how is this possible to make this working without the authentication box ??

# my config ...
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 32
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
...
http_access deny GSIFBENoInternetAccess
deny_info ERR_LDAP GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

many thks to help me.
Vincent.
RE: [squid-users] deny access with squid_ldap_group
Hello,

I am trying to block Internet access for people member of one specific AD Security group called GSIFBENoInternetAccess but I get some issue with it.

When I try the squid_ldap_group process from shell, the mechanism is working well. my service account correctly requests our Active Directory and gives the right response ERR/OK.

When I try this mechanism from squid process, allow/deny is working well but before being blocked by squid_ldap_group I also receive an authentication popup box .. I simply press on CANCEL and receives the personalized error page.

I have read on the net this may come from multiple authentication but I do not see this in my case and if this is the case thks to explain me what's wrong with this ..

Is this coming from the line with ntlmauth just afterwards and how is this possible to make this working without the authentication box ??

Yes it is.

# my config ...
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 32
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED
...
external_acl_type gg_nointernet ttl=3600 children=8 %LOGIN /usr/local/bin/squid_ldap_group ... -p 389 -P -t 2 -c 3 -R -S +
acl GSIFBENoInternetAccess external gg_nointernet GSIFBENoInternetAccess
...

Replace this:

http_access deny GSIFBENoInternetAccess
deny_info ERR_LDAP GSIFBENoInternetAccess

with this:

# maybe needed to force credentials to be present
#
http_access deny !ntlmauth
# do the group checking and custom denial page
# without another auth popup.
#
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage

http_access allow ntlmauth
http_reply_access allow all
http_access deny all

first of all many thks for the quick reply .. I tried your proposal and seems to work. I still have to check everything is ok at ldap and ntlm level but seems well until now ..

about your config there is something I do not understand ..

when I look at what I tried before, I deny all member of group GSIFBENoInternetAccess before requesting for authentication so afaik processing stops after the first line .. Is this correct and do I say something wrong with this ??

http_access deny GSIFBENoInternetAccess
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

when I look at your proposal what I understand, client is first requested with authentication (407), then you simply define an acl matching everything, you deny all member of GSIFBENoInternetAccess for everybody (ldapErrPage is matching in this case 0.0.0.0/0.0.0.0) and last but not least but this part is not clear for me, you request credentials for the second time

http_access deny !ntlmauth
acl ldapErrPage src all
deny_info ERR_LDAP ldapErrPage
http_access deny GSIFBENoInternetAccess ldapErrPage
http_access allow ntlmauth
http_reply_access allow all
http_access deny all

in other words why did you force authentication before and after the ldap group ? I see two times ntlmauth so you should authenticate two times for the same request, right ? why did you define an acl called ldapErrPage, without ldapErrPage is not enough ?

many thks for your answers.

many thks to help me.
Vincent.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
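An added example, not part of the original posts and not Squid's own code: a simplified Python model of the http_access walk for the two rule sets in this thread. It assumes Squid's documented behaviour that a matching deny line whose last ACL is authentication-related is answered with a new 407 challenge, while any other last ACL yields 403 with that ACL's deny_info page; the user names are constructed.

```python
"""Simplified model of Squid's http_access walk (first matching line wins)."""
from typing import NamedTuple, Optional

NEED_AUTH = object()  # sentinel: the ACL cannot be tested without credentials

# ACL kinds as declared in the thread's squid.conf
AUTH_ACLS = {"ntlmauth", "GSIFBENoInternetAccess"}  # proxy_auth / external %LOGIN
MATCH_ALL = {"all", "ldapErrPage"}                  # src all


class Request(NamedTuple):
    user: Optional[str]              # None: no credentials presented yet
    groups: frozenset = frozenset()  # groups squid_ldap_group would confirm


def check_acl(name, req):
    if name in MATCH_ALL:
        return True
    if req.user is None:
        return NEED_AUTH
    if name == "ntlmauth":
        return True                  # any authenticated user
    return name in req.groups        # external group lookup


def evaluate(rules, deny_info, req):
    """Return (status, detail) for the first http_access line that matches."""
    for action, acls in rules:
        matched = True
        for token in acls:
            negated = token.startswith("!")
            result = check_acl(token.lstrip("!"), req)
            if result is NEED_AUTH:
                return 407, "initial challenge"  # normal, silent NTLM handshake
            if result == negated:                # this ACL did not match
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return 200, "allowed"
        last = acls[-1].lstrip("!")              # last ACL decides the response
        page = deny_info.get(last, "default error page")
        if last in AUTH_ACLS:
            return 407, page  # asks for different credentials: browser popup
        return 403, page      # plain denial with the custom page
    return 403, "default error page"


# Rule set from the original question
ORIGINAL = (
    [("deny", ["GSIFBENoInternetAccess"]),
     ("allow", ["ntlmauth"]),
     ("deny", ["all"])],
    {"GSIFBENoInternetAccess": "ERR_LDAP"},
)
# Rule set proposed in the reply (as restated in the follow-up)
FIXED = (
    [("deny", ["!ntlmauth"]),
     ("deny", ["GSIFBENoInternetAccess", "ldapErrPage"]),
     ("allow", ["ntlmauth"]),
     ("deny", ["all"])],
    {"ldapErrPage": "ERR_LDAP"},
)

# Constructed requests
ANON = Request(None)
BLOCKED = Request("alice", frozenset({"GSIFBENoInternetAccess"}))
NORMAL = Request("bob")


def compare():
    """Map each constructed request to its (original, fixed) outcome."""
    cases = {"anonymous": ANON, "blocked member": BLOCKED, "normal user": NORMAL}
    return {label: (evaluate(*ORIGINAL, req), evaluate(*FIXED, req))
            for label, req in cases.items()}


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:15} original={before} fixed={after}")
```

In the model an already authenticated request passes `deny !ntlmauth` without a second challenge, and only the blocked member's outcome changes between the two rule sets.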
[squid-users] squid_ldap_group concurrency
Hello all,

has somebody already got some experience with squid_ldap_group on squid 2.7.X because I try to find some info on what reasonable value I can define for concurrency and if concurrency can also be used with children ...

let we say something like this :

external_acl_type name children=?? concurrency=?? ...

many thks
Vincent.
[squid-users] squid 2.7 with auth passthrough
Hello,

Can somebody say me if WWW-Authenticate header is really functional on Squid 2.7.4 because I spent the whole day trying to help one business user with his application and always receive 401 error code.

my proxy should reach the origin IIS server directly next to the always_direct/never_direct definitions and this is what I see in the logs. this does not work so I also made a special cache_peer definition and tried with or without connection-auth=on, connection-auth=off .. I also tried with login=PASS but nothing works ...

so my question is .. Is that a normal behaviour ? Do I do something wrong ? Do I have to do something else ?

many thks
Vincent.

- ING Belgium SA/nv - Bank/Lender - Avenue Marnix 24, B-1000 Brussels, Belgium - Brussels RPM/RPR - vat BE 0403.200.393 - BIC (SWIFT) : BBRUBEBB - Account: 310-9156027-89 (IBAN BE 45310-9156027-89). An insurance broker, registered with the Banking, Finance and Insurance Commission under the code number 12381A. -
RE: [squid-users] squid 2.7 with auth passthrough
Hello,

Can somebody say me if WWW-Authenticate header is really functional on Squid 2.7.4 because I spent the whole day trying to help one business user with his application and always receive 401 error code.

my proxy should reach the origin IIS server directly next to the always_direct/never_direct definitions and this is what I see in the logs. this does not work so I also made a special cache_peer definition and tried with or without connection-auth=on, connection-auth=off .. I also tried with login=PASS but nothing works ...

so my question is .. Is that a normal behaviour ? Do I do something wrong ? Do I have to do something else ?

any news ?

many thks
Vincent.
RE: [squid-users] squid 2.7 with auth passthrough
On Tue, 01 Dec 2009 12:12:52 +1300, Amos Jeffries squ...@treenet.co.nz wrote:

On Mon, 30 Nov 2009 13:38:17 +0100, vincent.blon...@ing.be wrote:

Hello, Can somebody say me if WWW-Authenticate header is really functional on Squid 2.7.4 because I spent the whole day trying to help one business user with his application and always receive 401 error code.

Yes the WWW-Authenticate header is functional. Squid by default simply passes it from the receiving connection to the sending connection without change. The method of authentication using it may not be able to cope with stateless HTTP behaviour.

my proxy should reach the origin IIS server directly next to the always_direct/never_direct definitions and this is what I see in the logs. this does not work so I also made a special cache_peer definition and tried with or without connection-auth=on, connection-auth=off .. I also tried with login=PASS but nothing works ... so my question is .. Is that a normal behaviour ? Do I do something wrong ? Do I have to do something else ?

Is the IIS server trying to do NTLM login across the web? This can be a major headache. NTLM and NTLM-like authentication assume end-to-end stateful connectivity. This works okay when only stateful NAT or a hacked-up proxy is being used. But fails if even one hop across the network is stateless.

For NTLM and Negotiate you need both cache_peer options

connection-auth=on login=PASS

Nearly forgot: If regular proxy authentication is also being used the originserver setting cannot be used with NTLM cache_peer pass-thru.

Along with:

client_persistent_connections on
server_persistent_connections on

NP: if you added no-connection-auth to http_port it needs to be absent.

You may also want to raise the connection timeout persistent_request_timeout but do so carefully, since each pconn held in a locked state by NTLM is N less client connections usable in parallel.

first of all many thks for your reply :-)

I made the settings and more proposed, here my conclusions ...

When I remove originserver the connection breaks immediately with page cannot be displayed

When I set originserver forceddomain and connection-auth, sometimes it works, sometimes NOT

when it fails the client also receives a page cannot be displayed

so the normal working of the application prompts the user a first time for credentials, this seems to work, the user can use the application and when he wanna click on a specific button, it works and not depending on what ?

Below you get the last lines of the squid logging but I wonder to not always see the PARENT 10.66.125.102 but also NONE/ ???

1259769370.111 20 10.67.229.216 TCP_MISS/304 466 GET http://services.group.intranet/rec/Images/status1.gif - NONE/- -
1259769370.303 14 10.67.229.216 TCP_MISS/401 3016 GET http://services.group.intranet/rec/images/open_detail.gif - FIRST_UP_PARENT/10.66.125.102 text/html
1259769370.355 6 10.67.229.216 TCP_MISS/401 3301 GET http://services.group.intranet/rec/images/open_detail.gif - NONE/- text/html
1259769370.373 17 10.67.229.216 TCP_MISS/304 466 GET http://services.group.intranet/rec/images/open_detail.gif - NONE/- -
1259769377.543 13 10.67.229.216 TCP_MISS/401 3016 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769377.589 10 10.67.229.216 TCP_MISS/401 3301 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769377.692 102 10.67.229.216 TCP_MISS/200 130429 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769381.417 18 10.67.229.216 TCP_MISS/401 541 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - FIRST_UP_PARENT/10.66.125.102 text/html

the POST in the last line just above is the query giving problems at time to time

below the current config

client_persistent_connections on
server_persistent_connections on
acl protime url_regex -i ^http://services.group.intranet/rec
acl protime_src src 10.67.229.216
cache_peer 10.66.125.102 parent 80 0 forceddomain=services.group.intranet originserver proxy-only no-query no-digest connection-auth=on login=PASS
cache_peer_access 10.66.125.102 allow protime
cache_peer_access 10.66.125.102 deny all
always_direct deny protime
never_direct allow protime

we are very close to get a full final working solution but seems to miss something else

any idea ??

Amos
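An added example, not part of the original posts: a Python pass over the access.log lines quoted in the message above that chains each 401 to the retries that follow it and flags exchanges that never get past the challenge. The log lines are the message's own with the extraction damage repaired; `MAX_GAP`, the function names and the verdict labels are assumptions of this example.

```python
import re

# access.log lines from the message above (elapsed field split from the
# timestamp and the wrapped URL rejoined).
LOG = """\
1259769370.111 20 10.67.229.216 TCP_MISS/304 466 GET http://services.group.intranet/rec/Images/status1.gif - NONE/- -
1259769370.303 14 10.67.229.216 TCP_MISS/401 3016 GET http://services.group.intranet/rec/images/open_detail.gif - FIRST_UP_PARENT/10.66.125.102 text/html
1259769370.355 6 10.67.229.216 TCP_MISS/401 3301 GET http://services.group.intranet/rec/images/open_detail.gif - NONE/- text/html
1259769370.373 17 10.67.229.216 TCP_MISS/304 466 GET http://services.group.intranet/rec/images/open_detail.gif - NONE/- -
1259769377.543 13 10.67.229.216 TCP_MISS/401 3016 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769377.589 10 10.67.229.216 TCP_MISS/401 3301 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769377.692 102 10.67.229.216 TCP_MISS/200 130429 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - NONE/- text/html
1259769381.417 18 10.67.229.216 TCP_MISS/401 541 POST http://services.group.intranet/rec/Forms/BasicSkeleton.aspx?Nav=RequestAbsence - FIRST_UP_PARENT/10.66.125.102 text/html
"""

# Squid native log format: time elapsed client code/status bytes method URL
# ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)
MAX_GAP = 2.0  # seconds; assumed upper bound between a 401 and its retry


def parse(text):
    """Parse native-format lines, skipping anything that does not match."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.fullmatch(raw.strip())
        if m:
            e = m.groupdict()
            e["ts"], e["status"] = float(e["ts"]), int(e["status"])
            entries.append(e)
    return entries


def exchanges(entries):
    """Chain a 401 to the next adjacent line for the same client/method/URL."""
    groups = []
    for e in entries:
        key = (e["client"], e["method"], e["url"])
        prev = groups[-1] if groups else None
        if (prev and prev["key"] == key
                and prev["lines"][-1]["status"] == 401
                and e["ts"] - prev["lines"][-1]["ts"] <= MAX_GAP):
            prev["lines"].append(e)
        else:
            groups.append({"key": key, "lines": [e]})
    return groups


def summarize(text):
    """One record per exchange: statuses seen, hierarchy codes and a verdict."""
    report = []
    for g in exchanges(parse(text)):
        statuses = [e["status"] for e in g["lines"]]
        if statuses[-1] == 401:
            verdict = "stalled"        # challenge never followed by a final reply
        elif 401 in statuses:
            verdict = "authenticated"  # 401 challenge(s), then a final reply
        else:
            verdict = "no-challenge"
        report.append({
            "method": g["key"][1], "url": g["key"][2], "statuses": statuses,
            "hier": [e["hier"] for e in g["lines"]], "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in summarize(LOG):
        print(row["verdict"], row["method"], row["statuses"], row["hier"])
```

The grouping only chains adjacent lines, so on a busy proxy the log should first be filtered to one client address.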
RE: [squid-users] any work arounds for bug 2176
Hello all,

Just to inform you I exactly get the same problem. Firstly I thought it was a problem with WWW-Authenticate but it is not ONLY

next is the reference of my first post ...

http://www.squid-cache.org/mail-archive/squid-users/200912/0029.html

I also get this same message ( httpReadReply: Request not yet fully sent ) when sending some POST requests bigger than x bytes to an IIS server ...

I applied the patch from the bugzilla (2176) on a 2.7.4. The user does not receive the traditional 'Page cannot be displayed' from Internet Explorer any more but the browser freezes instead :(-

below the current config ...

client_persistent_connections on
server_persistent_connections on
acl protime url_regex -i ^http://services.group.intranet/rec
acl protime_src src all
cache_peer 1.2.3.4 parent 80 0 forceddomain=services.group.intranet originserver proxy-only no-query no-digest connection-auth=on login=PASS
cache_peer_access 1.2.3.4 allow protime

I am certainly interested with a definitive solution so if I can be part of the tests, just say it ...

many thks
Vincent.

-Original Message-
From: Bill Allison [mailto:bill.alli...@bsw.co.uk]
Sent: Friday, December 18, 2009 10:47 AM
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] any work arounds for bug 2176

Reposted for info to the list, without the attachments that cause the list to bounce the message

-Original Message-
From: Bill Allison
Sent: 18 December 2009 09:43
To: 'Amos Jeffries'; Brett Lymn
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] any work arounds for bug 2176

I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail.

Correction after further testing... I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail, and even then only sometimes, in repeated tests with the same file being uploaded.

Other times the browser reports The connection was reset and tcpdump shows that the proxy sent a FIN to the server then to the client in response to the second 401 from the server. The server closes the connection but the client continues sending a POST and the proxy then sends the client a string of RSTs.

For info Invalid Verb is issued by http.sys in IIS 6.0, in response to receiving a header that is not strictly rfc-compliant (including truncated).

Attached as requested is my squid.conf and tcpdumps of the Invalid Verb and RST failure cases.

Unlike Brett I'm very much a novice C coder but I'm perfectly happy to patch, compile and test if it helps generate a solution.

Regards
Bill A.

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 17 December 2009 09:10
To: Brett Lymn
Cc: Bill Allison; squid-users@squid-cache.org
Subject: Re: [squid-users] any work arounds for bug 2176

Brett Lymn wrote:

On Wed, Dec 16, 2009 at 07:57:21AM -0600, Bill Allison wrote:

Sorry - that was misleading. I've had persistent_connection_after_error set on throughout my testing.

I don't have that in my config file at all so I would guess it is at the default.

Which is off. Now I'm confused.

I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail.

I only tried a large-ish document. We did observe the same strange limit that Bill has seen when we tested without the patch applied, under a certain magic threshold the document would upload - the threshold seemed to be around the 50k mark, over that threshold we would just get popups.

I'd like to correlate network traces with debug output and would appreciate suggestions as to which debug_options would include all possibly relevant info

I am a C coder and may have some time to do some debugging on this between christmas and new year so, Amos, if you have any thoughts or hints as to where to go looking I can certainly have a stab at it.

Thank you.

Any help at all would be great. I *think* the relevant code is off src/client_side_reply.cc, but what to look for is where I'm currently stuck.

The keep_alive values resolved things for you Brett but not Bill. The variable nature of the threshold looks like some timing between actions triggering the bug vs the rate at which Squid is sucking the request in.

AFAIK popups only occur when the client gets sent two re-auth challenges. Which in the un-patched Squid was caused by the first half-authenticated link being closed by Squid before auth could complete. Then the second link being challenged for more auth would cause popup.

I think the next step is to find out what the difference between your two setups is exactly:

* squid.conf
* headers between Squid and the POSTing app.
* headers between Squid and the web server. Particularly in what reply headers are going back.

That should give us a little more of an idea what areas to look at.

If as you say the patch solved
RE: [squid-users] any work arounds for bug 2176
On Fri, Jan 01, 2010 at 12:36:12AM +1300, Amos Jeffries wrote: I've taken a good look at the trace files on this. It's clear that the client is in fact not sending the whole initial POST. What I see happening is that the server early response gets relayed by Squid and if the connection is not aborted Squid receives a small further portion of data from the client before it abruptly stops and starts sending the re-send POST with auth details. Since the client has indicated a certain length X of data then only sends N bytes the start of second request is lost and the server complains that some random bytes mid-way down the repeat POST are an invalid request method verb. Ah, ok. I missed that :) To get this going we are going to have to add to the patch a bit to make Squid delay the relayed reply until the initial POST is fully received. Do you need help with this? I don't know the squid code but should be able to muddle through if you can give a pointer. PS: This has pushed Squid very, very close to the wanted behavior for Expect-100 HTTP/1.1 requests/replies. Thanks guys. Thanks for looking in to this. can somebody say me if there is already a new patch for this bug ?? -- Brett Lymn Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer. - ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. 
Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. - ING Belgium SA/nv - Bank/Lender - Avenue Marnix 24, B-1000 Brussels, Belgium - Brussels RPM/RPR - vat BE 0403.200.393 - BIC (SWIFT) : BBRUBEBB - Account: 310-9156027-89 (IBAN BE 45310-9156027-89). An insurance broker, registered with the Banking, Finance and Insurance Commission under the code number 12381A. ING Belgique SA - Banque/Preteur, Avenue Marnix 24, B-1000 Bruxelles - RPM Bruxelles - tva BE 0403 200 393 - BIC (SWIFT) : BBRUBEBB - Compte: 310-9156027-89 (IBAN: BE 45310-9156027-89). Courtier d'assurances inscrit a la CBFA sous le no 12381A ING Belgie nv - Bank/Kredietgever - Marnixlaan 24, B-1000 Brussel - RPR Brussel - btw BE 0403.200.393 - BIC (SWIFT) : BBRUBEBB - Rekening: 310-9156027-89 (IBAN: BE45 3109 1560 2789). Verzekeringsmakelaar ingeschreven bij de CBFA onder het nr. 12381A. -
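The framing loss described in the message above, as an added simulation that is not Squid code and not part of the original thread: a client declares a Content-Length of X, stops after N body bytes when the early reply reaches it, and re-sends the POST with credentials on the same connection. The host name, path, token and body are constructed, and the parser is a simplified stand-in for the receiving side.

```python
CRLF = b"\r\n"
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def build_post(body: bytes, with_auth: bool) -> bytes:
    """Constructed POST; host, path and token are placeholders."""
    lines = [b"POST /upload HTTP/1.1", b"Host: app.example",
             b"Content-Length: %d" % len(body)]
    if with_auth:
        lines.append(b"Authorization: NTLM <constructed-token>")
    return CRLF.join(lines) + CRLF * 2 + body


def connection_bytes(body: bytes, sent_before_reply=None) -> bytes:
    """Bytes one client writes on a persistent connection.

    sent_before_reply=N: the early reply reached the client after N body
    bytes, so it abandons the rest and re-sends the POST with credentials.
    sent_before_reply=None: the reply was held back until the whole body
    had been received, so the first POST is complete.
    """
    first = build_post(body, with_auth=False)
    if sent_before_reply is not None:
        header_len = len(first) - len(body)
        first = first[:header_len + sent_before_reply]
    return first + build_post(body, with_auth=True)


def frame_requests(stream: bytes):
    """Split a byte stream into requests by Content-Length.

    Returns (token, ok) pairs. Parsing stops at the first request line whose
    first token is not a known method, which is where a receiver would
    report an invalid request method.
    """
    results, pos = [], 0
    while pos < len(stream):
        line_end = stream.find(CRLF, pos)
        request_line = stream[pos:line_end if line_end >= 0 else len(stream)]
        token = request_line.split(b" ", 1)[0]
        if token not in KNOWN_METHODS:
            results.append((token.decode("latin-1"), False))
            break
        head_end = stream.find(CRLF * 2, pos)
        if head_end < 0:
            results.append((token.decode(), False))  # truncated header block
            break
        length = 0
        for header in stream[pos:head_end].split(CRLF)[1:]:
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        results.append((token.decode(), True))
        # The declared length, not the bytes actually sent, decides where
        # the receiver expects the next request to start.
        pos = head_end + len(CRLF * 2) + length
    return results


# Constructed 4200-byte body made of short CRLF-terminated rows.
BODY = b"".join(b"row%04d=constructed\r\n" % i for i in range(200))

if __name__ == "__main__":
    cases = (("reply relayed early, client stops after 1024 bytes", 1024),
             ("reply held until the body is complete", None))
    for label, sent in cases:
        print(label, "->", frame_requests(connection_bytes(BODY, sent)))
```

In the early-reply case the second entry is a fragment from the middle of the re-sent body, rejected as a method; with the reply held back both POSTs frame cleanly.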
[squid-users] coredump files location on Solaris 8
Hello all, Can somebody say me how I can solve the way Squid stores coredump files because I already tried to use coredump_dir and/or starting Squid from a dedicated directory but none of them seem to work on Solaris 8 because dump files are always put in /var/core ? many thks Vincent
[squid-users] RE: coredump files location on Solaris 8
Hello all, Can somebody say me how I can solve the way Squid stores coredump files because I already tried to use coredump_dir and/or starting Squid from a dedicated directory but none of them seem to work on Solaris 8 because dump files are always put in /var/core ? nobody got this problem in the past ? many thks Vincent
RE: [squid-users] RE: coredump files location on Solaris 8
Hi,

I am no Solaris expert, however what about changing the overall system variable on Solaris for crash / core locations to per process core locations?

http://www.c0t0d0s0.org/archives/4388-Less-known-Solaris-features-About-crashes-and-cores-Part-3-Controlling-the-behaviour-of-the-dump-facilities.html
http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV2/p95.html

Best Regards,

this is what I am doing but I use squid with squidguard, ntlm, ldap and it seems the coreadm is not inherited so I get an average of 90 processes running on each of my servers, meaning I made a little script to automatically coreadm each pid but this is not always working so I regularly have to coreadm processes again and again. And this does not explain to me why:

* the current directory and the coredump_dir do not work ?
* I get regularly core dumps in the 20 minutes after the rotation happening at midnight ?

Alex

On Fri, Jan 15, 2010 at 4:31 PM, vincent.blon...@ing.be wrote:

Hello all, Can somebody tell me how I can solve the way Squid stores coredump files because I already tried to use coredump_dir and/or starting Squid from a dedicated directory but none of them seem to work on Solaris 8 because dump files are always put in /var/core ? nobody got this problem in the past ? many thks Vincent
[squid-users] small objects memory caching issue ?
After some memory upgrade to 4GB RAM, I am trying to optimize my squid caches to maintain as most as little objects in memory without storing them on disk. Big objects are not kept in memory but stored on disk. these are my config parameters ...

cache_mem 600 MB
memory_replacement_policy heap GDSF
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
minimum_object_size 16 KB
maximum_object_size 100 KB
cache_swap_low 95
cache_swap_high 95
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache allow all

I notice not all small objects are kept in memory but we are well speaking about objects ...

* not containing ? in the query
* smaller than 16KB
* containing some explicit 'Content-Length' http header
* not containing any 'pragma no-cache' header

so my questions are ...

Is 'squidclient mgr:vm_objects |egrep 'GET|POST'' really the command to get all objects in memory (or is there another command) and is this command real-time (or do we have to expect some delay ) ??

Is the instruction 'cache' applicable for all kind of caching (memory and disk) or this only for disabling disk caching ??

/system SQUID 2.7.4 in internal network behind another Internet Gateway SQUID 2.7.4 in the DMZ/ Solaris 8

many thks to help me Vincent

- ATTENTION: This e-mail is intended for the exclusive use of the recipient(s). This e-mail and its attachments, if any, contain confidential information and/or information protected by intellectual property rights or other rights. This e-mail does not constitute any commitment for ING Belgium except when expressly otherwise agreed in a written agreement between the intended recipient and ING Belgium. If you receive this message by mistake, please, notify the sender with the reply option and delete immediately this e-mail from your system, and destroy all copies of it. You may not, directly or indirectly, use this e-mail or any part of it if you are not the intended recipient.
Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. - ING Belgium SA/NV - Bank/Lender - Avenue Marnix 24, B-1000 Brussels, Belgium - Brussels RPM/RPR - VAT BE 0403.200.393 - BIC (SWIFT) : BBRUBEBB - Account: 310-9156027-89 (IBAN BE45 3109 1560 2789). An insurance broker, registered with the Banking, Finance and Insurance Commission under the code number 12381A. ING Belgique SA - Banque/Preteur, Avenue Marnix 24, B-1000 Bruxelles - RPM Bruxelles - TVA BE 0403 200 393 - BIC (SWIFT) : BBRUBEBB - Compte: 310-9156027-89 (IBAN: BE45 3109 1560 2789). Courtier d'assurances inscrit a la CBFA sous le numero 12381A. ING Belgie NV - Bank/Kredietgever - Marnixlaan 24, B-1000 Brussel - RPR Brussel - BTW BE 0403.200.393 - BIC (SWIFT) : BBRUBEBB - Rekening: 310-9156027-89 (IBAN: BE45 3109 1560 2789). Verzekeringsmakelaar ingeschreven bij de CBFA onder het nr. 12381A. -
RE: [squid-users] small objects memory caching issue ?
After some memory upgrade to 4GB RAM, I am trying to optimize my squid caches to maintain as most as little objects in memory without storing them on disk. Big objects are not kept in memory but stored on disk. these are my config parameters ...

cache_mem 600 MB
memory_replacement_policy heap GDSF
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
minimum_object_size 16 KB
maximum_object_size 100 KB
cache_swap_low 95
cache_swap_high 95
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

The above lines are no longer recommended. Dynamic content can be and is emitted with suitable headers for caching.

many thks for your help, my cache is really behaving like a charm now ...

Instead of this we recommend a new refresh_pattern added directly above the . pattern one:

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

can you give me some clarification on this because not so sure to understand everything ??

cache allow all

I notice not all small objects are kept in memory but we are well speaking about objects ...

* not containing ? in the query
* smaller than 16KB
* containing some explicit 'Content-Length' http header
* not containing any 'pragma no-cache' header

so my questions are ...

Is 'squidclient mgr:vm_objects |egrep 'GET|POST'' really the command to get all objects in memory (or is there another command) and is this command real-time (or do we have to expect some delay ) ??

Yes it is. It is real-time as of the point at which squid started processing that cachemgr request.

Is the instruction 'cache' applicable for all kind of caching (memory and disk) or this only for disabling disk caching ??

Yes this is a global control on cached objects. minimum_object_size and maximum_object_size are also global limits. By specifying minimum_object_size 16KB you are preventing caching of those objects smaller. Since you have Squid 2.7 you have the min-size parameter available on your cache_dir which prevents known smaller objects being stored there.

I recommend a COSS directory for overflow of small objects from the RAM cache. COSS is optimized for small object storage with disk-backing a section of memory. The example COSS configs have all the settings you need to play with for splitting by object size regardless of whether you use COSS.

yes indeed it is foreseen but will be implemented in a next release because I first have to upgrade my package and integrating COSS in it .. not the case today.

Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
[squid-users] deny_info TCP_RESET all ?
just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page. Can somebody help me troubleshoot this problem .. thks in advance .
RE: [squid-users] deny_info TCP_RESET all ?
[EMAIL PROTECTED] wrote:

just one little question. I am trying to get 'deny_info TCP_RESET all' working but cannot. I get a sunos 5.8 running a squid 2.6.12 and I would like not sending any error page to all clients. Maybe I did not really understand the real meaning of this statement but I understand that a reset plus the right error code are sent to any clients including localhost and/or world to any error including 400 503 .. I already tried to put this line everywhere in my config file but when I simply try to telnet the squid server with any statement, let's blablabla, I always get a text/html 503 error page. Can somebody help me troubleshoot this problem .. thks in advance .

What that config statement means is: When user is blocked by the 'all' ACL, reset their TCP connection immediately.

okay .. I see what you mean ...

To use: add 'all' at the end of each *_access line you want clients to receive no error page from.

now ... let us take an example ... let's imagine somebody connects on this squid and types something completely wrong ...

$ telnet localhost 80
..
Escape character is '^]'.
hsjhdqksdkqshdkjqshkd

.. this is the config ..

acl PROTO proto HTTP
acl METHOD method GET
..
http_access deny !PROTO
deny_info TCP_RESET PROTO
..
http_access deny !METHOD
deny_info TCP_RESET METHOD

below are the lines I received in cache.log files ( with debug activated so I get the internal parsing ). You see squid really complains due to invalid method, so it considers this as a bad request ..

2008/08/25 16:26:18| parseHttpRequest: Unsupported method 'hsjhdqksdkqshdkjqshkd
2008/08/25 16:26:18| clientReadRequest: FD 13 (x.x.x.x:50535) Invalid Request

but as you can see I still get a text/html response ..

$ telnet localhost 80
..
Escape character is '^]'.
hsjhdqksdkqshdkjqshkd
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE16
Date: Mon, 25 Aug 2008 14:26:18 GMT
Content-Type: text/html
Content-Length: 1200
Expires: Mon, 25 Aug 2008 14:26:18 GMT
..

So I tested some other things with success and I see your explanation is completely right ... but what did I make wrong in this case ?? thks for your help.

Amos
-- Please use Squid 2.7.STABLE4 or 3.0.STABLE8
[squid-users] compilation issue squid-2.7.STABLE4 on Solaris 8.
Hello all,

When I compile squid 2.6.21 on Solaris 8, I do not get any problem. Everything is running fine but when I try to compile last release 2.7.4 compilation ends with this error message ..

.
Making all in lib
make[1]: Entering directory `/home/u7206160/gnu/squid/squid-2.7.STABLE4/lib'
if /usr/local/bin/gcc -specs=/home/u7206160/gnu/.specs -static-libgcc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../include -I/usr/local/include -I/usr/local/include -xarch=v9 -O2 -pipe -D_REENTRANT -pthreads -MT Array.o -MD -MP -MF .deps/Array.Tpo -c -o Array.o Array.c; \
then mv -f .deps/Array.Tpo .deps/Array.Po; else rm -f .deps/Array.Tpo; exit 1; fi
gcc: language arch=v9 not recognized
gcc: Array.c: linker input file unused because linking not done
mv: cannot access .deps/Array.Tpo
make[1]: *** [Array.o] Error 2
make[1]: Leaving directory `/home/u7206160/gnu/squid/squid-2.7.STABLE4/lib'
make: *** [all-recursive] Error 1
.

After looking at the compilation phase, I see configure script does not find any openssl, sasl, kerberos, ... and finally once the compilation starts, I get message above. Below my compile script ..

.
# Values containing spaces are quoted so env passes each one as a single NAME=VALUE argument.
/usr/bin/env -i \
  PATH=$_PATH \
  CC="/usr/local/bin/gcc -specs=/home/u7206160/gnu/.specs -static-libgcc" \
  CXX="/usr/local/bin/g++ -specs=/home/u7206160/gnu/.specs -static-libgcc" \
  AUTOCONF=/usr/local/bin/autoconf \
  AUTOHEADER=/usr/local/bin/autoheader \
  AUTOIFNAMES=/usr/local/bin/ifnames \
  AUTOM4TE=/usr/local/bin/autom4te \
  AUTORECONF=/usr/local/bin/autoreconf \
  AUTOSCAN=/usr/local/bin/autoscan \
  AUTOUPDATE=/usr/local/bin/autoupdate \
  INSTALL="/usr/local/bin/install -c -o bin -g bin -m 755" \
  INSTALL_DATA="/usr/local/bin/install -o bin -g bin -m 444" \
  INSTALL_PROGRAM="/usr/local/bin/install -o bin -g bin -m 555" \
  INSTALL_SCRIPT="/usr/local/bin/install -o bin -g bin -m 555" \
  CFLAGS="-O2 -pipe" \
  CPPFLAGS="-I$_PREFIX/include" \
  LDFLAGS="-L$_PREFIX/lib -R$_PREFIX/lib" \
  LD_OPTIONS="$_LD" \
  SHELL=/bin/sh \
  CONFIG_SHELL=/bin/sh \
  ./configure \
  --prefix=$_PREFIX \
  --sysconfdir=$_PREFIX/etc/squid \
  --libexecdir=$_PREFIX/libexec/squid \
  --datarootdir=$_PREFIX \
  --datadir=$_PREFIX/etc/squid \
  --localstatedir=$_PREFIX/squid \
  --with-large-files \
  --enable-large-cache-files \
  --with-pthreads \
  --enable-dl-malloc \
  --enable-storeio=ufs,diskd,null \
  --enable-removal-policies=lru,heap \
  --enable-snmp \
  --enable-wccp \
  --enable-wccpv2 \
  --enable-delay-pools \
  --enable-htcp \
  --enable-ssl \
  --with-openssl=$_PREFIX \
  --enable-cache-digests \
  --enable-underscores \
  --enable-referer-log \
  --enable-useragent-log \
  --enable-auth=basic,digest,negotiate,ntlm \
  --enable-basic-auth-helpers=DB,MSNT,SMB,LDAP,SASL \
  --enable-digest-auth-helpers=password,ldap \
  --enable-external-acl-helpers=ip_user,session,unix_group,wbinfo_group,ldap_group \
  --enable-ntlm-auth-helpers=SMB \
  --enable-negotiate-auth-helpers=squid_kerb_auth \
  --enable-err-languages="English French Dutch German Italian Portuguese Spanish" \
  --enable-default-err-language=English \
  --disable-linux-netfilter \
  --disable-linux-tproxy \
  --disable-carp \
  --disable-epoll \
  --disable-kqueue \
  --disable-ident-lookups \
  --build=sparc64-sun-solaris2.8

/usr/bin/env -i PATH=$_PATH LD_OPTIONS="$_LD" /usr/local/bin/make
sudo /usr/bin/env -i PATH=$_PATH LD_OPTIONS="$_LD" /usr/local/bin/make install
.

Can somebody help me solving this problem .. thks ??

Vincent.
RE: [squid-users] compilation issue squid-2.7.STABLE4 on Solaris 8.
On Sat, 2008-10-11 at 18:30 +0200, [EMAIL PROTECTED] wrote:

Hello all, When I compile squid 2.6.21 on Solaris 8, I do not get any problem. Everything is running fine but when I try to compile last release 2.7.4 compilation ends with this error message ..

Do you get the same error if you run just

env -i \
  CC="/usr/local/bin/gcc -specs=/home/u7206160/gnu/.specs -static-libgcc" \
  CXX="/usr/local/bin/g++ -specs=/home/u7206160/gnu/.specs -static-libgcc" \
  ./configure
make

Probably the culprit is --with-large-files (and --with-large-cache-files). These should only be used on 32-bit platforms, not platforms where I/O is natively 64-bits..

you get it, this seems the problem but I am not really sure to understand the explanation. What does it change at compilation phase ??

Finally, a little remark, I do not know if this issue has already been reported but when I compile squid_kerb_auth I have to use a workaround like this to get it compiled ..

sudo /usr/local/bin/sed -i 's/^\(KERBLIBS.*\)/\1 -lsocket/g' helpers/negotiate_auth/squid_kerb_auth/Makefile

many thanks for your help

Vincent

Regards
Henrik
[squid-users] URL cnbc.com : Video Streaming Problems.
Hello all,

Our dealing room is trying to read some video streaming on www.cnbc.com ( Menu Video / Click on a Video ) but we encounter lots of problems with it because we cannot view these videos. We are using Squid-2.5-STABLE12 and it is not working. We also tried it with a very light config on Squid-2.6-STABLE12 on Ubuntu and we get exactly the same problem. Finally if you try this on a classic w2k desktop with Internet Explorer, we do not get any problem. I looked at the headers, mime-types but do not find anything that can explain this blocking situation.

http_port 3128
cache_effective_user proxy
cache_effective_group proxy
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache_dir null /null
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Many thanks to help us resolving this problem.

Regards

Vincent Blondel
ING South West Europe OpsIT Banking Infrastructure ITI DCO GBS NM Team 3
Cours Saint Michel, 60 1040 Bruxelles - Belgium CSM 3-T2 - TLL 23
* +32 2 738 43 73 * [EMAIL PROTECTED]

Disclaimer: This e-mail is intended for the exclusive use by the person(s) mentioned as recipient(s).
This e-mail and its attachments, if any, contain confidential information and/or information protected by intellectual property rights or other rights. This e-mail does not constitute any commitment for ING or its subsidiaries except when expressly otherwise agreed in a written agreement between the intended recipient and the originating subsidiaries of ING, sender of the mail. If you receive this message by mistake, please, notify the sender with the reply option and delete immediately this e-mail from your system, and destroy all copies of it. You may not, directly or indirectly, use, disclose, distribute, print or copy, this e-mail or any part of it if you are not the intended recipient. You have to take at any time all necessary measures against viruses.
RE: [squid-users] URL cnbc.com : Video Streaming Problems.
On Wed 2007-04-11 at 20:42 +0200, Vincent Blondel wrote:

On Wed, 2007-04-11 at 15:49 +0200, Henrik Nordstrom wrote:

On Wed 2007-04-11 at 14:36 +0200, [EMAIL PROTECTED] wrote:

Hello all, Our dealing room is trying to read some video streaming on www.cnbc.com ( Menu Video / Click on a Video ) but we encounter lots of problems with it because we cannot view these videos.

Do Windows Media Player streaming video work on other sites?

If I look at videos on other sites like Youtube.com, we do not get any problem

Youtube uses flash, not Windows Media Player.

If I try http://videodetective.com, we do not get any problem. After looking for a while, I suspect we get some problems due to ntlm authentication but we get a problem with it. We tried to put some sites without authentication but when clicking on videos, URL destinations are changing from video to video. So I do not know how we will solve the problem.

Regards
Henrik
[squid-users] httpAccept: FD 51: accept failure: (130) Software caused connection abort.
Hello all,

I have been working for ING bank in Belgium. I am responsible for the system administration of the Squid environment to let our internal employees surf on the Internet. We get 15000 employees, all surfing through our 8 solaris servers. You can find below characteristics for all these servers :

SUNW,Sun-Fire-V210
SunOS 5.8 Generic_117000-03 sun4u sparc
2048 Mb Memory
2 x Gbps bge Network Interfaces
2 x internal disks ( soft mirror except for the cache partition )
2 X 20Go Squid Cache ( one on each disk ).

If I look at the statistics, we currently get 1753764 cached objects on one of my Squid servers and such 60 HTTP Requests per second.

We also already optimized our Solaris machines by setting up two caches separately defined on two disks, all of them mounted with next options

/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /ING/SQUID/var/cache0 ufs 2 yes logging,noatime
/dev/dsk/c0t1d0s5 /dev/rdsk/c0t1d0s5 /ING/SQUID/var/cache1 ufs 2 yes logging,noatime

We also defined next IPC parameters on each host

set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmmax=2097152
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048

But we get a problem. Our HTTP traffic is increasing a bit every day and I noticed today we get lots of these messages in cache.log.
2007/04/02 07:59:27| comm_accept: FD 51: (130) Software caused connection abort
2007/04/02 07:59:27| httpAccept: FD 51: accept failure: (130) Software caused connection abort
2007/04/02 08:16:27| comm_accept: FD 51: (130) Software caused connection abort
2007/04/02 08:16:27| httpAccept: FD 51: accept failure: (130) Software caused connection abort
2007/04/02 08:19:50| comm_accept: FD 51: (130) Software caused connection abort
2007/04/02 08:19:50| httpAccept: FD 51: accept failure: (130) Software caused connection abort
2007/04/02 08:22:48| comm_accept: FD 51: (130) Software caused connection abort
2007/04/02 08:22:48| httpAccept: FD 51: accept failure: (130) Software caused connection abort
2007/04/02 08:22:50| comm_accept: FD 51: (130) Software caused connection abort
2007/04/02 08:22:50| httpAccept: FD 51: accept failure: (130) Software caused connection abort

I restarted process squid this morning but this did not solve the problem. After some search on the net, it seems we get some network buffers problems. It could be we can solve the problem by increasing some values in /etc/system but I do not know which one I can increase. You can find below some results from these next statements :

cat cache.log
ulimit -a
squidclient mgr:info
/usr/sbin/sysdef -i

I would appreciate your help because all of these machines are running in our production environment and we can get in trouble if I do not solve it.

Regards.

***
2007/04/02 07:55:48| Starting Squid Cache version 2.5.STABLE12 for sparc-sun-solaris2.8...
2007/04/02 07:55:48| Process ID 24393
2007/04/02 07:55:48| With 1024 file descriptors available
2007/04/02 07:55:48| Performing DNS Tests...
2007/04/02 07:55:48| Successful DNS name lookup tests...
2007/04/02 07:55:48| DNS Socket created at 0.0.0.0, port 61044, FD 6
2007/04/02 07:55:48| Adding nameserver 10.66.122.32 from squid.conf
2007/04/02 07:55:48| Adding nameserver 10.66.67.3 from squid.conf
2007/04/02 07:55:51| Referer logging is disabled.
2007/04/02 07:55:51| Unlinkd pipe opened on FD 47
2007/04/02 07:55:51| Swap maxSize 3072 KB, estimated 2363076 objects
2007/04/02 07:55:51| Target number of buckets: 118153
2007/04/02 07:55:51| Using 131072 Store buckets
2007/04/02 07:55:51| Max Mem size: 409600 KB
2007/04/02 07:55:51| Max Swap size: 3072 KB
2007/04/02 07:55:51| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2007/04/02 07:55:51| Store logging disabled
2007/04/02 07:55:51| Rebuilding storage in /ING/SQUID/var/cache0 (CLEAN)
2007/04/02 07:55:51| Rebuilding storage in /ING/SQUID/var/cache1 (CLEAN)
2007/04/02 07:55:51| Using Least Load store dir selection
2007/04/02 07:55:51| Current Directory is /ING/SQUID
2007/04/02 07:55:51| Loaded Icons.
2007/04/02 07:55:51| Accepting HTTP connections at 10.66.184.64, port 8080, FD 51.
2007/04/02 07:55:51| Accepting HTTP connections at 0.0.0.0, port 8080, FD 53.
2007/04/02 07:55:51| Accepting ICP messages at 0.0.0.0, port 3130, FD 54.
2007/04/02 07:55:51| Accepting HTCP messages on port 4827, FD 55.
2007/04/02 07:55:51| Accepting SNMP messages on port 3401, FD 56.
2007/04/02 07:55:51| WCCP Disabled.
2007/04/02 07:55:51| Configuring Parent 10.66.9.233/8080/0
2007/04/02 07:55:51| Configuring Parent 10.66.9.232/8080/0
2007/04/02 07:55:51| Configuring Parent 10.66.9.235/8080/0
2007/04/02 07:55:51| Configuring Parent 10.66.9.234/8080/0
2007/04/02 07:55:51| Configuring Parent 10.66.17.36/7001/0
2007/04/02