Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2014-12-18 Thread Amos Jeffries

On 18/12/2014 5:32 p.m., Roman Gelfand wrote:
> *The squid version is 3.4.5.  The server certificate is sslv3
> generated by openssl.  Not quite sure as to what the problem is.*
> 

Problem 1: "The server certificate is sslv3"

A certificate has two things:
 * a format+data
 * a security key

Neither of these things is particularly attached to use on the SSLv3
*protocol*, other than being defined there. The format used by all
protocols SSLv2 and later is self-descriptive; you should be able to
use it for secure TLS.

Did you mean cert format v3?


> 
> *Failed to establish a secure connection to 192.168.3.108*
> 
> The system returned:
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
> Handshake with SSL server failed: error:140770FC:SSL 
> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> 
> This proxy and the remote host failed to negotiate a mutually
> acceptable security settings for handling your request. It is
> possible that the remote host does not support secure connections,
> or the proxy is not satisfied with the host security credentials.
> 
> 

This seems to be *a* Squid generated error page BUT...

> 
> The ssl configuration is...
> 
> https_port 443 cert=/etc/ssl/certs/webfarm.crt 
> key=/etc/ssl/private/webfarm.key accel vport 
> options=NO_SSLv2:NO_TLSv1:CIPHER_SERVER_PREFERENCE 
> cipher=RC4:!MD5:!aNULL:!EDH
> 

Problem 2:

Squid-3 no longer implicitly enables "options=ALL". What that means is
that if you explicitly configure an options= or cipher= only what you
specifically configure there is available for use.
Omitting those parameters entirely uses the OpenSSL library's config
settings rather than "ALL".

Your proxy is presenting a very restricted set of ciphers. RC4 only,
with SSLv3, TLSv1.1, TLSv1.2 as protocol.


> cache_peer 192.168.3.108 parent 80 0 no-query originserver
> login=PASS front-end-https=on name=cmm2Server
> 
> acl cmm2 dstdomain [my domain]
> cache_peer_access cmm2Server allow cmm2
> never_direct allow cmm2
> 
> http_access allow cmm2
> 

You have no TLS/SSL settings on this cache_peer. So Squid has no
reason to be using SSL/TLS to connect to it.

You don't mention any sslproxy_* settings so I can't be sure. But the
only way for your proxy to generate that page is for something like
https://192.168.3.108/ to be requested by the client and allowed
through your proxy.


Far more likely it comes from some other proxy which does proper
security checking and is complaining about your https_port requirements.


My advice:
* see if your cert can be used over any of the TLS versions. Very
likely it can, especially as you are already offering to use it over
TLSv1.1 or TLSv1.2.

* update the proxy allowed ciphers to include some modern secure ones.
 - may require upgrading your OpenSSL library.

* If the cert really is tying you back see if you can get a
better/newer one.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Debian 7 LDAP auth to 2008r2

2014-12-18 Thread Amos Jeffries

On 18/12/2014 11:28 a.m., Bert wrote:
> Man I just can't seem to make this work. I followed this guide:
> 
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> and everything went well but as soon as I get to the
> squid_ldap_group test I get nothing back, or the second time I hit
> enter it returns an "invalid entry" error.
> 
> /usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local"
> -D squid@example.local -W /etc/squid3/ldappass.txt -f
> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))"
> -h dc1.example.local
> EXAMPLE\Username Internet%20Users%20Standard
> 
> Can anyone tell me what to look for as far as testing? I have run 
> this test with debug -d but that doesn't seem to return anything.
> My understanding of the command above is it's taking the basedn and
> a user name that I have setup and created a password for and
> attempting to query the AD server that is listed after the -h
> option. The part of the line I don't understand is cn=%g. No idea
> what might be plugged in there as "g" is not initialized anywhere.

%g is the group name being looked up.

acl .. external groupName1 groupName2 ...

> Based on the options returned after squid_ldap_group I think I get
> what's going on and the last two entries on the line are the
> queried username against the security groups I created in AD and
> the user I have been testing is a member of the internet users
> group. This seems pretty straight forward but I get nothing and so
> this query is basically the same in the squid.conf so if it doesn't
> work here it's obviously not going to work from a browser.
> 

The tutorial is a bit broken.

Firstly, it does not explain that the "bug" forcing group names to be
kept in files loaded by the Squid external ACL is that the squid.conf
parser uses whitespace as reserved characters delimiting words.
The normal ACL syntax is:
  acl foo external memberof Group1Name Group2Name ...

It then recommends putting that -f parameter, which contains
whitespace, directly in squid.conf...


You need to replace "Security Groups" with "Security\ Groups" and if
that does not work by itself upgrade to a current Squid version.
Squid-3.4 or later should accept \-escapes in quoted strings.

Amos
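Added example, written for this page and not Squid's, the helper's or the tutorial's code: a small tokenizer that models the squid.conf word-splitting rules Amos describes (whitespace ends a word, double quotes group words, a backslash keeps the next character, which is the Squid-3.4 behaviour he mentions), so you can see why `Security Groups` turns into two ACL values, together with the %v/%g substitution the `-f` template above relies on. The function names, the `-S` domain stripping, the URL-decoding of the inputs and the RFC 4515 filter escaping are this example's own choices; the real helper's escaping is not shown on this page.

```python
"""Added example, not Squid's or the tutorial's code: models the squid.conf
word-splitting rules described in the thread and the %v/%g substitution the
squid_ldap_group -f template relies on."""
import re
from typing import List
from urllib.parse import unquote

# The -f template from the post above (the group DN contains a space).
GROUP_FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                         "(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,"
                         "dc=example,dc=local))")


def tokenize_squid_conf_line(line: str) -> List[str]:
    r"""Split one squid.conf line into words (assumed rules, not Squid's parser):
    unescaped whitespace ends a word, double quotes group words, and a
    backslash keeps the next character literally. So `Security Groups` is two
    ACL values, while `Security\ Groups` or `"Security Groups"` is one."""
    tokens: List[str] = []
    current: List[str] = []
    in_word = in_quote = escaped = False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
            in_word = True
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote       # the quotes themselves are dropped
            in_word = True
        elif ch.isspace() and not in_quote:
            if in_word:
                tokens.append("".join(current))
                current = []
                in_word = False
        else:
            current.append(ch)
            in_word = True
    if in_word:
        tokens.append("".join(current))
    return tokens


def ldap_filter_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters (this example's own precaution
    before a caller-supplied value lands inside a search filter)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def strip_nt_domain(user: str) -> str:
    """Model of the helper's -S option: drop a leading NT domain
    (DOMAIN\\user or DOMAIN/user) and a trailing @realm."""
    for sep in ("\\", "/"):
        if sep in user:
            user = user.split(sep, 1)[1]
    return user.split("@", 1)[0]


def build_group_filter(template: str, user: str, group: str) -> str:
    """Fill the -f template: %v is the login name, %g the group name that
    the ACL asked the helper to check. Both are URL-decoded first because
    the post passes the group as Internet%20Users%20Standard (assumption:
    the helper decodes the same way), then filter-escaped."""
    user = ldap_filter_escape(strip_nt_domain(unquote(user)))
    group = ldap_filter_escape(unquote(group))
    return template.replace("%v", user).replace("%g", group)


if __name__ == "__main__":
    acl_line = "acl internet external memberof Internet Users Standard"
    print(tokenize_squid_conf_line(acl_line)[4:])   # three separate values
    print(tokenize_squid_conf_line(r"acl internet external memberof Internet\ Users\ Standard")[4:])
    print(build_group_filter(GROUP_FILTER_TEMPLATE, r"EXAMPLE\Username",
                             "Internet%20Users%20Standard"))
```

Run it and the first line shows the group name split into three ACL values, the second shows the escaped form surviving as one value, and the last shows the filter the helper would send for the user and group given on the command line in the post.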


[squid-users] Squid 3.4.10 incorrectly configured on Solaris 10

2014-12-18 Thread Yuri Voinov

 
Hi there,

yesterday (and during the last four days) I've tried to build a transparent
caching proxy on a Solaris 10 (x86_64) testing environment.

Configuration options are:

# Without SSL 64 bit GCC
./configure '--prefix=/usr/local/squid' '--enable-translation'
'--enable-external-acl-helpers=file_userip,unix_group'
'--enable-icap-client' '--enable-ipf-transparent'
'--enable-storeio=diskd' '--enable-removal-policies=lru,heap'
'--enable-devpoll' '--disable-wccp' '--enable-wccpv2'
'--enable-http-violations' '--enable-follow-x-forwarded-for'
'--enable-arp-acl' '--enable-htcp' '--enable-cache-digests' '--with-dl'
'--enable-auth-negotiate=none' '--disable-auth-digest'
'--disable-auth-ntlm' '--disable-auth-basic'
'--enable-storeid-rewrite-helpers=file'
'--enable-log-daemon-helpers=file' '--with-filedescriptors=131072'
'--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -fPIE
-fstack-protector -mtune=core2 --param=ssp-buffer-size=4 -pipe'
'CXXFLAGS=-O3 -m64 -fPIE -fstack-protector -mtune=core2
--param=ssp-buffer-size=4 -pipe' 'CPPFLAGS=-I/usr/include
-I/opt/csw/include' 'LDFLAGS=-fPIE -pie -Wl,-z,now'

But the binaries were built without interceptor support.

Some investigation:

Config.log has errors with ip_nat.h compilation:

configure:27435: checking for netinet/ip_nat.h
configure:27435: g++ -c -m64 -O3 -m64 -fPIE -fstack-protector
-mtune=core2 --param=ssp-buffer-size=4 -pipe -march=native -std=c++11
-I/usr/include -I/opt/csw/include -I/usr/include/gssapi
-I/usr/include/kerberosv5 conftest.cpp >&5
In file included from conftest.cpp:266:0:
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:98:2:
error: 'ipfmutex_t' does not name a type
  ipfmutex_t nat_lock;
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:108:2:
error: 'frentry_t' does not name a type
  frentry_t *nat_fr; /* filter rule ptr if appropriate */
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:112:2:
error: 'ipftqent_t' does not name a type
  ipftqent_t nat_tqe;
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:113:2:
error: 'u_32_t' does not name a type
  u_32_t  nat_flags;
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:114:2:
error: 'u_32_t' does not name a type
  u_32_t  nat_sumd[2]; /* ip checksum delta for data segment */
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:115:2:
error: 'u_32_t' does not name a type
  u_32_t  nat_ipsumd; /* ip checksum delta for ip header */
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:116:2:
error: 'u_32_t' does not name a type
  u_32_t  nat_mssclamp; /* if != zero clamp MSS to this */
  ^
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:117:2:
error: 'i6addr_t' does not name a type
  i6addr_t nat_inip6;

and so configure does not detect IP Filter in the end, ergo cannot build
the interceptor.

Yes, IP Filter is installed in the system. Yes, I've tried to build 32 bit also.
Yes, I've tried to build on another system. Yes, I've tried to play with the
configure options. Yes, I've also tried the development version 3.5.x - with
the same result.

Amos, need your help.

Thanks in advance,

WBR, Yuri



Re: [squid-users] Squid 3.4.10 incorrectly configured on Solaris 10

2014-12-18 Thread Kinkie
Hello Yuri,
  this is probably a system header dependency.
Could you check if the manuals mention anything about ipfmutex_t ? If
they do, at the beginning of the page they should include a list of
#include <...> lines. Could you copy-paste these lines here?

Thanks




-- 
Francesco


Re: [squid-users] Problem with digest authentification and credential backend

2014-12-18 Thread FredB
Patch for squid 3.5.0.3

| Tested with both nonce_count and nonce_max_duration, no problem. Do you know
| if it works with squid 3.5 ?

Be careful, check_nonce_count is broken; you can see in your log that there are
many unexpected 407s. My advice is to set the value check_nonce_count to off.
It's an old bug but fortunately it's transparent for users.

For me still two problems with digest:

1) check_nonce_count -> but not annoying for me ...
2) smp aware -> http://bugs.squid-cache.org/show_bug.cgi?id=3517 because we can 
reduce the cpu load with smp


Amos, I can't post the patch in bugzilla: "The function
Bugzilla::Attachment->create requires a description argument, and that argument
was not set".
I tried some different descriptions without more success (Firefox 34.0).

Regards,

Fred

http://numsys.eu
http://e2guardian.org

diff -aburN src/auth/digest/Config.cc ../squid-3.4.5-good/src/auth/digest/auth_digest.cc
--- src/auth/digest/Config.cc	2014-05-02 14:09:05.0 +0200
@@ -1038,12 +1038,7 @@
 debugs(29, 2, "Username for the nonce does not equal the username for the request");
 nonce = NULL;
 }
-/* check for stale nonce */
-if (authDigestNonceIsStale(nonce)) {
-debugs(29, 3, "The received nonce is stale from " << username);
-digest_request->setDenyMessage("Stale nonce");
-nonce = NULL;
-}
+
 if (!nonce) {
 /* we couldn't find a matching nonce! */
 debugs(29, 2, "Unexpected or invalid nonce received from " << username);
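Review bot: the stale-nonce check is removed from this decode path with nothing put in its place, so after this hunk the only remaining staleness test is whatever the UserRequest.cc hunk adds; the patch description should say the check is being moved, and the leftover empty `+` line should be dropped so the hunk does not add a blank line where the block was. The header is also unusable as posted: `diff -aburN src/auth/digest/Config.cc ../squid-3.4.5-good/src/auth/digest/auth_digest.cc` compares two differently named files from two trees and the `+++` line is missing, so `patch` will not apply it; regenerate it against one tree with both file headers.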
diff -aburN src/auth/digest/UserRequest.cc ../squid-3.4.5-good/src/auth/digest/UserRequest.cc
--- src/auth/digest/UserRequest.cc	2014-05-02 14:09:05.0 +0200
+++ ../squid-3.4.5-good/src/auth/digest/UserRequest.cc	2014-06-11 13:43:31.0 +0200
@@ -152,10 +152,15 @@
 }
 
 /* check for stale nonce */
-if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
-debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
-auth_user->credentials(Auth::Handshake);
-digest_request->setDenyMessage("Stale nonce");
+/* And check for nonce expired */
+/* check Auth::Pending to avoid loop */
+
+if ((!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) || authDigestNonceIsStale(nonce)) && ( user()->credentials() != Auth::Pending )) {
+   debugs(29, 3, HERE << auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+   /* Pending prevent banner and makes a ldap control */
+   auth_user->credentials(Auth::Pending);
+   nonce->flags.valid = false;
+   authDigestNoncePurge(nonce);
 return;
 }
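Review bot: the new condition calls `authDigestNonceIsStale(nonce)` while every other reference in this hunk uses `digest_request->nonce`; unless `nonce` is a local alias for the same object this either fails to compile or tests a different nonce, so use `digest_request->nonce` consistently, including in `nonce->flags.valid = false;` and `authDigestNoncePurge(nonce);`. Dropping `digest_request->setDenyMessage("Stale nonce")` also means the stale case no longer carries the message the previous code attached to the reply, and the description should state what the client now receives instead. Minor: the debugs string `"' validated OK but nonce stale: "` has an unmatched quote (the removed line had `"user '"` before the username), and the added lines are indented differently from the surrounding code.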
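Added example, not Squid's code and not FredB's patch: a minimal model of the two digest nonce checks the patch above touches, the nonce-count replay check that `check_nonce_count` controls (the decision `authDigestNonceIsValid(nonce, nc)` makes) and the staleness check (`authDigestNonceIsStale`), with limits named after the `nonce_max_duration` and `nonce_max_count` directives Fred mentions. The class and method names, the default limits and the injectable clock are this example's own.

```python
"""Added example, not Squid's code: a minimal model of HTTP Digest nonce
bookkeeping showing the nonce-count (nc) replay check and the staleness
check, the two decisions the digest patch in this thread changes."""
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Nonce:
    value: str
    created: float
    last_nc: int = 0      # highest nonce-count accepted so far
    valid: bool = True    # cleared when the nonce is purged


class NonceStore:
    """Limits named after squid.conf directives: nonce_max_duration (seconds),
    nonce_max_count and check_nonce_count. The default values here are this
    example's choices; the clock is injectable so expiry can be tested."""

    def __init__(self, max_duration: float = 1800.0, max_count: int = 50,
                 check_nonce_count: bool = True,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_duration = max_duration
        self.max_count = max_count
        self.check_nonce_count = check_nonce_count
        self.clock = clock
        self._nonces: Dict[str, Nonce] = {}

    def issue(self) -> Nonce:
        """Mint a fresh unpredictable nonce for a 401/407 challenge."""
        nonce = Nonce(value=os.urandom(16).hex(), created=self.clock())
        self._nonces[nonce.value] = nonce
        return nonce

    def is_valid(self, nonce: Nonce, nc: int) -> bool:
        """Replay check: nc must strictly increase with every use of a nonce.
        With check_nonce_count off a repeated nc is accepted, i.e. there is
        no replay protection, which is the cost of the advice above."""
        if not nonce.valid:
            return False
        if self.check_nonce_count and nc <= nonce.last_nc:
            return False
        nonce.last_nc = max(nonce.last_nc, nc)
        return True

    def is_stale(self, nonce: Nonce) -> bool:
        """Stale = older than nonce_max_duration or used nonce_max_count times.
        A stale nonce with a correct digest gets a new challenge carrying
        stale=true, so the client retries without prompting for the password."""
        if not nonce.valid:
            return True
        if self.clock() - nonce.created > self.max_duration:
            return True
        return nonce.last_nc >= self.max_count

    def purge(self, nonce: Nonce) -> None:
        nonce.valid = False
        self._nonces.pop(nonce.value, None)

    def authenticate(self, nonce_value: str, nc: int) -> str:
        """Outcome for one request whose digest already verified:
        'ok', 'replay' (reject), 'stale' (re-challenge with stale=true)
        or 'unknown' (re-challenge with a brand-new nonce)."""
        nonce = self._nonces.get(nonce_value)
        if nonce is None:
            return "unknown"
        if not self.is_valid(nonce, nc):
            return "replay"
        if self.is_stale(nonce):
            self.purge(nonce)
            return "stale"
        return "ok"


if __name__ == "__main__":
    store = NonceStore(max_duration=1800.0, max_count=50)
    n = store.issue()
    for nc in (1, 1, 2):          # the second nc=1 is a replay
        print(nc, store.authenticate(n.value, nc))
```

The difference between 'stale' and 'unknown' matters to the user experience Fred describes: a stale nonce should be answered with a stale=true challenge that the browser satisfies silently from its cached credentials, whereas a plain 407 with no stale flag makes it ask for the password again.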


[squid-users] Error negotiating SSL connection

2014-12-18 Thread HackXBack
2014/12/18 06:16:13 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:13 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 91: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:13 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 80: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 82: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 93: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:15 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 94: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:21 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:21 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 134: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:21 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 135: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:40 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:40 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 93: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:42 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 93: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:43 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 97:  error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:48 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:48 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 93: error::lib(0):func(0):reason(0) (5/0/0)


https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
http_port  3129
http_port  3128 intercept

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/squid/ssl_db/certs/ -M 4MB
sslcrtd_children 32 startup=30 idle=1

ssl_unclean_shutdown on
sslproxy_version 1
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER



ssl_bump server-first all 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Error-negotiating-SSL-connection-tp4668748.html
Sent from the Squid - Users mailing list archive at Nabble.com.
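Added example, written for this page and not code from the post or from Squid: a parser for the `fwdNegotiateSSL` lines above that rejoins the lines the mail client wrapped, tallies them by file descriptor and by error triple, and decodes the triple. In Squid 3's forward.cc the parenthesised numbers after the ERR_error_string() text are the SSL_get_error() code, the SSL_connect() return value and errno, and `error::lib(0):func(0):reason(0)` is what ERR_error_string prints when the OpenSSL error queue is empty. The sample lines are copied from the post; the function names and the regular expressions are this example's own.

```python
"""Added example, not Squid's code: parse fwdNegotiateSSL errors out of a
cache.log excerpt, rejoin wrapped lines, and decode the (ssl_error/ret/errno)
triple that Squid 3 appends to the OpenSSL error text."""
import re
from collections import Counter
from typing import Dict, List

# Lines copied from the post above, including the wrap after "connection".
SAMPLE_LOG = """\
2014/12/18 06:16:13 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:13 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 91: error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:43 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 97:  error::lib(0):func(0):reason(0) (5/0/0)
2014/12/18 06:16:48 kid1| fwdNegotiateSSL: Error negotiating SSL connection
on FD 86: error::lib(0):func(0):reason(0) (5/0/0)
"""

# SSL_get_error() return codes as defined in OpenSSL's ssl.h.
SSL_ERROR_NAMES = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL",
                   2: "SSL_ERROR_WANT_READ", 3: "SSL_ERROR_WANT_WRITE",
                   4: "SSL_ERROR_WANT_X509_LOOKUP", 5: "SSL_ERROR_SYSCALL",
                   6: "SSL_ERROR_ZERO_RETURN"}

RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
NEGOTIATE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| "
    r"fwdNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+):\s+"
    r"(?P<errstr>\S+) \((?P<ssl_error>\d+)/(?P<ret>-?\d+)/(?P<errno>\d+)\)\s*$")


def rejoin_wrapped(text: str) -> List[str]:
    """cache.log records are one line each; a line that does not start with
    a timestamp is a wrapped continuation of the previous record."""
    records: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_negotiate_errors(text: str) -> List[Dict[str, object]]:
    """Extract timestamp, worker, FD, OpenSSL text and the numeric triple."""
    out: List[Dict[str, object]] = []
    for rec in rejoin_wrapped(text):
        m = NEGOTIATE_RE.match(rec)
        if m:
            out.append({"ts": m["ts"], "kid": m["kid"], "fd": int(m["fd"]),
                        "errstr": m["errstr"], "ssl_error": int(m["ssl_error"]),
                        "ret": int(m["ret"]), "errno": int(m["errno"])})
    return out


def summarize(records: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Group by FD (same descriptor reused for the same peer) and by triple."""
    return {"by_fd": Counter(r["fd"] for r in records),
            "by_triple": Counter((r["ssl_error"], r["ret"], r["errno"])
                                 for r in records)}


def explain_triple(ssl_error: int, ret: int, err: int) -> str:
    """Turn (ssl_error/ret/errno) into the OpenSSL meaning."""
    name = SSL_ERROR_NAMES.get(ssl_error, f"unknown({ssl_error})")
    if ssl_error == 5 and ret == 0:
        return (f"{name}: SSL_connect() returned 0, i.e. the peer closed the "
                f"connection (EOF) during the handshake; errno {err} and an "
                "empty OpenSSL error queue give no further detail")
    if ssl_error == 5:
        return f"{name}: socket I/O error, errno {err}"
    return name


if __name__ == "__main__":
    recs = parse_negotiate_errors(SAMPLE_LOG)
    summary = summarize(recs)
    print("by FD:", dict(summary["by_fd"]))
    for triple, count in summary["by_triple"].items():
        print(count, "x", triple, "->", explain_triple(*triple))
```

With the posted lines every record decodes to the same triple, so the next thing to establish is which origin server sits behind the affected descriptors; the counts per FD are there to tell one misbehaving peer from a general problem.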


[squid-users] Unable to configure cache_dir with only TCP_MISS/200

2014-12-18 Thread Red
Using squid 3.3.8 on Ubuntu 14.04.
Copied default configuration file for version from
http://wiki.squid-cache.org/Squid-3.3, modified refresh pattern and acl to:

refresh_pattern .   1440   20% 4320
acl localnet src 129.236.0.0/16 

start squid, execute squidclient http://wiki.squid-cache.org/ twice, get 
expected responses:
1418930476.244565 127.0.0.1 TCP_MISS/200 16286 GET 
http://wiki.squid-cache.org/ - HIER_DIRECT/77.93.254.178 text/html
1418930486.000  0 127.0.0.1 TCP_MEM_HIT/200 16293 GET 
http://wiki.squid-cache.org/ - HIER_NONE/- text/html

Tried to enable cache_dir, add line to config: 
cache_dir ufs /var/spool/squid3 100 16 256

Create  cache with sudo squid3 -z ; start squid, repeat above squidclient 
commands and get only TCP_MISS/200:

1418930731.778   5548 127.0.0.1 TCP_MISS/200 16286 GET 
http://wiki.squid-cache.org/ - HIER_DIRECT/77.93.254.178 text/html
1418930738.044774 127.0.0.1 TCP_MISS/200 16286 GET 
http://wiki.squid-cache.org/ - HIER_DIRECT/77.93.254.178 text/html

Check the cache dirs to see if any file has been created, and one is there:
$ sudo find /var/spool/squid3/ -type f -exec ls -l {} \;
-rw-r- 1 proxy proxy 288 Dec 18 14:25 /var/spool/squid3/swap.state
-rw-r- 1 proxy proxy 16393 Dec 18 14:25 /var/spool/squid3/00/00/0001

Note: I have tried other pages which for sure do not have do-not-cache
instructions, with the same result.

I have tried this on three different Ubuntu machines, no luck.  BTW, the more
complex squid config we have with 3.1.19 on Ubuntu 12 works fine.  Cannot
upgrade for now.
Any help is appreciated.


Bob
 




[squid-users] cache_peer configuration

2014-12-18 Thread Roman Gelfand
My goal is to accept ssl requests/connections from wan, decrypt them and
forward the decrypted requests/connection to apache web server over port
80.  Below, is my configuration to accomplish that.  However, it appears
that the requests/connections from squid to apache web server are
encrypted.  I am not sure why.  How do I make it decrypted?


https_port 443 cert=/etc/ssl/certs/webfarm.crt
key=/etc/ssl/private/webfarm.key accel vport options=ALL

cache_peer 192.168.3.108 parent 80 0 no-query originserver login=PASS
front-end-https=on name=cmm2Server

acl cmm2 dstdomain [my domain]
cache_peer_access cmm2Server allow cmm2
never_direct allow cmm2

http_access allow cmm2


Thanks in advance


[squid-users] Problem with running squid 3.5 on windows 7

2014-12-18 Thread Eldar Akchurin



Hi,
I have cross-compiled squid 3.5 with mingw32-w64 on Ubuntu. The properties are:
c:\squid\sbin>squid -v
Squid Cache: Version 3.5.0.3-20141209-r13687
Service Name: squid
Test build
configure options:  '--host=i686-w64-mingw32' '--prefix=c:/squid' 'CXXFLAGS=-DWINVER=0x601 -D_WIN32_WINNT=0x601 -fpermissive' 'CFLAGS=-DWINVER=0x601 -D_WIN32_WINNT=0x601 -fpermissive' 'BUILDCXX=g++' 'BUILDCXXFLAGS=-DFOO' '--enable-build-info=Test build' 'host_alias=i686-w64-mingw32' --enable-ltdl-convenience

When I try to run it on windows 7 64, it gives a critical error at start, below
is the debug trace:

c:\squid\sbin>squid.exe -X -f squid.conf
2014/12/19 00:17:40.101| debug.cc(403) parseOptions: command-line -X overrides: ALL,7
2014/12/19 00:17:40.101| signal: sig=31 func=sigusr2_handle: (0) No error.
2014/12/19 00:17:40.101| cache_manager.cc(80) registerProfile: registering legacy mem
2014/12/19 00:17:40.101| cache_manager.cc(114) findAction: CacheManager::findAction: looking for action mem
2014/12/19 00:17:40.101| cache_manager.cc(122) findAction: Action not found.
2014/12/19 00:17:40.101| cache_manager.cc(65) registerProfile: registered profile: mem
2014/12/19 00:17:40.101| cache_manager.cc(80) registerProfile: registering legacy squidaio_counts
2014/12/19 00:17:40.111| cache_manager.cc(114) findAction: CacheManager::findAction: looking for action squidaio_counts
2014/12/19 00:17:40.111| cache_manager.cc(122) findAction: Action not found.
2014/12/19 00:17:40.121| cache_manager.cc(65) registerProfile: registered profile: squidaio_counts
2014/12/19 00:17:40.121| rock/RockStoreFileSystem.cc(50) setup: Will use Rock FS
2014/12/19 00:17:40.121| Startup: Initializing Authentication Schemes ...
2014/12/19 00:17:40.121| Startup: Initialized Authentication Scheme 'basic'
2014/12/19 00:17:40.121| Startup: Initialized Authentication Scheme 'digest'
2014/12/19 00:17:40.121| Startup: Initialized Authentication Scheme 'negotiate'
2014/12/19 00:17:40.121| Startup: Initialized Authentication Scheme 'ntlm'
2014/12/19 00:17:40.121| Startup: Initialized Authentication.
2014/12/19 00:17:40.151| tools.cc(47) ProbeTransport: Detected IPv6 hybrid or v4-mapping stack...
2014/12/19 00:17:40.151| tools.cc(61) ProbeTransport: IPv6 transport Enabled
2014/12/19 00:17:40.151| Config.cc(48) registerTokens:  register format tokens for 'adapt'
2014/12/19 00:17:40.151| Config.cc(48) registerTokens:  register format tokens for 'icap'
2014/12/19 00:17:40.151| cache_cf.cc(570) parseConfigFile:
2014/12/19 00:17:40.151| cf_parser.cci(4089) free_all:
2014/12/19 00:17:40.151| Acl.cc(396) Registered: ACL::Prototype::Registered: invoked for type src
2014/12/19 00:17:40.151| Acl.cc(400) Registered: ACL::Prototype::Registered: yes
2014/12/19 00:17:40.151| Acl.cc(97) FindByName: ACL::FindByName 'all'
2014/12/19 00:17:40.151| Acl.cc(103) FindByName: ACL::FindByName found no match
2014/12/19 00:17:40.151| Acl.cc(238) ParseAclLine: aclParseAclLine: Creating ACL 'all'
2014/12/19 00:17:40.151| Acl.cc(432) Factory: ACL::Prototype::Factory: cloning an object for type 'src'
2014/12/19 00:17:40.151| Ip.cc(233) FactoryParse: aclIpParseIpData: all
2014/12/19 00:17:40.161| Ip.cc(237) FactoryParse: aclIpParseIpData: magic 'all' found.
2014/12/19 00:17:40.161| Acl.cc(396) Registered: ACL::Prototype::Registered: invoked for type url_regex
2014/12/19 00:17:40.161| Acl.cc(400) Registered: ACL::Prototype::Registered: yes
2014/12/19 00:17:40.161| Acl.cc(97) FindByName: ACL::FindByName 'manager'
2014/12/19 00:17:40.161| Acl.cc(103) FindByName: ACL::FindByName found no match
2014/12/19 00:17:40.161| Acl.cc(238) ParseAclLine: aclParseAclLine: Creating ACL 'manager'
2014/12/19 00:17:40.161| Acl.cc(432) Factory: ACL::Prototype::Factory: cloning an object for type 'url_regex'
2014/12/19 00:17:40.161| RegexData.cc(303) aclParseRegexList: aclParseRegexList: new Regex line or file
2014/12/19 00:17:40.161| RegexData.cc(311) aclParseRegexList: aclParseRegexList: buffering RE '-i'
2014/12/19 00:17:40.161| RegexData.cc(311) aclParseRegexList: aclParseRegexList: buffering RE '^cache_object://'
2014/12/19 00:17:40.161| RegexData.cc(311) aclParseRegexList: aclParseRegexList: buffering RE '+i'
2014/12/19 00:17:40.161| RegexData.cc(311) aclParseRegexList: aclParseRegexList: buffering RE '^https?://[^/]+/squid-internal-mgr/'
2014/12/19 00:17:40.161| RegexData.cc(194) compileOptimisedREs: compileOptimisedREs: -i
2014/12/19 00:17:40.161| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^cache_object://'
2014/12/19 00:17:40.161| RegexData.cc(208) compileOptimisedREs: compileOptimisedREs: +i
2014/12/19 00:17:40.161| RegexData.cc(153) compileRE: compileRE: compiled '(^cache_object://)' with flags 11
2014/12/19 00:17:40.171| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^https?://[^/]+/squid-internal-mgr/'
2014/12/19 00:17:40.171| RegexData.cc(153) compileRE: compileRE: compiled '(^https?://[^/]+/squid-internal-mgr/)' with flags 

Re: [squid-users] Problem with running squid 3.5 on windows 7

2014-12-18 Thread Amos Jeffries

On 19/12/2014 12:32 p.m., Eldar Akchurin wrote:
> Hi,
> I have cross-compiled squid 3.5 with mingw32-w64 on Ubuntu. The
> properties are:
> c:\squid\sbin>squid -v
> Squid Cache: Version 3.5.0.3-20141209-r13687
> Service Name: squid
> Test build
> configure options:  '--host=i686-w64-mingw32' '--prefix=c:/squid'
> 'CXXFLAGS=-DWINVER=0x601 -D_WIN32_WINNT=0x601 -fpermissive'
> 'CFLAGS=-DWINVER=0x601 -D_WIN32_WINNT=0x601 -fpermissive'
> 'BUILDCXX=g++' 'BUILDCXXFLAGS=-DFOO' '--enable-build-info=Test build'
> 'host_alias=i686-w64-mingw32' --enable-ltdl-convenience
> 
> When I try to run it on windows 7 64, it gives a critical error at
> start, below is the debug trace

> 2014/12/19 00:17:40.171| Address.cc(379) lookupHostIP: Given Non-IP '127.0.0.1': No such host is known.
> 2014/12/19 00:17:40.171| aclIpParseIpData: unknown first address in '127.0.0.1/32'
> 2014/12/19 00:17:40.171| tools.cc(543) leave_suid: leave_suid: PID 4792 called
> FATAL: Bungled Default Configuration line 6: acl localhost src 127.0.0.1/32 ::1
> Squid Cache (Version 3.5.0.3-20141209-r13687): Terminated abnormally.
> CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> 
> Could you please advise what I'm doing wrong or whether this is a bug?
> Thank you!
> -e
> 

Thank you for testing this all out Eldar. It seems you have gotten a
little further than I have with this (I diverted to working on native
MinGW build issues).

This is a bug. Though where it is coming from is still unknown. The
operation being performed is that Squid is passing the IP text string
to the system getaddrinfo() resolver API for conversion to a number.

First thing to check is whether Squid is actually using the native OS
API or the stub replacement bundled in compat/. The config.log file
generated during build will have an entry indicating whether
getaddrinfo() was found or not in the MinGW headers. If the detection
failed there will be some debug info about what broke.

Amos
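Added example, written for this page and not Squid's code: the conversion Amos describes, handing an IP text string to the system getaddrinfo() with AI_NUMERICHOST so that no DNS lookup is involved, which is what an `acl ... src 127.0.0.1/32` value needs to survive. It reproduces the failure shape from the trace above ("Given Non-IP" followed by a rejected acl value) for a string the resolver does not accept. Python's `socket.getaddrinfo` wraps the platform getaddrinfo, so the same script run on the Windows build host exercises the native resolver that Squid would call. The function names and the address/prefix splitting are this example's own.

```python
"""Added example, not Squid's code: parse IP literals the way the acl src
parser needs the platform getaddrinfo() to behave."""
import socket
from typing import Optional, Tuple


def parse_ip_literal(text: str) -> Optional[Tuple[int, str]]:
    """Return (address family, normalised address) for an IPv4/IPv6 literal,
    or None when the system resolver does not accept it as numeric.
    AI_NUMERICHOST forbids a DNS lookup, so None for a well-formed literal
    means the getaddrinfo() in use is broken or is a non-native stub."""
    try:
        results = socket.getaddrinfo(text, None, flags=socket.AI_NUMERICHOST)
    except socket.gaierror:
        return None
    family, _, _, _, sockaddr = results[0]
    return family, sockaddr[0]


def parse_acl_src_value(value: str) -> Optional[Tuple[int, str, int]]:
    """Split an 'acl ... src' value like 127.0.0.1/32 into (family, ip, prefix).
    No prefix means a single host (32 for IPv4, 128 for IPv6); a prefix that
    is not a number or is larger than the address allows is rejected."""
    addr, _, prefix = value.partition("/")
    parsed = parse_ip_literal(addr)
    if parsed is None:
        return None
    family, ip = parsed
    host_bits = 32 if family == socket.AF_INET else 128
    if not prefix:
        return family, ip, host_bits
    if not prefix.isdigit() or int(prefix) > host_bits:
        return None
    return family, ip, int(prefix)


def describe_acl_src_value(value: str) -> str:
    """Human-readable form used by the demo and the checks below."""
    parsed = parse_acl_src_value(value)
    if parsed is None:
        return "invalid: " + value
    family, ip, prefix = parsed
    label = "inet6" if family == socket.AF_INET6 else "inet"
    return f"{label} {ip}/{prefix}"


if __name__ == "__main__":
    # The two values from the failing default-configuration line in the trace.
    for value in ("127.0.0.1/32", "::1", "not-an-ip"):
        print(value, "->", describe_acl_src_value(value))
```

On a host with a working resolver the first two values print as `inet 127.0.0.1/32` and `inet6 ::1/128`; if the first one comes back invalid, the getaddrinfo() Squid is linked against is the thing to investigate, which is the config.log check Amos suggests.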


Re: [squid-users] Unable to configure cache_dir with only TCP_MISS/200

2014-12-18 Thread Amos Jeffries

On 19/12/2014 8:37 a.m., Red wrote:
> Using squid 3.3.8 on Ubuntu 14.04.

This is probably bug 3806. Which was fixed in 3.3.12 release.

Can you try an upgrade to 3.4 ?
The Debian Jessie/Testing package 3.4.8-* should work fine in Ubuntu 14.*

Amos
