Re: [squid-users] Squid 3.4.10 incorrectly configured on Solaris 10

2014-12-19 Thread Yuri Voinov

I found where the legs grow from.

The problems begin with ip_compat.h:

configure:27435: checking for netinet/ip_compat.h
configure:27435: g++ -c -m64 -O3 -m64 -fPIE -fstack-protector
-mtune=core2 --param=ssp-buffer-size=4 -pipe -march=native -std=c++11
-I/usr/include -I/opt/csw/include
-I/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/
-I/usr/include/gssapi -I/usr/include/kerberosv5 conftest.cpp >&5
In file included from conftest.cpp:261:0:
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_compat.h:1094:14:
error: conflicting declaration 'typedef int minor_t'
 typedef int  minor_t;
  ^
In file included from conftest.cpp:211:0:
/usr/include/sys/types.h:303:16: note: previous declaration as 'typedef
uint_t minor_t'
 typedef uint_t minor_t; /* minor part of device number */
^
configure:27435: $? = 1
configure: failed program was:

Trying to find a workaround...

18.12.2014 20:11, Kinkie wrote:
> Hello Yuri,
>   this is probably a system header dependency.
> Could you check if the manuals mention anything about ipfmutex_t ? If
> they do, at the beginning of the page they should include a list of
> #include <...> lines. Could you copy-paste these lines here?
>
> Thanks
>
> On Thu, Dec 18, 2014 at 3:01 PM, Yuri Voinov  wrote:
>>
> Hi there,
>
> yesterday (and during the last four days) I've tried to build a transparent
> caching proxy on a Solaris 10 (x86_64) testing environment.
>
> Configuration options are:
>
> # Without SSL 64 bit GCC
> ./configure '--prefix=/usr/local/squid' '--enable-translation'
> '--enable-external-acl-helpers=file_userip,unix_group'
> '--enable-icap-client' '--enable-ipf-transparent'
> '--enable-storeio=diskd' '--enable-removal-policies=lru,heap'
> '--enable-devpoll' '--disable-wccp' '--enable-wccpv2'
> '--enable-http-violations' '--enable-follow-x-forwarded-for'
> '--enable-arp-acl' '--enable-htcp' '--enable-cache-digests' '--with-dl'
> '--enable-auth-negotiate=none' '--disable-auth-digest'
> '--disable-auth-ntlm' '--disable-auth-basic'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-log-daemon-helpers=file' '--with-filedescriptors=131072'
> '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -fPIE
> -fstack-protector -mtune=core2 --param=ssp-buffer-size=4 -pipe'
> 'CXXFLAGS=-O3 -m64 -fPIE -fstack-protector -mtune=core2
> --param=ssp-buffer-size=4 -pipe' 'CPPFLAGS=-I/usr/include
> -I/opt/csw/include' 'LDFLAGS=-fPIE -pie -Wl,-z,now'
>
> But binaries built without interceptor support.
>
> Some investigation:
>
> Config.log has errors with ip_nat.h compilation:
>
> configure:27435: checking for netinet/ip_nat.h
> configure:27435: g++ -c -m64 -O3 -m64 -fPIE -fstack-protector
> -mtune=core2 --param=ssp-buffer-size=4 -pipe -march=native -std=c++11
> -I/usr/include -I/opt/csw/include -I/usr/include/gssapi
> -I/usr/include/kerberosv5 conftest.cpp >&5
> In file included from conftest.cpp:266:0:
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:98:2:
> error: 'ipfmutex_t' does not name a type
>   ipfmutex_t nat_lock;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:108:2:
> error: 'frentry_t' does not name a type
>   frentry_t *nat_fr; /* filter rule ptr if appropriate */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:112:2:
> error: 'ipftqent_t' does not name a type
>   ipftqent_t nat_tqe;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:113:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_flags;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:114:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_sumd[2]; /* ip checksum delta for data segment */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:115:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_ipsumd; /* ip checksum delta for ip header */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:116:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_mssclamp; /* if != zero clamp MSS to this */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:117:2:
> error: 'i6addr_t' does not name a type
>   i6addr_t nat_inip6;
>
> and so, configure does not see IP Filter finally, ergo cannot build
> interceptor.
>
> Yes, IP Filter is installed in the system. Yes, I've tried to build 32 bit also.
> Yes, I've tried to build on another system. Yes, I've tried to play with
> configure options. Yes, I've also tried the development version 3.5.x - with
> the same result.
>
> Amos, need your help.
>
> Thanks in advance,
>
> WBR, Yuri
>
>>
>>
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
>


[squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Ahmed Allzaeem
Hi guys, I'm trying to use Kerberos authentication between squid & AD.

I have configured ntp, dns, winbind, samba and also joined the squid to
the AD domain.

 

Now the issue I have is running squid.

I added the following helpers below:

#Kerberos config for squid
auth_param ntlm program /usr/lib/squid/ntlm_smb_lm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 10
auth_param basic program /usr/lib/squid/ntlm_smb_lm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl lcl src 192.168.1.0/24
acl auth proxy_auth REQUIRED
http_access allow auth

And I have the errors below:


You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
(ntlm_smb_lm_auth): invalid option -- 's'
unknown option: -?. Exiting
(ntlm_smb_lm_auth) usage:
(ntlm_smb_lm_auth) [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.

You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
(ntlm_smb_lm_auth): invalid option -- 'i'
unknown option: -?. Exiting
(ntlm_smb_lm_auth) usage:
(ntlm_smb_lm_auth) [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.

You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
(ntlm_smb_lm_auth): invalid option -- 'c'
unknown option: -?. Exiting
(ntlm_smb_lm_auth) usage:
(ntlm_smb_lm_auth) [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.

You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
2014/12/19 07:22:52| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/12/19 07:22:52| Store logging disabled
2014/12/19 07:22:52| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/12/19 07:22:52| Target number of buckets: 1008
2014/12/19 07:22:52| Using 8192 Store buckets
2014/12/19 07:22:52| Max Mem  size: 262144 KB
2014/12/19 07:22:52| Max Swap size: 0 KB
2014/12/19 07:22:52| Using Least Load store dir selection
2014/12/19 07:22:52| Set Current Directory to /var/spool/squid
2014/12/19 07:22:52| Loaded Icons.
2014/12/19 07:22:52| Accepting  HTTP connections at [::]:3128, FD 45.
2014/12/19 07:22:52| HTCP Disabled.
2014/12/19 07:22:52| Squid plugin modules loaded: 0
2014/12/19 07:22:52| Adaptation support is off.
2014/12/19 07:22:52| Ready to serve requests.
2014/12/19 07:22:52| WARNING: ntlmauthenticator #1 (FD 10) exited
2014/12/19 07:22:52| WARNING: ntlmauthenticator #2 (FD 12) exited
2014/12/19 07:22:52| WARNING: ntlmauthenticator #3 (FD 14) exited
2014/12/19 07:22:52| WARNING: ntlmauthenticator #4 (FD 16) exited
2014/12/19 07:22:52| WARNING: ntlmauthenticator #5 (FD 18) exited
2014/12/19 07:22:52| Too few ntlmauthenticator processes are running
2014/12/19 07:22:52| storeDirWriteCleanLogs: Starting...
2014/12/19 07:22:52|   Finished.  Wrote 0 entries.
2014/12/19 07:22:52|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 3.1.10): Terminated abnormally.
CPU Usage: 0.044 seconds = 0.023 user + 0.021 sys
Maximum Resident Size: 37216 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:3188 KB
Ordinary blocks: 3068 KB 20 blks
Small blocks:   0 KB  0 blks
Holding blocks:  1012 KB  4 blks
Free Small blocks:  0 KB
Free Ordinary blocks: 119 KB
Total in use:4080 KB 128%
Total free:   119 KB 4%

 

 

I'm using CentOS 6.x with squid version as:

[root@drvirus ~]# squid -v
Squid Cache: Version 3.1.10
configure options:  '--build=i386-redhat-linux-gnu'
'--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu'
'--program-prefix='

Re: [squid-users] Transparent proxy with Peek and Splice feature.

2014-12-19 Thread Vadim Rogoziansky

Any ideas, any thoughts?
Thanks.


11/29/2014 6:17 AM, Amos Jeffries wrote:


On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:

Hello Amos.

Thank you for answer.

An investigation was made related to squid's peek and splice
issues in transparent mode. The one-line explanation is as follows - in
intercept mode squid can't get a server host name from the request
header and uses the client IP address instead, both for fake cert
generation and as the SNI record in the server-side bump SSL handshake. This
is the root of the problem. However this can be fixed if squid uses the
SNI field taken from the client TLS Hello message for those purposes.
Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However it does depend on whether you are bumping the connection at
step 1 (before ClientHello), step 2 (after ClientHello, before
ServerHello), or step 3 (after both ClientHello and ServerHello) of
the TLS handshake whether the SNI details are present.

Amos


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Amos Jeffries

On 20/12/2014 11:25 a.m., Ahmed Allzaeem wrote:
> Hi guys, I'm trying to use Kerberos authentication between squid &
> AD.
> 
> I have configured ntp, dns, winbind, samba and also joined the
> squid to the AD domain.
> 
> 
> 
> Now the issue I have is running squid
> 
> I added the following helpers below :
> 
> 
> 
> 
> #Kerberos config for squid
> 
> auth_param ntlm program /usr/lib/squid/ntlm_smb_lm_auth

This is *not* the Samba NTLM helper. This helper does not even perform
NTLMv1. It performs LM protocol (used for authenticating against
Windows 3.1 servers) using HTTP "NTLM" auth scheme headers.


> --helper-protocol=squid-2.5-basic

This is a command line parameter for the Samba ntlm_auth helper.

The samba helper still uses the name ntlm_auth. It is probably located
in /usr/bin/ or /usr/local/bin/.

Amos


Re: [squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-19 Thread Dieter Bloms
Hello Amos,

thank you for the reply.

On Thu, Dec 11, Amos Jeffries wrote:

> > we use squid 3.4.9 as proxy for our company with ipv4 and ipv6
> > dual stack. It works well, but if a destination has an A and AAAA
> > record and the webserver isn't reachable via ipv6, squid generates
> > an error page instead of trying a connection via ipv4.
> > 
> > One example is the url:
> > 
> > https://ssl.ratsinfo-online.net/pirna-ri/logon.asp
> > 
> > where squid tries to reach the website via the ip
> > 2001:8d8:87c:5f00::6e:72d6, but without success, because it isn't
> > reachable.
> > 
> > Now I want squid to do a fallback to ipv4 after
> > connect_timeout, but squid returns an error page (ERR_CONNECT_FAIL)
> > to the client.
> > 
> 
> Squid rarely sees https:// URLs like that. Check if it is being given
> the server name in a way that it can lookup all IPs, or just the one
> IP address.

in my squidlogs I see a line like:

Fri Dec 19 13:49:18 2014   4789 10.252.16.100 TCP_MISS/503 0 CONNECT 
ssl.ratsinfo-online.net:443 - HIER_NONE/- -

So I think squid gets the hostname instead of an ip address.

> It also depends on how long the connection attempt(s) take.
>  If it takes longer to lookup the DNS (dns_timeout) and try that one
> IP (connect_timeout * connect_retries) than the entire transaction is
> permitted to use (forward_timeout), then there is of course no time to
> try anything else.

when I do a "host ssl.ratsinfo-online.net" on the server where squid
runs I get the IPv4 and the IPv6 address immediately.

I didn't set any of the parameters forward_timeout, connect_timeout,
connect_retries.

> Note also that the message in the ERR_CONNECT_FAIL page is the result
> of the final attempt made. Squid may have made several connection
> attempts to other IP which also failed.

for http connections, the fallback to ipv4 works, but not for https
connections.

The web server ssl.ratsinfo-online.net listens on port 80 for http and
on port 443 for https.

When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6 to
ipv4 works fine, but when I do a https://ssl.ratsinfo-online.net/ squid tries
ipv6 only and doesn't do a fallback to ipv4.

It would be nice if you could try it on your dual stack setup.

Thank you.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Ahmed Allzaeem
Hi Amos, thanks for the clarification.
Actually I modified it with the correct samba path ==> /usr/bin/ntlm_auth,
where I checked and found that helper!


So, my squid config file is:
===
##Kerberos config for squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl lcl src 192.168.1.0/24
acl auth proxy_auth REQUIRED
http_access allow auth




But I have the error below:
===
2014/12/19 08:11:00|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: authenticateNTLMHandleReply: *** Unsupported helper response ***, 'ERR'

Squid Cache (Version 3.1.10): Terminated abnormally.
CPU Usage: 0.047 seconds = 0.022 user + 0.025 sys
Maximum Resident Size: 37904 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:3192 KB
Ordinary blocks: 3105 KB 15 blks
Small blocks:   0 KB  0 blks
Holding blocks:  1012 KB  4 blks
Free Small blocks:  0 KB
Free Ordinary blocks:  86 KB
Total in use:4117 KB 129%
Total free:86 KB 3%
2014/12/19 08:11:03| Starting Squid Cache version 3.1.10 for 
i386-redhat-linux-gnu...
2014/12/19 08:11:03| Process ID 7571
2014/12/19 08:11:03| With 1024 file descriptors available
2014/12/19 08:11:03| Initializing IP Cache...
2014/12/19 08:11:03| DNS Socket created at [::], FD 8
2014/12/19 08:11:03| DNS Socket created at 0.0.0.0, FD 9
2014/12/19 08:11:03| Adding nameserver 192.168.1.242 from /etc/resolv.conf
2014/12/19 08:11:03| Adding nameserver 199.85.126.20 from /etc/resolv.conf
2014/12/19 08:11:03| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2014/12/19 08:11:03| helperOpenServers: Starting 5/5 'ntlm_auth' processes
2014/12/19 08:11:03| User-Agent logging is disabled.
2014/12/19 08:11:03| Referer logging is disabled.
2014/12/19 08:11:04| Unlinkd pipe opened on FD 44
2014/12/19 08:11:04| Local cache digest enabled; rebuild/rewrite every 
3600/3600 sec
2014/12/19 08:11:04| Store logging disabled
2014/12/19 08:11:04| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/12/19 08:11:04| Target number of buckets: 1008
2014/12/19 08:11:04| Using 8192 Store buckets
2014/12/19 08:11:04| Max Mem  size: 262144 KB
2014/12/19 08:11:04| Max Mem  size: 262144 KB
2014/12/19 08:11:04| Max Swap size: 0 KB
2014/12/19 08:11:04| Using Least Load store dir selection
2014/12/19 08:11:04| Set Current Directory to /var/spool/squid
2014/12/19 08:11:04| Loaded Icons.
2014/12/19 08:11:04| Accepting  HTTP connections at [::]:3128, FD 45.
2014/12/19 08:11:04| HTCP Disabled.
2014/12/19 08:11:04| Squid plugin modules loaded: 0
2014/12/19 08:11:04| Adaptation support is off.
2014/12/19 08:11:04| Ready to serve requests.
2014/12/19 08:11:04| Adaptation support is off.
2014/12/19 08:11:04| Ready to serve requests.
2014/12/19 08:11:04| storeDirWriteCleanLogs: Starting...
2014/12/19 08:11:04|   Finished.  Wrote 0 entries.
2014/12/19 08:11:04|   Took 0.00 seconds (  0.00 entries/sec).
2014/12/19 08:11:04|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: authenticateNTLMHandleReply: *** Unsupported helper response ***, 'ERR'

Squid Cache (Version 3.1.10): Terminated abnormally.
CPU Usage: 0.040 seconds = 0.027 user + 0.013 sys
Maximum Resident Size: 38976 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena:5120 KB
Ordinary blocks: 4105 KB 13 blks
Small blocks:   0 KB  0 blks
Holding blocks: 0 KB  0 blks
Free Small blocks:  0 KB
Free Ordinary blocks:1014 KB
Total in use:4105 KB 80%
Total free:  1014 KB 20%
2014/12/19 08:11:07| Starting Squid Cache version 3.1.10 for 
i386-redhat-linux-gnu...
2014/12/19 08:11:07| Process ID 7589
2014/12/19 08:11:07| With 1024 file descriptors available
2014/12/19 08:11:07| Initializing IP Cache...
2014/12/19 08:11:07| DNS Socket created at [::], FD 8
2014/12/19 08:11:07| DNS Socket created at 0.0.0.0, FD 9
2014/12/19 08:11:07| Adding nameserver 192.168.1.242 from /etc/resolv.conf
2014/12/19 08:11:07| Adding nameserver 199.85.126.20 from /etc/resolv.conf
2014/12/19 08:11:07| helperOpenServers: Starting 10/10 'ntlm_auth' processes
2014/12/19 08:11:07| helperOpenServers: Starting 5/5 'ntlm_auth' processes
2014/12/19 08:11:07| User-Agent logging is disabled.
2014/12/19 08:11:07| Referer logging is disabled.
2014/12/19 08:11:07| Unlinkd pipe opened on FD 44
2014/12/19 08:11:07| Local cache digest enabled; rebuild/rewrite every 

Re: [squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-19 Thread Amos Jeffries

On 20/12/2014 2:08 a.m., Dieter Bloms wrote:
> 
> When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6
> to ipv4 works fine, but when I do a
> https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't
> do a fallback to ipv4.
> 
> It would be nice if you could try it on your dual stack setup.
> 
> Thank you.
> 

It takes me 10-20 sec to receive any response on the very first DNS
lookup for that domain. After which all responses are quite fast for a
few minutes. Then repeat with the slow lookup.

Like you say it responds with 1 IPv4 and 1 IPv6. Which is not too
many, and none actually failing to resolve. So DNS is reasonable even
with the occasional delay.

I am seeing approx 40-90% packet loss on several of the NTT.net
transit hops between me and the site in IPv4. Not sure if that is
in any way related to your access path.

My current colo provider blocks network measurements from end-servers
(but only on v6) so I can't adequately test the v6 connectivity
anymore. But your log entry indicates that probably a TCP SYN
handshake did not finish over either IP version.

Amos



Re: [squid-users] Problem with running squid 3.5 on windows 7

2014-12-19 Thread Eldar Akchurin



Hi Amos,
It seems it uses a posix resolver for that, because it cannot find the native
implementation.

configure:37657: checking for getaddrinfo
configure:37657: x86_64-w64-mingw32-g++ -o conftest.exe -DWINVER=0x601
-D_WIN32_WINNT=0x601 -fpermissive -L/usr/lib -mthreads -static-libgcc
-static-libstdc++  -g conftest.cpp  -lpsapi >&5
/tmp/cckciKLu.o: In function `main':
/usr/src/squid-3.5.0.3-20141209-r13687/conftest.cpp:204: undefined reference to
`getaddrinfo'
collect2: error: ld returned 1 exit status
configure:37657: $? = 1

Is this expected? If not, I will look at how I can enable
the native implementation.

Thank you!
 > Date: Fri, 19 Dec 2014 16:08:03 +1300
> From: squ...@treenet.co.nz
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with running squid 3.5 on windows 7
> 
> On 19/12/2014 12:32 p.m., Eldar Akchurin wrote:
> > 
> > 
> > 
> > Hi, I have cross-compiled squid 3.5 with mingw32-w64 on Ubuntu. The
> > properties are:
> > c:\squid\sbin>squid -v
> > Squid Cache: Version 3.5.0.3-20141209-r13687
> > Service Name: squid
> > Test build
> > configure options:  '--host=i686-w64-mingw32' '--prefix=c:/squid'
> > 'CXXFLAGS=-DWI NVER=0x601 -D_WIN32_WINNT=0x601 -fpermissive'
> > 'CFLAGS=-DWINVER=0x601 -D_WIN32_WI NNT=0x601 -fpermissive'
> > 'BUILDCXX=g++' 'BUILDCXXFLAGS=-DFOO' '--enable-build-inf o=Test build'
> > 'host_alias=i686-w64-mingw32' --enable-ltdl-convenience
> > 
> > When I try to run it on windows 7 64, it gives a critical error at
> > start, below is the debug trace
> 
> 
> 
> > 2014/12/19 00:17:40.171| Address.cc(379) lookupHostIP: Given Non-IP
> > '127.0.0.1': No such host is known.
> > 2014/12/19 00:17:40.171| aclIpParseIpData: unknown first address in '127.0.0.1/3 2'
> > 2014/12/19 00:17:40.171| tools.cc(543) leave_suid: leave_suid: PID 4792 called
> > FATAL: Bungled Default Configuration line 6: acl localhost src 127.0.0.1/32 ::1
> > Squid Cache (Version 3.5.0.3-20141209-r13687): Terminated abnormally.
> > CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
> > Maximum Resident Size: 0 KB
> > Page faults with physical i/o: 0
> > 
> > Could you please advise what I'm doing wrong or whether this is a bug?
> > Thank you!
> > -e
> > 
> 
> Thank you for testing this all out Eldar. It seems you have gotten a
> little further than I have with this (I diverted to working on native
> MinGW build issues).
> 
> This is a bug. Though where it is coming from is still unknown. The
> operation being performed is that Squid is passing the IP text string
> to the system getaddrinfo() resolver API for conversion to a number.
> 
> First thing to check is whether Squid is actually using the native OS
> API or the stub replacement bundled in compat/. The config.log file
> generated during build will have an entry indicating whether
> getaddrinfo() was found or not in the MinGW headers. If the detection
> failed there will be some debug info about what broke.
> 
> Amos


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Amos Jeffries

On 20/12/2014 12:13 p.m., Ahmed Allzaeem wrote:
> HI amos , thanks for clarification , Actually I modified it with
> the correct samba path with ==> /usr/bin/ntlm_auth whereas I
> checked and found that helper !
> 
> 
> So , my squid config  file to  : === ##Kerberos config for
> squid auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic

That should be:
  --helper-protocol=squid-2.5-ntlmssp

Amos
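A small squid.conf lint for the mismatch Amos points out, added here as an example (it is not Squid or Samba code): the protocol given to Samba's ntlm_auth must match the auth_param scheme it serves, and Squid's own ntlm_smb_lm_auth does not take --helper-protocol at all. The two embedded config snippets are the thread's second config and the same config with the correction applied.

```python
"""Lint auth_param ... program lines in a squid.conf for helper mismatches.

Added example (not Squid or Samba code). It encodes the rule from this
thread: Samba's ntlm_auth must be told which Squid helper protocol to speak,
and that protocol must match the auth_param scheme it is attached to
(basic -> squid-2.5-basic, ntlm -> squid-2.5-ntlmssp, negotiate -> gss-spnego).
Squid's own ntlm_smb_lm_auth is a different program: it serves the ntlm
scheme only and takes domain\\controller arguments, not --helper-protocol.
"""
import re
import shlex

# Samba ntlm_auth --helper-protocol value expected by each Squid auth scheme.
EXPECTED_PROTOCOL = {
    "basic": "squid-2.5-basic",
    "ntlm": "squid-2.5-ntlmssp",
    "negotiate": "gss-spnego",
}

AUTH_PROGRAM_RE = re.compile(r"^\s*auth_param\s+(\w+)\s+program\s+(.*)$")

# The thread's second config: the ntlm scheme is wired to a basic-protocol
# helper, which answers OK/ERR instead of the TT/AF/NA replies the NTLM
# scheme expects ("Unsupported helper response ***, 'ERR'").
BROKEN_CONF = """\
##Kerberos config for squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
"""

# Same config with Amos's correction applied to the ntlm line.
FIXED_CONF = BROKEN_CONF.replace(
    "ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic",
    "ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp")


def lint_auth_param(conf_text):
    """Return [(line_no, message), ...] for every suspicious helper line."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = AUTH_PROGRAM_RE.match(line)
        if not m:
            continue
        scheme, argv = m.group(1).lower(), shlex.split(m.group(2))
        if not argv:
            findings.append((line_no, f"{scheme}: no helper program given"))
            continue
        helper = argv[0].rsplit("/", 1)[-1]
        protocols = [a.split("=", 1)[1] for a in argv[1:]
                     if a.startswith("--helper-protocol=")]
        if helper == "ntlm_smb_lm_auth":
            if scheme != "ntlm":
                findings.append((line_no,
                                 "ntlm_smb_lm_auth serves the ntlm scheme only"))
            if protocols:
                findings.append((line_no,
                                 "ntlm_smb_lm_auth takes domain\\controller arguments; "
                                 "--helper-protocol belongs to Samba's ntlm_auth"))
        elif helper == "ntlm_auth":
            want = EXPECTED_PROTOCOL.get(scheme)
            if want is None:
                findings.append((line_no, f"ntlm_auth cannot serve scheme {scheme}"))
            elif not protocols:
                findings.append((line_no, f"ntlm_auth needs --helper-protocol={want}"))
            elif protocols[-1] != want:
                findings.append((line_no,
                                 f"ntlm_auth speaks {protocols[-1]} "
                                 f"but scheme {scheme} needs {want}"))
    return findings


if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF):
        print(lint_auth_param(conf) or "no findings")
```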


Re: [squid-users] Squid 3.4.10 incorrectly configured on Solaris 10

2014-12-19 Thread Yuri Voinov

If I do a dirty hack, editing these includes (ip_compat.h or
ip_nat.h), configuration goes OK,
but the interceptor build has errors and squid cannot be built.

Also, squid 3.4.8 in the OpenCSW repository (built with the ipf transparent
option) cannot work in transparent mode either.

So, need help - I need a transparent proxy, not forwarding.

2.7 is too obsolete and contains a strange bug (sometimes dies with a fatal
error under high load).

Changing OS is not an option.

WBR, Yuri

18.12.2014 20:11, Kinkie ?:
> Hello Yuri,
>   this is probably a system header dependency.
> Could you check if the manuals mention anything about ipfmutex_t ? If
> they do, at the beginning of the page they should include a list of
> #include <...> lines. Could you copy-paste these lines here?
>
> Thanks
>
> On Thu, Dec 18, 2014 at 3:01 PM, Yuri Voinov  wrote:
>>
> Hi there,
>
> yesterday (and during last four day) I've try to build transparent
> caching proxy on Solaris 10 (x86_64) testing environment.
>
> Configuration options are:
>
> # Without SSL 64 bit GCC
> ./configure '--prefix=/usr/local/squid' '--enable-translation'
> '--enable-external-acl-helpers=file_userip,unix_group'
> '--enable-icap-client' '--enable-ipf-transparent'
> '--enable-storeio=diskd' '--enable-removal-policies=lru,heap'
> '--enable-devpoll' '--disable-wccp' '--enable-wccpv2'
> '--enable-http-violations' '--enable-follow-x-forwarded-for'
> '--enable-arp-acl' '--enable-htcp' '--enable-cache-digests' '--with-dl'
> '--enable-auth-negotiate=none' '--disable-auth-digest'
> '--disable-auth-ntlm' '--disable-auth-basic'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-log-daemon-helpers=file' '--with-filedescriptors=131072'
> '--with-build-environment=POSIX_V6_LP64_OFF64' 'CFLAGS=-O3 -m64 -fPIE
> -fstack-protector -mtune=core2 --param=ssp-buffer-size=4 -pipe'
> 'CXXFLAGS=-O3 -m64 -fPIE -fstack-protector -mtune=core2
> --param=ssp-buffer-size=4 -pipe' 'CPPFLAGS=-I/usr/include
> -I/opt/csw/include' 'LDFLAGS=-fPIE -pie -Wl,-z,now'
>
> But binaries built without interceptor support.
>
> Some investigation:
>
> Config.log has errors with ip_nat.h compilation:
>
> configure:27435: checking for netinet/ip_nat.h
> configure:27435: g++ -c -m64 -O3 -m64 -fPIE -fstack-protector
> -mtune=core2 --param=ssp-buffer-size=4 -pipe -march=native -std=c++11
> -I/usr/include -I/opt/csw/include -I/usr/include/gssapi
> -I/usr/include/kerberosv5 conftest.cpp >&5
> In file included from conftest.cpp:266:0:
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:98:2:
> error: 'ipfmutex_t' does not name a type
>   ipfmutex_t nat_lock;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:108:2:
> error: 'frentry_t' does not name a type
>   frentry_t *nat_fr; /* filter rule ptr if appropriate */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:112:2:
> error: 'ipftqent_t' does not name a type
>   ipftqent_t nat_tqe;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:113:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_flags;
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:114:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_sumd[2]; /* ip checksum delta for data segment */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:115:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_ipsumd; /* ip checksum delta for ip header */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:116:2:
> error: 'u_32_t' does not name a type
>   u_32_t  nat_mssclamp; /* if != zero clamp MSS to this */
>   ^
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/4.9.2/include-fixed/netinet/ip_nat.h:117:2:
> error: 'i6addr_t' does not name a type
>   i6addr_t nat_inip6;
>
> and so configure finally does not see IP Filter, ergo it cannot build the
> interceptor.
>
> Yes, IP Filter is installed in the system. Yes, I've tried to build 32 bit also.
> Yes, I've tried to build on another system. Yes, I've tried to play with the
> configure options. Yes, I've also tried the development version 3.5.x - with
> the same result.
>
> Amos, need your help.
>
> Thanks in advance,
>
> WBR, Yuri
>
>>
>>
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
>


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Ahmed Allzaeem
Thank you Amos, don't know what to say, you helped me a lot!

Now it gets user/pwd

But still a new issue appeared!!

Now the browsing is so slow!!

I checked the logs of squid and I found a lot of TCP_DENIED and some TCP_MISS


The question is being asked ... why are a lot of requests being denied and some
being accepted???

Here is a sample :
1418996889.904  1 192.168.1.5 TCP_DENIED/407 3972 GET http://google.com/ - NONE/- text/html
1418996889.925  1 192.168.1.5 TCP_DENIED/407 4189 GET http://google.com/ - NONE/- text/html
1418996889.936  2 192.168.1.5 TCP_DENIED/407 4506 GET http://google.com/ - NONE/- text/html
1418996889.943  2 192.168.1.5 TCP_DENIED/407 4189 GET http://google.com/ - NONE/- text/html
1418996897.774   7830 192.168.1.5 TCP_MISS/302 1258 GET http://google.com/ b DIRECT/74.125.232.228 text/html
1418996905.927   8142 192.168.1.5 TCP_MISS/302 1266 GET http://www.google.ps/? b DIRECT/74.125.232.247 text/html
1418996905.943  3 192.168.1.5 TCP_DENIED/407 4128 CONNECT dtex4kvbppovt.cloudfront.net:443 - NONE/- text/html
1418996905.946  2 192.168.1.5 TCP_DENIED/407 4128 CONNECT dtex4kvbppovt.cloudfront.net:443 - NONE/- text/html
1418996905.949  4 192.168.1.5 TCP_DENIED/407 4128 CONNECT dtex4kvbppovt.cloudfront.net:443 - NONE/- text/html
1418996905.949  4 192.168.1.5 TCP_DENIED/407 4128 CONNECT dtex4kvbppovt.cloudfront.net:443 - NONE/- text/html
1418996905.953  2 192.168.1.5 TCP_DENIED/407 3851 CONNECT www.google.ps:443 - NONE/- text/html
1418996905.955  4 192.168.1.5 TCP_DENIED/407 4128 CONNECT dtex4kvbppovt.cloudfront.net:443 - NONE/- text/html
1418996905.969  2 192.168.1.5 TCP_DENIED/407 4068 CONNECT www.google.ps:443 - NONE/- text/html
1418996905.973  1 192.168.1.5 TCP_DENIED/407 4393 CONNECT www.google.ps:443 - NONE/- text/html
1418996905.980  1 192.168.1.5 TCP_DENIED/407 4068 CONNECT www.google.ps:443 - NONE/- text/html
1418996908.011  1 192.168.1.5 TCP_DENIED/407 4103 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996908.015  1 192.168.1.5 TCP_DENIED/407 4320 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996908.019  2 192.168.1.5 TCP_DENIED/407 4661 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996909.041  1 192.168.1.5 TCP_DENIED/407 3859 CONNECT ssl.gstatic.com:443 - NONE/- text/html
1418996909.089  2 192.168.1.5 TCP_DENIED/407 4076 CONNECT ssl.gstatic.com:443 - NONE/- text/html
1418996909.097  2 192.168.1.5 TCP_DENIED/407 4405 CONNECT ssl.gstatic.com:443 - NONE/- text/html
1418996909.104  2 192.168.1.5 TCP_DENIED/407 4076 CONNECT ssl.gstatic.com:443 - NONE/- text/html
1418996910.755  1 192.168.1.5 TCP_DENIED/407 3859 CONNECT www.gstatic.com:443 - NONE/- text/html
1418996910.784  1 192.168.1.5 TCP_DENIED/407 4076 CONNECT www.gstatic.com:443 - NONE/- text/html
1418996910.791  2 192.168.1.5 TCP_DENIED/407 4405 CONNECT www.gstatic.com:443 - NONE/- text/html
1418996910.796  1 192.168.1.5 TCP_DENIED/407 4076 CONNECT www.gstatic.com:443 - NONE/- text/html
1418996917.152  2 192.168.1.5 TCP_DENIED/407 4103 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996917.156  2 192.168.1.5 TCP_DENIED/407 4320 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996917.161  2 192.168.1.5 TCP_DENIED/407 4663 POST http://clients1.google.com/ocsp - NONE/- text/html
1418996920.312  1 192.168.1.5 TCP_DENIED/407 3903 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996920.334  4 192.168.1.5 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996920.471  2 192.168.1.5 TCP_DENIED/407 4483 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996926.896  1 192.168.1.5 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996935.623  1 192.168.1.5 TCP_DENIED/407 4079 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.630  3 192.168.1.5 TCP_DENIED/407 4296 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.633  2 192.168.1.5 TCP_DENIED/407 4635 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.640  2 192.168.1.5 TCP_DENIED/407 4296 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.810   7242 192.168.1.5 TCP_MISS/200 6448 GET http://whatismyipaddress.com/ b DIRECT/66.171.248.172 text/html
1418996935.852  1 192.168.1.5 TCP_DENIED/407 4349 GET http://maps.google.com/maps/api/js? - NONE/- text/html
1418996935.862  2 192.168.1.5 TCP_DENIED/407 4566 GET http://maps.google.com/maps/api/js? - NONE/- text/html
1418996935.868  4 192.168.1.5 TCP_DENIED/407 4901 GET http://maps.google.com/maps/api/js? - NONE/- text/html
1418996935.876  3 192.168.1.5 TCP_DENIED/407 4566 GET http://maps.google.com/maps/api/js? - NONE/- text/html
1418996935.904  0 192.168.1.5 TCP_DENIED/407 4076 GET http://cdn.whatismyipaddress.com/favicon.ico - NONE/- text/html
1418996

Re: [squid-users] Problem with running squid 3.5 on windows 7

2014-12-19 Thread Amos Jeffries

On 20/12/2014 2:35 a.m., Eldar Akchurin wrote:
> Hi Amos,
> 
> It seems it uses a posix resolver for that, because cannot find the
> native implementation.
> 
> configure:37657: checking for getaddrinfo
> configure:37657: x86_64-w64-mingw32-g++ -o conftest.exe -DWINVER=0x601
> -D_WIN32_WINNT=0x601 -fpermissive -L/usr/lib -mthreads
> -static-libgcc -static-libstdc++  -g conftest.cpp  -lpsapi >&5
> /tmp/cckciKLu.o: In function `main':
> /usr/src/squid-3.5.0.3-20141209-r13687/conftest.cpp:204: undefined reference to `getaddrinfo'
> collect2: error: ld returned 1 exit status
> configure:37657: $? = 1
> 
> Is this expected? If not, I will look how I can enable the native 
> implementation.

Well, the targeted Win7 version (0x601) is supposed to supply a native
getaddrinfo() and IIRC the MinGW headers included a definition. So I
expect (more of a hope really) that the MinGW supplied version should
be detected and used with the right autoconf test.

If you are able to figure this one out it would be a great help. I'm
not able to spare any time to Windows for a few weeks at least.

Amos


Re: [squid-users] Squid 3.4.10 incorrectly configured on Solaris 10

2014-12-19 Thread Amos Jeffries

On 20/12/2014 2:45 a.m., Yuri Voinov wrote:
> 
> If I do a dirty hack editing these includes (ip_compat.h or 
> ip_nat.h), configuration went ok, but building the interceptor has errors
> and squid cannot be built.
> 
> Also, squid 3.4.8 in OpenCSW repository (built with ipf
> transparent option) also cannot work in transparent mode.
> 
> So, need help - I need transparent proxy, not forwarding.
> 
> 2.7 is too obsolete and contains strange bug (sometimes dies with
> fatal error when high load).
> 
> Changing OS is not an option.
> 
> WBR, Yuri

The problem is clearly two Solaris OS headers contradicting each other.

I think you should take this to the Solaris or IP Filter developers
and see if they can provide help. It may require patching the system
headers (best if they produce that) or they might be able to supply a
working #include set for us to patch into Squid.

Either way they will be the people who know what is needed.

Amos


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Alex Crow

Hi,

That is how NTLM works. It doesn't (normally) indicate anything is 
wrong. You do seem to have a /lot/ of DENIED though.


NTLM Auth will slow down browsing somewhat because authentication is 
performed for every object retrieved. Google Maps can be a real nasty 
because it loads lots of small images for the map tiles. However I don't 
know /how/ slow your access is so I can't really say if it's likely to 
be a problem.


Cheers

Alex


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Ahmed Allzaeem
If you look at the logs, it seems it recognizes a username when it allows, but
when it denies it doesn't recognize a username

Please look at the logs below:
No username here, but I put the username "b"
> 1418996889.943  2 192.168.1.5 TCP_DENIED/407 4189 GET http://google.com/ 
> - NONE/- text/html


Down here it's MISS, you will see the username "b" after the google.com
> 1418996897.774   7830 192.168.1.5 TCP_MISS/302 1258 GET http://google.com/ b 
> DIRECT/74.125.232.228 text/html

Compare both of them.
You will see that user "b" is included when it's allowed

I'm not sure why all of that is slow in Kerberos???!!!

cheers


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Amos Jeffries

On 20/12/2014 12:50 p.m., Ahmed Allzaeem wrote:
> Thank  you Amos , don’t know wt to say , u helped me a lot !
> 
> Now it get user/pwd
> 
> But still a new issue appeared !!
> 
> Now the browsing is so slow !!
> 
> I check the logs of squid I found a lot of TCP_denied and some of
> TCP_MISS
> 

That's DENIED/407. In particular sets of 5 requests.
 Four auth challenges (407) followed by one final/successful request
(non-407).

NTLM handshake normally works in threes. Two 407's then one non-407.

NOTE: The non-407 can appear much later in the log than the two 407's.
A very good example of this is the 5 "POST http://ocsp.digicert.com/"
log lines. You can see the set of 407s occurring, then ~2 seconds later
the non-407 saying it took 1974 ms (~2 sec) to complete.


I suspect what you are seeing in that log is the mess that happens
when browsers' (un)Happy Eyeballs algorithm collides with NTLM. The
browser opening connections in pairs to see which will be usable first
needs to authenticate both, but the final request is only sent on the first
connection to complete the auth.
 *If* I am right about this then the slowdown should only happen on
startup when a lot of stuff has to be done by the browser and the
experience will get faster over time. The browser can technically save
the second-opened connections for later use; some do.


Also, ensure that persistent connections are enabled to both server
and clients. This will help minimize the number of handshakes
required. That is about all you can do to optimize NTLM unfortunately,
it is a truly nasty protocol.


Also, if you are seeing some clients looping with many 407 trying the
same credentials over and over try the setting:
 auth_param ntlm keepalive off

However, don't confuse this "keepalive" option with persistent
connections. It is a hack specially crafted to work with NTLM and
Negotiate auth to fix old IE brokenness and has proven useful with
some Java apps and recent Firefox versions. It's not harmful to any
client, but can limit the proxy total traffic capacity somewhat so
best to avoid if you don't need it.

HTH
Amos
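The pattern Amos describes above (a run of TCP_DENIED/407 challenges for one client and URL, then a non-407 line that completes the exchange, sometimes seconds later) can be checked mechanically against the access.log. The script below is an added example, not code from this thread or from the Squid project; its log excerpt is constructed from the sample in the thread, and the 192.168.1.7 client and the OCSP completion line are invented to show a looping client and a late finish.

```python
"""Group Squid native access.log lines into NTLM handshake sets.

Added example (not from the squid-users thread or the Squid project).
For each (client, URL) it collects the 407 challenges and pairs them with
the non-407 line that finished the exchange; pairs that never complete
are the 'looping with many 407' case the thread mentions.
"""
import re
from collections import defaultdict

# Squid native access.log layout:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    return rec


def handshake_sets(lines):
    """Walk the log in order and pair each (client, URL) run of 407s with its completion.

    Returns (completed, pending): completed is a list of handshake summaries in
    log order; pending maps (client, URL) to the number of 407s that never got
    a non-407 answer within the log.
    """
    pending = defaultdict(list)
    completed = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["url"])
        if rec["status"] == 407:
            pending[key].append(rec)
            continue
        challenges = pending.pop(key, [])
        completed.append({
            "client": rec["client"],
            "url": rec["url"],
            "challenges": len(challenges),
            "user": rec["user"],          # '-' on a 407, the account name once authenticated
            "elapsed_ms": rec["elapsed"],
            # seconds from the first challenge to the line that finished the exchange
            "wait_s": round(rec["ts"] - challenges[0]["ts"], 3) if challenges else 0.0,
        })
    return completed, {k: len(v) for k, v in pending.items()}


def suspicious_loops(pending, threshold=5):
    """(client, URL) pairs still stuck after `threshold` or more 407s with no completion."""
    return sorted(k for k, n in pending.items() if n >= threshold)


# Constructed excerpt: the google.com and ocsp.digicert.com 407s follow the thread's
# sample; the OCSP completion line and the 192.168.1.7 client are invented.
SAMPLE_LOG = """\
1418996889.904      1 192.168.1.5 TCP_DENIED/407 3972 GET http://google.com/ - NONE/- text/html
1418996889.925      1 192.168.1.5 TCP_DENIED/407 4189 GET http://google.com/ - NONE/- text/html
1418996889.936      2 192.168.1.5 TCP_DENIED/407 4506 GET http://google.com/ - NONE/- text/html
1418996889.943      2 192.168.1.5 TCP_DENIED/407 4189 GET http://google.com/ - NONE/- text/html
1418996897.774   7830 192.168.1.5 TCP_MISS/302 1258 GET http://google.com/ b DIRECT/74.125.232.228 text/html
1418996935.623      1 192.168.1.5 TCP_DENIED/407 4079 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.630      3 192.168.1.5 TCP_DENIED/407 4296 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.633      2 192.168.1.5 TCP_DENIED/407 4635 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996935.640      2 192.168.1.5 TCP_DENIED/407 4296 POST http://ocsp.digicert.com/ - NONE/- text/html
1418996937.614   1974 192.168.1.5 TCP_MISS/200 1542 POST http://ocsp.digicert.com/ b DIRECT/203.0.113.10 application/ocsp-response
1418996940.001      1 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996940.018      1 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996940.033      2 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996940.049      1 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996940.062      2 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
1418996940.080      1 192.168.1.7 TCP_DENIED/407 4120 CONNECT tiles.services.mozilla.com:443 - NONE/- text/html
"""

if __name__ == "__main__":
    done, stuck = handshake_sets(SAMPLE_LOG.splitlines())
    for s in done:
        print(f"{s['client']} {s['url']}: {s['challenges']} x 407, then user={s['user']} "
              f"after {s['wait_s']} s (final request took {s['elapsed_ms']} ms)")
    for key in suspicious_loops(stuck):
        print(f"looping: {key[0]} {key[1]} ({stuck[key]} x 407, never completed) "
              "-> candidate for 'auth_param ntlm keepalive off'")
```

Run over a real access.log (one line per request, native format), `pending` entries with a high count are the clients Amos suggests trying `auth_param ntlm keepalive off` for.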


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Amos Jeffries

On 20/12/2014 1:08 p.m., Ahmed Allzaeem wrote:
> If you look at the logs, it seems it recognizes a username when it
> allows, but when it denies it doesn't recognize a username
> 

The 407 is sent because there is nobody authenticated. Nobody
authenticated means no username.


> Please look at the logs below: No username here, but I put the username
> "b"
>> 1418996889.943  2 192.168.1.5 TCP_DENIED/407 4189 GET
>> http://google.com/ - NONE/- text/html

One of the 407s is before you put any username in. The second one is
after you entered the username, but before it's fully authenticated.

> 
> 
> Down here it's MISS, you will see the username "b" after the
> google.com
>> 1418996897.774   7830 192.168.1.5 TCP_MISS/302 1258 GET
>> http://google.com/ b DIRECT/74.125.232.228 text/html
> 
> Compare both of them. You will see that user "b" is included when it's
> allowed
> 
> I'm not sure why all of that is slow in Kerberos???!!!

You are not using Kerberos. You are using NTLM.

Kerberos is part of the "Negotiate" auth scheme.


Amos


Re: [squid-users] Unable to configure cache_dir with only TCP_MISS/200

2014-12-19 Thread Red
Thank You Amos;
I have tried that already, however  I get "Error: Dependancy not
satisfiable: libstdc++6 (>= 4.9)".  I am not sure what forcing upgrade
of libraries will do to OS, so I guess it would be the best for me to
just sit upgrade out until it can be done smoothly.
Thank You again,
Bob

On 12/18/2014 10:26 PM, Amos Jeffries wrote:
> On 19/12/2014 8:37 a.m., Red wrote:
> > Using squid 3.3.8 on Ubuntu 14.04.
>
> This is probably bug 3806. Which was fixed in 3.3.12 release.
>
> Can you try an upgrade to 3.4 ?
> The Debian Jesse/Testing package 3.4.8-* should work fine in Ubuntu 14.*
>
> Amos
>


Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Ahmed Allzaeem
Thank you a lot a lot a lot .
Great mailing list with people like you. "Amos"

Soon I will jump to Kerberos and if I got hanged I will ask here again :)
 
thanks



[squid-users] Determining unique clients in Squid

2014-12-19 Thread Veiko Kukk

Hi,

I have been trying to understand, how does Squid determine different 
clients, but it is not clear from the documentation. I guess this does 
not depend entirely on IP address, right? Otherwise all clients behind 
NAT would be considered as single client.


Reason behind this is that I'd like to configure a forward proxy for 
(mostly) binary files caching. All requests have Authorization headers 
(API key) and come from single IP address (localhost, python 
application, not generic web browser).


client  squid ssl_bump to see inside https  remote cloud 
storage


http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_are_private_and_public_keys.3F
"Private objects are associated with only a single client whereas a 
public object may be sent to multiple clients at the same time."


I wonder if it would be possible to use Squid to effectively cache 
larger objects locally with this type of configuration?


Best regards,
Veiko


Re: [squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-19 Thread Dieter Bloms
Hello Amos,

On Sat, Dec 20, Amos Jeffries wrote:

> > When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6
> > to ipv4 works fine, but when I do a
> > https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't
> > do a fallback to ipv4.
> > 
> > It would be nice if you can try it on your dual stack setup.
> > 
> > Thank you.
> > 
> 
> It takes me 10-20 sec to receive any response on the very first DNS
> lookup for that domain. After which all responses are quite fast for a
> few minutes. Then repeat with the slow lookup.
> 
> Like you say it responds with 1 IPv4 and 1 IPv6. Which is not too
> many, and none actually failing to resolve. So DNS is reasonable even
> with the occasional delay.
> 
> I am seeing approx 40-90% packet loss on several of the NTT.net
> transit hops between me and the site in IPv4. Not sure if that is
> related in any way related to your access path.
> 
> My current colo provider blocks network measurements from end-servers
> (but only on v6) so I cant adequately test the v6 connectivity
> anymore. But your log entry indicates that probably a TCP SYN
> handshake did not finish over either IP version.

with https squid doesn't try to connect to the webserver over ipv4 (verified
with tcpdump).

So I think you can test the missing failover from ipv6 to ipv4, if a
connect over ipv6 isn't possible with https connection.

Again, with http the failover from ipv6 to ipv4 occurs; only https is a
problem.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] error compiling 3.4.10

2014-12-19 Thread Alan Lehman
Alex,
This corrected the compile problem. It now compiles and installs without error. 
Thank you!

Eliezer,
Thanks for sharing the script. I will save that for future reference.

Alan


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Alex Domoradov
Sent: Saturday, December 13, 2014 5:52 AM
To: Eliezer Croitoru
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] error compiling 3.4.10

According to the following lines

> /usr/bin/ld: cannot find -lssl
> /usr/bin/ld: cannot find -lcrypto
it seems that you forgot to install devel package - openssl-devel

On Sat, Dec 13, 2014 at 1:58 AM, Eliezer Croitoru  wrote:

Hey Alan,

The main issue is the unknown environment.
Can you run this script:
http://www1.ngtech.co.il/squid/basic_data.sh

The script will give us the basic details about the build system.
When you use the script make sure there are no confidential details.

I have not tested this build on CentOS 7 yet, but it builds on 6.6 and a
couple of others, so it should be something solvable.

Eliezer

On 12/12/2014 11:57 PM, Alan Lehman wrote:
> config options: --enable-ssl --enable-useragent-log
> --enable-referer-log --with-filedescriptors=8192
> --disable-loadable-modules --prefix=/usr --includedir=/usr/include
> --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid
> --localstatedir=/var --sysconfdir=/etc/squid
> --with-openssl=/usr/lib64/openssl



Alan Lehman, PE, DCEP, Senior Associate
GBA, 9801 Renner Boulevard, Lenexa, KS 66219-9745
D: (913) 577-8829 | M: (816) 210-8785 | F: (913) 577-8264





Re: [squid-users] Unable to configure cache_dir with only TCP_MISS/200

2014-12-19 Thread Amos Jeffries
On 20/12/2014 3:45 a.m., Red wrote:
> Thank You Amos; I have tried that already, however I get "Error:
> Dependancy not satisfiable: libstdc++6 (>= 4.9)".  I am not sure
> what forcing an upgrade of libraries will do to the OS, so I guess it
> would be the best for me to just sit the upgrade out until it can be
> done smoothly.

Darn. Yeah okay, libstdc++ impacts a lot of things and across-OS is
worse than just a version bump.


You could try the version in backports repository. Otherwise you are
stuck doing a custom build to patch - in which case you may as well
build the latest version anyway.

Amos



[squid-users] ERR_CONNECT_FAIL 110

2014-12-19 Thread Alfredo Rezinovsky
I have a few TPROXY implementations with squid. In only one of them 
recently I'm getting lots of: "x-squid-error: ERR_CONNECT_FAIL 110" and 
some 504 timeouts.


Squid Cache: Version 3.4.10-20141218-r13197
configure options:  '--prefix=/opt/sepia/squid' 
'--sysconfdir=/var/lib/sepia/' '--disable-auth' '--disable-auto-locale' 
'--disable-cache-digests' '--disable-cpu-profiling' 
'--disable-debug-cbdata' '--disable-delay-pools' '--disable-devpoll' 
'--disable-ecap' '--disable-esi' '--disable-eui' 
'--disable-external-acl-helpers' '--disable-follow-x-forwarded-for' 
'--disable-forw-via-db' '--enable-gnuregex' '--disable-htcp' 
'--disable-icap-client' '--disable-ident-lookups' 
'--enable-internal-dns' '--disable-ipf-transparent' 
'--disable-ipfw-transparent' '--disable-ipv6' '--disable-leakfinder' 
'--disable-pf-transparent' '--disable-poll' '--disable-select' 
'--disable-snmp' '--enable-ssl' '--disable-stacktraces' 
'--disable-translation' '--disable-url-rewrite-helpers' '--disable-wccp' 
'--disable-wccpv2' '--disable-win32-service' 
'--disable-x-accelerator-vary' '--disable-icmp' 
'--disable-storeid-rewrite-helpers' '--enable-async-io' 
'--enable-disk-io' '--enable-epoll' '--enable-http-violations' 
'--enable-inline' '--enable-kill-parent-hack' '--enable-linux-netfilter' 
'--enable-log-daemon-helpers' '--enable-removal-policies' 
'--enable-storeio' '--enable-unlinkd' '--enable-x-accelerator-vary' 
'--enable-zph-qos' '--with-default-user=nobody' 
'--with-logdir=/var/log/sepia' '--with-pthreads' '--with-included-ltdl' 
'--with-pidfile=/var/lib/sepia/squid.pid' '--with-netfilter-conntrack' 
--enable-ltdl-convenience


It is a custom compiled squid with everything I don't need disabled.

Running on Ubuntu with kernel 3.13.0

PMTU from the proxy to both the servers and the clients seems to be 1500.

Any clue?

--
Alfrenovsky



Re: [squid-users] Determining unique clients in Squid

2014-12-19 Thread Amos Jeffries
On 20/12/2014 3:52 a.m., Veiko Kukk wrote:
> Hi,
> 
> I have been trying to understand how Squid determines
> different clients, but it is not clear from the documentation. I
> guess this does not depend entirely on IP address, right? Otherwise
> all clients behind NAT would be considered as a single client.

It depends ...

 ... for Squid's network measurement mechanisms and client_db* do
depend on IP address alone.

 ... security contexts like TLS/SSL or connection pinning depend on
the TCP socket numbers in use.


Other concepts of "client" such as authenticated user or end-user or
remote software agent are not relevant to Squid beyond the ACLs you
configure.


> 
> Reason behind this is that I'd like to configure a forward proxy
> for (mostly) binary files caching. All requests have Authorization
> headers (API key) and come from single IP address (localhost,
> python application, not generic web browser).


*Caching* is not related to the client though. Whether an object can
be cached depends solely on the request/reply message headers.

see below...

> 
> client  squid ssl_bump to see inside https  remote
> cloud storage
> 
> http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_are_private_and_public_keys.3F
>
>  "Private objects are associated with only a single client whereas
> a public object may be sent to multiple clients at the same time."
> 
> I wonder if it would be possible to use Squid to effectively
> cache larger objects locally with this type of configuration?
> 

Some points:

0) the document above is referring to the internal hash keys Squid
uses for indexing objects. It's describing the technical mechanism by
which Squid remembers which object is which type. Not much relevance
to your query as such.

1) Squid-3.2 and later are HTTP/1.1 compliant and able to cache
authenticated replies (and many other types of client-specific
objects) in accordance with the HTTP/1.1 rules for them.

2) client proxy-authorization credentials have no effect on
cacheability. Only credentials in www-authorization header affect
that, and only if the reply message does not make the object cacheable
by providing certain cache-control settings.

4) "HTTP" and "HTTPS" are both the same HTTP protocol. The only
difference is that one is inside a TLS channel. A lot of people seem
to think it's more secure somehow, but it's not really. SSL-Bumped HTTPS
requests are just as cacheable (or not) as they would be if
intercepted on port 80.

5) Size of objects is related only to the size limits you configure
into Squid. The default config caches objects up to 4MB to disk and up
to 512KB to memory.

Amos

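The HTTP/1.1 rule behind points 1 and 2 in the reply above, worked through as an added example (this is not Squid's code): RFC 7234 section 3.2 lets a shared cache such as a forward proxy store a response to a request that carried an Authorization header only when the response itself permits it with must-revalidate, public or s-maxage, while Proxy-Authorization plays no part in that decision. The request and response headers in the block are constructed.

```python
"""Shared-cache storability under the HTTP/1.1 Authorization rule.

Added example, not Squid's code. It models the RFC 7234 section 3.2 rule
for shared caches plus the no-store and private directives; a real cache
applies many more conditions before storing anything.
"""

PERMITTING = ("must-revalidate", "public", "s-maxage")


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for a shared cache.

    Header names are matched case-insensitively. Proxy-Authorization is
    deliberately ignored: the proxy consumes it, and it has no bearing on
    whether the origin's reply may be stored.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    if "no-store" in cc:
        return False, "response says no-store"
    if "private" in cc:
        return False, "response is private; a shared cache must not store it"
    if "authorization" in req:
        found = [d for d in PERMITTING if d in cc]
        if not found:
            return False, ("request carried Authorization and the response "
                           "has none of " + ", ".join(PERMITTING))
        return True, "Authorization present but allowed via " + ", ".join(found)
    return True, "no Authorization restriction applies"


if __name__ == "__main__":
    # Constructed cases modelled on the thread: a local client sending an
    # API key in Authorization to a cloud storage origin via a forward proxy.
    api_request = {"Authorization": "Bearer CONSTRUCTED-API-KEY"}
    proxy_auth_request = {"Proxy-Authorization": "Basic CONSTRUCTED"}
    cases = [
        (api_request, {"Cache-Control": "max-age=3600"}),
        (api_request, {"Cache-Control": "public, max-age=3600"}),
        (api_request, {"Cache-Control": "s-maxage=600"}),
        (proxy_auth_request, {"Cache-Control": "max-age=60"}),
        (api_request, {"Cache-Control": "private, max-age=60"}),
    ]
    for req, resp in cases:
        allowed, why = shared_cache_may_store(req, resp)
        print("storable" if allowed else "NOT storable", ":", why)
```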


Re: [squid-users] ERR_CONNECT_FAIL 110

2014-12-19 Thread Amos Jeffries
On 20/12/2014 4:21 a.m., Alfredo Rezinovsky wrote:
> I have a few TPROXY implementations with squid. In only one of
> them recently I'm getting lots of: "x-squid-error: ERR_CONNECT_FAIL
> 110" and some 504 timeouts.
> 
> Squid Cache: Version 3.4.10-20141218-r13197 configure options:
> '--prefix=/opt/sepia/squid' '--sysconfdir=/var/lib/sepia/'
> '--disable-auth' '--disable-auto-locale' '--disable-cache-digests'
> '--disable-cpu-profiling' '--disable-debug-cbdata'
> '--disable-delay-pools' '--disable-devpoll' '--disable-ecap'
> '--disable-esi' '--disable-eui' '--disable-external-acl-helpers'
> '--disable-follow-x-forwarded-for' '--disable-forw-via-db'
> '--enable-gnuregex' '--disable-htcp' '--disable-icap-client'
> '--disable-ident-lookups' '--enable-internal-dns'
> '--disable-ipf-transparent' '--disable-ipfw-transparent'
> '--disable-ipv6' '--disable-leakfinder' '--disable-pf-transparent'
> '--disable-poll' '--disable-select' '--disable-snmp' '--enable-ssl'
> '--disable-stacktraces' '--disable-translation'
> '--disable-url-rewrite-helpers' '--disable-wccp' '--disable-wccpv2'
> '--disable-win32-service' '--disable-x-accelerator-vary'
> '--disable-icmp' '--disable-storeid-rewrite-helpers'
> '--enable-async-io' '--enable-disk-io' '--enable-epoll'
> '--enable-http-violations' '--enable-inline'
> '--enable-kill-parent-hack' '--enable-linux-netfilter' 
> '--enable-log-daemon-helpers' '--enable-removal-policies' 
> '--enable-storeio' '--enable-unlinkd'
> '--enable-x-accelerator-vary' '--enable-zph-qos'
> '--with-default-user=nobody' '--with-logdir=/var/log/sepia'
> '--with-pthreads' '--with-included-ltdl' 
> '--with-pidfile=/var/lib/sepia/squid.pid'
> '--with-netfilter-conntrack' --enable-ltdl-convenience
> 
> Is a custom compiled squid with everything I don't need disabled.
> 
> Running in Ubuntu with kernel 3.13.0
> 
> PMTU from the proxy to both the servers and the clients seems to be
> 1500.
> 
> Any clue?

Nope, you omitted the best clues. :-)

The access.log entries matching those errors would be a good start if
you can identify them.

Amos


Re: [squid-users] Determining unique clients in Squid

2014-12-19 Thread Stakres
Hi Veiko,

Correct me if I'm wrong, you need to use Squid for HTTPS decryption and try
to cache the maximum of objects (mainly big ones), am I right?

Regarding the private/public objects, I could not answer here as I don't see
what your project is, and I'm not a member of the Squid team so I'm not
informed about all the tricks :)

So, do you plan to install a Squid for your users for regular internet
traffic or do you have special restrictions for a specific Squid
installation?

Ready to help you but I need more details on what you want to do :)

Bye Fred


From: Veiko Kukk [via Squid Web Proxy Cache]
[mailto:ml-node+s1019090n4668773...@n4.nabble.com] 
Sent: Friday, 19 December 2014 15:43
To: Stakres
Subject: Determining unique clients in Squid


Hi, 

I have been trying to understand how Squid determines different 
clients, but it is not clear from the documentation. I guess this does 
not depend entirely on IP address, right? Otherwise all clients behind 
NAT would be considered as a single client. 

Reason behind this is that I'd like to configure a forward proxy for 
(mostly) binary files caching. All requests have Authorization headers 
(API key) and come from single IP address (localhost, python 
application, not generic web browser). 

client  squid ssl_bump to see inside https  remote cloud 
storage 

http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_are_private_and_public_keys.3F
"Private objects are associated with only a single client whereas a 
public object may be sent to multiple clients at the same time." 

I wonder if it would be possible to use Squid to effectively cache 
larger objects locally with this type of configuration? 

Best regards, 
Veiko 


Re: [squid-users] Problem with running squid 3.5 on windows 7

2014-12-19 Thread Eldar Akchurin
Hi Amos,
 
Thanks a lot for the hint!
Specifying LIBS="-lws2_32" fixes this particular issue. Let's see what comes up 
next.
 
--e
 
> Date: Sat, 20 Dec 2014 02:51:49 +1300
> From: squ...@treenet.co.nz
> To: al.akchu...@googlemail.com
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with running squid 3.5 on windows 7
> 
> On 20/12/2014 2:35 a.m., Eldar Akchurin wrote:
> > Hi Amos,
> > 
> > It seems it uses a posix resolver for that, because it cannot find the
> > native implementation.
> > 
> > configure:37657: checking for getaddrinfo
> > configure:37657: x86_64-w64-mingw32-g++ -o conftest.exe -DWINVER=0x601
> > -D_WIN32_WINNT=0x601 -fpermissive -L/usr/lib -mthreads
> > -static-libgcc -static-libstdc++  -g conftest.cpp  -lpsapi >&5
> > /tmp/cckciKLu.o: In function `main':
> > /usr/src/squid-3.5.0.3-20141209-r13687/conftest.cpp:204: undefined reference to `getaddrinfo'
> > collect2: error: ld returned 1 exit status
> > configure:37657: $? = 1
> > 
> > 
> > Is this expected? If not, I will look how I can enable the native 
> > implementation.
> 
> Well, the targeted Win7 version (0x601) is supposed to supply a native
> getaddrinfo() and IIRC the MinGW headers included a definition. So I
> expect (more of a hope really) that the MinGW supplied version should
> be detected and used with the right autoconf test.
> 
> If you are able to figure this one out it would be a great help. I'm
> not able to spare any time to Windows for a few weeks at least.
> 
> Amos


Re: [squid-users] Problem with running squid 3.5 on windows 7

2014-12-19 Thread Amos Jeffries
On 20/12/2014 7:05 a.m., Eldar Akchurin wrote:
> Hi Amos,
> 
> Thanks a lot for the hint! Specifying LIBS="-lws2_32" fixes this
> particular issue. Let's see what comes up next.
> 
> --e

Great! thank you. I have added that to Squid-3. For the next release
you should not have to explicitly define it or the 0x601 version options.

Amos



Re: [squid-users] Transparent proxy with Peek and Splice feature.

2014-12-19 Thread James Harper
The following "works" for me:

# intercept for transparent proxy of ssl connections
https_port 3130 name=transproxyssl intercept ssl-bump 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ca.pem

# just testing with my laptop
acl james_src arp 11:11:11:11:11:11

# name of port used for transparent ssl interception
acl transproxyssl myportname transproxyssl

ssl_bump stare transproxyssl james_src
ssl_bump bump james_src
ssl_bump splice all

But "works" is probably a bit of an exaggeration. I was seeing lots of this 
sort of thing in the logs:
 
Error negotiating SSL on FD 75: error:1409F07F:SSL 
routines:SSL3_WRITE_PENDING:bad write retry (1/-1/0)
hold write on SSL connection on FD 65
BUG 3556: FD 112 is not an open socket.
assertion failed: Read.cc:69: "fd_table[conn->fd].halfClosedReader != NULL"

And squid restarting a lot. This was with squid-3.5.0.2-20141121-r13666 and so 
hopefully I was seeing some bugs that are now fixed, and it's not that I am 
abusing the configuration or something...

I'm upgrading to the latest snapshot now for further testing.

James


> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Vadim Rogoziansky
> Sent: Friday, 19 December 2014 11:29 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Transparent proxy with Peek and Splice feature.
> 
> Any ideas, any thoughts?
> Thanks.
> 
> 
> 11/29/2014 6:17 AM, Amos Jeffries wrote:
> > On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> >> Hello Amos.
> >>
> >> Thank you for answer.
> >>
> >> An investigation was made into squid's peek and splice
> >> issues in transparent mode. The one-line explanation is as follows: in
> >> intercept mode squid can't get a server host name from the request
> >> header and uses the client IP address instead for both fake cert
> >> generation and as the SNI record in server bump SSL handshaking. This
> >> is the root of the problem. However this can be fixed if squid uses
> >> the SNI field taken from the client TLS Hello message for that purpose.
> >> Can you hack squid in this way? What do you think?
> > I think peek-n-splice is supposed to already be doing that.
> >
> > However it does depend on whether you are bumping the connection at
> > step 1 (before ClientHello), step 2 (after ClientHello, before
> > ServerHello), or step 3 (after both ClientHello and ServerHello) of
> > the TLS handshake whether the SNI details are present.
> >
> > Amos
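Amos's point in the quoted reply above, that the SNI is only there once the ClientHello has been read (step 2 onward), as an added example that is not Squid's code: a parser that pulls the server_name extension out of a raw TLS ClientHello record, run on a ClientHello the block constructs itself (build_client_hello and extract_sni are names chosen here, not Squid functions).

```python
"""Extract the SNI host name from a raw TLS ClientHello record.

Added example, not Squid's code. The server_name extension exists only
once the ClientHello has been read (handshake step 2 above); a step 1
decision has just the TCP connection to go on. Test data is constructed.
"""
import struct

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def build_client_hello(host=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed data)."""
    exts = b""
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)               # version, zero random
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from the server_name extension, None if the
    ClientHello has no SNI, or raise ValueError if the record is not a
    complete, well-formed ClientHello (truncated, wrong type, bad lengths)."""
    try:
        return _parse(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def _parse(record):
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length does not match record")
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    if pos == len(body):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME or len(data) != ext_len:
            continue
        p = 2                                             # skip list length
        while p + 3 <= len(data):
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            if data[p] == 0:                              # NameType host_name
                return data[p + 3:p + 3 + name_len].decode("idna")
            p += 3 + name_len
    return None
```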