Re: [squid-users] Server-first SSL bump in Squid 3.5.x
Right, I see. So I’ve got a special ACL to always allow that Test URL for the sake of our certcheck … but it’s doing it by dstdomain. So if there are rules to say “always redirect to the certificate splash page if you can’t connect to the URL”, then it will never pass it because the initial CONNECT step can never match a dstdomain and will always be DENIED. So what I really need to do is change that test URL’s ACL to be a dst instead (and find a URL that isn’t going to resolve to different IPs over time). Okay. While we’re at it, is there a Peek Splice equivalent of the config I posted before? Kind regards Dan On 19 Mar 2015, at 5:18 pm, Amos Jeffries squ...@treenet.co.nz wrote: On 19/03/2015 6:36 p.m., Dan Charlesworth wrote: Hey y’all Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ... Sadly being compatible with an broken design does not mean working. server-first only works nicely if the client, Squid, and server are operating with the same TLS features - which is uncommon. Using the same SSL Bump config that we used for 3.4, we now seeing this happen: 19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - - The CONNECT request in the clear-text HTTP layer is now subject to access controls before any bumping takes place. Earlier Squid would let the CONNECT through if you were bumping, even if it would have been blocked by your access controls normally. This is unrelated to server-first or any other ssl_bump action. Instead of this: 19/Mar/2015-14:42:04736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript - That is a different HTTP message from inside the encryption. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid not responding during file upload.
Hello all, I am using Squid 3.4 to inspect content that heads out to the cloud from enterprise. I have two c-icap filter that does the content inspection. Observation: - Upload 3000 1M files to cloud passes through successfully. - Upload 300 40M files to cloud results in multiple failures. Some of errors: 400 Bad Request, Request Timed out.. Tcpdump of the 40MB file upload tests indicate the following: - Boto client used to upload sends packet to squid proxy. - Proxy does not acknowledge. - Client sends the data again at least 6 times, Squid does not respond. - After 20-25 seconds of this (where Squid did not send any data to cloud), Cloud storage vendor returns a BAD Request response. Uploading 300 files seems to be a load that should be manageable by Squid. Can anyone guide me on how to optimize Squid for the above scenario? Are there any performance parameters that I can tweak so Squid handles this correctly? Thanks, Saravanan ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Server-first SSL bump in Squid 3.5.x
On 19/03/2015 6:36 p.m., Dan Charlesworth wrote: Hey y’all Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ... Sadly being compatible with an broken design does not mean working. server-first only works nicely if the client, Squid, and server are operating with the same TLS features - which is uncommon. Using the same SSL Bump config that we used for 3.4, we now seeing this happen: 19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - - The CONNECT request in the clear-text HTTP layer is now subject to access controls before any bumping takes place. Earlier Squid would let the CONNECT through if you were bumping, even if it would have been blocked by your access controls normally. This is unrelated to server-first or any other ssl_bump action. Instead of this: 19/Mar/2015-14:42:04736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript - That is a different HTTP message from inside the encryption. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Alberto - I created a script to do that overnight, every night, and it did not stop the error occurring during the following day. On Fri, Mar 20, 2015 at 12:01 PM, Alberto Perez alberto2pe...@gmail.com wrote: I read once in this list a response to this same question, each time I see this in my cache logs I stop squid, remove swap.state file and run squid3 -z, after that start squid again and the issue its gone. Regards On 3/19/15, Dan Charlesworth d...@getbusi.com wrote: Hi John This bug has been affecting me on an off for a while as well. I believe it only affects aufs and, unfortunately, has been around for years. See: http://bugs.squid-cache.org/show_bug.cgi?id=3279 And see: http://bugs.squid-cache.org/show_bug.cgi?id=3483 On 19 March 2015 at 22:37, johnzeng johnzeng2...@yahoo.com wrote: Hello All i check squid log, and i found some Warning info and bug info , Whether it will affect normal access ? if possible, please give me some direction for sloving the problem 2015/03/19 19:29:02 kid1| WARNING: 1 swapin MD5 mismatches 2015/03/19 19:29:02 kid1| Could not parse headers from on disk object 2015/03/19 19:29:02 kid1| BUG 3279: HTTP reply without Date: 2015/03/19 19:29:02 kid1| StoreEntry-key: 04F6FAEC243D0C8E4A3DAB9C14276F04 2015/03/19 19:29:02 kid1| StoreEntry-next: 0 2015/03/19 19:29:02 kid1| StoreEntry-mem_obj: 0xb096600 2015/03/19 19:29:02 kid1| StoreEntry-timestamp: -1 2015/03/19 19:29:02 kid1| StoreEntry-lastref: 1426764542 2015/03/19 19:29:02 kid1| StoreEntry-expires: -1 2015/03/19 19:29:02 kid1| StoreEntry-lastmod: -1 2015/03/19 19:29:02 kid1| StoreEntry-swap_file_sz: 0 2015/03/19 19:29:02 kid1| StoreEntry-refcount: 1 2015/03/19 19:29:02 kid1| StoreEntry-flags: PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/19 19:29:02 kid1| StoreEntry-swap_dirn: -1 2015/03/19 19:29:02 kid1| StoreEntry-swap_filen: -1 2015/03/19 19:29:02 kid1| StoreEntry-lock_count: 3 2015/03/19 19:29:02 kid1| StoreEntry-mem_status: 0 2015/03/19 19:29:02 kid1| StoreEntry-ping_status: 2 2015/03/19 19:29:02 kid1| StoreEntry-store_status: 1 2015/03/19 19:29:02 kid1| StoreEntry-swap_status: 0 2015/03/19 19:29:02 kid1| assertion failed: store.cc:1885: isEmpty() ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] assertion failed: client_side.cc:1515: connIsUsable(http-getConn())
Well I got 3.5.2 into production for a few hours and Bad Things happened:1) A hefty performance hitLoad average was maybe a tad higher but CPU. memory and I/O were about the same. However the system seemed to top out at around 40 requests per second (on a client that usually hits 100—150 rps) and squid became very slow to respond to squidclient requests:[root@proxy-LS5 ~]# time squidclient -p 8080 mgr:utilization | grep client_http.requestsclient_http.requests = 40.965955/secclient_http.requests = 41.168528/secclient_http.requests = 42.111847/secclient_http.requests = 166646real 0m7.163suser 0m0.002ssys 0m0.006s2) Lots of Segment ViolationsThese obviously suck. Backtrace attached.Just cannot win. Is it possible these two issues are due to the patch for #4206?bt full #0 0x00397e232625 in ?? () No symbol table info available. #1 0x00397e233e05 in ?? () No symbol table info available. #2 0x00bb88a8 in queried_keys () No symbol table info available. #3 0x00bb88b0 in queried_keys () No symbol table info available. #4 0x0039864f32c0 in ?? () No symbol table info available. #5 0x0059000b in operator std::char_traitschar (this=0x2f89f30) at /usr/include/c++/4.4.7/ostream:510 No locals. #6 FileMap::grow (this=0x2f89f30) at filemap.cc:75 _dbo = @0x8d01b90 old_sz = 0 old_map = 0x8bbb9e0 __FUNCTION__ = grow #7 0x0002 in ?? () No symbol table info available. #8 0x3ffd091c087442c8 in ?? () No symbol table info available. #9 0x00bb91e0 in queried_keys () No symbol table info available. #10 0x0001 in ?? () No symbol table info available. #11 0x000c6e84 in ?? () No symbol table info available. #12 0x0002 in ?? () No symbol table info available. #13 0x4135 in ?? () No symbol table info available. #14 0x0020 in ?? () No symbol table info available. #15 0x in ?? () No symbol table info available. On 16 Mar 2015, at 6:18 pm, Amos Jeffries squ...@treenet.co.nz wrote:On 16/03/2015 7:16 p.m., Dan Charlesworth wrote:Hey again Amos -Unfortunately the patch for #4206 won’t apply to squid-3.4.12. I was going to try creating a new one but couldn’t find an equivalentline in client_side.cc for that version.I guess the #4206 issue doesn’t apply to v3.4.x after all?Correct. Oh well.[Not a C programmer]Thanks for your time today.P.S. I'd love to upgrade to v3.5 but I'm waiting for somebody smarter than me to take the lead on a CentOS 6 RPM SPEC file.Eliezer to the rescue ;-)http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5Amos___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Hello All, I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this ( http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory ) I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate. Any ideas? Thanks in advance. ##HAPROXY.CFG## global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon defaults log global mode http option httplog option dontlognull contimeout 5000 clitimeout 5 srvtimeout 5 # reverse proxy-squid listen proxy 10.10.0.254:3128 mode http cookie SERVERID insert indirect nocache balance roundrobin option httpclose option forwardfor header X-Client server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5 server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5 ##SQUID.CONF## #Kerberos and NTLM authentication auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME auth_param negotiate children 30 auth_param negotiate keep_alive off # LDAP authentication auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193 auth_param basic children 150 auth_param basic realm Please enter your Domain credentials to continue auth_param basic credentialsttl 1 hour # AD group membership commands external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f ((objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=,DC=local)) -h dc1..local,dc2..local,dc3..local,dc4..local acl auth proxy_auth REQUIRED acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES http_access deny !auth all http_access deny !REQGROUPS all -- Samuel Anderson | Information Technology Administrator | International Document Services IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607 -- CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid + AD + Kerb auth question
Hi Joao, OK now you use the authentication rule. How did you create the keytab ? Does the hostname match the keytab entry ? Can you run the helper with –d to get more debug ? Markus From: Joao Paulo Monticelli Gaspar Sent: Thursday, March 19, 2015 12:41 AM To: Markus Moeller Subject: Re: [squid-users] Squid + AD + Kerb auth question gettin access denied now watch the logs == /var/log/squid/squid.out == == /var/log/squid/access.log == 1426725527.219 1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html == /var/log/squid/cache.log == 2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. ' guess my SOO isnt working right? 2015-03-18 20:46 GMT-03:00 Markus Moeller hua...@moeller.plus.com: Hi Joao Then you hit http_access allow localnet and not http_access allow ad_auth Comment out the following line in squid.conf http_access allow localnet and try again. Markus From: Joao Paulo Monticelli Gaspar Sent: Wednesday, March 18, 2015 11:38 PM To: Markus Moeller Subject: Re: [squid-users] Squid + AD + Kerb auth question yes, I'm using localnet, this is a virtual test lab enviorment, here are some log entries 1426694349.225 59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 - 1426694352.258 62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 - 1426694613.543 58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 - when I looked at the access.log manual pages I saw that if squid cant get user info, he uses the - sign on the access, and we can see it there, but why he cant get the user info? 2015-03-18 20:20 GMT-03:00 Markus Moeller hua...@moeller.plus.com: Hi, From which network do you surf ? From localnet ? Can you send sample log entries ? Markus From: Joao Paulo Monticelli Gaspar Sent: Wednesday, March 18, 2015 9:18 PM To: Markus Moeller Subject: Re: [squid-users] Squid + AD + Kerb auth question squid.conf visible_hostname proxy.joznet.local auth_param negotiate program /usr/lib64/squid/squid_kerb_auth auth_param negotiate children 10 auth_param negotiate keep_alive on auth_param basic credentialsttl 2 hours acl ad_auth proxy_auth REQUIRED acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 192.168.1.0/24 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow localhost http_access allow ad_auth http_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = JOZNET.LOCAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true ; for Windows 2008 with AES ;default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ;default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ;permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ; for MIT/Heimdal kdc no need to restrict encryption type [realms] JOZNET.LOCAL = { kdc = srvjoznt.joznet.local:88 admin_server = srvjoznt.joznet.local:749 default_domain = joznet.local }
Re: [squid-users] squid SMP and SNMP
Hi. On 18.03.2015 19:02, Amos Jeffries wrote: Process kid3 (SMP coordinator) is attempting to respond. Since you configured: snmp_port 340${process_number} and the coordinator is process number 3 I think it will be using port 3403 for that response. Nobody is listening on these ports: [root@taiga:local/squidquotas]# netstat -an | grep udp | grep 340 udp46 0 0 *.3401 *.* udp46 0 0 *.3402 *.* [root@taiga:local/squidquotas]# Eugene. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Open Squid Box - FREE
Hi Amos, This is not a LiveCD, this is a *complete solution* including Squid, web console, statistics, graphs, StoreID plugin, etc... An Open solution for people who needs an all-in-one system ready and running in 10 min maxi... Bye Fred -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Open-Squid-Box-FREE-tp4670502p4670504.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Open Squid Box - FREE
Unveiltech already have a listing for Squid based product since years back. http://www.squid-cache.org/Support/products.html And most of what the feature description can also be used as-is to describe the default Squid packages from squid-cache.org provide on installation without any configuration or tuning. So whats new about this? You put it on a LiveCD and ... ? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid not responding during file upload.
On 19/03/2015 8:11 p.m., Saravanan Coimbatore wrote: Hello all, I am using Squid 3.4 to inspect content that heads out to the cloud from enterprise. I have two c-icap filter that does the content inspection. Observation: - Upload 3000 1M files to cloud passes through successfully. - Upload 300 40M files to cloud results in multiple failures. Some of errors: 400 Bad Request, Request Timed out.. Tcpdump of the 40MB file upload tests indicate the following: - Boto client used to upload sends packet to squid proxy. Squid on receiving requests sends them to the ICAP REQMOD service, and waits for its response, then sends the ICAP REQMOD result to the origin server, and waits for its response, then sends that to the ICAP RESPMOD service, and waits for its response, then sends that to the client. So... What is the ICAP service and the origin server doing? - Proxy does not acknowledge. What type of acknowledge are you expecting here? HTTP or TCP level? - Client sends the data again at least 6 times, Squid does not respond. At TCP or HTTP layer? - After 20-25 seconds of this (where Squid did not send any data to cloud), Cloud storage vendor returns a BAD Request response. Uploading 300 files seems to be a load that should be manageable by Squid. Can anyone guide me on how to optimize Squid for the above scenario? Are there any performance parameters that I can tweak so Squid handles this correctly? Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Redirect on Debian 7
Hello, I use the standard-Squid on Debian 7 and I'd like to create a redirect script. The documentation looks quite simple, but its not very logical to me. Some say just repeating the URL is ok, others say there is an ID that needs to get repeated in the answer. Some say you need to send an OK with the answer. Then I tried to use a simple script with tee to debug. It works quite well on the console, but does nothing in Squid. Squid behaves strange when I use the script. So: Is there a tutorial that fits the Debian 7 version (3.1.20-2.2+deb7u2) for a dummy like me that explains how to create a redirect script including logging? Thanks in advance nobs ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Open Squid Box - FREE
*WAN Optimization and Internet Acceleration in Open Source*. OpenSquidBox is an Open Source of an already pre-configured Squid Proxy Cache Server under Linux that can be installed within few minute. It’s an ISO Software Appliance that can be loaded on any hardware and virtual appliance. It contains an already pre-installed configured 64 bits Linux OS and Squid Proxy Cache software and includes a web graphical console for easy configuration management of your cache server. The Installation of the ISO file on your own hardware/software appliance takes only few minutes. No extra manual installation or configuration is required. Your cache server is then immediately ready to work. Easy customizable solution for those you need to install rapidly a Cache Server or want to learn practice Squid Cache with a nice open source graphical web console. Dedicated website about * http://osb.unveiltech.com OpenSquidBox* *Startup Users*: You are not yet an expert in Linux nor in Squid Cache but you need something ready to go to work/play with it. You can not invest time to investigate how to install/setup and configure. *Advanced Admins*: You need to setup a new Proxy Cache server but you do not have time to install and configure it. You need something ready-to-use and to install on your hardware appliance. Within few minutes you have something installed and working. Worry-free solution. *Professionals*: You are looking for a software appliance solution to deploy at your customers site. You need something ready-to-use and to install on your hardware appliance. Get an immediate solution within few minutes. Easy configurable solution. *Main Features* ISO Software Appliance solution ready to download ISO file already containing Linux OS pre-configured Contains most popular Squid Proxy Cache software pre-configured Easy to Install on your own hardware appliance 64 bits OS and Proxy Cache Server Installation in few minutes No extra manual installation or configuration required Works on Hardware or Virtual Appliance Already preconfigured with default settings Includes a web graphical console for easy configuration management: Modern graphical console Realtime and Mbps graphs No need to manually configure setting files Rapid access to configuration with web console Easy Customizable Solution Ready to use solution Good solution to learn and practice Squid Proxy Cache Open Source solution (Root account is provided for free) Version 1.03 - March 19th 2015 ISO is now available to all in Open Source including the SquidVideoBooster plugin trial 7 days *Installation*: - Download the ISO - Burn a CD or USB stick - Boot on the CD/USB and install - Once installed, go to the web console: http://opensquidbox-ip-address:81 Feel free for comment, suggest or improve it... Enjoy, Bye Fred -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Open-Squid-Box-FREE-tp4670502.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Hello All i check squid log, and i found some Warning info and bug info , Whether it will affect normal access ? if possible, please give me some direction for sloving the problem 2015/03/19 19:29:02 kid1| WARNING: 1 swapin MD5 mismatches 2015/03/19 19:29:02 kid1| Could not parse headers from on disk object 2015/03/19 19:29:02 kid1| BUG 3279: HTTP reply without Date: 2015/03/19 19:29:02 kid1| StoreEntry-key: 04F6FAEC243D0C8E4A3DAB9C14276F04 2015/03/19 19:29:02 kid1| StoreEntry-next: 0 2015/03/19 19:29:02 kid1| StoreEntry-mem_obj: 0xb096600 2015/03/19 19:29:02 kid1| StoreEntry-timestamp: -1 2015/03/19 19:29:02 kid1| StoreEntry-lastref: 1426764542 2015/03/19 19:29:02 kid1| StoreEntry-expires: -1 2015/03/19 19:29:02 kid1| StoreEntry-lastmod: -1 2015/03/19 19:29:02 kid1| StoreEntry-swap_file_sz: 0 2015/03/19 19:29:02 kid1| StoreEntry-refcount: 1 2015/03/19 19:29:02 kid1| StoreEntry-flags: PRIVATE,FWD_HDR_WAIT,VALIDATED 2015/03/19 19:29:02 kid1| StoreEntry-swap_dirn: -1 2015/03/19 19:29:02 kid1| StoreEntry-swap_filen: -1 2015/03/19 19:29:02 kid1| StoreEntry-lock_count: 3 2015/03/19 19:29:02 kid1| StoreEntry-mem_status: 0 2015/03/19 19:29:02 kid1| StoreEntry-ping_status: 2 2015/03/19 19:29:02 kid1| StoreEntry-store_status: 1 2015/03/19 19:29:02 kid1| StoreEntry-swap_status: 0 2015/03/19 19:29:02 kid1| assertion failed: store.cc:1885: isEmpty() ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] assertion failed: client_side.cc:1515: connIsUsable(http-getConn())
Hello Dan: i used 3.5.2 just now , i worried 3.5.3 isn't very stable too , i use 2.7stable 9 ago , and you ? if version is 3.xxx , which version is stablest until now . Best Regard 于 2015年03月20日 08:07, Dan Charlesworth 写道: Well I got 3.5.2 into production for a few hours and Bad Things happened: *1) A hefty performance hit* Load average was maybe a tad higher but CPU. memory and I/O were about the same. However the system seemed to top out at around 40 requests per second (on a client that usually hits 100—150 rps) and squid became very slow to respond to squidclient requests: [root@proxy-LS5 ~]# time squidclient -p 8080 mgr:utilization | grep client_http.requests client_http.requests = 40.965955/sec client_http.requests = 41.168528/sec client_http.requests = 42.111847/sec client_http.requests = 166646 real0m7.163s user0m0.002s sys0m0.006s *2) Lots of Segment Violations* These obviously suck. Backtrace attached. Just cannot win. Is it possible these two issues are due to the patch for #4206? On 16 Mar 2015, at 6:18 pm, Amos Jeffries squ...@treenet.co.nz mailto:squ...@treenet.co.nz wrote: On 16/03/2015 7:16 p.m., Dan Charlesworth wrote: Hey again Amos - Unfortunately the patch for #4206 won’t apply to squid-3.4.12. I was going to try creating a new one but couldn’t find an equivalent line in client_side.cc for that version. I guess the #4206 issue doesn’t apply to v3.4.x after all? Correct. Oh well. [Not a C programmer] Thanks for your time today. P.S. I'd love to upgrade to v3.5 but I'm waiting for somebody smarter than me to take the lead on a CentOS 6 RPM SPEC file. Eliezer to the rescue ;-) http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5 Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] SNMP queries to squid never go beyond 1 GB
No matter what cache_mem I set it seems that MRTG queries via SNMP never seem to get beyond 1 GB even running the latest 3.5 code. Amos, is the code capable of allocating more than one gig of memory? Storage Mem Size @ x The statistics were last updated Thursday, 19 March 2015 at 18:48, at which time 'squid 3.5.1' had been up for 10:27:16. `Daily' Graph (5 Minute Average) Max Average Current Mem Size 980.8 MBytes 648.1 MBytes 139.5 MBytes Convert your dreams to achievable and realistic goals, this way the journey is satisfying and progressive. - LP Best regards, The Geek Guy Lawrence Pingree http://www.lawrencepingree.com/resume/ http://www.lawrencepingree.com/resume/ Author of The Manager's Guide to Becoming Great http://www.management-book.com/ http://www.Management-Book.com https://webportal.isc2.org/custom/CertificationVerificationResults.aspx?FN= LawrenceLN=PingreeCN=76042 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Hey Samuel, Not related to your post at squid-cache, I have tried to access your site from my testing grounds and I do not seem to be able to access it. Not even an ICMP echo ping. It is maybe something in the route between my client to your server but I was wondering if I should contact my ISP or you know about something? Eliezer ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Another one here not using SMP, and using aufs. I stopped seen this issue frequently when I reduced my cache size, from 70 GB to 30 GB now. Regards On 3/19/15, Dan Charlesworth d...@getbusi.com wrote: Hey Eliezer I don't actually use SMP. I could be wrong about the aufs thing; I haven't personally tested—and don't currently plan to test—any other cache types. I just gleaned that from the comments in the bug reports. Kind regards Dan On 20 March 2015 at 13:45, Eliezer Croitoru elie...@ngtech.co.il wrote: Hey Dan and John, If indeed this bug is only for UFS\AUFS cache_dir then I would try to make sure that large-rock will not sustain the same issue. I have not seen in any of the bug reports anything that would reproduce the issue. To make sure the issue is understood and can or cannot be reproduced using ufs\aufs will give one direction. I would try to test large rock in my next testing round with SMP but if anyone has some option to test it first I will be glad if it will be done to make sure ufs\aufs is the culprit. Also if indeed it's with aufs\ufs only with SMP then it means that the issue is related to the way SMP can make a ufs\aufs cache_dir dirty and there for the answer would be pretty simple to the issue in hands. Eliezer On 20/03/2015 00:32, Dan Charlesworth wrote: Hi John This bug has been affecting me on an off for a while as well. I believe it only affects aufs and, unfortunately, has been around for years. See:http://bugs.squid-cache.org/show_bug.cgi?id=3279 And see:http://bugs.squid-cache.org/show_bug.cgi?id=3483 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Redirect on Debian 7
On 19/03/2015 11:28 p.m., n...@nobswolf.info wrote: Hello, I use the standard-Squid on Debian 7 and I'd like to create a redirect script. The documentation looks quite simple, but its not very logical to me. Some say just repeating the URL is ok, others say there is an ID that needs to get repeated in the answer. Some say you need to send an OK with the answer. That depends on what version of the helper protocol the tutorial was written about. It also varies by when helper type you are writing. The definitive reference is the Squid wiki feature page about helpers http://wiki.squid-cache.org/Features/AddonHelpers Then I tried to use a simple script with tee to debug. It works quite well on the console, but does nothing in Squid. Squid behaves strange when I use the script. The brief FAQ section at the top of the wiki page has outline of the common problems encountered. You can find example scripts in the Squid sources as helpers called fake. http://bazaar.launchpad.net/~squid/squid/3.5/files/head:/helpers/url_rewrite/fake/ Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Hey Dan and John, If indeed this bug is only for UFS\AUFS cache_dir then I would try to make sure that large-rock will not sustain the same issue. I have not seen in any of the bug reports anything that would reproduce the issue. To make sure the issue is understood and can or cannot be reproduced using ufs\aufs will give one direction. I would try to test large rock in my next testing round with SMP but if anyone has some option to test it first I will be glad if it will be done to make sure ufs\aufs is the culprit. Also if indeed it's with aufs\ufs only with SMP then it means that the issue is related to the way SMP can make a ufs\aufs cache_dir dirty and there for the answer would be pretty simple to the issue in hands. Eliezer On 20/03/2015 00:32, Dan Charlesworth wrote: Hi John This bug has been affecting me on an off for a while as well. I believe it only affects aufs and, unfortunately, has been around for years. See:http://bugs.squid-cache.org/show_bug.cgi?id=3279 And see:http://bugs.squid-cache.org/show_bug.cgi?id=3483 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Hey Eliezer I don't actually use SMP. I could be wrong about the aufs thing; I haven't personally tested—and don't currently plan to test—any other cache types. I just gleaned that from the comments in the bug reports. Kind regards Dan On 20 March 2015 at 13:45, Eliezer Croitoru elie...@ngtech.co.il wrote: Hey Dan and John, If indeed this bug is only for UFS\AUFS cache_dir then I would try to make sure that large-rock will not sustain the same issue. I have not seen in any of the bug reports anything that would reproduce the issue. To make sure the issue is understood and can or cannot be reproduced using ufs\aufs will give one direction. I would try to test large rock in my next testing round with SMP but if anyone has some option to test it first I will be glad if it will be done to make sure ufs\aufs is the culprit. Also if indeed it's with aufs\ufs only with SMP then it means that the issue is related to the way SMP can make a ufs\aufs cache_dir dirty and there for the answer would be pretty simple to the issue in hands. Eliezer On 20/03/2015 00:32, Dan Charlesworth wrote: Hi John This bug has been affecting me on an off for a while as well. I believe it only affects aufs and, unfortunately, has been around for years. See:http://bugs.squid-cache.org/show_bug.cgi?id=3279 And see:http://bugs.squid-cache.org/show_bug.cgi?id=3483 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] assertion failed: client_side.cc:1515: connIsUsable(http-getConn())
John - For us the 3.4 series is definitely the stablest. I was hoping 3.5.2 + plus a patch would avoid the error in this thread’s subject—and it might have done—but it introduced two other major problems (for us). On 20 Mar 2015, at 2:29 pm, johnzeng johnzeng2...@yahoo.com wrote: Hello Dan: i used squid 2.7stable9 ago ,and i worried whether squid 3.5.2 is stablest for us until now too . and you ? Do you think Whether version is stablest at squid 3.xxx ? Well I got 3.5.2 into production for a few hours and Bad Things happened: *1) A hefty performance hit* Load average was maybe a tad higher but CPU. memory and I/O were about the same. However the system seemed to top out at around 40 requests per second (on a client that usually hits 100—150 rps) and squid became very slow to respond to squidclient requests: [root@proxy-LS5 ~]# time squidclient -p 8080 mgr:utilization | grep client_http.requests client_http.requests = 40.965955/sec client_http.requests = 41.168528/sec client_http.requests = 42.111847/sec client_http.requests = 166646 real0m7.163s user0m0.002s sys0m0.006s *2) Lots of Segment Violations* These obviously suck. Backtrace attached. Just cannot win. Is it possible these two issues are due to the patch for #4206? On 16 Mar 2015, at 6:18 pm, Amos Jeffries squ...@treenet.co.nz mailto:squ...@treenet.co.nz wrote: On 16/03/2015 7:16 p.m., Dan Charlesworth wrote: Hey again Amos - Unfortunately the patch for #4206 won’t apply to squid-3.4.12. I was going to try creating a new one but couldn’t find an equivalent line in client_side.cc for that version. I guess the #4206 issue doesn’t apply to v3.4.x after all? Correct. Oh well. [Not a C programmer] Thanks for your time today. P.S. I'd love to upgrade to v3.5 but I'm waiting for somebody smarter than me to take the lead on a CentOS 6 RPM SPEC file. Eliezer to the rescue ;-) http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5 Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] assertion failed: client_side.cc:1515: connIsUsable(http-getConn())
Hello Dan: i used squid 2.7stable9 ago ,and i worried whether squid 3.5.2 is stablest for us until now too . and you ? Do you think Whether version is stablest at squid 3.xxx ? Well I got 3.5.2 into production for a few hours and Bad Things happened: *1) A hefty performance hit* Load average was maybe a tad higher but CPU. memory and I/O were about the same. However the system seemed to top out at around 40 requests per second (on a client that usually hits 100—150 rps) and squid became very slow to respond to squidclient requests: [root@proxy-LS5 ~]# time squidclient -p 8080 mgr:utilization | grep client_http.requests client_http.requests = 40.965955/sec client_http.requests = 41.168528/sec client_http.requests = 42.111847/sec client_http.requests = 166646 real0m7.163s user0m0.002s sys0m0.006s *2) Lots of Segment Violations* These obviously suck. Backtrace attached. Just cannot win. Is it possible these two issues are due to the patch for #4206? On 16 Mar 2015, at 6:18 pm, Amos Jeffries squ...@treenet.co.nz mailto:squ...@treenet.co.nz wrote: On 16/03/2015 7:16 p.m., Dan Charlesworth wrote: Hey again Amos - Unfortunately the patch for #4206 won’t apply to squid-3.4.12. I was going to try creating a new one but couldn’t find an equivalent line in client_side.cc for that version. I guess the #4206 issue doesn’t apply to v3.4.x after all? Correct. Oh well. [Not a C programmer] Thanks for your time today. P.S. I'd love to upgrade to v3.5 but I'm waiting for somebody smarter than me to take the lead on a CentOS 6 RPM SPEC file. Eliezer to the rescue ;-) http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5 Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote: Hello All, I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory) I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate. Any ideas? Thanks in advance. ##HAPROXY.CFG## global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon defaults log global mode http option httplog option dontlognull contimeout 5000 clitimeout 5 srvtimeout 5 # reverse proxy-squid listen proxy 10.10.0.254:3128 mode http cookie SERVERID insert indirect nocache balance roundrobin option httpclose option forwardfor header X-Client server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5 server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5 ##SQUID.CONF## #Kerberos and NTLM authentication auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME auth_param negotiate children 30 auth_param negotiate keep_alive off # LDAP authentication auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193 auth_param basic children 150 auth_param basic realm Please enter your Domain credentials to continue auth_param basic credentialsttl 1 hour # AD group membership commands external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 % LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f ((objectclass=person) (sAMAccountname=%v)(memberof=CN=% a,OU=PROXY,ou=ALL Groups,DC=,DC=local)) -h dc1..local,dc2..local,dc3..local,dc4..local acl auth proxy_auth REQUIRED acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES http_access deny !auth all http_access deny !REQGROUPS all -- Samuel Anderson | Information Technology Administrator | International Document Services IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607 CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited. how did you create and distribute the keytab for the proxies? you must create one keytab and put the same exact one on each of the proxies. the KVNO numbers must match on every proxy. run klist -Kket /path/to/the.keytab on the proxies to check. kerberos is heavily dependent on DNS. the keytab should contain PRIMARY/instance.domain.tld@REALM where PRIMARY is HTTP, instance.domain.tld is the FQDN of the 10.10.0.254 IP, not either or both of the individual proxies, and REALM should be the Kerberos REALM. did you export the environment variable for the keytab? on fedora, i put the following in /etc/sysconfig/squid: KRB5_KTNAME=/etc/squid/squid.keytab export KRB5_KTNAME do you get a HTTP ticket from the directory? from a command prompt, what does klist tickets show? you can also install the XP resource kit and run kerbtray.exe to get that info. win7 and newer may have it built in. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
On Thu, 2015-03-19 at 19:32 -0600, Samuel Anderson wrote: Hey, I actually just figured it out. literally about 2 minutes ago. I changed the mode from (http) to (tcp) in the HAPROXY.CFG It looks like its able to authenticate again. Thanks for the response. On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney bpk...@gmail.com wrote: On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote: Hello All, I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory) I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate. Any ideas? Thanks in advance. ##HAPROXY.CFG## global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy user haproxy group haproxy daemon defaults log global mode http option httplog option dontlognull contimeout 5000 clitimeout 5 srvtimeout 5 # reverse proxy-squid listen proxy 10.10.0.254:3128 mode http cookie SERVERID insert indirect nocache balance roundrobin option httpclose option forwardfor header X-Client server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5 server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5 ##SQUID.CONF## #Kerberos and NTLM authentication auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME auth_param negotiate children 30 auth_param negotiate keep_alive off # LDAP authentication auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193 auth_param basic children 150 auth_param basic realm Please enter your Domain credentials to continue auth_param basic credentialsttl 1 hour # AD group membership commands external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 % LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b DC=,DC=local -D CN=SQUID,OU=Service Accounts,DC=,DC=local -w -f ((objectclass=person) (sAMAccountname=% v)(memberof=CN=% a,OU=PROXY,ou=ALL Groups,DC=,DC=local)) -h dc1..local,dc2..local,dc3..local,dc4..local acl auth proxy_auth REQUIRED acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES http_access deny !auth all http_access deny !REQGROUPS all -- Samuel Anderson | Information Technology Administrator | International Document Services IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607 CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited. how did you create and distribute the keytab for the proxies? you must create one keytab and put the same exact one on
Re: [squid-users] WARNING: 1 swapin MD5 mismatches and BUG 3279: HTTP reply without Date:
Ours usually run 50–100 GB. We don’t see it super frequently. But when it happens it tends to keep happening over and over until the swap.sate’s rebuilt. On 20 Mar 2015, at 2:37 pm, Alberto Perez alberto2pe...@gmail.com wrote: Another one here not using SMP, and using aufs. I stopped seen this issue frequently when I reduced my cache size, from 70 GB to 30 GB now. Regards On 3/19/15, Dan Charlesworth d...@getbusi.com wrote: Hey Eliezer I don't actually use SMP. I could be wrong about the aufs thing; I haven't personally tested—and don't currently plan to test—any other cache types. I just gleaned that from the comments in the bug reports. Kind regards Dan On 20 March 2015 at 13:45, Eliezer Croitoru elie...@ngtech.co.il wrote: Hey Dan and John, If indeed this bug is only for UFS\AUFS cache_dir then I would try to make sure that large-rock will not sustain the same issue. I have not seen in any of the bug reports anything that would reproduce the issue. To make sure the issue is understood and can or cannot be reproduced using ufs\aufs will give one direction. I would try to test large rock in my next testing round with SMP but if anyone has some option to test it first I will be glad if it will be done to make sure ufs\aufs is the culprit. Also if indeed it's with aufs\ufs only with SMP then it means that the issue is related to the way SMP can make a ufs\aufs cache_dir dirty and there for the answer would be pretty simple to the issue in hands. Eliezer On 20/03/2015 00:32, Dan Charlesworth wrote: Hi John This bug has been affecting me on an off for a while as well. I believe it only affects aufs and, unfortunately, has been around for years. See:http://bugs.squid-cache.org/show_bug.cgi?id=3279 And see:http://bugs.squid-cache.org/show_bug.cgi?id=3483 ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users