Re: [squid-users] MS Update
On 11/01/2016 2:33 p.m., Alex Samad wrote:
> Hi
>
> I burnt up 172G of download in 24 hours with multi machines doing the
> download of the same file (MS SQL patch)
>
> I think I am running into the same issue
>
>
> So multiple machines are trying to do the download...
> Q) why don't they share the same download !
>
> 1452459804.945 64052 10.172.208.108 TCP_MISS/206 1727799 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
> 1452459868.272 63326 10.172.208.108 TCP_MISS/206 1312208 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
> 1452459933.336 65061 10.172.208.108 TCP_MISS/206 1155440 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
> 1452459998.406 65067 10.172.208.108 TCP_MISS/206 1022158 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
> 1452460066.455 68046 10.172.208.108 TCP_MISS/206 2006058 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.200 application/octet-stream
> 1452460134.536 68078 10.172.208.108 TCP_MISS/206 1575462 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.200 application/octet-stream
> 1452460204.180 69643 10.172.208.108 TCP_MISS/206 1387948 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
>
>
> here you can see multiple requests for the same file .

A file which is 670 MB big.

>
> I am presuming 206 is a partial download - is that Windows or SQUID ..

206 is a Range reply.

> I presume windows client

Presumably the client made a Range request. WU tends to do that for large objects, and the repeated nature of the 206 with small parts of it is a relatively strong indicator that is going on.

So ...

>
> So is it the byte range that gets cached.
>

Squid does not cache byte ranges.

> if client a want 100 - 200 of file X
> and client B wants 50 - 150.. will squid reuse whatever has been
> downloaded of the 100-200 request by client B
>
>
> any way I can for the requests to a single file - I could manually
> download the file once, that would place it in the cache.
>

Exactly as the special notice at the end of section #1 in the SquidFaq/WindowsUpdate wiki page says. SP and similar huge updates (this one included) need to be treated specially.

>
> I have this in my config
> # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> range_offset_limit 200 MB
> maximum_object_size 200 MB
> quick_abort_min -1
>
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>
>
> guessing I have to bump up the 200M max to 800mb.

Maybe. But IMHO use the ACLs that range_offset_limit can take.

> are the other values still okay ?

Yes.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
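An added example (not part of either post): a short Python pass over Squid's native access.log format that totals TCP_MISS/206 replies per URL, the pattern the reply above identifies as repeated Range requests. The first four sample lines are copied from the post; the last two, with their example.com URLs and addresses, are constructed.

```python
from collections import defaultdict

# URL copied from the access.log lines in the post.
URL = ("http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/"
       "svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_"
       "2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe")

SAMPLE_LOG = [
    # Four entries from the post.
    f"1452459804.945 64052 10.172.208.108 TCP_MISS/206 1727799 GET {URL} - HIER_DIRECT/150.101.195.217 application/octet-stream",
    f"1452459868.272 63326 10.172.208.108 TCP_MISS/206 1312208 GET {URL} - HIER_DIRECT/150.101.195.217 application/octet-stream",
    f"1452459933.336 65061 10.172.208.108 TCP_MISS/206 1155440 GET {URL} - HIER_DIRECT/150.101.195.217 application/octet-stream",
    f"1452459998.406 65067 10.172.208.108 TCP_MISS/206 1022158 GET {URL} - HIER_DIRECT/150.101.195.217 application/octet-stream",
    # Constructed lines for contrast: a cache hit and a one-off range miss.
    "1452460300.000 12 10.172.208.109 TCP_HIT/200 5120 GET http://example.com/constructed.cab - HIER_NONE/- application/octet-stream",
    "1452460301.000 900 10.172.208.110 TCP_MISS/206 4096 GET http://example.com/constructed-single.cab - HIER_DIRECT/192.0.2.10 application/octet-stream",
]


def parse_line(line):
    """Parse one native-format access.log line; return None if it does not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    try:
        return {
            "time": float(fields[0]),
            "client": fields[2],
            "result": result,        # e.g. TCP_MISS, TCP_HIT
            "status": int(status),   # HTTP status sent to the client
            "bytes": int(fields[4]),
            "url": fields[6],
        }
    except ValueError:
        return None


def range_miss_report(lines, min_repeats=2):
    """Per URL, total the 206 replies that were cache misses.

    Returns a list of dicts sorted by bytes fetched, largest first, keeping
    only URLs that were range-missed at least min_repeats times.
    """
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set(),
                                 "first": None, "last": None})
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != 206 or "MISS" not in entry["result"]:
            continue
        s = stats[entry["url"]]
        s["requests"] += 1
        s["bytes"] += entry["bytes"]
        s["clients"].add(entry["client"])
        s["first"] = entry["time"] if s["first"] is None else min(s["first"], entry["time"])
        s["last"] = entry["time"] if s["last"] is None else max(s["last"], entry["time"])
    rows = [
        {"url": url, "requests": s["requests"], "bytes": s["bytes"],
         "clients": sorted(s["clients"]), "span_seconds": s["last"] - s["first"]}
        for url, s in stats.items() if s["requests"] >= min_repeats
    ]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    for row in range_miss_report(SAMPLE_LOG):
        print(f'{row["requests"]} range misses, {row["bytes"]} bytes, '
              f'{len(row["clients"])} client(s): {row["url"]}')
```

Run over a full day's log, a URL near the top of this report with many clients is a candidate for the special handling the wiki page describes.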
Re: [squid-users] kerberos authentication with a machine account doesn't work
Firstly, let me say that whatever you are using for a mail client makes reading/replying to your message difficult (see below for a small sample, I will clean up the rest as best I can)... I did manage to get this working, you did mention the correct solution right down the end of your message.

On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
> Hai,
>
>
>

Just in case it doesn't show - you have a lot of control-M characters through your message.

> First what's your OS/squid and samba version, handy to know.
>

I did mention squid as being 3.5.12, OS is RHEL 6.7, samba was the built in RHEL version, 3.6.23.

> And post your smb.conf please.
>

Well, just for posterity.

[global]
workgroup = AU
server string = %h
netbios name = %h
pid directory = /var/run
lock directory = /var/cache/samba
log file = /var/log/samba/%m.log
security = user
passdb backend = tdbsam
security = ADS
client use spnego = yes
realm = AU.BAESYSTEMS.COM
server signing = auto
domain master = no
dns proxy = no
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

>
>
> Few things to check.
>
> /etc/krb5.keytab should have rights 600 (root:root)
>

And this was the problem but it should not, in my case, be as you stated. In fact, /etc/krb5.keytab needed to have rights 640 with ownership root:nobody. This is because the kerberos authenticator runs as the user nobody and needs access to the keytab. I am not so sure I like this situation because this does mean the nobody user now has access to the machine kerberos keys not just the ones for the http SPN.

> Run : klist -e -k /etc/krb5.keytab post the output.
>

I won't do this for brevity - the principals and encryption types were fine. I had already checked this as I stated in my original post.

>
>
> Your SPN for squid must be HTTP/fqdn
>
> And not http/fqdn CAPS do matter here.
>

windows doesn't care, lower case actually worked fine for me in the end. If you do a kinit on the linux command line then you must match the case in the keytab.

>
>
> Put the HTTP/fqdn spn in a separated file and put it in the squid dir.
>
> Chown and chmod it root:squid-user 440
>

If you do this then when/if the machine account password changes then the SPN will be invalidated. Also you assume that the kerberos authenticator is being run as a user in the group squid-user which is not always the case.

>
>
> Add it in your squid init script ( for debian i added it in
> /etc/default/squid ( squid for 3.5.12 ) (squid3 for 3.4.8 )
>
> KRB5_KTNAME=/etc/squid/keytab.PROXY1-HTTP
>
> export KRB5_KTNAME
>

For RHEL that is /etc/sysconfig/squid.

>
> The squid keytab should be like (manually added on a different user in the AD,
> special user for squid services.):
>

This is how we currently run. Security policies require the user account password to be changed regularly. This means a disruption to the squid services while we change the password, export the keytab and merge the entries into the proxy server keytab.

>
> install ntp and point it to you AD so time is always in sync.
>

Yes, time sync is important but pointing ntp at AD won't work properly. The initial ntpdate will work but the ongoing sync does not - AD doesn't do ntp. Much better if you sync AD time to a proper ntpd (unix/linux)

>
>
> Or with everything in one keytab file and make sure squid can read this keytab
> file 640 root:squid !! :
>

Yes, this is what I did eventually though mine was root:nobody.

>
> I have a setup with a separated keytab file, i tested above and these work.
>
> ( tested on debian jessie, samba 4.1, squid 3.4.8, 3.5.10 and 3.5.12. )
>

Yes, we have had a separate keytab file working for a long time on rhel with samba3 and our custom squid rpms. I wanted to avoid having to manage a separate AD user.

>
> A big advantage with the squid-service user. You can add all you squid
> hosts/services in that user.
>
> I have 1 user for this and 3 proxy servers.
>

It does mean that one password change invalidates the keytab on 3 proxies...

>
> Optionally, start the auth program on command line, with the debugging
> enabled.
>

Yes, that wasn't terribly useful in this case though and running negotiate_kerberos_auth_test as root and actually getting tickets was downright confusing.

--
Brett Lymn

This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies:

BAE Systems Australia Limited - Australian Company Number 008 423 005
BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846
BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864

Our registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edinburgh, South Australia, 5111. If the identity of the s
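An added example (not from the thread): a Python check for the trade-off described above, where opening /etc/krb5.keytab to the helper's group also hands that group the machine account keys. It reads the MIT keytab file format (version 0x0502) to list the principals stored; the sample keytab, host name, realm and all-zero keys are constructed, and audit_sample is a hypothetical helper for the demonstration.

```python
import os
import stat
import struct
import tempfile


def _counted(buf, off):
    """Read a big-endian uint16 length and that many bytes; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n


def keytab_principals(data):
    """Return the set of principal names stored in keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # deleted entry: a hole of -size bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp)
        names.add("/".join(comps) + "@" + realm)
    return names


def audit_keytab(path, service_prefix="HTTP/"):
    """List findings for a keytab: loose mode bits and keys exposed beyond the service SPN."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    with open(path, "rb") as fh:
        principals = keytab_principals(fh.read())
    extra = sorted(p for p in principals if not p.startswith(service_prefix))
    if extra and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("group or other readers also obtain keys for: " + ", ".join(extra))
    return findings


def constructed_entry(components, realm, kvno=2, enctype=18, key=b"\x00" * 32):
    """Build one keytab entry with a dummy all-zero key (constructed sample data)."""
    def counted(text):
        raw = text.encode()
        return struct.pack(">H", len(raw)) + raw
    body = struct.pack(">H", len(components)) + counted(realm)
    body += b"".join(counted(c) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed keytab: one HTTP service principal plus a machine account principal.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + constructed_entry(["HTTP", "proxy1.example.com"], "EXAMPLE.COM")
                 + constructed_entry(["PROXY1$"], "EXAMPLE.COM"))


def audit_sample(mode):
    """Write SAMPLE_KEYTAB to a temporary file with the given mode and audit it."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    try:
        tmp.write(SAMPLE_KEYTAB)
        tmp.close()
        os.chmod(tmp.name, mode)
        return audit_keytab(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for mode in (0o600, 0o640, 0o644):
        print(oct(mode), audit_sample(mode) or "no findings")
```

A keytab that holds only the HTTP/ principal produces no finding at mode 640, which is the separate-keytab arrangement the quoted advice describes.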
[squid-users] MS Update
Hi

I burnt up 172G of download in 24 hours with multi machines doing the download of the same file (MS SQL patch)

I think I am running into the same issue

So multiple machines are trying to do the download...
Q) why don't they share the same download !

1452459804.945 64052 10.172.208.108 TCP_MISS/206 1727799 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
1452459868.272 63326 10.172.208.108 TCP_MISS/206 1312208 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
1452459933.336 65061 10.172.208.108 TCP_MISS/206 1155440 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
1452459998.406 65067 10.172.208.108 TCP_MISS/206 1022158 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream
1452460066.455 68046 10.172.208.108 TCP_MISS/206 2006058 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.200 application/octet-stream
1452460134.536 68078 10.172.208.108 TCP_MISS/206 1575462 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.200 application/octet-stream
1452460204.180 69643 10.172.208.108 TCP_MISS/206 1387948 GET http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/svpk/2015/05/sqlserver2014sp1-kb3058865-x64-enu_2c84e2ebd0d3cb4980a3a1a80d79fd7520405626.exe - HIER_DIRECT/150.101.195.217 application/octet-stream

here you can see multiple requests for the same file .

I am presuming 206 is a partial download - is that Windows or SQUID ..
I presume windows client

So is it the byte range that gets cached.

if client a want 100 - 200 of file X
and client B wants 50 - 150.. will squid reuse whatever has been downloaded of the 100-200 request by client B

any way I can for the requests to a single file - I could manually download the file once, that would place it in the cache.

I have this in my config
# http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1

refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

guessing I have to bump up the 200M max to 800mb.
are the other values still okay ?

A
Re: [squid-users] Squid-4.0.4 beta is available
Kinkie please take a look at: http://bugs.squid-cache.org/show_bug.cgi?id=4403

Eliezer

On 10/01/2016 20:06, Kinkie wrote:
Hi eliezer,
This looks like a broken or not completely installed libstdc++.
Could you check that all packages mentioned at http://wiki.squid-cache.org/BuildFarm/CentosInstall are installed on your build system?

On Sun, Jan 10, 2016 at 6:02 PM, Eliezer Croitoru wrote:
I am having trouble building 4.0.4 on OpenSUSE leap.
I have tried both manually and using the rpm build tools.
The error in the rpmbuild logs at:
http://ngtech.co.il/repo/opensuse/leap/logs/build5-4.0.4.log
and the build log of the manual compilation are at:
http://ngtech.co.il/repo/opensuse/leap/logs/conf1-4.0.4.log
http://ngtech.co.il/repo/opensuse/leap/logs/build1-4.0.4.log

The error output:
make[3]: Entering directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
depbase=`echo basic_ncsa_auth.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
/usr/local/bin/g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I. -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT basic_ncsa_auth.o -MD -MP -MF $depbase.Tpo -c -o basic_ncsa_auth.o basic_ncsa_auth.cc &&\
mv -f $depbase.Tpo $depbase.Po
basic_ncsa_auth.cc: In function ‘int main(int, char**)’:
basic_ncsa_auth.cc:104:13: error: ‘cout’ is not a member of ‘std’
 SEND_ERR("");
 ^
basic_ncsa_auth.cc:104:42: error: ‘endl’ is not a member of ‘std’
 SEND_ERR("");
 ^
basic_ncsa_auth.cc:108:13: error: ‘cout’ is not a member of ‘std’
 SEND_ERR("");
 ^
basic_ncsa_auth.cc:108:42: error: ‘endl’ is not a member of ‘std’
 SEND_ERR("");
 ^
basic_ncsa_auth.cc:115:13: error: ‘cout’ is not a member of ‘std’
 SEND_ERR("No such user");
 ^
basic_ncsa_auth.cc:115:54: error: ‘endl’ is not a member of ‘std’
 SEND_ERR("No such user");
 ^
basic_ncsa_auth.cc:128:13: error: ‘cout’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:128:41: error: ‘endl’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:133:13: error: ‘cout’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:133:41: error: ‘endl’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:138:13: error: ‘cout’ is not a member of ‘std’
 SEND_ERR("Password too long. Only 8 characters accepted.");
 ^
basic_ncsa_auth.cc:138:88: error: ‘endl’ is not a member of ‘std’
 SEND_ERR("Password too long. Only 8 characters accepted.");
 ^
basic_ncsa_auth.cc:144:13: error: ‘cout’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:144:41: error: ‘endl’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:148:13: error: ‘cout’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:148:41: error: ‘endl’ is not a member of ‘std’
 SEND_OK("");
 ^
basic_ncsa_auth.cc:151:9: error: ‘cout’ is not a member of ‘std’
 SEND_ERR("Wrong password");
 ^
basic_ncsa_auth.cc:151:52: error: ‘endl’ is not a member of ‘std’
 SEND_ERR("Wrong password");
 ^
At global scope:
cc1plus: error: unrecognized command line option "-Wno-deprecated-register" [-Werror]
cc1plus: all warnings being treated as errors
Makefile:814: recipe for target 'basic_ncsa_auth.o' failed
make[3]: *** [basic_ncsa_auth.o] Error 1
make[3]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
Makefile:517: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth'
Makefile:517: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers'
Makefile:569: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
##END OF OUTPUT

I have tried to understand the issue and I found out that it might be because of the usage of gcc and not g++ and I have tried to use CXX=g++ in order to test the issue but it doesn't help.
On the same machine I have built 3.5.13 without any issues.

If I can add more information on the build node just let me know.

Thanks,
Eliezer

On 10/01/2016 08:15, Amos Jeffries wrote:
The Squid HTTP Proxy team is very pleased to announce th
[squid-users] SSLBUMP Issue
I am getting the following error. Would anyone know the reason?

Error negotiating SSL connection on FD 37: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

My sslbump config is

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
ssl_bump server-first all
ssl_bump peek all
ssl_bump terminate all

Thanks in advance
Re: [squid-users] Squid-4.0.4 beta is available
On 10/01/2016 20:06, Kinkie wrote:
Hi eliezer,
This looks like a broken or not completely installed libstdc++.
Could you check that all packages mentioned at http://wiki.squid-cache.org/BuildFarm/CentosInstall are installed on your build system?

Hey Kinkie,

I was suspecting that it might be related to libstdc++ so what I did was:
- verify my installed packages which are at: http://paste.ngtech.co.il/pe1jxv3po
- compile 4.0.3 (success)
- run an example hello world program with g++ and gcc (g++ built gcc won't)
- based in the failure of gcc I tried to force(on squid) the usage of g++ instead of gcc which resulted with the same error

So it seems that some revision between 4.0.3(14423) to 4.0.4(14485) caused this issue.
I can try to minimize the revisions between the 63 of them and see what happens unless someone has a better idea about the issue.

Eliezer
Re: [squid-users] Squid-4.0.4 beta is available
Don't think so. As Eliezer said, 3.5 built at the same box.

In my case the same - 3.5 built successfully, but 4.0.4 is not.

11.01.16 0:06, Kinkie wrote:
> Hi eliezer,
> This looks like a broken or not completely installed libstdc++.
> Could you check that all packages mentioned at
> http://wiki.squid-cache.org/BuildFarm/CentosInstall are installed on
> your build system?
>
> On Sun, Jan 10, 2016 at 6:02 PM, Eliezer Croitoru wrote:
>> I am having trouble building 4.0.4 on OpenSUSE leap.
>> I have tried both manually and using the rpm build tools.
>> The error in the rpmbuild logs at:
>> http://ngtech.co.il/repo/opensuse/leap/logs/build5-4.0.4.log
>> and the build log of the manual compilation are at:
>> http://ngtech.co.il/repo/opensuse/leap/logs/conf1-4.0.4.log
>> http://ngtech.co.il/repo/opensuse/leap/logs/build1-4.0.4.log
>>
>> The error output:
>> make[3]: Entering directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
>> depbase=`echo basic_ncsa_auth.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
>> /usr/local/bin/g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I. -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT basic_ncsa_auth.o -MD -MP -MF $depbase.Tpo -c -o basic_ncsa_auth.o basic_ncsa_auth.cc &&\
>> mv -f $depbase.Tpo $depbase.Po
>> basic_ncsa_auth.cc: In function ‘int main(int, char**)’:
>> basic_ncsa_auth.cc:104:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_ERR("");
>>  ^
>> basic_ncsa_auth.cc:104:42: error: ‘endl’ is not a member of ‘std’
>>  SEND_ERR("");
>>  ^
>> basic_ncsa_auth.cc:108:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_ERR("");
>>  ^
>> basic_ncsa_auth.cc:108:42: error: ‘endl’ is not a member of ‘std’
>>  SEND_ERR("");
>>  ^
>> basic_ncsa_auth.cc:115:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_ERR("No such user");
>>  ^
>> basic_ncsa_auth.cc:115:54: error: ‘endl’ is not a member of ‘std’
>>  SEND_ERR("No such user");
>>  ^
>> basic_ncsa_auth.cc:128:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:128:41: error: ‘endl’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:133:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:133:41: error: ‘endl’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:138:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_ERR("Password too long. Only 8 characters accepted.");
>>  ^
>> basic_ncsa_auth.cc:138:88: error: ‘endl’ is not a member of ‘std’
>>  SEND_ERR("Password too long. Only 8 characters accepted.");
>>  ^
>> basic_ncsa_auth.cc:144:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:144:41: error: ‘endl’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:148:13: error: ‘cout’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:148:41: error: ‘endl’ is not a member of ‘std’
>>  SEND_OK("");
>>  ^
>> basic_ncsa_auth.cc:151:9: error: ‘cout’ is not a member of ‘std’
>>  SEND_ERR("Wrong password");
>>  ^
>> basic_ncsa_auth.cc:151:52: error: ‘endl’ is not a member of ‘std’
>>  SEND_ERR("Wrong password");
>>  ^
>> At global scope:
>> cc1plus: error: unrecognized command line option "-Wno-deprecated-register" [-Werror]
>> cc1plus: all warnings being treated as errors
>> Makefile:814: recipe for target 'basic_ncsa_auth.o' failed
>> make[3]: *** [basic_ncsa_auth.o] Error 1
>> make[3]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
>> Makefile:517: recipe for target 'all-recursive' failed
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth'
>> Makefile:517: recipe for target 'all-recursive' failed
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers'
>> Makefile:569: recipe for target 'all-recursive' failed
>> make: *** [all-recursive] Error 1
>> ##END OF OUTPUT
>>
>> I have tried to understand the issue and I found out that it might be
>> because of the usage of gc
Re: [squid-users] Squid-4.0.4 beta is available
Hi eliezer,
This looks like a broken or not completely installed libstdc++.
Could you check that all packages mentioned at http://wiki.squid-cache.org/BuildFarm/CentosInstall are installed on your build system?

On Sun, Jan 10, 2016 at 6:02 PM, Eliezer Croitoru wrote:
> I am having trouble building 4.0.4 on OpenSUSE leap.
> I have tried both manually and using the rpm build tools.
> The error in the rpmbuild logs at:
> http://ngtech.co.il/repo/opensuse/leap/logs/build5-4.0.4.log
> and the build log of the manual compilation are at:
> http://ngtech.co.il/repo/opensuse/leap/logs/conf1-4.0.4.log
> http://ngtech.co.il/repo/opensuse/leap/logs/build1-4.0.4.log
>
> The error output:
> make[3]: Entering directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
> depbase=`echo basic_ncsa_auth.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> /usr/local/bin/g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I. -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT basic_ncsa_auth.o -MD -MP -MF $depbase.Tpo -c -o basic_ncsa_auth.o basic_ncsa_auth.cc &&\
> mv -f $depbase.Tpo $depbase.Po
> basic_ncsa_auth.cc: In function ‘int main(int, char**)’:
> basic_ncsa_auth.cc:104:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:104:42: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:108:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:108:42: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:115:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("No such user");
>  ^
> basic_ncsa_auth.cc:115:54: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("No such user");
>  ^
> basic_ncsa_auth.cc:128:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:128:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:133:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:133:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:138:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("Password too long. Only 8 characters accepted.");
>  ^
> basic_ncsa_auth.cc:138:88: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("Password too long. Only 8 characters accepted.");
>  ^
> basic_ncsa_auth.cc:144:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:144:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:148:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:148:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:151:9: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("Wrong password");
>  ^
> basic_ncsa_auth.cc:151:52: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("Wrong password");
>  ^
> At global scope:
> cc1plus: error: unrecognized command line option "-Wno-deprecated-register" [-Werror]
> cc1plus: all warnings being treated as errors
> Makefile:814: recipe for target 'basic_ncsa_auth.o' failed
> make[3]: *** [basic_ncsa_auth.o] Error 1
> make[3]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
> Makefile:517: recipe for target 'all-recursive' failed
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth'
> Makefile:517: recipe for target 'all-recursive' failed
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers'
> Makefile:569: recipe for target 'all-recursive' failed
> make: *** [all-recursive] Error 1
> ##END OF OUTPUT
>
> I have tried to understand the issue and I found out that it might be
> because of the usage of gcc and not g++ and I have tried to use CXX=g++ in
> order to test the issue but it doesn't help.
> On the same machine I have built 3.5.13 without any issues.
>
> If I can add more information on the build node just let me know.
>
> Thanks,
> Eliezer
>
> On 10/01/2016 08:15, Amos Jeffries wrote:
>>
>> The Squid HTT
Re: [squid-users] Squid-4.0.4 beta is available
http://bugs.squid-cache.org/show_bug.cgi?id=4403

10.01.16 23:02, Eliezer Croitoru wrote:
> I am having trouble building 4.0.4 on OpenSUSE leap.
> I have tried both manually and using the rpm build tools.
> The error in the rpmbuild logs at: http://ngtech.co.il/repo/opensuse/leap/logs/build5-4.0.4.log
> and the build log of the manual compilation are at:
> http://ngtech.co.il/repo/opensuse/leap/logs/conf1-4.0.4.log
> http://ngtech.co.il/repo/opensuse/leap/logs/build1-4.0.4.log
>
> The error output:
> make[3]: Entering directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
> depbase=`echo basic_ncsa_auth.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> /usr/local/bin/g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I. -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT basic_ncsa_auth.o -MD -MP -MF $depbase.Tpo -c -o basic_ncsa_auth.o basic_ncsa_auth.cc &&\
> mv -f $depbase.Tpo $depbase.Po
> basic_ncsa_auth.cc: In function ‘int main(int, char**)’:
> basic_ncsa_auth.cc:104:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:104:42: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:108:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:108:42: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("");
>  ^
> basic_ncsa_auth.cc:115:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("No such user");
>  ^
> basic_ncsa_auth.cc:115:54: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("No such user");
>  ^
> basic_ncsa_auth.cc:128:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:128:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:133:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:133:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:138:13: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("Password too long. Only 8 characters accepted.");
>  ^
> basic_ncsa_auth.cc:138:88: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("Password too long. Only 8 characters accepted.");
>  ^
> basic_ncsa_auth.cc:144:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:144:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:148:13: error: ‘cout’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:148:41: error: ‘endl’ is not a member of ‘std’
>  SEND_OK("");
>  ^
> basic_ncsa_auth.cc:151:9: error: ‘cout’ is not a member of ‘std’
>  SEND_ERR("Wrong password");
>  ^
> basic_ncsa_auth.cc:151:52: error: ‘endl’ is not a member of ‘std’
>  SEND_ERR("Wrong password");
>  ^
> At global scope:
> cc1plus: error: unrecognized command line option "-Wno-deprecated-register" [-Werror]
> cc1plus: all warnings being treated as errors
> Makefile:814: recipe for target 'basic_ncsa_auth.o' failed
> make[3]: *** [basic_ncsa_auth.o] Error 1
> make[3]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
> Makefile:517: recipe for target 'all-recursive' failed
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth'
> Makefile:517: recipe for target 'all-recursive' failed
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers'
> Makefile:569: recipe for target 'all-recursive' failed
> make: *** [all-recursive] Error 1
> ##END OF OUTPUT
>
> I have tried to understand the issue and I found out that it might be because of the usage of gcc and not g++ and I have tried to use CXX=g++ in order to test the issue but it doesn't help.
> On the same machine I have built 3.5.13 without any issues.
>
> If I can add more information on the build node just let me know.
>
> Thanks,
> Eliezer
>
> On 10/01/2016 08:15, Amos Jeffries wrote:
>> The Squid HTTP Proxy team is very pleased to announce the availability
>> of the Squid-4.0.4 release!
>>
>>
>> This release is a beta release resolving some issues found in
Re: [squid-users] Squid-4.0.4 beta is available
I am having trouble building 4.0.4 on OpenSUSE leap.
I have tried both manually and using the rpm build tools.

The error in the rpmbuild logs at:
http://ngtech.co.il/repo/opensuse/leap/logs/build5-4.0.4.log

and the build log of the manual compilation are at:
http://ngtech.co.il/repo/opensuse/leap/logs/conf1-4.0.4.log
http://ngtech.co.il/repo/opensuse/leap/logs/build1-4.0.4.log

The error output:
make[3]: Entering directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
depbase=`echo basic_ncsa_auth.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
/usr/local/bin/g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I. -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -Wno-deprecated-register -pipe -D_REENTRANT -g -O2 -march=native -std=c++11 -MT basic_ncsa_auth.o -MD -MP -MF $depbase.Tpo -c -o basic_ncsa_auth.o basic_ncsa_auth.cc &&\
mv -f $depbase.Tpo $depbase.Po
basic_ncsa_auth.cc: In function ‘int main(int, char**)’:
basic_ncsa_auth.cc:104:13: error: ‘cout’ is not a member of ‘std’
    SEND_ERR("");
    ^
basic_ncsa_auth.cc:104:42: error: ‘endl’ is not a member of ‘std’
    SEND_ERR("");
    ^
basic_ncsa_auth.cc:108:13: error: ‘cout’ is not a member of ‘std’
    SEND_ERR("");
    ^
basic_ncsa_auth.cc:108:42: error: ‘endl’ is not a member of ‘std’
    SEND_ERR("");
    ^
basic_ncsa_auth.cc:115:13: error: ‘cout’ is not a member of ‘std’
    SEND_ERR("No such user");
    ^
basic_ncsa_auth.cc:115:54: error: ‘endl’ is not a member of ‘std’
    SEND_ERR("No such user");
    ^
basic_ncsa_auth.cc:128:13: error: ‘cout’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:128:41: error: ‘endl’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:133:13: error: ‘cout’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:133:41: error: ‘endl’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:138:13: error: ‘cout’ is not a member of ‘std’
    SEND_ERR("Password too long. Only 8 characters accepted.");
    ^
basic_ncsa_auth.cc:138:88: error: ‘endl’ is not a member of ‘std’
    SEND_ERR("Password too long. Only 8 characters accepted.");
    ^
basic_ncsa_auth.cc:144:13: error: ‘cout’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:144:41: error: ‘endl’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:148:13: error: ‘cout’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:148:41: error: ‘endl’ is not a member of ‘std’
    SEND_OK("");
    ^
basic_ncsa_auth.cc:151:9: error: ‘cout’ is not a member of ‘std’
    SEND_ERR("Wrong password");
    ^
basic_ncsa_auth.cc:151:52: error: ‘endl’ is not a member of ‘std’
    SEND_ERR("Wrong password");
    ^
At global scope:
cc1plus: error: unrecognized command line option "-Wno-deprecated-register" [-Werror]
cc1plus: all warnings being treated as errors
Makefile:814: recipe for target 'basic_ncsa_auth.o' failed
make[3]: *** [basic_ncsa_auth.o] Error 1
make[3]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth/NCSA'
Makefile:517: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers/basic_auth'
Makefile:517: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/rpm/rpmbuild/SOURCES/squid-4.0.4/helpers'
Makefile:569: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
##END OF OUTPUT

I have tried to understand the issue and I found out that it might be because of the usage of gcc and not g++ and I have tried to use CXX=g++ in order to test the issue but it doesn't help.
On the same machine I have built 3.5.13 without any issues.

If I can add more information on the build node just let me know.

Thanks,
Eliezer

On 10/01/2016 08:15, Amos Jeffries wrote:
The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.4 release!

This release is a beta release resolving some issues found in the prior Squid releases.

The major changes to be aware of:

* Several regression bugs fixed
  - Bug 4393: compile fails on OS X
  - Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or tunnelClientClosed

* Some minor squid.conf additions
  - cache_peer support for Kerberos credentials cach
Re: [squid-users] Intercepting BITS_POST
On 10/01/2016 8:27 p.m., Saravanan Coimbatore wrote:
> Hi Amos,
>
> MSFT uses a handshake mechanism to sync files between enterprise and
> Cloud. We use squid with icap plugins to analyze data.
>
> The handshake is BITS_POST which is based on HTTP 1.1. When we
> enabled the icap plugin, the request was not going through. We were
> getting OTHER_METHOD response.

Aha, thanks.

> We debugged this and fixed it where we
> added BITS_POST as a valid method/verb in Squid. We will be
> submitting this change for review to squid team.

That is not a change likely to get accepted, because BITS_POST is not a standard method. It is both proprietary and a custom extension method.

What we will be looking for is a fix that solves it for all other such methods as well. The Squid parser needs to be correctly handling the method as an OTHER_METHOD object with a custom string as the actual on-wire representation (not "OTHER_METHOD").

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
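The handling described in the reply above, as an added sketch that is not Squid's code and not part of the original message: any well-formed extension token is classified as "other" but forwarded with its original spelling. The type and function names and the 32-byte length limit are assumptions made for the example.

```cpp
#include <iostream>
#include <string>
#include <utility>

// Hypothetical types for illustration; not Squid's own method class.
enum class MethodId { GET, HEAD, POST, PUT, CONNECT, OTHER };

struct Method {
    MethodId id;
    std::string image;  // exact token received on the wire
};

// RFC 7230 "tchar": the only characters allowed in a method token.
static bool isTchar(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    return std::string("!#$%&'*+-.^_`|~").find(static_cast<char>(c)) != std::string::npos;
}

// Known tokens map to their id; unknown but well-formed tokens become OTHER
// and keep their spelling; malformed tokens are rejected.
bool parseMethod(const std::string &token, Method &out) {
    if (token.empty() || token.size() > 32) return false;  // 32 is an example limit
    for (unsigned char c : token)
        if (!isTchar(c)) return false;
    static const std::pair<const char *, MethodId> known[] = {
        {"GET", MethodId::GET}, {"HEAD", MethodId::HEAD}, {"POST", MethodId::POST},
        {"PUT", MethodId::PUT}, {"CONNECT", MethodId::CONNECT}};
    out = Method{MethodId::OTHER, token};
    for (const auto &k : known)
        if (token == k.first) out.id = k.second;  // method names are case-sensitive
    return true;
}

// Request line sent onward (to the origin or an ICAP service): always the
// original token, never the enum's name.
std::string requestLine(const Method &m, const std::string &target) {
    return m.image + " " + target + " HTTP/1.1\r\n";
}

int main() {
    Method m;
    if (parseMethod("BITS_POST", m))
        std::cout << requestLine(m, "/upload/file.bin");  // constructed target
    return 0;
}
```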
Re: [squid-users] ssl-bump and accel
On 10/01/2016 10:26 p.m., Nir Krakowski wrote:
> 1. You're forgetting I only refer specific traffic using /etc/hosts to
> squid.

You missed my point.

1) clientConn is where the traffic *came from*. Not where it is going to.

2) Host: header verification is only relevant to MITM (intercept/tproxy port) traffic. Patching it at all is wrong for accel port traffic. And the patch you published is more than just dangerous when used on an MITM proxy.

3) ssl-bump is not supported on accel ports:
 - http_port accel does not accept CONNECT, so nothing to bump.
 - https_port accel initializes its server TLS context differently to ssl-bump, so the context created is bad for bumping.
 - https_port accel decrypts the TLS using different code than ssl-bump

> 2. What do you suggest ? I want to use the SNI as the direction of the
> traffic, not the forwarded IP address.

"accel" mode traffic uses the URL for server selection. Both the forwarded IP address and the SNI are irrelevant and ignored.

Think of it like this:
If you take an apple and paint it to look like an apple. All you have done is make it poisonous to eat. Not cease being an apple.

Amos
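A simplified model of the Host: header verification discussed in this thread, added here as an example and not taken from Squid or from either poster: the client-supplied name is trusted only if the real TCP destination is among the addresses it resolves to, and the logged destination always comes from the TCP connection. The DNS table, addresses, type names and the fallback policy are constructed assumptions.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Constructed DNS data standing in for a resolver so the example runs offline.
static const std::map<std::string, std::set<std::string>> kDns = {
    {"updates.example.com", {"203.0.113.10", "203.0.113.11"}},
    {"intranet.example.com", {"10.0.0.5"}},
};

struct Intercepted {
    std::string tcpDstIp;    // where the packets were really addressed
    std::string hostHeader;  // client-supplied and untrusted
};

enum class Verdict { Verified, Mismatch, Unresolvable };

// Trust the Host header only when the address the client actually connected
// to is one of the addresses that name resolves to.
Verdict verifyHost(const Intercepted &c) {
    const auto it = kDns.find(c.hostHeader);
    if (it == kDns.end()) return Verdict::Unresolvable;
    return it->second.count(c.tcpDstIp) ? Verdict::Verified : Verdict::Mismatch;
}

struct Decision {
    std::string upstream;  // where the proxy connects
    std::string logDstIp;  // destination IP written to the access log
    bool cacheable;
};

// Example policy (an assumption): unverified requests go to the address the
// client dialled and are never cached under the claimed host name.
Decision decide(const Intercepted &c) {
    const bool ok = verifyHost(c) == Verdict::Verified;
    return Decision{ok ? c.hostHeader : c.tcpDstIp, c.tcpDstIp, ok};
}

int main() {
    const Intercepted forged{"198.51.100.7", "intranet.example.com"};
    const Decision d = decide(forged);
    std::cout << "upstream=" << d.upstream << " log_dst=" << d.logDstIp
              << " cacheable=" << d.cacheable << "\n";
    return 0;
}
```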
Re: [squid-users] ssl-bump and accel
1. You're forgetting I only refer specific traffic using /etc/hosts to squid.
2. What do you suggest ? I want to use the SNI as the direction of the traffic, not the forwarded IP address.

On Sun, Jan 10, 2016 at 6:30 AM, Amos Jeffries wrote:
> On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> > This is what needs to be done to get it to work in squid >3.5 in function
> > ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> > Dns::LookupDetails &dns):
> >
>
> Hell NO
>
> clientConn is the state data about the TCP connection the message
> arrived on. HTTP and SSL-Bump in no way alter the reality of what
> src/dst IPs those TCP packets contain.
>
> There may be a bug needing a fix, but it absolutely is not that patch.
>
>
> By applying that patch you are allowing a remote sender to both bypass
> all your Squid protections, and any network firewall security you may
> have external to Squid. While simultaneously recording in your Squid
> logs any value of its choosing for the destination IPs of its attack
> traffic.
>
> Amos