Re: [squid-users] Cannot get ACL to work

[erdosain9]

Hi.
What's your squid version??



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-get-ACL-to-work-tp4679502p4679520.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Web Whatsapp, Dropbox... problem

[erdosain9]

It is only my pc in the proxy. So , see the access.log is simple ... really ,
no more information than copied.

.either way, the website never finish loading 




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Web-Whatsapp-Dropbox-problem-tp4679299p4679519.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] cache github zip repositories

[Amos Jeffries]

On 15/09/2016 11:54 a.m., Hardik Dangar wrote:
> Hello,
> 
> I am trying to cache Github zip URL's so it can be effectively cached as a
> composer(php dependency management tool) uses them and in our local setup (
> we are about 40 developers on a Lan and it will really help us managing
> cache.). My squid version is 3.5.12 and our squid cache server is ubuntu
> 16.04. Here is squid.conf file we use,
> https://gist.github.com/hardikdangar/df31d5bce725eff66e06f3abd6e77600
> 
> Here is the part which I want to cache,
> say for example you want to download repo from GitHub then URL looks like
> https://github.com/hardikdangar/test/archive/master.zip
> but it redirects to the following,
> https://codeload.github.com/hardikdangar/test/zip/master
> 
> You can see the response parameters via redbot.org
> https://redbot.org/?uri=https%3A%2F%2Fcodeload.github.com%
> 2Fhardikdangar%2Ftest%2Fzip%2Fmaster
> 
>   HTTP/1.1 200 OK
> Content-Length: 929
> Access-Control-Allow-Origin: https://render.githubusercontent.com
> Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
> Strict-Transport-Security: max-age=31536000
> Vary: Authorization,Accept-Encoding
> X-Content-Type-Options: nosniff
> X-Frame-Options: deny
> X-XSS-Protection: 1; mode=block
> ETag: "9ea9838812d6f7bc53763eb1577da04e2fa473d5"
> Content-Type: application/zip
> Content-Disposition: attachment; filename=test-master.zip
> X-Geo-Block-List:
> Date: Wed, 14 Sep 2016 23:24:44 GMT
> X-GitHub-Request-Id: 77092BF1:7F40:346461:57D9DC3C
> 
> Now if i do any change to above repository github does change ETAG and if i
> don't change anything then ETAG remains the same so i believe we should be
> able to cache those .zip files.
> 
> By default, squid does not cache codeload.github.com, to put it into cache,
> I added,
> refresh_pattern codeload.github.com 900 20% 4320 reload-into-ims
> 
> Now as per my understanding this should check etag as Last-Modified is not
> provided by github for each new request. This does cache the zip file but
> what happens is in next request even if i change the content and etag
> changes squid sends the cached file from its cache instead of downloading
> new file.
> 
> I have no clue why this happens. Can anyone help me figure out what's wrong
> here? why squid does not detect new etag when repository is updated? why it
> sends cache file even though there is new file available.
> 

Consider: how does Squid know the ETag has changed on the server?

What you know about things happening in RL is not what Squid knows.

I fact how do *you* know someone else did not commit a change during
that ~1 second it takes to look at the page and click the download button?
 Simply, you don't, and cannot until the new object has been fetched.

Likewise, Squid cannot know if the object is the same until it has
fetched a MISS from the server. Except that Squid does not look at the
previous page content, so it cannot even 'see' if there is a commit
listed there that might be different since whenever it got the previous
object.

There is no Cache-Control or Expires header indicating a specific
storage timeout or revalidation procedure. So refresh_pattern defaults
will be used. These responses will be cached for the refresh_pattern
'Min' duration (900 minutes) before being considered for revalidated.


NP 1: Synthesizing Last-Modified from the Date header is only just being
fixed in Squid the past few weeks, and some parts of it still to be
committed. So I would not expect that response to be revalidated, just
re-fetched fully in older Squid.


NP 2: The Vary header indicates that every person logged in gets a
differently cached response based on how their credentials are hashed on
each request (in Authorization tokens). So caching these objects will
not help much with many developers involved. It will be of most help for
the anonymous visitors where username is always a generic NIL value.

HTH
Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] cache github zip repositories

[Hardik Dangar]

Hello,

I am trying to cache Github zip URL's so it can be effectively cached as a
composer(php dependency management tool) uses them and in our local setup (
we are about 40 developers on a Lan and it will really help us managing
cache.). My squid version is 3.5.12 and our squid cache server is ubuntu
16.04. Here is squid.conf file we use,
https://gist.github.com/hardikdangar/df31d5bce725eff66e06f3abd6e77600

Here is the part which I want to cache,
say for example you want to download repo from GitHub then URL looks like
https://github.com/hardikdangar/test/archive/master.zip
but it redirects to the following,
https://codeload.github.com/hardikdangar/test/zip/master

You can see the response parameters via redbot.org
https://redbot.org/?uri=https%3A%2F%2Fcodeload.github.com%
2Fhardikdangar%2Ftest%2Fzip%2Fmaster

  HTTP/1.1 200 OK
Content-Length: 929
Access-Control-Allow-Origin: https://render.githubusercontent.com
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
Strict-Transport-Security: max-age=31536000
Vary: Authorization,Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
ETag: "9ea9838812d6f7bc53763eb1577da04e2fa473d5"
Content-Type: application/zip
Content-Disposition: attachment; filename=test-master.zip
X-Geo-Block-List:
Date: Wed, 14 Sep 2016 23:24:44 GMT
X-GitHub-Request-Id: 77092BF1:7F40:346461:57D9DC3C

Now if i do any change to above repository github does change ETAG and if i
don't change anything then ETAG remains the same so i believe we should be
able to cache those .zip files.

By default, squid does not cache codeload.github.com, to put it into cache,
I added,
refresh_pattern codeload.github.com 900 20% 4320 reload-into-ims

Now as per my understanding this should check etag as Last-Modified is not
provided by github for each new request. This does cache the zip file but
what happens is in next request even if i change the content and etag
changes squid sends the cached file from its cache instead of downloading
new file.

I have no clue why this happens. Can anyone help me figure out what's wrong
here? why squid does not detect new etag when repository is updated? why it
sends cache file even though there is new file available.

Thank you very much in advance for reading upto this point and have a good
day.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Web Whatsapp, Dropbox... problem

[Alex Rousskov]

On 09/14/2016 05:01 PM, erdosain9 wrote:

> acl step1 at_step SslBump1 
> acl excludeSSL ssl::server_name_regex web/.whatsapp/.com 
> 
> ssl_bump peek step1 
> ssl_bump splice excludeSSL 
> ssl_bump bump all 
> 
> I dont get nothing about web.whatsapp.com in access.log 

I suspect you just do not know how to find relevant access.log records.
The first logged CONNECT (that I would expect to see) will not have
web.whatsapp.com domain name, but will have one of its IP addresses.


> except this, a lot of time after i close the tab window of web browser...:
> 1473879972.435  37929 192.168.1.172 TCP_TUNNEL/200 1069 CONNECT
> web.whatsapp.com:443 - HIER_DIRECT/31.13.85.51 - 
> 
> Just that

That is not nothing! That is exactly what I would expect -- an
indication of a successfully established tunnel, splicing client and
server connections. Keep in mind that Squid logs transactions when they
are over, not when they start. A tunnel may last for hours or more...

I trust that you do not expect to see HTTP transactions (besides opening
CONNECT) that happen inside the tunnel. After splicing SSL connections,
Squid does not (and cannot) inspect what happens inside the resulting
tunnel.

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Web Whatsapp, Dropbox... problem

[erdosain9]

Hi, thanks


With

acl step1 at_step SslBump1 
acl excludeSSL ssl::server_name_regex web/.whatsapp/.com 

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 

I dont get nothing about web.whatsapp.com in access.log 
except this, a lot of time after i close the tab window of web browser...:
1473879972.435  37929 192.168.1.172 TCP_TUNNEL/200 1069 CONNECT
web.whatsapp.com:443 - HIER_DIRECT/31.13.85.51 - 

Just that


But if i change config to 

ssl_bump stare all 
ssl_bump bump all 

I get this Access.log. 

1473879403.950295 192.168.1.172 TCP_MISS/404 525 GET
https://web.whatsapp.com/404.appcache - HIER_DIRECT/31.13.85.51 text/html 
1473879404.110 58 192.168.1.172 TCP_MISS/200 647 GET
https://www.google.com/searchdomaincheck? - HIER_DIRECT/172.217.28.228
text/plain 
1473879405.340423 192.168.1.172 TCP_MISS/304 592 GET
https://web.whatsapp.com/serviceworker.js - HIER_DIRECT/31.13.85.51
application/javascript 
1473879407.051184 192.168.1.172 TCP_MISS/503 427 HEAD http://tsxvhgadd/
- HIER_NONE/- text/html 
1473879407.111243 192.168.1.172 TCP_MISS/503 427 HEAD
http://twngvdpnqgywgf/ - HIER_NONE/- text/html 
1473879407.113245 192.168.1.172 TCP_MISS/503 427 HEAD
http://jvmxcnnzacik/ - HIER_NONE/- text/html 
1473879409.275188 192.168.1.172 TAG_NONE/200 0 CONNECT
ssl.gstatic.com:443 - HIER_DIRECT/64.233.190.120 - 
1473879409.335 19 192.168.1.172 TCP_HIT/200 70267 GET
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_0.pb -
HIER_NONE/- application/octet-stream 
1473879409.355  4 192.168.1.172 TCP_HIT/200 70267 GET
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_ext_variation_0.pb
- HIER_NONE/- application/octet-stream 
1473879409.568481 192.168.1.172 TAG_NONE/200 0 CONNECT
ssl.gstatic.com:443 - HIER_DIRECT/64.233.190.120 - 
1473879409.977305 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json 
1473879411.771 85 192.168.1.172 TCP_MISS/200 1807 GET
https://www.google.com.ar/_/chrome/newtab-serviceworker.js -
HIER_DIRECT/172.217.28.35 text/javascript 
1473879414.612321 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json 
1473879428.127301 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json 
1473879446.136333 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Web-Whatsapp-Dropbox-problem-tp4679299p4679515.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Web Whatsapp, Dropbox... problem

[Alex Rousskov]

On 09/14/2016 12:56 PM, erdosain9 wrote:
> If i put 
> 
> acl step1 at_step SslBump1 
> acl excludeSSL ssl::server_name_regex web/.whatsapp/.com 
> 
> ssl_bump peek step1 
> ssl_bump splice excludeSSL 
> ssl_bump bump all 
> 
> I dont get nothing about web.whatsapp.com in access.log

What kind of CONNECT requests do you get logged in this case?


> But if i change config to
> 
> ssl_bump stare all
> ssl_bump bump all
> 
> I get this Access.log.
> 
> 
> 1473879403.629   1030 192.168.1.172 TAG_NONE/200 0 CONNECT
> web.whatsapp.com:443 - HIER_DIRECT/31.13.85.51 -

I would expect a logged CONNECT for the splicing case as well (assuming
splicing works). If Squid knows the server name (and a matching
excludeSSL implies that it does), then Squid should log it when logging
CONNECT after the spliced connections terminate.

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] windows update not working squid 3.5.2

[Eliezer Croitoru]

Hey Ahmad,

 

Try the new version of ms-updates from:

http://ngtech.co.il/ms-updates-store/

http://www1.ngtech.co.il/wpe/?page_id=301

 

Since you are using an armX based system.

>From my point of view on things I do not see the difference between other 
>traffic to MS updates.

Windows Updates are HTTP requests and responses which are identical to other 
objects.

When a proxy or a service starts to see these things with "new" perspective my 
assumption is that something with either RAM or CPU or DISK is wrong and couple 
simple objects will clear out things about the proxy state.


What I need is a testing use case from the squid world jargon.

Are you using an Intercept proxy?

If so what type of Interception? Tproxy or Intercept?

What objects did you tried until now? Only Windows Updates?

Do you have a dump of these requests?(you can use 
http://wiki.squid-cache.org/KnowledgeBase/DebugSections)

The dumps should be using section 11 ie: debug_options ALL,1 11,6

With these dumps we need the corresponding access.log.

These should be enough to think about things and maybe re-test them.

Also What OS are you using?

 

Eliezer

 



  Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of --Ahmad--
Sent: Tuesday, September 6, 2016 8:08 PM
To: Yuri Voinov
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2

 

/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - 
ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181228.768   1202 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.117   1159 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.265984 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181229.525   1207 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.066   1314 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181230.147913 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.166   1659 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.438   1233 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.461   1569 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.621   1023 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.143   1219 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.166   1212 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.528   1131 192.168.0.10 TCP_MISS/206 1049142 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.601   1416 192.168.0.10 TCP_MISS/206 1049146 GET 

Re: [squid-users] Web Whatsapp, Dropbox... problem

[erdosain9]

Hi.
If i put 

acl step1 at_step SslBump1 
acl excludeSSL ssl::server_name_regex web/.whatsapp/.com 

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 

I dont get nothing about web.whatsapp.com in access.log

But if i change config to

ssl_bump stare all
ssl_bump bump all

I get this Access.log.


1473879403.629   1030 192.168.1.172 TAG_NONE/200 0 CONNECT
web.whatsapp.com:443 - HIER_DIRECT/31.13.85.51 -
1473879403.878164 192.168.1.172 TAG_NONE/200 0 CONNECT
fonts.gstatic.com:443 - HIER_DIRECT/64.233.186.94 -
1473879403.950295 192.168.1.172 TCP_MISS/404 525 GET
https://web.whatsapp.com/404.appcache - HIER_DIRECT/31.13.85.51 text/html
1473879404.110 58 192.168.1.172 TCP_MISS/200 647 GET
https://www.google.com/searchdomaincheck? - HIER_DIRECT/172.217.28.228
text/plain
1473879405.340423 192.168.1.172 TCP_MISS/304 592 GET
https://web.whatsapp.com/serviceworker.js - HIER_DIRECT/31.13.85.51
application/javascript
1473879407.051184 192.168.1.172 TCP_MISS/503 427 HEAD http://tsxvhgadd/
- HIER_NONE/- text/html
1473879407.111243 192.168.1.172 TCP_MISS/503 427 HEAD
http://twngvdpnqgywgf/ - HIER_NONE/- text/html
1473879407.113245 192.168.1.172 TCP_MISS/503 427 HEAD
http://jvmxcnnzacik/ - HIER_NONE/- text/html
1473879409.275188 192.168.1.172 TAG_NONE/200 0 CONNECT
ssl.gstatic.com:443 - HIER_DIRECT/64.233.190.120 -
1473879409.335 19 192.168.1.172 TCP_HIT/200 70267 GET
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_0.pb -
HIER_NONE/- application/octet-stream
1473879409.355  4 192.168.1.172 TCP_HIT/200 70267 GET
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_ext_variation_0.pb
- HIER_NONE/- application/octet-stream
1473879409.568481 192.168.1.172 TAG_NONE/200 0 CONNECT
ssl.gstatic.com:443 - HIER_DIRECT/64.233.190.120 -
1473879409.977305 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json
1473879411.771 85 192.168.1.172 TCP_MISS/200 1807 GET
https://www.google.com.ar/_/chrome/newtab-serviceworker.js -
HIER_DIRECT/172.217.28.35 text/javascript
1473879414.612321 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json
1473879428.127301 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json
1473879446.136333 192.168.1.172 TCP_MISS/200 584 GET
https://web.whatsapp.com/status.json - HIER_DIRECT/31.13.85.51 text/json



Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Web-Whatsapp-Dropbox-problem-tp4679299p4679512.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Introducing delay to HTTP 407 responses

[Amos Jeffries]

On 14/09/2016 12:18 p.m., squid-us...@filter.luko.org wrote:
> Hi Squid users,
> 
> Seeking advice on how to slow down 407 responses to broken Apple & MS
> clients, which seem to retry at very short intervals and quickly fill the
> access.log with garbage.  The problem is very similar to this:
> 
> http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html
> 

The outcome of that was a 'ext_delayer_acl helper in Squid-3.5



It works slightly differently to what was being discussed in the thread.
see the man page for details on how to configure it.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] windows update not working squid 3.5.2

[Eliezer Croitoru]

Hey Ahmad,

 

First use some paste like pastebin to share you configuration file since it's 
not well formatted in the email.

Once I will have this I can take a look at the file and try to understand what 
you might try to do.

Also I have seen you are not using StoreID at all and you are intercepting 
traffic and not using the proxy as a forward proxy.

Have you tried to test squid caching using curl or wget compared to the 
original windows update client?

 

I can try to guide you with this but your config file doesn't make any sense at 
all to me.


Eliezer

 



  Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of --Ahmad--
Sent: Tuesday, September 6, 2016 8:08 PM
To: Yuri Voinov
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2

 

/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - 
ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181228.768   1202 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.117   1159 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.265984 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181229.525   1207 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.066   1314 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181230.147913 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.166   1659 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.438   1233 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.461   1569 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.621   1023 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.143   1219 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.166   1212 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.528   1131 192.168.0.10 TCP_MISS/206 1049142 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.601   1416 192.168.0.10 TCP_MISS/206 1049146 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
 - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181231.784938 192.168.0.10 TCP_MISS/206 1049144 GET 
http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe
 - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181232.102   1565 192.168.0.10 TCP_MISS/206 1049142 GET 

Re: [squid-users] c-icap load balancing

[Alex Rousskov]

On 09/13/2016 07:02 PM, yanghe wrote:
> I want to implement the c-icap cluster.the
> traffic averagely distribute to each c-icap.

Unfortunately, Squid does not support true load balancing of ICAP and
eCAP services directly. It would be a welcomed feature[1].

However, there is a workaround: Use "random" ACLs in your
adaptation_access rules to select each service at random, with the same
probability. There are production deployments using that workaround to
approximate load balancing effects. When implementing this, be careful
not to fall into a common trap of mistaking an individual
adaptation_access rule match probability with the service selection
probability[2].

[1]
http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

[2]
http://lists.squid-cache.org/pipermail/squid-users/2016-August/012217.html


HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Introducing delay to HTTP 407 responses

[Eliezer Croitoru]

Hey Luke,

Try to use the next line instead:
external_acl_type delay ttl=1 negative_ttl=0 cache=0 %SRC %SRCPORT %URI 
/tmp/delay.pl

And see what happens.
I do not know why the helper is not delaying but if you have a specific logic I 
can convert one of my scripts to support concurrency and do this delay.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of squid-us...@filter.luko.org
Sent: Wednesday, September 14, 2016 3:18 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Introducing delay to HTTP 407 responses

Hi Squid users,

Seeking advice on how to slow down 407 responses to broken Apple & MS
clients, which seem to retry at very short intervals and quickly fill the
access.log with garbage.  The problem is very similar to this:

http://www.squid-cache.org/mail-archive/squid-users/201404/0326.html

However the config below doesn't seem to slow down the response:

acl delaydomains dstdomain .live.net .apple.com
acl authresponse http_status 407
external_acl_type delay ttl=0 negative_ttl=0 cache=0 %SRC /tmp/delay.pl
acl delay external delay
http_reply_access deny delaydomains authresponse delay
http_reply_access allow all

The helper is never asked by Squid to process the request.  Just wondering
if http_status ACLs can be used in http_reply_access?

My other thinking, if this isn't possible, was to mark 407 responses with
clientside_tos so they could be delayed/throttled with tc or iptables.  Ie,

acl authresponse http_status 407
clientside_tos 0x20 authresponse

However, auth response packets don't get the desired tos markings.  Instead
the following message appears in cache.log:

2016/09/13 11:35:43 kid1| WARNING: authresponse ACL is used in context
without an HTTP response. Assuming mismatch.

After reviewing
http://lists.squid-cache.org/pipermail/squid-users/2016-May/010630.html it
seems like this has cropped up before.  The suggestion in that thread was to
exclude 407 responses from the access log.  Fortunately this works.  But I'm
wondering if there is a way to introduce delay into the 407 response itself?
Partly to minimise load associated with serving broken clients, and also to
maintain logging of actual intrusion attempts.  Any suggestions?

Luke


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] c-icap load balancing

[Amos Jeffries]

On 14/09/2016 1:02 p.m., yanghe wrote:
> I hope to confirm whether the c-icap can achieve cluster and load balancing.

That is not anything to do with Squid.

Squid is simply a client application that connects to a URI presented by
whatever C-ICAP service you setup. How that service works is its own
business.


FWIW: if you can't contact the C-ICAP author through the C-ICAP
softwares contact point you could try asking on squid-dev mailing list
where he is more likely to see your request.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Web Whatsapp, Dropbox... problem

[Amos Jeffries]

On 14/09/2016 9:14 a.m., Chico Venancio wrote:
> Not really,
> As I understand it it is a websocket, that when proxied starts its
> handshake with a connect request so it can be "understood" by proxies such
> as squid.

Correct. Squid will open the TCP tunnel and (if succesful) send an HTTP
200 OK response to the client to let it know it can send opaque data
through it. For this client it would be WebSocket connection frames.


erdosain9's original post quoted Chrome output and some unrelated lines
from access.log (Google != WhatsApp). So we don't know anything from
that excapt WhatsApp connections have a problem, ... like the thread
subject says.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Cannot get ACL to work

[Amos Jeffries]

On 14/09/2016 5:43 p.m., Jason Leshchyshyn wrote:
> Ugh, I am trying to get Squid to deny access to a particular AD group, but 
> when I enable the rule, then it denys everyone. 
> 
> 
> This is what I have in squid.conf 
> 
> 
> 
> 
> 
> 
> # NTLM 
> 
> auth_param ntlm program /usr/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp 
> 
> auth_param ntlm children 15 
> 
> auth_param ntlm keep_alive on 
> 
> 
> 
> # Limit access for Factory users 
> 
> external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl 
> 
> acl FactoryDeny external nt_group sec_deny_internet 
> 
> http_access deny FactoryDeny 
> 

Move all that below the "deny !auth" line. One would expect clients to
login before group checking. Order is important.


> 
> acl auth proxy_auth REQUIRED 
> 
> http_access deny !auth 
> 
> http_access allow auth 
> 
> 
> 
> 
> 
> -=- 
> I have verified the ext_wbinfo_group_acl works: 
> 
> 
> 
> 
> 
> [root@fac-proxy squid]# ./ext_wbinfo_group_acl -d 
> 
> Debugging mode ON. 
> 
> user sec_vpn_users 
> 
> Got user sec_vpn_users from squid 

This is irrelevant sec_vpn_users is not a group in the config above.

> 
> user sec_deny_internet 
> 
> Got user sec_deny_internet from squid 
> 
> User: -user- 
> 
> Group: -sec_deny_internet- 
> 
> SID: -S-1-5-21-1978138449-291607360-3720246513-18148- 
> 
> GID: -1677721- 
> 
> Sending ERR to squid 
> 

Meaning the "deny FactoryDeny" is false (no deny action) when the
username is "user".


> 
> Because this is a production server there's a bunch of traffic on it so I 
> can't catch too much of the log, but this is what I can see with debugging 
> turned on: 
> 
> 
> 
> 
> 
> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking 
> FactoryDeny 
> 
> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: 
> ACL::checklistMatches: checking 'FactoryDeny' 
> 
> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: 
> ACL::ChecklistMatches: result for 'FactoryDeny' is -1 
> 

Login credentials are unknown (-1). Authentication needs to be performed
and the ACLs checked again.


> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed. 
> 
> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is 
> false 
> 
> 
> 
> If the result is false then the deny should be false and it should continue 
> to the next rule, right? 
> 

Normally yes, but authentication is involved here and that makes it a
bit more complex.

Since the external_acl_type uses %LOGIN and responds with -1, that is a
signal that the false actually means Squid is to generate the 407/401
response to make authentication happen. The http_access action is not
known yet, and wont be until the client presents some credentials.


The suggestion above to place the authentication above the group lookup
simplifies things again by ensuring that auth has already happened and
this special-case situation with %LOGIN does not happen very often.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Rock store status

[FredB]

Hello Alex and thank you for the explanations, I forgot but of course the test 
is running on same hardware and same full caches (2 sata drives 15k rpm 123 Gb 
of caches each)

I will return to diskd now, because the point 2 is annoying for me, but rock 
seems very promising for me
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Lost of all squid cache

[Eduardo Carneiro]

SOLVED!

I've isolated the cache and created another instance for users to use.
Deleted swap.state (made a backup before) and restarted the squid service.
It took a long time to rebuild the cache, but it worked.

Thank you all for your help.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Lost-of-all-squid-cache-tp4679466p4679503.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users