[squid-users] multiple instances with different outgoing addresses and 2x external nics

2016-09-21 Thread Drikus Brits
 

Hi Experts,

I'm struggling to get squid to work the way I need it to.

My setup:

1x Server : Ubuntu 14
3x Interfaces : 1x Inside ( 192.168.100.10 ) 2x Outside connected to DSL
(1st = 10.0.0.2, 2nd 10.0.1.2)
2x default routes : 1x for each DSL link

Management uses proxy address : 192.168.100.10 3128
All else uses address : 192.168.100.10 3129

Both instances have their own configuration file and squid starts both
instances without issues. The mngt instance is configured to use
tcp_outgoing_address : 10.0.0.2 and the all_else instance is configured to use
tcp_outgoing_address : 10.0.1.2, but when I test a website that reveals
your outside IP, it always seems to only go out via the 1 DSL network
and not the other.

If I remove the default route to DSL1, then both instances work via
DSL2. My thought was that if the outgoing_address is 10.0.0.2 it should
go out via DSL1 and if outgoing_address is 10.0.1.2 it should go via
DSL2.

If I try to use an outgoing address that is not the IP of the
configured eth interface, then it complains about binding issues.

I'm not using any firewalls of sorts to manipulate routing at this
stage. I really would prefer to use 1x VM (squid) instead of 2 separate
VMs running squid...

Any suggestions? 

Thanks

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Question about the url rewrite before proxy out

2016-09-21 Thread squid-users
> i am looking for a proxy which can "bounce" the request, which is not a 
> classic proxy.
>
> I want it works in this way.
> 
> e.g. a proxy is running a 192.168.1.1 
> and when i want to open http://www.yahoo.com, i just need call 
> http://192.168.1.1/www.yahoo.com
> the proxy can pickup the host "http://www.yahoo.com" from the URI, and 
> retrieve the info for me, 
> so it need to get the new $host from $location, and remove the $host from the 
> $location before proxy pass it.
> it is doable via squid?

Yes it is doable (but unusual).  First you need to tell Squid which requests 
should be rewritten, then send them to a rewrite program to be transformed.  
Identify the domains like this:

# list the domains to rewrite (add more as needed)
acl rewrite-domains dstdomain .yahoo.com .google.com

Then set up a URL rewriting program, and only allow it to process requests 
matching the rewrite-domains ACL, like this:

url_rewrite_program /tmp/rewrite-program.pl
url_rewrite_extras "%>ru"
url_rewrite_access allow rewrite-domains
url_rewrite_access deny all

The program itself can be anything.  A very simple example in Perl might look 
like this:

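#!/usr/bin/perl
use strict;
use warnings;

# Disable output buffering so Squid sees each reply immediately
$| = 1;

# Enter loop: Squid sends one request per line on stdin
while (my $thisline = <>) {
    # The URL is the first whitespace-separated field; the extras follow it
    my @parts = split(/\s+/, $thisline);
    my $url = $parts[0];
    next unless defined $url;
    # Move the original host into the path of a request to 192.168.1.1
    $url =~ s/http:\/\/(.*)/http:\/\/192.168.1.1\/$1/g;
    print "OK rewrite-url=\"$url\"\n";
}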

If you input http://www.yahoo.com/page.html, this will be transformed to 
http://192.168.1.1/www.google.com/page.html.  The helper just needs to print 
that out prepended by "OK rewrite-url=xxx".  More info at 
http://www.squid-cache.org/Doc/config/url_rewrite_program/

Of course, you will need something listening on 192.168.1.1 (Apache, nginx, 
whatever) that can deal with those rewritten requests.  That is an unusual way 
of getting requests to 192.168.1.1 though, because you are effectively putting 
the hostname component into the URL then sending it to a web service and 
expecting it to deal with that.

Another note.  If you have a cache_peer defined, you might need some config to 
force rewritten requests to be sent to 192.168.1.1 and not your cache peer.  In 
that case this should do the trick:

acl rewrite-host dst 192.168.1.1
always_direct allow rewrite-host

HtH.

Luke
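
A more defensive variant of the helper described above, as an added example in Python (not Luke's code and not something shipped with Squid): it parses the URL instead of pattern-matching it, honours the optional channel-ID that Squid prepends when helper concurrency is enabled, and answers ERR (leave the URL alone) for anything outside the listed domains. BOUNCE_HOST and REWRITE_DOMAINS are assumptions taken from the addresses and domains used in this thread; refusing non-default ports is a choice made for this example.

```python
#!/usr/bin/env python3
"""Squid url_rewrite helper: send requests for listed sites to a bounce host."""
import sys
from urllib.parse import urlsplit, urlunsplit

BOUNCE_HOST = "192.168.1.1"                      # assumption: address from the thread
REWRITE_DOMAINS = (".yahoo.com", ".google.com")  # assumption: mirrors rewrite-domains


def in_rewrite_domains(host):
    """dstdomain-style match: '.yahoo.com' covers yahoo.com and its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d[1:] or host.endswith(d) for d in REWRITE_DOMAINS)


def rewrite(url):
    """Return the rewritten URL, or None when the request must stay untouched."""
    if '"' in url or "\\" in url:
        return None                  # would break the quoted rewrite-url value
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname
    if parts.scheme != "http" or not host or parts.username is not None:
        return None                  # CONNECT targets, https, user@host tricks
    if port not in (None, 80):
        return None                  # the path form cannot carry a port
    if host == BOUNCE_HOST or not in_rewrite_domains(host):
        return None                  # never rewrite twice, never widen the list
    path = "/" + host + (parts.path or "/")
    return urlunsplit(("http", BOUNCE_HOST, path, parts.query, ""))


def answer(line):
    """Build the reply for one request line: [channel-ID] URL [extras]."""
    fields = line.split()
    prefix = ""
    if fields and fields[0].isdigit():   # channel-ID, echoed back in the reply
        prefix = fields[0] + " "
        fields = fields[1:]
    if not fields:
        return prefix + "BH"             # helper could not identify a result
    new_url = rewrite(fields[0])
    if new_url is None:
        return prefix + "ERR"            # ERR tells Squid not to change the URL
    return prefix + 'OK rewrite-url="' + new_url + '"'


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()               # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

Checking the domain inside the helper as well as in url_rewrite_access keeps the bounce host from receiving arbitrary destinations if the ACL is later loosened.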




[squid-users] Question about the url rewrite before proxy out

2016-09-21 Thread Bill Yuan
Hello,

i am looking for a proxy which can "bounce" the request, which is not a
classic proxy.

I want it works in this way.
e.g. a proxy is running a 192.168.1.1
and when i want to open www.yahoo.com, i just need call
http://192.168.1.1/www.yahoo.com
the proxy can pickup the host "www.yahoo.com" from the URI, and
retrieve the info for me,

so it need to get the new $host from $location, and remove the $host from
the $location before proxy pass it.

it is doable via squid?

Regards
Bill


Re: [squid-users] libevent

2016-09-21 Thread Yuri Voinov

You are too few in number to provide something decent enough, and not
from the last century.

So, business as usual.

22.09.2016 3:54, Yuri Voinov wrote:
>
> 22.09.2016 3:52, Alex Rousskov wrote:
> > On 09/21/2016 03:01 PM, joe wrote:
> >> almost most of internet app like dns and other cache using it its the
> >> future so why not squid
>
> > because nobody added libevent support to Squid.
> including devs...
>
> >> it perform better stability and speed
>
> > Better than what? And what makes you think that?
>
> > Most Squid performance and stability problems are not related to the
> > code that libevent can replace...
> Yes, the problems stem from the hands. Certainly. Not from libraries.
>
> > Alex.



Re: [squid-users] libevent

2016-09-21 Thread Yuri Voinov



22.09.2016 3:52, Alex Rousskov wrote:
> On 09/21/2016 03:01 PM, joe wrote:
>> almost most of internet app like dns and other cache using it its the
>> future so why not squid
>
> because nobody added libevent support to Squid.
including devs...
>
>> it perform better stability and speed
>
> Better than what? And what makes you think that?
>
> Most Squid performance and stability problems are not related to the
> code that libevent can replace...
Yes, the problems stem from the hands. Certainly. Not from libraries.
>
> Alex.



Re: [squid-users] libevent

2016-09-21 Thread Alex Rousskov
On 09/21/2016 03:01 PM, joe wrote:
> almost most of internet app like dns and other cache using it its the
> future so why not squid

because nobody added libevent support to Squid.


> it perform better stability and speed

Better than what? And what makes you think that?

Most Squid performance and stability problems are not related to the
code that libevent can replace...

Alex.



Re: [squid-users] SSO (kerberos)

2016-09-21 Thread erdosain9
Hi.
Kerberos authentication is working now .

This is my config

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -d -s HTTP/squid.example@example.lan
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED
http_access allow all auth

But I want to check the group of authenticated users so I can apply acl to
them, etc.

What would be the syntax I could use ??

Thanks!!!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/SSO-kerberos-tp4679470p4679640.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] libevent

2016-09-21 Thread joe
almost most of internet app like dns and other cache using it its the
future so why not squid it perform better stability and speed





Re: [squid-users] libevent

2016-09-21 Thread Yuri Voinov

Joined.


22.09.2016 2:46, joe wrote:
> is there a support for libevent in squid ???



[squid-users] libevent

2016-09-21 Thread joe
is there a support for libevent in squid ???





Re: [squid-users] Squid for proxy server on Google Compute Engine?

2016-09-21 Thread Amos Jeffries
On 21/09/2016 4:09 p.m., Chuong Hoang wrote:
> Hi guys, thanks for reading this! I’m new so sorry if this is a dumb
> question! But I've been finding the answer for 3 days but still no
> sign of light.
> 
> I’ve already posted the problem on GCE discussion group- this link:
> https://groups.google.com/forum/#!topic/gce-discussion/xwlHYhFTUtU
> 
> To make it clear, I also restate the problem here: Been working on
> this for 2 days and still cannot find the way out :(
> 
> Below is my setup for testing, which basically supports all
> http_access through port 
> 
> -squid.conf file:
> 
> http_port  http_access allow all -Open port  for incoming
> HTTP data by gcloud command (which returned "allowed")

What other rules do you have in your squid.conf file?

How are these two lines placed in relation to all the others that should
be there? Order is important.

> 
> gcloud compute firewall-rules create allow-tcp --description
> "Incoming-http-allowed." --allow tcp: --format json With the
> setup above, I can telnet to the IP with port . However, when
> querying to some http links with browser (Safari/Chrome), I always
> get this message
> 
> The following error was encountered while trying to retrieve the URL:
> http://google.com/ 
> 
> Access Denied.
> 
> Access control configuration prevents your request from being allowed
> at this time. Please contact your service provider if you feel this
> is incorrect.
> 
> Your cache administrator is webmaster. I also tried other ports
> (3128, 8000, 80) but no help I also tried to force the port to listen
> IPv4 addresses with something like http_port 0.0.0.0:
>  and still not working Someone please help me
> out of this mess :( Much appreciated!
> 
> P/S: I connect to the squid proxy though my Macbook (OS Sierra) with
> Web Proxy (HTTP) enabled in Network Preferences.
> 
> This is some logs from cache.log, which probably indicates that my
> conf file is fraud. client_side.cc(777) swanSong:
> local=10.xxx.0.2: remote=113.xxx.xxx.113:54856 flags=1 -
> 10.xxx.0.2 is GCE's internal IP - 113.xxx.xxx.113 is my computer's
> external IP

The log line shows correct IPs for the client connection - remote being
the client IP and local the Squid machine's IP.


Amos


Re: [squid-users] Fwd: Squid ssl bumping. Ssl bumping not working on sites with ssl GOST cypher certificate

2016-09-21 Thread Amos Jeffries
On 22/09/2016 1:41 a.m., Сергин Александр wrote:
> Hi, can you please explain me, does squid support ssl bumping with site
> signed with GOST certificate?
> 

The crypto details in squid.conf are almost always passed directly to
the crypto library. So Squid supports what the library does. I don't
know enough about the GOST ciphers to know if there is anything unusual
needed from Squid.


> I have OpenSSL 1.0.2d 9 Jul 2015
> 
> openssl engine
> (dynamic) Dynamic engine loading support
> *(gost) Reference implementation of GOST engine*
> 

That would indicate the answer is yes, unless something unusual is needed.

> 
> *openssl ciphers | grep GOST*
> 
> *GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89*
> 
> /opt/squid/sbin/squid -v
> Squid Cache: Version 3.5.19
> Service Name: squid
> configure options:  'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
> -O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
> '--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
> '--enable-removal-policies=heap,lru' '--enable-useragent-log'
> '--enable-referer-log' '--enable-arp-acl' '--with-openssl'
> '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
> '--enable-basic-auth=all' '--enable-ntlm-auth=all'
> '--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
> '--enable-external-acl-helpers' '--with-filedescriptors=32768'
> '--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
> '--disable-static' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid'
> '--with-swapdir=/var/data/squid/cache' '--disable-arch-native'
> 
> SSL bumping with dynamic certificates working well but when I try to go to
> site with GOST certificate,
> I see error -
> 
> The system returned:
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> 
> Handshake with SSL server failed: error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
> 
> 
> Please explain me this Error please
> 

The error is produced by OpenSSL. It means one endpoint of the
Squid<->server connection has a crypto library that does not support one
of the cipher algorithms the other endpoint is requiring.

This is different from simply not being able to agree on a matching set
of ciphers to use. One of the ciphers is actively non-supported for the
use to which it is being attempted.

It could be the cipher (server not supporting GOST?), a checksum hash
(RC4, DES, SHA1 are frequently forbidden these days), or something else.

NP: That is the limit of what I know about this error sorry. Good luck
finding a fix.

Amos



Re: [squid-users] Parameter to define quantity of clients in Proxy Reverse

2016-09-21 Thread Amos Jeffries
On 22/09/2016 5:34 a.m., Antony Stone wrote:
> On Wednesday 21 Sep 2016 at 17:03, Roberto Carna wrote:
> 
>> Dear, just a brief question:
>>
>> I have Squid 3.4.8 on Debian running in reverse proxy mode, and I need
>> to know if there is any parameter in squid.conf that I have to adjust
>> in order to define the quantity of clients I will accept.
> 
> No.
> 
>> Or is the same if the squid receives 10 or 1.000.000 petitions at the
>> same time??? (My hardware is big enough, this is not my problem).
> 
> Squid will handle as many simultaneous connections as your hardware, 
> operating system, and network connection can support.
> 
> It's just the same as your web server - it'll handle as many connection 
> requests as it can; there's nothing to configure to specify how many to 
> accept.
> 

True. Though sometimes the operating system FD limits need to be
increased. This is usually the case for reverse-proxy setups that are
expecting large volumes of traffic.


Amos



Re: [squid-users] Parameter to define quantity of clients in Proxy Reverse

2016-09-21 Thread Antony Stone
On Wednesday 21 Sep 2016 at 17:03, Roberto Carna wrote:

> Dear, just a brief question:
> 
> I have Squid 3.4.8 on Debian running in reverse proxy mode, and I need
> to know if there is any parameter in squid.conf that I have to adjust
> in order to define the quantity of clients I will accept.

No.

> Or is the same if the squid receives 10 or 1.000.000 petitions at the
> same time??? (My hardware is big enough, this is not my problem).

Squid will handle as many simultaneous connections as your hardware, 
operating system, and network connection can support.

It's just the same as your web server - it'll handle as many connection 
requests as it can; there's nothing to configure to specify how many to 
accept.


Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

   Please reply to the list;
 please *don't* CC me.


[squid-users] Parameter to define quantity of clients in Proxy Reverse

2016-09-21 Thread Roberto Carna
Dear, just a brief question:

I have Squid 3.4.8 on Debian running in reverse proxy mode, and I need
to know if there is any parameter in squid.conf that I have to adjust
in order to define the quantity of clients I will accept.

Or is the same if the squid receives 10 or 1.000.000 petitions at the
same time??? (My hardware is big enough, this is not my problem).

Special thanks,

Roberto


Re: [squid-users] Squid 3.5.21 - High CPU (100%)

2016-09-21 Thread Alex Rousskov
On 09/21/2016 07:53 AM, Jasper Van Der Westhuizen wrote:
> I have been having some problems with Squid using
> 100% CPU at times which impacts my users browsing experience. 

Sustained 100% CPU load at ~100/s rates with regular traffic on
reasonable hardware is a sign (albeit not a proof!) of a Squid bug
(including long searches and similar optimization problems).


> During the last time I had a proxy servers CPU reach 100% I ran a
> cachemgr export and below is an extract.

Next time this happens, consider getting a stack trace or two from the
process showing sustained 100% CPU utilization. It is possible to do
that without killing the processes (at least on Linux). I do not have
step-by-step instructions, but you can find them. Make sure you run (or
at least use for getting the stack trace?) an unstripped Squid binary,
preferably built with --disable-optimizations.

If the place where Squid gets stuck is known, somebody may volunteer to
fix the corresponding code.


Good luck,

Alex.



Re: [squid-users] Ignoring DNS Lookup errors in ACLs?

2016-09-21 Thread Alex Rousskov
On 09/21/2016 03:13 AM, Ralf Hildebrandt wrote:
> Is there any way of making DNS Lookup errors in ACLs a warning only?

Only by modifying the code I am afraid. And we probably cannot do that
by default because it can be a security risk in some environments.

Alex.



[squid-users] Squid 3.5.21 - High CPU (100%)

2016-09-21 Thread Jasper Van Der Westhuizen
Hi all


In my environment I have two Squid clusters that comprise of 4 VM's each, load 
balanced over a F5 LB. I will refer to them as cluster A (client facing) and 
cluster B(edge proxies). Depending on the destination, the traffic is routed 
from cluster A via ISP 1 or to cluster B via ISP 2. I have been having some 
problems with Squid using 100% CPU at times which impacts my users browsing 
experience. This would happen on both clusters, even after upgrading to the 
latest 3.5.21 build.


I also recently saw the following errors in the cache logs:

2016/09/20 14:37:02 kid1| DiskThreadsDiskFile::openDone: (2) No such file or directory


After some reading up it looks like files were removed without Squid knowing 
about it. My cache directory was on an EXT3 FS with journaling enabled. To try 
and address a possible disk access/speed issue I disabled journaling on the LV.

I have also done some optimizing from a OS point of view.


In order to get the CPU utilization down, a simple squid -k reconfigure will be 
enough. Not a full restart.


During the last time I had a proxy servers CPU reach 100% I ran a cachemgr 
export and below is an extract.








sample_start_time = 1474463096.261275 (Wed, 21 Sep 2016 13:04:56 GMT)
sample_end_time = 1474463396.382713 (Wed, 21 Sep 2016 13:09:56 GMT)
client_http.requests = 101.722157/sec
client_http.hits = 6.623985/sec
client_http.errors = 18.505842/sec
client_http.kbytes_in = 4718.936473/sec
client_http.kbytes_out = 4148.813921/sec
client_http.all_median_svc_time = 0.898576 seconds
client_http.miss_median_svc_time = 0.321543 seconds
client_http.nm_median_svc_time = 0.008653 seconds
client_http.nh_median_svc_time = 0.220042 seconds
client_http.hit_median_svc_time = 0.013867 seconds
server.all.requests = 78.671488/sec
server.all.errors = 0.00/sec
server.all.kbytes_in = 7963.083264/sec
server.all.kbytes_out = 4704.282405/sec
server.http.requests = 31.533902/sec
server.http.errors = 0.00/sec
server.http.kbytes_in = 4451.098225/sec
server.http.kbytes_out = 45.414950/sec
server.ftp.requests = 0.00/sec
server.ftp.errors = 0.00/sec
server.ftp.kbytes_in = 0.00/sec
server.ftp.kbytes_out = 0.00/sec
server.other.requests = 47.137586/sec
server.other.errors = 0.00/sec
server.other.kbytes_in = 3511.981707/sec
server.other.kbytes_out = 4658.870787/sec
icp.pkts_sent = 0.00/sec
icp.pkts_recv = 0.00/sec
icp.queries_sent = 0.00/sec
icp.replies_sent = 0.00/sec
icp.queries_recv = 0.00/sec
icp.replies_recv = 0.00/sec
icp.replies_queued = 0.00/sec
icp.query_timeouts = 0.00/sec
icp.kbytes_sent = 0.00/sec
icp.kbytes_recv = 0.00/sec
icp.q_kbytes_sent = 0.00/sec
icp.r_kbytes_sent = 0.00/sec
icp.q_kbytes_recv = 0.00/sec
icp.r_kbytes_recv = 0.00/sec
icp.query_median_svc_time = 0.00 seconds
icp.reply_median_svc_time = 0.00 seconds
dns.median_svc_time = 0.002783 seconds
unlink.requests = 0.00/sec
page_faults = 0.029988/sec
select_loops = 260.427914/sec
select_fds = 4391.065859/sec
average_select_fd_period = 0.00/fd
median_select_fds = 1.00
swap.outs = 6.204155/sec
swap.ins = 2.312397/sec
swap.files_cleaned = 0.00/sec
aborted_requests = 2.962134/sec
syscalls.disk.opens = 8.253326/sec
syscalls.disk.closes = 16.216769/sec
syscalls.disk.reads = 24.953232/sec
syscalls.disk.writes = 998.445836/sec
syscalls.disk.seeks = 0.00/sec
syscalls.disk.unlinks = 1.426089/sec
syscalls.sock.accepts = 74.449863/sec
syscalls.sock.sockets = 59.052763/sec
syscalls.sock.connects = 59.052763/sec
syscalls.sock.binds = 0.00/sec
syscalls.sock.closes = 137.934165/sec
syscalls.sock.reads = 2467.637783/sec
syscalls.sock.writes = 1735.070988/sec
syscalls.sock.recvfroms = 24.050265/sec
syscalls.sock.sendtos = 14.464145/sec
cpu_time = 295.754484 seconds
wall_time = 300.121438 seconds
cpu_usage = 98.544938%





Here is one some time later after running a squid -k reconfigure.


sample_start_time = 1474465618.601004 (Wed, 21 Sep 2016 13:46:58 GMT)
sample_end_time = 1474465918.604173 (Wed, 21 Sep 2016 13:51:58 GMT)
client_http.requests = 72.862564/sec
client_http.hits = 1.216654/sec
client_http.errors = 3.693294/sec
client_http.kbytes_in = 904.270448/sec
client_http.kbytes_out = 3676.207834/sec
client_http.all_median_svc_time = 0.649683 seconds
client_http.miss_median_svc_time = 0.177113 seconds
client_http.nm_median_svc_time = 0.00 seconds
client_http.nh_median_svc_time = 0.034266 seconds
client_http.hit_median_svc_time = 0.009754 seconds
server.all.requests = 72.545900/sec
server.all.errors = 0.00/sec
server.all.kb

[squid-users] Squid SSL Bumping and GOST ciper error.

2016-09-21 Thread Сергин Александр
Best Regards,
Hi, can you please explain me, does squid support ssl bumping with site
signed with GOST certificate?

I have OpenSSL 1.0.2d 9 Jul 2015

openssl engine
(dynamic) Dynamic engine loading support
*(gost) Reference implementation of GOST engine*


*openssl ciphers | grep GOST*

*GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89*

/opt/squid/sbin/squid -v
Squid Cache: Version 3.5.19
Service Name: squid
configure options:  'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
-O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
'--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
'--enable-removal-policies=heap,lru' '--enable-useragent-log'
'--enable-referer-log' '--enable-arp-acl' '--with-openssl'
'--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
'--enable-basic-auth=all' '--enable-ntlm-auth=all'
'--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
'--enable-external-acl-helpers' '--with-filedescriptors=32768'
'--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
'--disable-static' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--with-swapdir=/var/data/squid/cache' '--disable-arch-native'

SSL bumping with dynamic certificates working well but when I try to go to
site with GOST certificate,
I see error -

The system returned:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm


Please explain me this Error please


[squid-users] Fwd: Squid ssl bumping. Ssl bumping not working on sites with ssl GOST cypher certificate

2016-09-21 Thread Сергин Александр
Hi, can you please explain me, does squid support ssl bumping with site
signed with GOST certificate?

I have OpenSSL 1.0.2d 9 Jul 2015

openssl engine
(dynamic) Dynamic engine loading support
*(gost) Reference implementation of GOST engine*


*openssl ciphers | grep GOST*

*GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89*

/opt/squid/sbin/squid -v
Squid Cache: Version 3.5.19
Service Name: squid
configure options:  'CFLAGS=-march=i686 -g -O2' 'CXXFLAGS=-march=i686 -g
-O2' '--prefix=/opt/squid-3.5.19-4' '--enable-async-io=32'
'--enable-storeio=ufs,aufs,rock,diskd' '--enable-disk-io'
'--enable-removal-policies=heap,lru' '--enable-useragent-log'
'--enable-referer-log' '--enable-arp-acl' '--with-openssl'
'--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
'--enable-basic-auth=all' '--enable-ntlm-auth=all'
'--enable-ntlm-fail-open' '--enable-negotiate-auth=all'
'--enable-external-acl-helpers' '--with-filedescriptors=32768'
'--with-large-files' '--enable-delay-pools' '--enable-ssl-crtd'
'--disable-static' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--with-swapdir=/var/data/squid/cache' '--disable-arch-native'

SSL bumping with dynamic certificates working well but when I try to go to
site with GOST certificate,
I see error -

The system returned:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm


Please explain me this Error please


[squid-users] Ignoring DNS Lookup errors in ACLs?

2016-09-21 Thread Ralf Hildebrandt
Is there any way of making DNS Lookup errors in ACLs a warning only?

2016/09/19 13:00:14| aclIpParseIpData: Bad host/IP: 'cfmww-v-it-17.charite.de' in 'cfmww-v-it-17.charite.de', flags=0 : (-2) Name or service not known
2016/09/19 13:00:14| Not currently OK to rewrite swap log.
2016/09/19 13:00:14| storeDirWriteCleanLogs: Operation aborted.
FATAL: Bungled /etc/squid3/squid.conf line 1694: acl teamviewer-allow src "/etc/squid3/teamviewer.acl"


-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: [squid-users] SSO and Squid, SAML 2.0 ?

2016-09-21 Thread FredB

> Hi Fred,
>   I assume that by "implicit" you mean "transparent" or
> "interception". Short answer, not possible: there is nothing to
> anchor
> cookies to. It could be possible to fake it by having an auxiliary
> website doing standard SAML and feeding a database of associations
> userid-ip. It will fail to account for cases where multiple users
> share the same IP, but that doesn't stop many vendors from claiming
> they do "transparent authentication".
> 


Hi Kinkie,

No, sorry, I mean explicit (not transparent) 
And yes, I have some multiple users with the same IP 

Regards 

Fred