Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Amos Jeffries
On 11/02/18 09:39, Yuri wrote:
> Ah. My bad. Correctly Defence in depth:
> 
> https://en.wikipedia.org/wiki/Defense_in_depth_(computing)
> 
> 
> 11.02.2018 02:29, Yuri wrote:
>> No. This reason is obviously not strong enough. As by as requirement
>> configure firewalls also on servers - whenever they placed. Security in
>> depth - did you hear this term?
>>
>>
>> 11.02.2018 02:26, Peng Yu wrote:
>>>> What is your reason for wanting "no restrictions"?
>>> The proxied servers are behind a firewall already, which protect them
>>> from any unwanted access. Is this reason strong enough to have no
>>> restrictions set?
>>>
> 

Indeed as Yuri said. Firewall rules are not enough.

The proxy is making connections from *inside* the network. A firewall at
the network edge cannot prevent, nor even see these.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] custom logfile_daemon causing FATAL error

2018-02-10 Thread Alex Rousskov
On 02/10/2018 05:51 PM, Michael D wrote:
> Greetings all, 
> 
> I have been attempting to write my own logfile_daemon for experimental
> purposes, but any daemon I provide causes "FATAL: I don't handle this
> error well". I also see "logfileHandleWrite:
> daemon:/var/log/squid/access.log: error writing ((32) Broken pipe)" with
> no other errors in the cache.log.

It sounds like your daemon quits without Squid's permission. Logging
daemons should not do that because Squid considers such behavior a FATAL
error.


> I have read all possible docs about
> writing a custom logfile_daemon, but I have had no luck. For testing
> purposes my daemon is just a bash script that creates a file and pipes
> random text to it. The creation of the file/writing text to the file
> works fine, but soon after squid just dies. I have no help from the
> cache.log or squid.out.

Since you did not share your code, I have to ask: Does your shell script
actually read logging commands sent by Squid? Or does it simply quit
after writing some "random text" to some file? Squid expects the daemon
to run until the daemon reads EOF on stdin... The daemon does not have
to handle the commands it reads, but it has to keep reading them until EOF.

If you want to add debugging to your daemon, try writing to stderr.

For the list of logging commands, please see
https://wiki.squid-cache.org/Features/LogModules#Daemon_Message_Protocol
a.k.a.
https://wiki.squid-cache.org/Features/AddonHelpers#Logging


HTH,

Alex.


> The only line I have added to my squid.conf is "logfile_daemon
> /etc/squid/hi.sh". This causes the fatal error. I have also tried
> explicitly setting my access_log directive as well "access_log
> daemon:/var/log/squid/access.log squid", but that still does not work.
> Thanks in advance.
> 
> -Mike
> 
> 
> 
> 
> 
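
The read-until-EOF loop described in the reply above, as an added example that is not part of the original message and not Squid's own daemon: it keeps reading commands until EOF on stdin, appends `L` records to the log, and reports every other command on stderr instead of quitting. The single-letter command codes follow the Daemon Message Protocol page linked above; the function names and the sample command stream are constructed for this illustration.

```c
/* Added example, not Squid's log_file_daemon: a minimal logging daemon
 * loop. Function names and the sample commands are constructed here. */
#include <stdio.h>
#include <string.h>

/* Constructed command stream: one command per line, first byte = command. */
static const char SAMPLE_COMMANDS[] =
    "b1\n"                                  /* buffering on */
    "r10\n"                                 /* rotate count */
    "L1518300000.000 12 192.0.2.10 TCP_MISS/200 512 GET http://example.com/\n"
    "F\n"                                   /* flush */
    "R\n"                                   /* rotate */
    "Lsecond record\n";

/* Reads commands from in until EOF and returns the number of 'L' records
 * appended to log. Unhandled commands are reported on dbg and skipped;
 * nothing short of EOF ends the loop. */
long run_log_daemon(FILE *in, FILE *log, FILE *dbg)
{
    char buf[4096];
    long records = 0;
    int line_start = 1;   /* does buf begin a new command line? */
    char cmd = 0;         /* command byte of the line in progress */

    while (fgets(buf, sizeof buf, in) != NULL) {
        const char *data = buf;
        size_t len = strlen(buf);
        if (line_start) {
            cmd = buf[0];
            data = buf + 1;
        }
        if (cmd == 'L') {
            fputs(data, log);               /* also covers the rest of a long line */
            records += line_start;
        } else if (cmd == 'F') {
            fflush(log);
        } else if (line_start) {
            fprintf(dbg, "daemon: command '%c' read and skipped\n", cmd);
        }
        line_start = (len > 0 && buf[len - 1] == '\n');
    }
    fflush(log);
    return records;
}

/* Replays commands through the loop using temporary files and copies the
 * resulting log text into out. Returns the record count, or -1 on error. */
long replay_commands(const char *commands, char *out, size_t cap)
{
    FILE *in = tmpfile();
    FILE *log = tmpfile();
    long n = -1;
    if (in != NULL && log != NULL && cap > 0) {
        fputs(commands, in);
        rewind(in);
        n = run_log_daemon(in, log, stderr);
        rewind(log);
        out[fread(out, 1, cap - 1, log)] = '\0';
    }
    if (in != NULL) fclose(in);
    if (log != NULL) fclose(log);
    return n;
}

int main(int argc, char **argv)
{
    if (argc > 1) {                         /* daemon mode: argv[1] is the log path */
        FILE *log = fopen(argv[1], "a");
        if (log == NULL) { perror(argv[1]); return 1; }
        run_log_daemon(stdin, log, stderr); /* returns only at EOF on stdin */
        return fclose(log) == 0 ? 0 : 1;
    }
    char out[512];                          /* no argument: replay the sample */
    long n = replay_commands(SAMPLE_COMMANDS, out, sizeof out);
    printf("%ld records:\n%s", n, out);
    return n == 2 ? 0 : 1;
}
```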



[squid-users] custom logfile_daemon causing FATAL error

2018-02-10 Thread Michael D
Greetings all, 
I have been attempting to write my own logfile_daemon for experimental 
purposes, but any daemon I provide causes "FATAL: I don't handle this error 
well". I also see "logfileHandleWrite: daemon:/var/log/squid/access.log: error 
writing ((32) Broken pipe)" with no other errors in the cache.log. I have read 
all possible docs about writing a custom logfile_daemon, but I have had no 
luck. For testing purposes my daemon is just a bash script that creates a file 
and pipes random text to it. The creation of the file/writing text to the file 
works fine, but soon after squid just dies. I have no help from the cache.log 
or squid.out.
The only line I have added to my squid.conf is "logfile_daemon 
/etc/squid/hi.sh". This causes the fatal error. I have also tried explicitly 
setting my access_log directive as well "access_log 
daemon:/var/log/squid/access.log squid", but that still does not work. Thanks 
in advance.
-Mike


Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
Ah. My bad. Correctly Defence in depth:

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)


11.02.2018 02:29, Yuri wrote:
> No. This reason is obviously not strong enough. As by as requirement
> configure firewalls also on servers - whenever they placed. Security in
> depth - did you hear this term?
>
>
> 11.02.2018 02:26, Peng Yu wrote:
>>> What is your reason for wanting "no restrictions"?
>> The proxied servers are behind a firewall already, which protect them
>> from any unwanted access. Is this reason strong enough to have no
>> restrictions set?
>>

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
No. This reason is obviously not strong enough. As by as requirement
configure firewalls also on servers - whenever they placed. Security in
depth - did you hear this term?


11.02.2018 02:26, Peng Yu wrote:
>> What is your reason for wanting "no restrictions"?
> The proxied servers are behind a firewall already, which protect them
> from any unwanted access. Is this reason strong enough to have no
> restrictions set?
>

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Peng Yu
> What is your reason for wanting "no restrictions"?

The proxied servers are behind a firewall already, which protect them
from any unwanted access. Is this reason strong enough to have no
restrictions set?

-- 
Regards,
Peng


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
Yes, confirmed.

When I've replaced int m; and int d; to long m; and long d; - works like
charm.


11.02.2018 01:08, Yuri wrote:
> int m; declaration inside static bool parseBytesOptionValue(size_t *
> bptr, char const * value) ?
>
> If I set it long, as by as int d, seems ok.
>
>
> 11.02.2018 01:04, Alex Rousskov wrote:
>> On 02/10/2018 12:02 PM, Yuri wrote:
>>> 11.02.2018 00:59, Alex Rousskov wrote:
>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>
>>>>> What is correct syntax for -M option?
>>>> The correct syntax is, roughly,
>>>>
>>>>   -M [bytes|KB|MB|GB]
>>> Exactly with space between integer and units?
>> Without anything between integer and units. For example: 2GB
>>
>> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
int m; declaration inside static bool parseBytesOptionValue(size_t *
bptr, char const * value) ?

If I set it long, as by as int d, seems ok.


11.02.2018 01:04, Alex Rousskov wrote:
> On 02/10/2018 12:02 PM, Yuri wrote:
>>
>> 11.02.2018 00:59, Alex Rousskov wrote:
>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>
>>>> What is correct syntax for -M option?
>>> The correct syntax is, roughly,
>>>
>>>   -M [bytes|KB|MB|GB]
>> Exactly with space between integer and units?
> Without anything between integer and units. For example: 2GB
>
> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Alex Rousskov
On 02/10/2018 12:02 PM, Yuri wrote:
> 
> 
> 11.02.2018 00:59, Alex Rousskov wrote:
>> On 02/10/2018 10:03 AM, Yuri wrote:
>>
>>> What is correct syntax for -M option?
>> The correct syntax is, roughly,
>>
>>   -M [bytes|KB|MB|GB]

> Exactly with space between integer and units?

Without anything between integer and units. For example: 2GB

Alex.


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


11.02.2018 00:59, Alex Rousskov wrote:
> On 02/10/2018 10:03 AM, Yuri wrote:
>
>> What is correct syntax for -M option?
> The correct syntax is, roughly,
>
>   -M [bytes|KB|MB|GB]
Exactly with space between integer and units?
>
> with "bytes" as the default unit.
>
> However, you found a bug in the parsing code: The helper mishandles
> values exceeding 2147483647 bytes (on most platforms) due to a signed
> integer overflow in helper's parseBytesOptionValue().
>
> Furthermore, I have not tested it, but I suspect there is at least one
> bug in the mainline parseBytesOptionValue() code as well. Both functions
> should be rewritten (even if the second one "works"), and the correct
> format should be documented (including size limits).
>
>
>> How to correctly specify -M with 2 Gb size?
> You cannot specify that size until the above-mentioned bug is fixed.
>
> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Alex Rousskov
On 02/10/2018 10:03 AM, Yuri wrote:

> What is correct syntax for -M option?

The correct syntax is, roughly,

  -M [bytes|KB|MB|GB]

with "bytes" as the default unit.

However, you found a bug in the parsing code: The helper mishandles
values exceeding 2147483647 bytes (on most platforms) due to a signed
integer overflow in helper's parseBytesOptionValue().

Furthermore, I have not tested it, but I suspect there is at least one
bug in the mainline parseBytesOptionValue() code as well. Both functions
should be rewritten (even if the second one "works"), and the correct
format should be documented (including size limits).


> How to correctly specify -M with 2 Gb size?

You cannot specify that size until the above-mentioned bug is fixed.

Alex.
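
An added example (not Squid's parseBytesOptionValue() and not code from this thread) of the overflow described in the reply above, next to a size parser that detects it: a 2GB product no longer fits a 32-bit signed value, while the checked parser does its arithmetic in an unsigned 64-bit type and refuses anything that will not fit in size_t. The names parse_size_option and product_as_int32, and the 1024-based multipliers, are assumptions made for this illustration.

```c
/* Added example, not Squid's code: an overflow-checked parser for a size
 * option written as <integer>[bytes|KB|MB|GB], nothing between number and
 * unit. Function names and the 1024-based multipliers are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a 32-bit signed result holds after digits * multiplier. The product
 * is formed in 64 bits and cut to its low 32 bits, so the demonstration
 * itself stays free of undefined behaviour. */
int32_t product_as_int32(int32_t digits, int32_t multiplier)
{
    uint64_t wide = (uint64_t)digits * (uint64_t)multiplier;
    return (int32_t)(uint32_t)wide;
}

/* Parses value into *out. Returns false on malformed input, an unknown
 * unit, or a byte count that does not fit in size_t. */
bool parse_size_option(const char *value, size_t *out)
{
    if (value == NULL || out == NULL || !isdigit((unsigned char)value[0]))
        return false;                 /* "", "-1", " 5MB" and "MB" stop here */

    errno = 0;
    char *unit = NULL;
    unsigned long long n = strtoull(value, &unit, 10);
    if (errno == ERANGE)
        return false;                 /* digits alone exceed 64 bits */

    unsigned long long mult;
    if (*unit == '\0' || strcmp(unit, "bytes") == 0)
        mult = 1;
    else if (strcmp(unit, "KB") == 0)
        mult = 1ULL << 10;
    else if (strcmp(unit, "MB") == 0)
        mult = 1ULL << 20;
    else if (strcmp(unit, "GB") == 0)
        mult = 1ULL << 30;
    else
        return false;                 /* unknown unit, or "2 GB" with a space */

    if (n > SIZE_MAX / mult)
        return false;                 /* n * mult would not fit in size_t */
    *out = (size_t)(n * mult);
    return true;
}

int main(void)
{
    /* Constructed inputs mirroring the values tried in the thread. */
    const char *samples[] = { "5MB", "1024MB", "2GB", "5GB", "2 GB" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        if (parse_size_option(samples[i], &bytes))
            printf("%-7s -> %zu bytes\n", samples[i], bytes);
        else
            printf("%-7s -> rejected\n", samples[i]);
    }
    printf("2 * 2^30 stored in int32_t: %d\n", (int)product_as_int32(2, 1 << 30));
    return 0;
}
```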


Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Amos Jeffries
On 11/02/18 06:33, Peng Yu wrote:
> Hi,
> 
> I see the following blog about setting up a reverse proxy using squid.
> 
> http://derpturkey.com/squid-as-a-reverse-proxy/
> 
> But there seem to be more configurations than what I need.
> 
> For example, for the following line, I don't need to restrict the
> access to a specific domain.
> http_port 80 accel defaultsite=www.example.com

The above does not *restrict*. It sets a default value for Squid to use
when the Host header is missing from HTTP requests.


> 
> Instead, any access to the IP of the reverse proxy should be OK. In
> this sense, should I just use the following?
> 
> http_port 80 accel

You can if you want to. But be aware that any clients which omit the
Host header in their requests will be rejected by the proxy with an
error page.


> 
> Also, let's say I have two web servers server1 and server2 to be
> proxied. Since I don't use a domain, I am not sure how Step 3 should
> be adjusted.

By using other types of ACLs in an arrangement which meets your desired
mapping.

Please read the FAQ about how ACLs work. That includes a list of
different ACLs.



So far as you have stated that would be "cache_peer ... allow all".

Which is a very bad idea...

Be aware that the domain based config is itself a security layer to
prevent attackers and certain type of DoS reaching through the proxy to
attack the peers directly with bogus traffic. Using other types of ACLs,
particularly ones leading to "no restriction" like you describe make
your proxy and the origins all at risk for denial of service attacks.


What is your reason for wanting "no restrictions"?
 it could be that you actually need something very different to what you
are asking about.


> 
> I also do not want any restrictions to my reverse proxy. But I am not
> sure how Step 4 should be simplified.
> 
> Could anybody please let me know how to configure squid reverse proxy
> in my simplified scenario?

That tutorial is describing the simplest scenario possible with
multiple peers in a reverse-proxy.

Yours is actually the more complicated scenario since you apparently
need some unusual ACL configuration.


Amos


[squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Peng Yu
Hi,

I see the following blog about setting up a reverse proxy using squid.

http://derpturkey.com/squid-as-a-reverse-proxy/

But there seem to be more configurations than what I need.

For example, for the following line, I don't need to restrict the
access to a specific domain.
http_port 80 accel defaultsite=www.example.com

Instead, any access to the IP of the reverse proxy should be OK. In
this sense, should I just use the following?

http_port 80 accel

Also, let's say I have two web servers server1 and server2 to be
proxied. Since I don't use a domain, I am not sure how Step 3 should
be adjusted.

I also do not want any restrictions to my reverse proxy. But I am not
sure how Step 4 should be simplified.

Could anybody please let me know how to configure squid reverse proxy
in my simplified scenario?

--
Regards,
Peng


Re: [squid-users] Can reverse_proxy be set as a rotating proxy?

2018-02-10 Thread Amos Jeffries
On 11/02/18 05:18, Peng Yu wrote:
> Hi,
> 
> I am not sure what the policy of reverse proxy is in squid. Using the
> notation in this figure, can squid on "proxy" be set to use "web
> servers" one after another for each request (i.e., rotating)? Thanks.
> 


see  for the set of
load balancing algorithms you can configure Squid to use when selecting
upstream peers. The round-robin algorithm is probably what you are wanting.


Amos


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
One more question.

What is correct syntax for -M option? I'm just in doubt. Helper eats -M
5MB, but not -M 1024MB, however eats -M 1 GB.

root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2 GB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5MB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5 MB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1024MB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M
1024 MB
^C

How to correctly specify -M with 2 Gb size?


10.02.2018 22:39, Yuri wrote:
>
> 10.02.2018 22:36, Alex Rousskov wrote:
>> On 02/10/2018 09:23 AM, Yuri wrote:
>>
>>> I can set -M in according FS size, using for store SSL DB, correct?
>> Yes, -M limits the sum of sizes of all (serialized) certificates stored
>> in the helper database. The helper tries to account for the filesystem
>> block size, but I doubt its calculations are very precise.
> Tks for clarifying :)
> Got it. Will correct my configs :-)
>>
>>> dynamic_cert_mem_cache_size is http(s)_port option?
>> Yes, it is. If the needed dynamically-generated certificate is found in
>> the dynamic certificate memory cache, then Squid does not ask the helper
>> to generate that certificate. This in-Squid RAM cache stores raw (not
>> serialized) certificates. As you know, Squid does not compute the size
>> of raw (not serialized) certificates correctly, resulting in bug #4005
>> issues: https://bugs.squid-cache.org/show_bug.cgi?id=4005
> Aha, and in this case helper speed is critical and using helper storage
> on ramdisk will very useful
>> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 22:36, Alex Rousskov wrote:
> On 02/10/2018 09:23 AM, Yuri wrote:
>
>> I can set -M in according FS size, using for store SSL DB, correct?
> Yes, -M limits the sum of sizes of all (serialized) certificates stored
> in the helper database. The helper tries to account for the filesystem
> block size, but I doubt its calculations are very precise.
Tks for clarifying :)
Got it. Will correct my configs :-)
>
>
>> dynamic_cert_mem_cache_size is http(s)_port option?
> Yes, it is. If the needed dynamically-generated certificate is found in
> the dynamic certificate memory cache, then Squid does not ask the helper
> to generate that certificate. This in-Squid RAM cache stores raw (not
> serialized) certificates. As you know, Squid does not compute the size
> of raw (not serialized) certificates correctly, resulting in bug #4005
> issues: https://bugs.squid-cache.org/show_bug.cgi?id=4005
Aha, and in this case helper speed is critical and using helper storage
on ramdisk will very useful
>
> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Alex Rousskov
On 02/10/2018 09:23 AM, Yuri wrote:

> I can set -M in according FS size, using for store SSL DB, correct?

Yes, -M limits the sum of sizes of all (serialized) certificates stored
in the helper database. The helper tries to account for the filesystem
block size, but I doubt its calculations are very precise.


> dynamic_cert_mem_cache_size is http(s)_port option?

Yes, it is. If the needed dynamically-generated certificate is found in
the dynamic certificate memory cache, then Squid does not ask the helper
to generate that certificate. This in-Squid RAM cache stores raw (not
serialized) certificates. As you know, Squid does not compute the size
of raw (not serialized) certificates correctly, resulting in bug #4005
issues: https://bugs.squid-cache.org/show_bug.cgi?id=4005

Alex.


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 22:18, Alex Rousskov wrote:
> On 02/10/2018 06:43 AM, Yuri wrote:
>
>> security_file_certgen uses memory cache to buffer slow
>> disk IO for certificates DB.
> It does not.
Ahhaaa, I just misunderstanding options
>
>
>> If we're put cert DB onto ramdisk (in fact,
>> in RAM), so we're can easy reduce helper -M value.
> security_file_certgen -M is the helper database size, not the
> buffer/cache size.
Ah. Got it. I.e., I can set -M in according FS size, using for store SSL
DB, correct?
>
> The buffer/cache you might be thinking about is inside Squid, not inside
> the helper. See dynamic_cert_mem_cache_size. dynamic_cert_mem_cache_size
> is not related to -M.
Tks, Alex. But wait,

dynamic_cert_mem_cache_size

is http(s)_port option?

>
>
> HTH,
>
> Alex.

-- 
*
* C++20 : Bug to the future *
*






Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
How Cache-Control related to hide client info?

10.02.2018 21:49, Peng Yu wrote:
> If I don't use the proxy, I will have the following.
>
> The proxied result has '"Cache-Control": "max-age=259200"'. To disable
> it, should I use ignore-cc. Could you show me how to configure squid
> to not send '"Cache-Control": "max-age=259200"'? Thanks.
>
> $ wget -qO- http://httpbin.org/get
> {
>   "args": {},
>   "headers": {
>     "Accept": "*/*",
>     "Accept-Encoding": "identity",
>     "Connection": "close",
>     "Host": "httpbin.org",
>     "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>   },
>   "origin": "",
>   "url": "http://httpbin.org/get"
> }
>
>
> On Sat, Feb 10, 2018 at 9:23 AM, Yuri  wrote:
>> Opening squid.conf.documented:
>>
>> #  TAG: forwarded_for    on|off|transparent|truncate|delete
>> #    If set to "on", Squid will append your client's IP address
>> #    in the HTTP requests it forwards. By default it looks like:
>> #
>> #        X-Forwarded-For: 192.1.2.3
>> #
>> #    If set to "off", it will appear as
>> #
>> #        X-Forwarded-For: unknown
>> #
>> #    If set to "transparent", Squid will not alter the
>> #    X-Forwarded-For header in any way.
>> #
>> #    If set to "delete", Squid will delete the entire
>> #    X-Forwarded-For header.
>> #
>> #    If set to "truncate", Squid will remove all existing
>> #    X-Forwarded-For entries, and place the client IP as the sole entry.
>> #Default:
>> # forwarded_for on
>>
>>
>> 10.02.2018 21:04, Peng Yu wrote:
>>> Hi,
>>>
>>> I use squid to set a proxy. But the following output shows my local ip
>>> address besides the squid proxy ip. Is there a way to let httpbin.org
>>> only be aware of the squid_proxy but not my local ip?
>>>
>>> $ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
>>> {
>>>   "args": {},
>>>   "headers": {
>>>     "Accept": "*/*",
>>>     "Accept-Encoding": "identity",
>>>     "Cache-Control": "max-age=259200",
>>>     "Connection": "close",
>>>     "Host": "httpbin.org",
>>>     "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>>>   },
>>>   "origin": ", ",
>>>   "url": "http://httpbin.org/get"
>>> }
>>>
>>>
>> --
>> *
>> * C++20 : Bug to the future *
>> *
>>
>>
>>
>>
>
>

-- 
*
* C++20 : Bug to the future *
*






[squid-users] Can reverse_proxy be set as a rotating proxy?

2018-02-10 Thread Peng Yu
Hi,

I am not sure what the policy of reverse proxy is in squid. Using the
notation in this figure, can squid on "proxy" be set to use "web
servers" one after another for each request (i.e., rotating)? Thanks.

https://upload.wikimedia.org/wikipedia/commons/6/67/Reverse_proxy_h2g2bob.svg

-- 
Regards,
Peng


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Alex Rousskov
On 02/10/2018 06:43 AM, Yuri wrote:

> security_file_certgen uses memory cache to buffer slow
> disk IO for certificates DB.

It does not.


> If we're put cert DB onto ramdisk (in fact,
> in RAM), so we're can easy reduce helper -M value.

security_file_certgen -M is the helper database size, not the
buffer/cache size.

The buffer/cache you might be thinking about is inside Squid, not inside
the helper. See dynamic_cert_mem_cache_size. dynamic_cert_mem_cache_size
is not related to -M.


HTH,

Alex.


Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
Opening squid.conf.documented:

#  TAG: forwarded_for    on|off|transparent|truncate|delete
#    If set to "on", Squid will append your client's IP address
#    in the HTTP requests it forwards. By default it looks like:
#
#        X-Forwarded-For: 192.1.2.3
#
#    If set to "off", it will appear as
#
#        X-Forwarded-For: unknown
#
#    If set to "transparent", Squid will not alter the
#    X-Forwarded-For header in any way.
#
#    If set to "delete", Squid will delete the entire
#    X-Forwarded-For header.
#
#    If set to "truncate", Squid will remove all existing
#    X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on


10.02.2018 21:04, Peng Yu wrote:
> Hi,
>
> I use squid to set a proxy. But the following output shows my local ip
> address besides the squid proxy ip. Is there a way to let httpbin.org
> only be aware of the squid_proxy but not my local ip?
>
> $ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
> {
>   "args": {},
>   "headers": {
>     "Accept": "*/*",
>     "Accept-Encoding": "identity",
>     "Cache-Control": "max-age=259200",
>     "Connection": "close",
>     "Host": "httpbin.org",
>     "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>   },
>   "origin": ", ",
>   "url": "http://httpbin.org/get"
> }
>
>

-- 
*
* C++20 : Bug to the future *
*






[squid-users] How to hide client info?

2018-02-10 Thread Peng Yu
Hi,

I use squid to set a proxy. But the following output shows my local ip
address besides the squid proxy ip. Is there a way to let httpbin.org
only be aware of the squid_proxy but not my local ip?

$ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "identity",
    "Cache-Control": "max-age=259200",
    "Connection": "close",
    "Host": "httpbin.org",
    "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
  },
  "origin": ", ",
  "url": "http://httpbin.org/get"
}


-- 
Regards,
Peng


Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 13:30, Amos Jeffries wrote:
> On 10/02/18 12:55, Yuri wrote:
>> Amos,
>>
>> how do you think - if I'll put SSL db (usually places in
>> /var/lib/ssl_db) on ramdisk, does this give some gain for bump performance?
>>
> I expect so, but do not use bumping myself so cannot say for certain.
Ok, will do tests.
>
>> How reasonable to do that?
>>
>> Also, I think, doing that,  I can reduce in memory cache size for
>> security_file_certgen helper.
>>
>> How do you think?
> I don't think it will have any effect on that. The size of the DB
> content does not related to *where* it is stored.
No-no. I mean, security_file_certgen uses memory cache to buffer slow
disk IO for certificates DB. If we're put cert DB onto ramdisk (in fact,
in RAM), so we're can easy reduce helper -M value. Correct?
>
>
> Amos

-- 
*
* C++20 : Bug to the future *
*



