Re: [squid-users] Problems with websockets

2021-06-08 Thread Alex Rousskov
On 6/8/21 11:55 AM, Alex Irmel Oviedo Solis wrote:
> I have been trying to do it by placing the rules from line 86
> to line 91 in squid.conf

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/etc/squid/acl.url.nobump"

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

I wonder if your acl.url.nobump regexes do not match step2 CONNECT URIs.
The current cache.log snippet does not show that detail. Consider
posting more detailed logs that show ACL matching attempts (e.g., "ALL,3
28,7"?).

Alex.


> On Tue, 8 Jun 2021 at 10:45, Alex Rousskov
> (rouss...@measurement-factory.com) wrote:
>
> On 6/8/21 11:36 AM, Alex Irmel Oviedo Solis wrote:
> > Hello all, I'm having problems with squid 4.11 on RHEL 8.4. I was trying
> > to access WhatsApp with no luck, but I'm currently testing with
> > https://www.websocket.org/echo.html, the errors in both cases are
>
> > http.cc(723) processReplyHeader: HTTP Server RESPONSE:
> > HTTP/1.1 400 WebSocket Upgrade Failure
> 
> Squid v4 does not fully support HTTP Upgrade (it drops it). You should
> splice connections to websocket services or use
> http_upgrade_request_protocols available in Squid v5.
> 
> HTH,
> 
> Alex.
> P.S. Thank you for providing detailed triage information!
> 
> 
> > My squid.conf is in https://paste.centos.org/view/b98e8510
> > My cache.log is in https://paste.centos.org/view/a2b6ac81
> > My access.log is in https://paste.centos.org/view/eef2180a
> 
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> 
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 
> 
> -- 
> "A joy shared becomes a double joy; a sorrow
> shared, half a sorrow."
> --> http://www.alexove.me
> --> Mobile (Movistar): +51-959-625-001
> --> Follow me on Twitter: http://twitter.com/alexove_pe
> --> Profile: http://fedoraproject.org/wiki/user:alexove
> 



Re: [squid-users] TCP Connection to parent failed

2021-06-08 Thread Alex Rousskov
On 6/8/21 7:43 AM, Frank Schichterich wrote:

> I am running multiple squid servers in our company. We have around 5k
> current connections per proxy during work hours.
> I recently switched two servers from Squid 3.5.28 to Squid 4.15.
> 
> The moment I did this my cache.log got filled with "TCP connection to
> parent-proxy.de/80 failed"
> entries. Approximately 50 entries per hour. But the proxy seems to run
> normally.
> The proxies running with version 3.5.28 don't show any TCP connection
> errors (to the exact same parent proxy).

Squid v3 does not log a lot of things that newer Squids log. However,
the message in question is present in v3.5 as well, which increases the
probability (but does not guarantee) that you are dealing with a problem
that should be addressed rather than ignored.


> I don't have any information about the parent proxies. They are part of
> our "provider".


> Is there anything I can do / change?

Probably. I recommend these steps:

  1. Figure out _why_ these connections fail.
  2. Either fix the problem or quell the messages about it.

The first step probably requires analyzing debugging cache.logs and/or
packet traces to determine the reason behind those closures. It could be
idle connection timeouts, capacity limits, access control violations, or
even Squid bugs.


HTH,

Alex.


Re: [squid-users] Problems with websockets

2021-06-08 Thread Alex Irmel Oviedo Solis
Precisely, I have been trying to do it by placing the rules from line 86 to
line 91 in squid.conf

On Tue, 8 Jun 2021 at 10:45, Alex Rousskov (
rouss...@measurement-factory.com) wrote:

> On 6/8/21 11:36 AM, Alex Irmel Oviedo Solis wrote:
> > Hello all, I'm having problems with squid 4.11 on RHEL 8.4. I was trying
> > to access WhatsApp with no luck, but I'm currently testing with
> > https://www.websocket.org/echo.html, the errors in both cases are
>
> > http.cc(723) processReplyHeader: HTTP Server RESPONSE:
> > HTTP/1.1 400 WebSocket Upgrade Failure
>
> Squid v4 does not fully support HTTP Upgrade (it drops it). You should
> splice connections to websocket services or use
> http_upgrade_request_protocols available in Squid v5.
>
> HTH,
>
> Alex.
> P.S. Thank you for providing detailed triage information!
>
>
> > My squid.conf is in https://paste.centos.org/view/b98e8510
> > My cache.log is in https://paste.centos.org/view/a2b6ac81
> > My access.log is in https://paste.centos.org/view/eef2180a




Re: [squid-users] Problems with websockets

2021-06-08 Thread Alex Rousskov
On 6/8/21 11:36 AM, Alex Irmel Oviedo Solis wrote:
> Hello all, I'm having problems with squid 4.11 on RHEL 8.4. I was trying
> to access WhatsApp with no luck, but I'm currently testing with
> https://www.websocket.org/echo.html, the errors in both cases are

> http.cc(723) processReplyHeader: HTTP Server RESPONSE:
> HTTP/1.1 400 WebSocket Upgrade Failure

Squid v4 does not fully support HTTP Upgrade (it drops it). You should
splice connections to websocket services or use
http_upgrade_request_protocols available in Squid v5.

HTH,

Alex.
P.S. Thank you for providing detailed triage information!


> My squid.conf is in https://paste.centos.org/view/b98e8510
> My cache.log is in https://paste.centos.org/view/a2b6ac81
> My access.log is in https://paste.centos.org/view/eef2180a


[squid-users] Problems with websockets

2021-06-08 Thread Alex Irmel Oviedo Solis
Hello all, I'm having problems with squid 4.11 on RHEL 8.4. I was trying to
access WhatsApp with no luck, but I'm currently testing with
https://www.websocket.org/echo.html, the errors in both cases are the same
(400 Bad Request).

My squid.conf is in https://paste.centos.org/view/b98e8510
My cache.log is in https://paste.centos.org/view/a2b6ac81
My access.log is in https://paste.centos.org/view/eef2180a

Thanks in advance



Re: [squid-users] tarpit, silent-drop vs. DDoS ?

2021-06-08 Thread Alex Rousskov
On 6/8/21 9:43 AM, Jim Freeman wrote:
> I've scoured docs and Google for DDoS/security mechanisms, and hope I
> have the lay of the land.
> 
> But I've not yet seen anything mentioned like HAProxy's
> tarpit/silent-drop mechanisms :
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20tarpit
>  ... blocks the request without responding for a delay specified ...
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20silent-drop
>  ... can resist much higher loads than "tarpit", and slow down
> stronger attackers. ...
> 
> Does anyone have these kinds of countermeasures in play with squid ?

Squid supports resetting the TCP connection instead of delivering an
error page (look for "TCP_RESET" and "ssl_bump terminate" in
squid.conf.documented). An artificial delay can be created by a simple
external ACL (and, if such delays are popular, we can add a new built-in
ACL type). In your particular use case, the http_access directive can
probably be used to tie TCP_RESET and delay logic together.

Alex.

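The delay-then-reset approach described in the reply above, as an added example that is not part of the thread or of Squid itself: a helper speaking the external ACL line protocol that holds each request before reporting a match. The helper path, ACL names, address range and delay are assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a delaying external ACL helper for Squid.

Assumed squid.conf wiring (ACL names, path and numbers are placeholders):

    external_acl_type tarpit ttl=0 negative_ttl=0 concurrency=50 %SRC /usr/local/bin/tarpit_helper.py
    acl suspects src 203.0.113.0/24
    acl slow_down external tarpit
    http_access deny suspects slow_down
    deny_info TCP_RESET slow_down

ttl=0 stops Squid from caching the verdict, so every matching request waits.
"""
import sys
import threading
import time

DELAY_SECONDS = 5.0  # assumption: how long a matched request is held


def parse_request(line):
    """Return (channel_id, payload) for one helper request line.

    With concurrency=N Squid prefixes each request with a numeric channel ID
    that must be echoed back; without it the line is just the payload.
    """
    fields = line.strip().split(None, 1)
    if fields and fields[0].isdigit():
        return fields[0], fields[1] if len(fields) > 1 else ""
    return None, line.strip()


def answer(line, delay=DELAY_SECONDS, sleep=time.sleep):
    """Wait `delay` seconds, then report a match so the deny rule fires."""
    channel, _client_ip = parse_request(line)
    sleep(delay)
    return "OK" if channel is None else f"{channel} OK"


def serve(requests, out, delay=DELAY_SECONDS, sleep=time.sleep):
    """Answer each request on its own thread so one delay never blocks another."""
    lock = threading.Lock()
    workers = []

    def work(line):
        reply = answer(line, delay, sleep)
        with lock:  # keep replies from interleaving on the pipe
            out.write(reply + "\n")
            out.flush()

    for line in requests:
        if not line.strip():
            continue
        worker = threading.Thread(target=work, args=(line,), daemon=True)
        worker.start()
        workers.append(worker)
    for worker in workers:  # input closed: Squid is shutting the helper down
        worker.join()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Each held request keeps a client connection and a helper channel busy on the proxy for the whole delay, so size the delay and the concurrency value with Squid's own descriptor limits in mind.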

Re: [squid-users] Squid modification to only read client SNI without bumping.

2021-06-08 Thread Alex Rousskov
On 6/8/21 7:36 AM, squ...@treenet.co.nz wrote:

> The way I think to approach it though is to start with the
> configuration parser.

That starting point does not compute for me. We do need to agree on how
to configure this feature, but parsing any resulting Squid configuration
ought to be very straightforward. Perhaps you have meant "TLS
ClientHello parser", but Squid already has that.


> A simple peek-splice/terminate TLS traffic flow
> should not need certificates set up by admin.

Squid already does not generate/use certificates for splicing or
terminating connections. In splice-or-terminate use cases, the
certificates come into play only when delivering _errors_. A feature to
prevent bumping for error delivery (and remove any configuration
requirements for CA certificate) should be welcomed IMO.

Please drop squid-users if responding to this email.

Alex.


[squid-users] tarpit, silent-drop vs. DDoS ?

2021-06-08 Thread Jim Freeman
I've scoured docs and Google for DDoS/security mechanisms, and hope I
have the lay of the land.

But I've not yet seen anything mentioned like HAProxy's
tarpit/silent-drop mechanisms :
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20tarpit
 ... blocks the request without responding for a delay specified ...
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20silent-drop
 ... can resist much higher loads than "tarpit", and slow down
stronger attackers. ...

Does anyone have these kinds of countermeasures in play with squid ?
[ I'm using squid 3.5.20 ]

Thanks,
...jfree


Re: [squid-users] Squid modification to only read client SNI without bumping.

2021-06-08 Thread His Shadow
Could you direct me to those scripts? Also, am I understanding
correctly that in this mode:
acl blocklist dstdomain ...

ssl_bump peek all
ssl_bump splice blocklist
ssl_bump terminate all

I will only need certs to display an error page from squid via ssl,
but unblocked domains should be just fine?
I think it should be
ssl_bump splice !blocklist
Since blocklist is the list of domains that needs blocking, so we
don't need to splice them. Oh, and one more thing, wouldn't dstdomain
match something that was sent in the CONNECT request itself, instead
of the SNI in the client hello if it is present?

-- 
HisShadow


Re: [squid-users] Internet is Slow Thru squid proxy server

2021-06-08 Thread squid3

On 2021-06-08 23:34, Avinash . wrote:

> Dear team, I am using a squid proxy server for 100+ users, but
> Internet speed is very slow. I tried many methods/options but am still not
> able to resolve the issue.
>
> Please find the attached config file & squidclient mgr: info file for
> reference.

The mgr:info log says Squid started less than a minute ago and served
149 requests total. That is not sufficient time nor traffic to tell how
fast the proxy is.

Perhaps you should tell us what you have tried, and what results that
produced (no matter how small a change).


Amos


[squid-users] TCP Connection to parent failed

2021-06-08 Thread Frank Schichterich
Hello Squid users,

I am running multiple squid servers in our company. We have around 5k
current connections per proxy during work hours.
I recently switched two servers from Squid 3.5.28 to Squid 4.15.

The moment I did this my cache.log got filled with "TCP connection to
parent-proxy.de/80 failed" entries. Approximately 50 entries per hour. But
the proxy seems to run normally.
The proxies running with version 3.5.28 don't show any TCP connection errors
(to the exact same parent proxy).

I don't have any information about the parent proxies. They are part of our
"provider".

Is there anything I can do / change?

Greetings Frank


Re: [squid-users] Squid modification to only read client SNI without bumping.

2021-06-08 Thread squid3

On 2021-06-08 22:51, His Shadow wrote:

> Greetings. I've been trying to make a patch for squid,

Code changes should be discussed on the squid-dev mailing list.

FWIW, we (Squid devs) have already discussed this functionality change
and I have a TODO list entry (far down sadly) of supporting your
use-case. The way I think to approach it though is to start with the
configuration parser. A simple peek-splice/terminate TLS traffic flow
should not need certificates set up by admin.

If you want to pick up that TODO item please contact squid-dev to plan
out the actual best approach with the other dev working on Squid crypto
code.

Patch submission should be done by submitting a github PR targeted at
our repository 'master' branch.

> so that it
> could read client hello on connect requests and set the SNI without
> using ssl_bump, as that requires generating certificates and is too
> complicated for my needs.

Should not be too complicated. We have test scripts available that can
generate fake cert and CA for the *_port config settings. Or snakeoil
certs can be used.


Apart from the port settings what your patch does is just this:


 acl blocklist dstdomain ...

 ssl_bump peek all
 ssl_bump splice blocklist
 ssl_bump terminate all



Amos


[squid-users] Internet is Slow Thru squid proxy server

2021-06-08 Thread Avinash .
Dear team, I am using a squid proxy server for 100+ users, but
Internet speed is very slow. I tried many methods/options but am still not
able to resolve the issue.

Please find the attached config file & squidclient mgr: info file for
reference.


-- 

Thanks and Regards,


Avinash

Officer IT

IndianOil LNG Pvt Ltd.,

Tel: 044 2796 4593


squidclient mgr:info
HTTP/1.1 200 OK
Server: squid/4.10
Mime-Version: 1.0
Date: Tue, 08 Jun 2021 10:41:24 GMT
Content-Type: text/plain;charset=utf-8
Expires: Tue, 08 Jun 2021 10:41:24 GMT
Last-Modified: Tue, 08 Jun 2021 10:41:24 GMT
X-Cache: MISS from iolpl-Virtual-Machine
X-Cache-Lookup: MISS from iolpl-Virtual-Machine:3128
Via: 1.1 iolpl-Virtual-Machine (squid/4.10)
Connection: close

Squid Object Cache: Version 4.10
Build Info: Ubuntu linux
Service Name: squid
Start Time: Tue, 08 Jun 2021 10:40:49 GMT
Current Time: Tue, 08 Jun 2021 10:41:24 GMT
Connection information for squid:
Number of clients accessing cache: (client_db off)
Number of HTTP requests received: 149
Number of ICP messages received: 0
Number of ICP messages sent: 0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Request failure ratio: 0.00
Average HTTP requests per minute since start: 261.7
Average ICP messages per minute since start: 0.0
Select loop called: 18746 times, 1.823 ms avg
Cache information for squid:
Hits as % of all requests: 5min: 0.0%, 60min: 0.0%
Hits as % of bytes sent: 5min: -0.0%, 60min: -0.0%
Memory hits as % of hit requests: 5min: 0.0%, 60min: 0.0%
Disk hits as % of hit requests: 5min: 0.0%, 60min: 0.0%
Storage Swap size: 10544 KB
Storage Swap capacity: 0.3% used, 99.7% free
Storage Mem size: 216 KB
Storage Mem capacity: 0.0% used, 100.0% free
Mean Object Size: 24.93 KB
Requests given to unlinkd: 0
Median Service Times (seconds) 5 min 60 min:
HTTP Requests (All): 0.0 0.0
Cache Misses: 0.0 0.0
Cache Hits: 0.0 0.0
Near Hits: 0.0 0.0
Not-Modified Replies: 0.0 0.0
DNS Lookups: 0.0 0.0
ICP Queries: 0.0 0.0
Resource usage for squid:
UP Time: 34.168 seconds
CPU Time: 0.622 seconds
CPU Usage: 1.82%
CPU Usage, 5 minute avg: 0.00%
CPU Usage, 60 minute avg: 0.00%
Maximum Resident Size: 120752 KB
Page faults with physical i/o: 0
Memory accounted for:
Total accounted: 2809 KB
memPoolAlloc calls: 1157
memPoolFree calls: 27502
File descriptor usage for squid:
Maximum number of file descriptors: 4096
Largest file desc currently in use: 273
Number of file desc currently in use: 266
Files queued for open: 0
Available number of file descriptors: 3830
Reserved number of file descriptors: 100
Store Disk files open: 0
Internal Data Structures:
476 StoreEntries
53 StoreEntries with MemObjects
0 Hot Object Cache Items
423 on-disk objects


[squid-users] Squid modification to only read client SNI without bumping.

2021-06-08 Thread His Shadow
Greetings. I've been trying to make a patch for squid, so that it
could read client hello on connect requests and set the SNI without
using ssl_bump, as that requires generating certificates and is too
complicated for my needs. Here's the patch I've come up with. It seems
to be working, but I'm getting a bunch of connections in CLOSE_WAIT
state after using it under load. I can't seem to reproduce it locally,
but I bet I don't know something, or did something wrong. Can anyone
code check this patch, please? Also, not sure if it's the correct
place to post this. The patch is applicable to the latest release in
4.x series - 4.15.

-- 
HisShadow
diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index b696ffc..e5fbc2d 100644
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -365,6 +365,7 @@ public:
 acl_access *sendHit;
 acl_access *storeMiss;
 acl_access *stats_collection;
+acl_access *banned_domains;
 #if SQUID_SNMP
 
 acl_access *snmp;
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 4aef432..3250545 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -10157,4 +10157,13 @@ DOC_START
 		server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
 DOC_END
 
+NAME: banned_domains
+TYPE: acl_access
+DEFAULT: none
+DEFAULT_DOC: Banned domains.
+LOC: Config.accessList.banned_domains
+DOC_START
+	Banned domains.
+DOC_END
+
 EOF
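Review bot: The DOC_START text for banned_domains in the added cf.data.pre entry only repeats the directive name ("Banned domains."), and DEFAULT_DOC says the same thing instead of describing the default behaviour. Document what the rule list is evaluated against (the SNI read from the ClientHello, per the patch description), what an allow or deny match does to the tunnel, and what happens when the directive is unset. The name also reads as a list of domains while TYPE is acl_access; a name that reflects the action taken would be clearer.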
diff --git a/src/client_side.h b/src/client_side.h
index 9fe8463..a1b861e 100644
--- a/src/client_side.h
+++ b/src/client_side.h
@@ -120,6 +120,8 @@ public:
  */
 void setAuth(const Auth::UserRequest::Pointer , const char *cause);
 #endif
+/// TLS client delivered SNI value. Empty string if none has been received.
+SBuf tlsClientSni_;
 
 Ip::Address log_addr;
 
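Review bot: Moving tlsClientSni_ out of the private section (second hunk, next to sslCommonName_) into the public one exposes a writable data member, still carrying its trailing-underscore private naming, to every caller. Keep the member private and add a small const accessor (plus a setter if tunnel.cc has to assign it), so the SNI cannot be overwritten from outside the class after it has been used in an access decision.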
@@ -413,8 +415,6 @@ private:
 unsigned short tlsConnectPort; ///< The TLS server port number as passed in the CONNECT request
 SBuf sslCommonName_; ///< CN name for SSL certificate generation
 
-/// TLS client delivered SNI value. Empty string if none has been received.
-SBuf tlsClientSni_;
 SBuf sslBumpCertKey; ///< Key to use to store/retrieve generated certificate
 
 /// HTTPS server cert. fetching state for bump-ssl-server-first
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 217e947..6a015ca 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -79,6 +79,7 @@ public:
 static void ReadServer(const Comm::ConnectionPointer &, char *buf, size_t len, Comm::Flag errcode, int xerrno, void *data);
 static void WriteClientDone(const Comm::ConnectionPointer &, char *buf, size_t len, Comm::Flag flag, int xerrno, void *data);
 static void WriteServerDone(const Comm::ConnectionPointer &, char *buf, size_t len, Comm::Flag flag, int xerrno, void *data);
+static void CloseConnections(const Comm::ConnectionPointer &, char *buf, size_t len, Comm::Flag flag, int xerrno, void *data);
 
 /// Starts reading peer response to our CONNECT request.
 void readConnectResponse();
@@ -177,6 +178,10 @@ public:
 SBuf preReadServerData;
 time_t startTime; ///< object creation time, before any peer selection/connection attempts
 
+SBuf tlsData;
+size_t tlsBodySize, tlsAlreadyRead, tlsHeaderLeftToRead;
+bool tlsFirstByteChecked;
+
 void copyRead(Connection , IOCB *completion);
 
 /// continue to set up connection to a peer, going async for SSL peers
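Review bot: The new members tlsBodySize, tlsAlreadyRead, tlsHeaderLeftToRead and tlsFirstByteChecked are plain size_t and bool fields declared without initializers, and no constructor change is visible in this patch. Give them in-class defaults (for example `size_t tlsBodySize = 0;` and `bool tlsFirstByteChecked = false;`) so the ClientHello parsing state is never read uninitialized, and add a /// comment for each in the style of startTime above.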
@@ -224,6 +229,7 @@ public:
 void readConnectResponseDone(char *buf, size_t len, Comm::Flag errcode, int xerrno);
 void copyClientBytes();
 void copyServerBytes();
+void copyAlert();
 };
 
 static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
@@ -872,11 +878,13 @@ static void
 tunnelStartShoveling(TunnelStateData *tunnelState)
 {
 assert(!tunnelState->waitingForConnectExchange());
+if (!tunnelState->tlsData.isEmpty()) {
+tunnelState->tlsData.consume();
+}
 *tunnelState->status_ptr = Http::scOkay;
 if (tunnelState->logTag_ptr)
 *tunnelState->logTag_ptr = LOG_TCP_TUNNEL;
 if (cbdataReferenceValid(tunnelState)) {
-
 // Shovel any payload already pushed into reply buffer by the server response
 if (!tunnelState->server.len)
 tunnelState->copyServerBytes();
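Review bot: In tunnelStartShoveling(), tlsData.consume() throws away whatever ClientHello bytes are still buffered, and nothing in this hunk shows that they were already written to the server; if any remain unsent at this point, the spliced handshake is corrupted. Add a comment naming where those bytes are forwarded, or assert that the forwarding has completed before discarding them. The removed blank line after `if (cbdataReferenceValid(tunnelState)) {` is an unrelated whitespace change and should be dropped from the patch.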
@@ -895,6 +903,248 @@ tunnelStartShoveling(TunnelStateData *tunnelState)
 }
 }
 
+static bool isSNICompatible(SBuf ) {
+if (((uint8_t)header[0] & 0x80) && header[2] == 1) {
+return false;
+}
+
+if (header[1] < 3) {
+return false;
+}
+return true;
+}
+
+void
+TunnelStateData::CloseConnections(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag, int, void *data) {
+TunnelStateData *tunnelState = (TunnelStateData *)data;
+CbcPointer safetyLock(tunnelState);
+
+if (Comm::IsConnOpen(tunnelState->client.conn))
+tunnelState->client.conn->close();
+
+if (Comm::IsConnOpen(tunnelState->server.conn))
+tunnelState->server.conn->close();
+}
+
+// 
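Review bot: isSNICompatible() reads header[0], header[1] and header[2] without checking that the buffer holds at least three bytes, and this data comes straight from the client. Check the length first and return false when it is shorter than three. The constants 0x80, 1 and 3 need names or a comment stating which record format and version they test. In CloseConnections(), the C-style cast `(TunnelStateData *)data` should be a static_cast, and since the post reports sockets left in CLOSE_WAIT, the paths that schedule this callback are the place to check that both sides get closed when either peer closes first; the patch text ends before those paths are visible.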

Re: [squid-users] about Kerberos Auth and LDAP Auth

2021-06-08 Thread squid3

On 2021-06-08 16:05, m k wrote:

> Hi all,
>
> Thank you for always helping me with my difficulties.
> With your help I am able to complete the proxy. Please help me again
> this time.
>
> I want to configure my squid authentication as follows.
>
> Try single sign-on for squid with Kerberos authentication.
>
> Squid will try authentication with LDAP.

Please be aware these are three very different *types* of thing.

 * "Single-Sign On" just means that the client re-sends the *same
credentials* to all types of service. Any auth type can be "single-sign
on" if the client supports it, and this has nothing to do with the
service(s).

 * Kerberos is an authentication mechanism.

 * LDAP is a database management protocol (like SQL).

> Unfortunately, when Kerberos authentication fails, it retries Kerberos
> authentication.
> I want squid to work so that if Kerberos authentication fails, it will
> try LDAP authentication next.


"LDAP authentication" does not mean what you think.

What squid.conf settings do you have?


Amos


Re: [squid-users] Limiting Connections & MySQL through SSH Tunnel

2021-06-08 Thread squid3

On 2021-06-08 00:04, Grails UK wrote:

> Hello,
> I hope you are well. I have two questions:
>
> 1. Is there any easy way to limit concurrent connections by a single
> squid user or the local IP the client connected to.

What are you trying to achieve that makes you think of doing that?

> 2. Our MySQL database is currently only accessible from our local
> server on PythonAnywhere and any external access has to be done via an
> SSH Tunnel, is there any way to SSH tunnel when using the
> basic_db_auth or log_db_daemon?

Getting TCP/IP data to travel over SSH protocol tunnels is an OS routing
detail.




Amos