Re: [squid-users] Squid scales up tcp traffic to adsl users

2023-12-29 Thread Amos Jeffries‬
This may be normal. A proxy cache like Squid moves objects closer to the clients, reduces upstream traffic and multiplexes transactions. All of which increase the traffic bandwidth efficiency, allowing clients to receive their downloaded content faster, and thus users can browse through more pages faster. This type of user traffic increase can be just the result of users doing more.

Notice that the WAN/eth0 traffic has decreased by ~30% despite this LAN increase.

You can check that the Hit Ratio in the squid mgr:info report lines up with the increased efficiency.

Cheers,
Amos

 Original message 
From: Ben Goz
Date: Mon, 25 Dec 2023, 04:11

Hi,

This is basically the network topology that I'm using:

adsl <--> vrf <--> [squid/icap machine] <--> vrf <-->

When traffic goes via squid I see that eth1 (the one closest to the adsl users) is very high. This is from the sar output:

Average:        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
Average:           lo   4191.83   4191.83  16976.00  16976.00      0.00      0.00      0.00      0.00
Average:         eth0   2921.48   1224.57   3432.46    485.77      0.00      0.00      0.00      0.28
Average:         eth1   7558.70  11544.74    920.91  14447.44      0.00      0.00      0.00      1.18

When traffic doesn't go via squid this is the output:

Average:        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
Average:           lo     19.10     19.10      2.25      2.25      0.00      0.00      0.00      0.00
Average:         eth0   3666.40   2133.70   4608.70    409.59      0.00      0.00      0.00      0.38
Average:         eth1   2213.40   3741.10    424.38   4613.08      0.00      0.00      0.00      0.38

I can't tell for sure that this is related, but I saw several times the kernel prints:

TCP: out of memory -- consider tuning tcp_mem

The squid version I'm using is:

/usr/local/squid/sbin/squid -v
Squid Cache: Version 6.5-VCS
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:  '--with-large-files' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter' '--disable-ident-lookups'

And I turned off persistence for client, icap and server sessions.

What could be the problem?

Thanks,
Ben
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] e-CAP future development

2023-01-02 Thread Amos Jeffries‬
Not sure what you are expecting to see. libecap just contains an API for passing HTTP message pieces between applications. HTTP high-level message structure has not changed since 2014. There is no reason for libecap to have changed.

Amos


Re: [squid-users] Globally new in Squid since 2012

2022-11-04 Thread Amos Jeffries‬
That is a question with a very long answer. You are best reading the release notes (at least the titles from the index of major changes), the latest document for each Squid-3.x, 4 and 5 release series. You can find those on the website under

As for GUI, I'm not sure what you have been told. The only UI tool I am aware of being made by the "core dev team" is  by Francesco and myself. That is a demonstration prototype of what the modern Squid CacheManager API is capable of. Downstream vendors like Apple have created other GUI tools, but they don't count as from "the Squid dev team" per se.

Amos

 Original message 
From: Pavel Prokhorov
Date: Sat, 5 Nov 2022, 00:04
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Globally new in Squid since 2012

Good afternoon!

Gentlemen, could You briefly explain: what is globally new in Squid since 2012 (when I last configured proxies)?

Someone told me that now there are some gui tools for managing etc from the developers themselves and other amazing features (not from 3rd-party companies)??

Sorry if offtopic.

-- 
Best regards, Pavel Prokhorov                          mailto:cybers...@gmx.com


Re: [squid-users] override the "combined" logformat

2022-06-30 Thread Amos Jeffries‬
The built-in log formats have a specification for what each column contains and are hard coded to comply with that. You cannot "override" them.

What you should do is make up your own name for custom formats. Like you did with "test".

Amos


Re: [squid-users] Squid caching webpages now days?

2021-08-01 Thread Amos Jeffries‬
Leonardo, it sounds like your decades-ago decision was before squid gained full HTTP/1.1 caching ability. 1.0-only abilities are almost useless today.

Are you at least still using memory cache? That is squid configured without cache_dir but also without a "cache deny" rule.

Amos

 Original message 
From: Leonardo Rodrigues
Date: Mon, 2 Aug 2021, 06:50
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid caching webpages now days?

On 31/07/2021 22:48, Periko Support wrote:
> Hello guys.
>
> With today's ISP's speed increasing, is squid cache (caching web
> pages) nowadays a good option?
>
> I have some customers that want to set up a cache server, but I have
> doubts about how much traffic will be saved, with most of the web sites
> running under https.
>
> I use squid+sg acl features.
>
> But for me, caching is not a bandwidth saving tool anymore.
>

    Of course, my experience is just MY experience and others might be completely different ones :) Speaking for myself, and for some small to medium sized customer networks I manage, caching is disabled for more than a decade now. Squid is still VERY useful for applying controls and logging, but not caching.

-- 
	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br
	My SPAM trap, do NOT send email
	gertru...@solutti.com.br
	My SPAMTRAP, do not email it


Re: [squid-users] Squid caching webpages now days?

2021-08-01 Thread Amos Jeffries‬
ISP speed has no effect on traffic cacheability.

HTTPS does have some effect depending on how much of the clients' traffic is using it and whether decryption at the proxy is used.

Everybody's experience with caching is slightly different. For some it is useful, others not as much. Generally speaking it has some use so long as Hits are more than 0.

Amos

 Original message 
From: Periko Support
Date: Sun, 1 Aug 2021, 13:48
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid caching webpages now days?

Hello guys.

With today's ISP's speed increasing, is squid cache (caching web pages) nowadays a good option?

I have some customers that want to set up a cache server, but I have doubts about how much traffic will be saved, with most of the web sites running under https.

I use squid+sg acl features.

But for me, caching is not a bandwidth saving tool anymore.

Is caching still a good option with squid?

Regards!!!


Re: [squid-users] wildcard for numbers in url whitelisting

2021-07-15 Thread Amos Jeffries‬
You will need to change to the ssl::server_name_regex ACL type to use regex patterns.

Also, take care that all values are valid regex patterns and that characters which are special in regex are properly escaped. Eg the dots.

Amos
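An added squid.conf fragment (not from the thread or the Squid project) showing a numeric wildcard done with ssl::server_name_regex, with the escaped form beside the unescaped one; the file path and host names are constructed for the example:

```squid
# Allow-list of TLS server names, matched by regex instead of dstdomain.
# -i makes the match case-insensitive; patterns are read one per line.
acl allowed_sni ssl::server_name_regex -i "/etc/squid/allowed_sni.regex"
http_access allow allowed_sni
http_access deny all

# Contents of /etc/squid/allowed_sni.regex (constructed example):
#
#   ^cdn[0-9]+\.example\.com$
#   ^static-[0-9]{1,3}\.example\.net$
#
# Why the escaping and anchors matter:
#   cdn[0-9]+.example.com      an unescaped "." matches any character, so
#                              this also matches cdn1xexample.com, and with
#                              no ^ and $ it matches anywhere inside a
#                              longer name such as cdn1.example.com.other.test
#   ^cdn[0-9]+\.example\.com$  matches cdn1.example.com through
#                              cdn99.example.com and nothing else
```

Check the list with a regex tool before reloading, since one malformed line makes the whole ACL fail to load.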


Re: [squid-users] manual proxy configuration ...

2021-05-25 Thread Amos Jeffries‬
You enter the IP address or hostname of the squid machine into the browser "proxy settings" for manual configuration.

Amos


Re: [squid-users] squid clamav configure options

2021-05-18 Thread Amos Jeffries‬
Squid-4 is a stable release series. That means we go out of our way to ensure UI (eg build and squid.conf) does not change behaviour. So yes, all *squid* settings should work the same between those versions.

c-icap and squidclamav are third party software. You should not need to change them just to update squid.

Amos


Re: [squid-users] https_port not correctly sending ssl cert information?

2021-05-11 Thread Amos Jeffries‬
The main issue you are having is that the old version had no TLS/1.3 support. The newer squid has some, but not enough for what you are doing.

Switching the build from GnuTLS to OpenSSL may work a little better. But without details of your config it is hard to be certain.

Amos

 Original message 
From: Dan Steen
Date: Wed, 12 May 2021, 10:06
To: squid-users@lists.squid-cache.org
Subject: [squid-users] https_port not correctly sending ssl cert information?

Hi!

I've recently been trying to update my version of squid from 4.0.20 to something more modern (4.13), but I'm having issues with my TLS enabled proxy not returning certificates correctly (it seems). Specifically, when I try and run the following curl (url replaced to protect the innocent):

curl -vvI --proxy https://test.example.com:5000 https://google.com

I get the following result:

*   Trying 167.99.53.100:5000...
* Connected to test.example.com port 5000
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

This is different than what I get for my old 4.0.20 server:

* Connected to test.example.com port 3128 (#0)
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: CN=*.example.com
*  start date: Apr  5 21:02:06 2021 GMT
*  expire date: May  7 21:02:06 2022 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.

But the config and certs are exactly the same! I've pasted the config, output of squid -v, and cert information here: https://gist.github.com/dansteen/c28343fd025c713bcfba8368ce2b728b

One difference between the two that I noticed is that the old version is compiled with --with-openssl and --enable-ssl and --enable-ssl-crtd, and the new version only has --with-gnutls. Would that be the issue?

I appreciate the help!

Thanks!
Dan Steen


Re: [squid-users] allow update domain and block everything else

2021-04-17 Thread Amos Jeffries‬
There is a built-in ACL called "all" which does what you defined the regex "blacklist" to do.

As for sessions: no, Squid follows HTTP, which is stateless. You can configure it though. Set up an ext_session_acl helper for active mode sessions that start when a 302 response comes back. You should have some other ACL to separately whitelist the sites normally blocked, but which can open with a session.

Amos


Re: [squid-users] icap server name lookup

2021-02-21 Thread Amos Jeffries‬
I suspect this is the lookup issue you already found, but with the added complication of the dotless name preventing even the delayed lookup working.

You can confirm that by adding the .local TLD, or whichever your network uses internally, to the names (with a hosts file entry). It should then behave the same as the delayed lookup issue.

Amos


Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-21 Thread Amos Jeffries‬
The config you have is doing client-first bumping (bump at step). It happens before the real cert or server details are available. As such any number of TLS features or extensions may be missing (or added) by squid that indicate problems to the browser.

If you can use a config that peeks/stares/splices at steps 1-2 and bumps only at step, it may work better.

If you require this config, or have issues even with a step bump, you will need to trace the TLS details being negotiated on both the squid-browser and squid-server connections.

Amos

 Original message 
From: Dieter Bloms
Date: Thu, 21 Jan 2021, 00:25
To: squid-users@lists.squid-cache.org
Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.
When I disable sslbumping for this destination the chromium based browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

With wget or curl I can download the mp4 file in both cases (with and without sslbump).

Can anybody try to view the video in a chromium based browser with enabled sslbump?

Thank you very much.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
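One way to lay out the peek/stare/splice-then-bump config Amos describes, as an added squid.conf fragment that is neither Dieter's config nor Squid project code; it reuses the thread's MYIP placeholder, certificate paths and domain file, and the at_step ACLs are standard Squid-4 syntax:

```squid
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3

# SslBump steps: 1 = client CONNECT/ClientHello seen, 2 = server ServerHello
# and certificate seen, 3 = both sides known, decision can be made.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"

# Step 1: only read the client's ClientHello (SNI etc.); decide nothing yet.
ssl_bump peek step1
# Step 2: exempt domains are spliced (passed through untouched). Everything
# else is "stared" at, which fetches the origin server's real certificate
# while keeping a later bump possible (a peek at step 2 would not).
ssl_bump splice nobumping
ssl_bump stare step2
# Step 3: the generated certificate now mirrors the real server certificate,
# so the TLS features the browser sees match what the origin offers.
ssl_bump bump step3
```

Compare this with the original "ssl_bump bump all", which bumps at step 1 before any server details exist.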


Re: [squid-users] Squid doesn't notice AD group changes

2021-01-21 Thread Amos Jeffries‬
The issue is many layers of caching and interdependent data.

Once the auth backend system is producing the right output the group helper cache needs to expire, then lookups by that helper will be correct.

Then all the tcp connections holding onto that user's credentials need to close. Only once all that happens will there be no user+group1 link to confuse.

If any of the old tcp connections remain open they cache the old credentials which were linked to the old group1. New tcp connections will be linked to their cached username state.

In modern squid the kerberos auth helper gives squid the list of groups at the same time as the username. So there is no external ACL helper and its caching to get things mixed up. You should use the note ACL type to check those group SSIDs.

At worst you may still have to wait for the tcp connection closure part.

Amos


Re: [squid-users] Making destination IP available in ICAP REQMOD request

2021-01-17 Thread Amos Jeffries‬
As you have found, there is no destination IP at REQMOD time. Even if squid were to do a lookup it does not know the outcome of the routing decision in order to select which IP to send to REQMOD. Especially if REQMOD is the source of that decision.

A normal (forward) proxy has only a server host name (aka URI domain) to work with until the server connection is about to be opened. The REQMOD can be passed that name, but needs to account for the fact that *any* of the IPs it finds for that (or none) might be used.

Interception proxies try to connect to the same server IP as the client was using. But they may not need a server connection at all if cache storage or collapsed forwarding catches the transaction.

Amos


Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-11 Thread Amos Jeffries‬
The dst ACL type accepts the special value of "ipv4". You can use that and the "!" operator to split traffic. However, please be aware dst is not very reliable until *after* the outgoing connection has been created, and we are still finding some access checks that do not use it correctly. YMMV.

Amos

 Original message 
From: "Walter H."
Date: Tue, 12 Jan 2021, 03:19

Hello,

is there a way that I can do something like

if ( dst is IPv4 ) go direct
if ( dst is IPv6 ) use parent proxy xxx

The reason for my question: I'm using an IPv6-in-IPv4 tunnel, and it would make sense to forward all traffic going to IPv6 to squid running on the tunnel end;

Thanks,
Walter
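A possible layout for that split, added here as an example rather than anything from the thread or the Squid project; the peer hostname tunnel-proxy.example.internal and its port are assumed:

```squid
# "dst ipv4" matches when the resolved destination address is IPv4.
acl to_ipv4 dst ipv4

# The Squid at the IPv6-in-IPv4 tunnel end (assumed name and port).
cache_peer tunnel-proxy.example.internal parent 3128 0 no-query

# IPv4 destinations: go direct, never via the peer.
always_direct allow to_ipv4
cache_peer_access tunnel-proxy.example.internal deny to_ipv4

# IPv6 destinations (everything not matching to_ipv4): force the peer.
never_direct allow !to_ipv4
cache_peer_access tunnel-proxy.example.internal allow all

# Caveat from the reply above: dst is only dependable once the outgoing
# connection exists. A dual-stack host (A and AAAA records) can match either
# way, so check access.log's hierarchy field (DIRECT vs the peer name) to
# confirm the split behaves as intended.
```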