[squid-users] squid listen on UDP for * or 0.0.0.0

2022-12-12 Thread Ahmad Alzaeem
Hello Folks,

Wondering why I see squid listening on UDP sockets. And how can I disable that 
behavior?


Here is a sample capture:

ss -lup

UNCONN  0  0  *:62408  *:*  users:(("squid",pid=304626,fd=12))
UNCONN  0  0  *:62421  *:*  users:(("squid",pid=89500,fd=7))
UNCONN  0  0  *:62439  *:*  users:(("squid",pid=506816,fd=12))
UNCONN  0  0  *:62440  *:*  users:(("squid",pid=889812,fd=12))
UNCONN  0  0  *:62441  *:*  users:(("squid",pid=561342,fd=13))
UNCONN  0  0  *:62448  *:*  users:(("squid",pid=90497,fd=7))
UNCONN  0  0  *:62467  *:*  users:(("squid",pid=89345,fd=7))
UNCONN  0  0  *:62481  *:*  users:(("squid",pid=48730,fd=13))
UNCONN  0  0  *:62491  *:*  users:(("squid",pid=88914,fd=7))
UNCONN  0  0  *:62504  *:*  users:(("squid",pid=74449,fd=7))
UNCONN  0  0  *:62505  *:*  users:(("squid",pid=89517,fd=7))
UNCONN  0  0  *:62507  *:*  users:(("squid",pid=89077,fd=7))
UNCONN  0  0  *:62534  *:*  users:(("squid",pid=70608,fd=7))
UNCONN  0  0  *:62543  *:*  users:(("squid",pid=63323,fd=7))
UNCONN  0  0  *:62582  *:*  users:(("squid",pid=89292,fd=7))
UNCONN  0  0  *:62606  *:*  users:(("squid",pid=89037,fd=7))
UNCONN  0  0  *:62635  *:*  users:(("squid",pid=89569,fd=7))
UNCONN  0  0  *:62636  *:*  users:(("squid",pid=305076,fd=13))
UNCONN  0  0  *:62683  *:*  users:(("squid",pid=304108,fd=13))

Sometimes the DNS resolutions fail on the server due to port conflict with 
squid.
I think it won't be a problem if it listens on the same squid IP, but listening on * 
(all sockets) will cause issues.
Any way to figure out the issue above?

BR

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
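
A capture like the one in the post above can be turned into a per-process inventory; this is an added example, not part of the original post or of Squid. It parses lines in the layout of `ss -H -lunp` and lists the UDP sockets a named process holds on a wildcard address, marking whether each port falls inside a given automatic (ephemeral) port range; the sample lines, the function names `wildcard_udp` and `count_by_pid`, and the range 32768-60999 are assumptions of the example.

```shell
#!/bin/sh
# Added example: inventory wildcard-bound UDP sockets per process from ss output.
# For UDP, "UNCONN" only means the socket is bound and not connected; it covers
# both configured listeners and sockets that were given a port automatically.

# Constructed sample in the layout of `ss -H -lunp`
# (State Recv-Q Send-Q Local Peer Process). All values are made up.
sample_ss() {
cat <<'EOF'
UNCONN 0 0 *:45012 *:* users:(("squid",pid=4101,fd=7))
UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=812,fd=5))
UNCONN 0 0 0.0.0.0:3130 0.0.0.0:* users:(("squid",pid=4101,fd=11))
UNCONN 0 0 192.0.2.10:40222 *:* users:(("squid",pid=4102,fd=7))
UNCONN 0 0 [::]:51877 [::]:* users:(("squid",pid=4103,fd=12),("squid",pid=4104,fd=12))
UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=640,fd=12))
EOF
}

# wildcard_udp PROC LOW HIGH
# Reads ss lines on stdin and prints "pid fd port kind" for every socket that
# PROC holds on a wildcard address (*, 0.0.0.0 or [::]). kind is "ephemeral"
# when LOW <= port <= HIGH, otherwise "fixed".
wildcard_udp() {
    awk -v proc="$1" -v lo="$2" -v hi="$3" '
    {
        n = split($4, part, ":")          # the port is the last ":" field
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host != "*" && host != "0.0.0.0" && host != "[::]") next

        rest = $0                         # walk every ("name",pid=N,fd=M) tuple
        while (match(rest, /\("[^"]*",pid=[0-9]+,fd=[0-9]+\)/)) {
            split(substr(rest, RSTART, RLENGTH), f, /[(",=)]+/)
            rest = substr(rest, RSTART + RLENGTH)
            if (f[2] != proc) continue    # f[2]=name, f[4]=pid, f[6]=fd
            kind = (port + 0 >= lo + 0 && port + 0 <= hi + 0) ? "ephemeral" : "fixed"
            print f[4], f[6], port, kind
        }
    }'
}

# count_by_pid: reads wildcard_udp rows, prints "pid count" sorted by pid.
count_by_pid() {
    awk '{ c[$1]++ } END { for (p in c) print p, c[p] }' | sort -n
}

# Run on the constructed sample. On a live host the input would come from:
#   ss -H -lunp | wildcard_udp squid $(cat /proc/sys/net/ipv4/ip_local_port_range)
sample_ss | wildcard_udp squid 32768 60999
sample_ss | wildcard_udp squid 32768 60999 | count_by_pid
```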


[squid-users] force squid to kill current connection after reconfigure

2022-08-08 Thread Ahmad Alzaeem

Hello Team,
Sometimes we need to change the tcp_outgoing addresses acl.
We edit it and reconfigure squid, but the current connections still work on the 
old IPs of tcp_outgoing until the browser is completely closed and reopened.
Is there a way we can kill old sessions/connections on the old tcp_outgoing 
after applying reconfigure?

Tried with server_persistent_connections off, but it did not make a change.

Thanks





Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
Hello Eliezer,
I reported many times that squid 4.x does not support delay pools and never 
got a patch or fix.

Squid5 is buggy and not stable and keeps crashing and with DNS resolution it's 
not stable.


Squid 4 is stable but does not support delay pools.
Squid 3.5.x is stable and supports delay pools

That’s the summary.



From: squid-users  on behalf of 
ngtech1...@gmail.com 
Date: Monday, July 11, 2022 at 1:55 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
Hey Ahmad,

I really don’t know what to say.
I am not using delay pools so I cannot say anything about that.

About DNS IPV4/IPV6 I am not sure what you are referring to.
Can you please refer me to the bug report on these?
It should be testable.
I have not seen anything about this in my environment until now so I am pretty 
confused.

Thanks,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: Ahmad Alzaeem <0xf...@gmail.com>
Sent: Monday, 11 July 2022 22:53
To: ngtech1...@gmail.com; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid 3.x on Centos8 not working

None of squid4.x support delay pools.

Squid5.x is full of bugs with DNS IPV4/IPV6 because of the eyeball feature.

Thanks


From: squid-users on behalf of ngtech1...@gmail.com
Date: Monday, July 11, 2022 at 12:37 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid 3.x on Centos8 not working
Hey Ahmad,

What is preventing you from using 4.x or 5.x?

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/


Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
None of squid4.x support delay pools.

Squid5.x is full of bugs with DNS IPV4/IPV6 because of the eyeball feature.

Thanks


From: squid-users  on behalf of 
ngtech1...@gmail.com 
Date: Monday, July 11, 2022 at 12:37 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
Hey Ahmad,

What is preventing you from using 4.x or 5.x?

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/


Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
ables -fstack-clash-protection -fcf-protection 
-Wa,--noexecstack -Wa,--generate-missing-build-notes=yes 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN 
-DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG 
-DPURIFY -DDEVRANDOM="\"/dev/urandom\"" 
-DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  rdrand dynamic



openssl3 version -a
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
built on: Wed Mar 16 21:52:03 2022 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe 
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS 
-fexceptions -fstack-protector-strong -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-Wa,--noexecstack -Wa,--generate-missing-build-notes=yes 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN 
-DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY 
-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.0.1-20220316\"" 
-DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffef3eb:0x21cbfbb



Thanks

From: squid-users  on behalf of Alex 
Rousskov 
Date: Monday, July 11, 2022 at 10:20 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
On 7/11/22 09:38, Ahmad Alzaeem wrote:

> Anyone in the Dev team to help me out?

In most cases, folks should not be using Squid v3. It is not a supported
Squid version.

You may be able to get your Squid to build by avoiding the -Werror
compiler flag (e.g., by ./configuring Squid with
--disable-strict-error-checking).


HTH,

Alex.



> *From: *Ahmad Alzaeem <0xf...@gmail.com>
> *Date: *Tuesday, June 28, 2022 at 6:28 AM
> *To: *squid-users@lists.squid-cache.org 
> *Subject: *squid 3.x on Centos8 not working
>
> Hello Folks ,
>
> Trying to compile squid 3.x on Centos8 but have an errors below seems in
> SMBLIB .
>
> Squid ver :
>
> squid-3.5.28
>
> GCC ver :
>
> gcc -v
>
> Using built-in specs.
>
> COLLECT_GCC=gcc
>
> COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
>
> OFFLOAD_TARGET_NAMES=nvptx-none
>
> OFFLOAD_TARGET_DEFAULT=1
>
> Target: x86_64-redhat-linux
>
> Configured with: ../configure --enable-bootstrap
> --enable-languages=c,c++,fortran,lto --prefix=/usr
> --mandir=/usr/share/man --infodir=/usr/share/info
> --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared
> --enable-threads=posix --enable-checking=release --enable-multilib
> --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions
> --enable-gnu-unique-object --enable-linker-build-id
> --with-gcc-major-version-only --with-linker-hash-style=gnu
> --enable-plugin --enable-initfini-array --with-isl --disable-libmpx
> --enable-offload-targets=nvptx-none --without-cuda-driver
> --enable-gnu-indirect-function --enable-cet --with-tune=generic
> --with-arch_32=x86-64 --build=x86_64-redhat-linux
>
> Thread model: posix
>
> gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
>
> we are using ./configure  with default flags  ,  and have the errors below :
>
> make[2]: Entering directory '/root/squid-3.5.28/lib/rfcnb'
>
> depbase=`echo rfcnb-io.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
>
> /bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H
> -I../.. -I../../include -I../../lib -I../../src -I../../include
> -I../../lib  -Wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes
> -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe -D_REENTRANT
> -Wall -g -O2 -MT rfcnb-io.lo -MD -MP -MF $depbase.Tpo -c -o rfcnb-io.lo
> rfcnb-io.c &&\
>
> mv -f $depbase.Tpo $depbase.Plo
>
> libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include
> -I../../lib -I../../src -I../../include -I../../lib -Wall
> -Wpointer-arith -Wwrite-strings -Wmissing-prototypes
> -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe -D_REENTRANT
> -Wall -g -O2 -MT rfcnb-io.lo

Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
Hello Folks,
Anyone in the Dev team to help me out?

Thanks


[squid-users] squid 3.x on Centos8 not working

2022-06-28 Thread Ahmad Alzaeem

Hello Folks,

Trying to compile squid 3.x on Centos8 but have the errors below, seemingly in 
SMBLIB.

Squid ver :
squid-3.5.28

GCC ver :

gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap 
--enable-languages=c,c++,fortran,lto --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla 
--enable-shared --enable-threads=posix --enable-checking=release 
--enable-multilib --with-system-zlib --enable-__cxa_atexit 
--disable-libunwind-exceptions --enable-gnu-unique-object 
--enable-linker-build-id --with-gcc-major-version-only 
--with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl 
--disable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-gnu-indirect-function --enable-cet --with-tune=generic 
--with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)

We are using ./configure with default flags, and have the errors below:


make[2]: Entering directory '/root/squid-3.5.28/lib/rfcnb'
depbase=`echo rfcnb-io.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD 
-MP -MF $depbase.Tpo -c -o rfcnb-io.lo rfcnb-io.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD -MP -MF .deps/rfcnb-io.Tpo -c 
rfcnb-io.c  -fPIC -DPIC -o .libs/rfcnb-io.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD -MP -MF .deps/rfcnb-io.Tpo -c 
rfcnb-io.c -o rfcnb-io.o >/dev/null 2>&1
depbase=`echo rfcnb-util.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo 
-MD -MP -MF $depbase.Tpo -c -o rfcnb-util.lo rfcnb-util.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo -MD -MP -MF .deps/rfcnb-util.Tpo -c 
rfcnb-util.c  -fPIC -DPIC -o .libs/rfcnb-util.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo -MD -MP -MF .deps/rfcnb-util.Tpo -c 
rfcnb-util.c -o rfcnb-util.o >/dev/null 2>&1
depbase=`echo session.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT session.lo -MD 
-MP -MF $depbase.Tpo -c -o session.lo session.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT session.lo -MD -MP -MF .deps/session.Tpo -c 
session.c  -fPIC -DPIC -o .libs/session.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT session.lo -MD -MP -MF .deps/session.Tpo -c 
session.c -o session.o >/dev/null 2>&1
/bin/sh ../../libtool  --tag=CC   --mode=link gcc -Wall -Wpointer-arith 
-Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow 
-Werror -pipe -D_REENTRANT -Wall -g -O2  -g 

Re: [squid-users] is there any squid 4.x version has delay_pools working?

2022-06-28 Thread Ahmad Alzaeem
Hello team and Alex.

Any updates on this?
Any squid4.x support delay pools for now?


I tried a lot and none of them support delay pools!!!

From: squid-users  on behalf of Alex 
Rousskov 
Date: Saturday, March 5, 2022 at 1:07 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] is there any squid 4.x version has delay_pools 
working?
On 3/5/22 13:43, Ahmad Alzaeem wrote:
> Hello,
>
> No SSL Bump.
> we use CONNECT method.
> squid accepts the directive, but it has no real effect.
>
> the same config on 3.x worked fine.
>
> I'm sure 100%, none of squid 4.x worked with delay pools with me.

Sounds like Bug 4913 to me:
https://bugs.squid-cache.org/show_bug.cgi?id=4913

I do not know whether the latest summary there is still accurate, but I
know that the underlying code is (still) badly broken.

Alex.



>> On Feb 24, 2022, at 11:58 PM, Eliezer Croitoru wrote:
>>
>> Hey Ahmad,
>> Can you please give more details on the specific issue or issues you
>> have verified in 4.17?
>> What exactly doesn’t work in delay_pools? Plain HTTP download or
>> upload speed?
>> Is it only on HTTP or also on CONNECT or HTTPS or SSL-BUMP connections?
>> Eliezer
>>
>>   * I was thinking about creating a webinar about Squid ssl(TLS) bump
>>
>> 
>> Eliezer Croitoru
>> NgTech, Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1...@gmail.com
>> *From:* squid-users *On Behalf Of* Ahmad Alzaeem
>> *Sent:* Friday, February 25, 2022 02:14
>> *To:* squid-users@lists.squid-cache.org
>> *Subject:* [squid-users] is there any squid 4.x version has delay_pools
>> working?
>> I tried many squid 4.x versions and none of them has delay_pools to work.
>> I have it to work on 3.x versions.
>> Is there any specific 4.x version that was tested with delay pools to
>> work?
>> I would like to report it as a bug at least in squid-4.17
>> <http://www.squid-cache.org/Versions/v4/squid-4.17-RELEASENOTES.html> which
>> I tested today.
>> Regards


Re: [squid-users] is there a way to tell squid to write external ip even that external ip not attached into the machine ?

2022-05-13 Thread Ahmad Alzaeem
Hello Eliezer,
I thought it could be done by editing a squid src file, like to skip the inet 
address lookup.

Thanks


From: squid-users  on behalf of 
Eliezer Croitoru 
Date: Friday, May 13, 2022 at 8:21 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] is there a way to tell squid to write external ip 
even that external ip not attached into the machine ?
Hey Ahmad,

You should use a tproxy port with a PROXY protocol support and acls.
With these you can try to push traffic to the network from a local process that 
will write the right details to squid that will generate a fake source ip.

And since you have asked I assume you are not familiar enough with this kind of 
setup so it’s crucial you will understand what you are doing
before trying and testing it since it might not work as you expect.

All The Bests,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com



[squid-users] is there a way to tell squid to write external ip even that external ip not attached into the machine ?

2022-05-13 Thread Ahmad Alzaeem

Hello Guys ,
We are testing squid with a project such as we need squid to write and proceed 
with tcp_outgoing address address even if it's not attached to the machine by 
ifconfig or ip add?

After some tests we found that squid won't write the external IP to be pushed 
out the network card interface if the IP address is not added to the machine.

Is there any way to bypass this check and let squid ignore checking whether the 
external IPs are attached or not attached?
Not sure if from config or maybe editing src files.


Many Thanks





Re: [squid-users] squid3/4 compilation error with Centos8/RH8

2022-05-02 Thread Ahmad Alzaeem
Hello Eliezer Croitoru ,
Thank you for your reply ,

Indeed, I need to build it from source with custom compile flags.

Is there any way to overcome the error I sent earlier?


Thanks


From: squid-users  on behalf of 
Eliezer Croitoru 
Date: Monday, May 2, 2022 at 11:59 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid3/4 compilation error with Centos8/RH8
Try to use the next SRPM:
https://www.ngtech.co.il/repo/centos/8/SRPMS/squid-4.17-8.el8.src.rpm

Good Luck,


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com<mailto:ngtech1...@gmail.com>

From: squid-users  On Behalf Of 
Ahmad Alzaeem
Sent: Monday, May 2, 2022 21:25
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid3/4 compilation error with Centos8/RH8




Hello Team ,
I found I was only able to build squid 5.x on Centos8/RH8 (not able to build 
3.x or 4.x).
I was able to build squid 3.x and 4.x on RH7/Centos7.

It seems it's a libssl error or so, based on the compilation error below (not 
sure if I need to upgrade or downgrade GCC)

//
cache_cf.o: In function `parseOneConfigFile(char const*, unsigned int)':
cache_cf.cc:(.text+0x805): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xc2b): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xd78): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0x10a4): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parseConfigFileOrThrow(char const*)':
cache_cf.cc:(.text+0x1295): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x142e): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
cache_cf.o: In function `dump_acl(StoreEntry*, char const*, ACL*)':
cache_cf.cc:(.text+0x3bc5): undefined reference to 
`ACL::dumpOptions[abi:cxx11]()'
cache_cf.o: In function `parse_address(Ip::Address*)':
cache_cf.cc:(.text+0x3f7a): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_acl_tos(acl_tos**)':
cache_cf.cc:(.text+0x432e): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_access(HeaderManglers**)':
cache_cf.cc:(.text+0x49d7): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.cc:(.text+0x4a6d): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_replace(HeaderManglers**)':
cache_cf.cc:(.text+0x4cc5): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x4d5b): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
client_side.o: In function `EVP_PKEY_up_ref':
client_side.cc:(.text.EVP_PKEY_up_ref[EVP_PKEY_up_ref]+0x34): undefined 
reference to `CRYPTO_add_lock'
client_side.o: In function `X509_up_ref':
client_side.cc:(.text.X509_up_ref[X509_up_ref]+0x34): undefined reference to 
`CRYPTO_add_lock'
anyp/.libs/libanyp.a(PortCfg.o): In function 
`Security::ServerOptions::sk_X509_NAME_free_wrapper::operator()(stack_st_X509_NAME*)':
PortCfg.cc:(.text._ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME[_ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME]+0x22):
 undefined reference to `sk_pop_free'
security/.libs/libsecurity.a(PeerOptions.o): In function 
`Security::PeerOptions::createBlankContext() const':
PeerOptions.cc:(.text+0x1896): undefined reference to `SSLv23_client_method'
security/.libs/libsecurity.a(ServerOptions.o): In function 
`Security::ServerOptions::createBlankContext() const':
ServerOptions.cc:(.text+0xb4a): undefined reference to `SSLv23_server_method'
security/.libs/libsecurity.a(ServerOptions.o): In function `X509_CRL_up_ref':
ServerOptions.cc:(.text.X509_CRL_up_ref[X509_CRL_up_ref]+0x36): undefined 
reference to `CRYPTO_add_lock'
security/.libs/libsecurity.a(Session.o): In function `tls_write_method(int, 
char const*, int)':
Session.cc:(.text+0x677): undefined reference to `SSL_state'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::MaybeSetupRsaCallback(std::shared_ptr&)':
support.cc:(.text+0x6c9): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::matchX509CommonNames(x509_st*, void*, int (*)(void*, asn1_string_st*))':
support.cc:(.text+0x855): undefined reference to `sk_num'
support.cc:(.text+0x872): undefined reference to `sk_value'
support.cc:(.text+0x8c2): undefined reference to `sk_pop_free'
support.cc:(.text+0x8eb): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_verify_cb(int, 
x509_store_ctx_st*)':
support.cc:(.text+0x19be): undefined ref

[squid-users] squid3/4 compilation error with Centos8/RH8

2022-05-02 Thread Ahmad Alzaeem



Hello Team ,
I found I was only able to build squid 5.x on Centos8/RH8 (not able to build 
3.x or 4.x).
I was able to build squid 3.x and 4.x on RH7/Centos7.

It seems it's a libssl error or so, based on the compilation error below (not 
sure if I need to upgrade or downgrade GCC)

//
cache_cf.o: In function `parseOneConfigFile(char const*, unsigned int)':
cache_cf.cc:(.text+0x805): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xc2b): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xd78): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0x10a4): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parseConfigFileOrThrow(char const*)':
cache_cf.cc:(.text+0x1295): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x142e): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
cache_cf.o: In function `dump_acl(StoreEntry*, char const*, ACL*)':
cache_cf.cc:(.text+0x3bc5): undefined reference to 
`ACL::dumpOptions[abi:cxx11]()'
cache_cf.o: In function `parse_address(Ip::Address*)':
cache_cf.cc:(.text+0x3f7a): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_acl_tos(acl_tos**)':
cache_cf.cc:(.text+0x432e): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_access(HeaderManglers**)':
cache_cf.cc:(.text+0x49d7): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.cc:(.text+0x4a6d): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_replace(HeaderManglers**)':
cache_cf.cc:(.text+0x4cc5): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x4d5b): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
client_side.o: In function `EVP_PKEY_up_ref':
client_side.cc:(.text.EVP_PKEY_up_ref[EVP_PKEY_up_ref]+0x34): undefined 
reference to `CRYPTO_add_lock'
client_side.o: In function `X509_up_ref':
client_side.cc:(.text.X509_up_ref[X509_up_ref]+0x34): undefined reference to 
`CRYPTO_add_lock'
anyp/.libs/libanyp.a(PortCfg.o): In function 
`Security::ServerOptions::sk_X509_NAME_free_wrapper::operator()(stack_st_X509_NAME*)':
PortCfg.cc:(.text._ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME[_ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME]+0x22):
 undefined reference to `sk_pop_free'
security/.libs/libsecurity.a(PeerOptions.o): In function 
`Security::PeerOptions::createBlankContext() const':
PeerOptions.cc:(.text+0x1896): undefined reference to `SSLv23_client_method'
security/.libs/libsecurity.a(ServerOptions.o): In function 
`Security::ServerOptions::createBlankContext() const':
ServerOptions.cc:(.text+0xb4a): undefined reference to `SSLv23_server_method'
security/.libs/libsecurity.a(ServerOptions.o): In function `X509_CRL_up_ref':
ServerOptions.cc:(.text.X509_CRL_up_ref[X509_CRL_up_ref]+0x36): undefined 
reference to `CRYPTO_add_lock'
security/.libs/libsecurity.a(Session.o): In function `tls_write_method(int, 
char const*, int)':
Session.cc:(.text+0x677): undefined reference to `SSL_state'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::MaybeSetupRsaCallback(std::shared_ptr&)':
support.cc:(.text+0x6c9): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::matchX509CommonNames(x509_st*, void*, int (*)(void*, asn1_string_st*))':
support.cc:(.text+0x855): undefined reference to `sk_num'
support.cc:(.text+0x872): undefined reference to `sk_value'
support.cc:(.text+0x8c2): undefined reference to `sk_pop_free'
support.cc:(.text+0x8eb): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_verify_cb(int, 
x509_store_ctx_st*)':
support.cc:(.text+0x19be): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_free_CertChain(void*, 
void*, crypto_ex_data_st*, int, long, void*)':
support.cc:(.text+0x1ead): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `Ssl::Initialize()':
support.cc:(.text+0x2084): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x20b0): undefined reference to `SSL_CTX_get_ex_new_index'
support.cc:(.text+0x20df): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x210c): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2139): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2166): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2193): undefined reference to `SSL_get_ex_new_index'
ssl/.libs/libsslsquid.a(support.o):support.cc:(.text+0x21c0): more undefined 
references to `SSL_get_ex_new_index' follow
ssl/.libs/libsslsquid.a(support.o): In function 
`sslGetUserCertificateChainPEM(ssl_st*)':
support.cc:(.text+0x

Re: [squid-users] squid5 Happy Eyeballs - Is it possible to enable IPV4 only or IPV6 only ?

2022-05-02 Thread Ahmad Alzaeem
Hello Alex ,
Thanks for the nice info .
I will consider what you said .


Thanks


From: Alex Rousskov 
Date: Monday, May 2, 2022 at 8:38 AM
To: Ahmad Alzaeem <0xf...@gmail.com>, Squid Users 

Subject: Re: [squid-users] squid5 Happy Eyeballs - Is it possible to enable 
IPV4 only or IPV6 only ?
On 5/1/22 23:49, Ahmad Alzaeem wrote:

> sometime the IPV4
> instance receive DNS resolution of the destination as IPV6 and the
> connection fails !!
>
> sometimes the IPV4 instance receive the DNS resolution of the
> destination as IPV6 and the connection fail .
>
> Is there any option we can do based on the environment above ?


Without Squid code modifications, your options are:

* Use a custom DNS resolver (configuration) that never sends IPv4
address records to an IPv6-only Squid. Use a custom DNS resolver
(configuration) that never sends IPv6 address records to an IPv4-only
Squid. Configure each Squid to use the right resolver (see dns_nameservers).

* Disable IPv6 support in IPv4-only Squid at ./configure time. This does
not help with the IPv6-only Squid and has other negative side effects. I
do not recommend this option.


 > Like maybe we disable eyeballs or preserving it while add an option
 > like DNS A records or DNS AAAA records .

It would be possible to enhance Squid by adding a configuration option
that disables (certain) A or AAAA queries, but proper modifications are
not trivial and nobody has done them yet:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


Cheers,

Alex.


[squid-users] squid5 Happy Eyeballs - Is it possible to enable IPV4 only or IPV6 only ?

2022-05-01 Thread Ahmad Alzaeem
Hello Team ,

Testing squid5.x .
Still have a question in the case of running multiple instances (IPV4/IPV6) on 
the same machine.
Such as: one instance that runs as IPV4 only while the other instance runs as 
IPV6 only.

I found that squid5.x is ignoring dns_v4_first.
And based on the algorithm and how it works, sometimes the IPV4 instance 
receives the DNS resolution of the destination as IPV6 and the connection fails !!

Sometimes the IPV4 instance receives the DNS resolution of the destination as 
IPV6 and the connection fails.

Is there any option we can use based on the environment above?
Like maybe we disable eyeballs, or preserve it while adding an option like DNS A 
records or DNS AAAA records.

Thanks






Re: [squid-users] Squid 3-5 CPU optimization and best practise .

2022-04-06 Thread Ahmad Alzaeem


Hello Amos ,

Config file is based on IP auth and user/pass auth .
But I want to minimize the CPU hit of my config file as much as possible .

Version : Squid 5.3

###

squid.conf

acl RDP-Domain-controller src 77.90.230.0/24 77.90.228.0/24 77.90.225.0/24 
77.90.210.0/24 77.90.193.0/24 77.90.145.0/24 77.90.112.0/24 88.21.95.0/24 
88.21.94.0/24 88.21.76.0/24 88.21.75.0/24 88.21.72.0/24 88.21.36.0/24 
88.21.34.0/24 88.21.199.0/24 88.21.193.0/24 88.21.192.0/24 88.21.137.0/24 
88.21.135.0/24 88.21.132.0/24 88.21.131.0/24 88.21.129.0/24 88.21.128.0/24 
88.21.126.0/24 88.21.121.0/24 88.21.120.0/24 88.108.9.0/24 88.108.45.0/24
http_access allow RDP-Domain-controller

acl googleaccess dstdomain .google.com .google.ad .google.ae .google.com.af 
.google.com.ag .google.com.ai .google.al .google.am .google.co.ao 
.google.com.ar .google.as .google.at .google.com.au .google.az .google.ba 
.google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi 
.google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt 
.google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf 
.google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn 
.google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy 
.google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz


acl FTP proto FTP
http_access deny FTP
http_access deny manager
#
acl URN proto URN
http_access deny URN
###
#
visible_hostname squid
###
# Lockdown Procedures
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
auth_param basic children 50
auth_param basic realm login squid Login
http_access deny ncsa_users googleaccess
http_access allow ncsa_users
auth_param basic casesensitive on
#
cache_effective_user squid
cache_effective_group squid
##
server_persistent_connections off
client_persistent_connections off
cache deny all
###
http_port  66.4.223.238:45000 name=45000
http_port  66.4.223.238:45001 name=45001
http_port  66.4.223.238:45002 name=45002
http_port  66.4.223.238:45003 name=45003
#
acl user45000 myportname 45000
acl user45001 myportname 45001
acl user45002 myportname 45002
acl user45003 myportname 45003
#
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ba16:10cc:3d9f:6d8f user45000
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ca27:f465:986e:6dfc user45001
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:27de:fec7:49fc:3113 user45002
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:698a:d044:d39e:ffe7 user45003
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:bc96:9e75:6653:76ac user45004






From: squid-users  on behalf of Amos 
Jeffries 
Date: Friday, April 1, 2022 at 1:51 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] Squid 3-5 CPU optimization and best practise .
FYI; CPU in Squid is primarily consumed by two things:


1) parsing and processing HTTP message headers.

The only thing you can do about this is detect and reject unwanted
traffic as early as possible.

Your OS firewall is obviously the early line of defense. Preventing
unwanted network ranges from reaching Squid listening ports saves Squid
from spending CPU cycles looking up details about those unwanted clients.

Then for clients who are potentially valid the default http_access rules
reject dangerous traffic quickly and efficiently. Make sure any custom
http_access rules are listed *after* those ones. Then see (2).



2) processing access controls (ACL checks).

To optimize this needs attention to what order ACLs are tested in versus
how complex they are to process.

How many CPU cycles are consumed managing any resources they or other
processes they trigger is also important.

If you want a free optimization review please post your full squid.conf
(just without the documentation comments and empty lines). Then we can
point out any performance tricks you may not yet be using.




Beyond those two you are getting into "advanced admin" levels of
performance optimization. Where YMMV, Alex has mentioned. Every network
is different so none of us can say a specific thing to do that will be
better for you.

HTH
Amos
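An added example, not part of the original thread and not Squid's own code: a small Python check for the http_access ordering advice above. Because http_access rules are evaluated in order and the first match decides, it lists deny rules placed after the first allow rule, and ACL names used before any acl line defines them. The sample configuration is a constructed excerpt modelled on the one posted above, and the set of predefined ACL names is an assumption.

```python
"""Audit the order of http_access rules and ACL references in a squid.conf."""

# ACL names Squid predefines without an "acl" line. Assumption: this minimal
# set; newer releases may predefine more.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE_CONF = """\
acl RDP-Domain-controller src 77.90.230.0/24 88.21.95.0/24
http_access allow RDP-Domain-controller
acl FTP proto FTP
http_access deny FTP
http_access deny manager
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
acl googleaccess dstdomain .google.com
http_access deny ncsa_users googleaccess
http_access allow ncsa_users
http_port 66.4.223.238:45000 name=45000
acl user45000 myportname 45000
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ba16:10cc:3d9f:6d8f user45000
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:bc96:9e75:6653:76ac user45004
"""


def parse_directives(text):
    """Yield (line_number, directive, [arguments]) for each non-comment line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield number, name, args


def audit(text):
    """Return undefined ACL references and deny rules that follow an allow.

    undefined: (line, directive, acl_name) for names with no earlier acl line.
    bypassed:  (deny_line, deny_acls, first_allow_line); requests matched by
               the allow rule are decided there and never reach the deny.
    """
    defined = set(BUILTIN_ACLS)
    undefined, bypassed = [], []
    first_allow = None
    for number, name, args in parse_directives(text):
        if name == "acl" and args:
            defined.add(args[0])
            continue
        if name == "http_access" and len(args) >= 2:
            action, acl_refs = args[0], args[1:]
        elif name == "tcp_outgoing_address" and args:
            action, acl_refs = None, args[1:]  # args[0] is the address
        else:
            continue
        for ref in acl_refs:
            acl = ref.lstrip("!")  # "!name" negates the ACL called "name"
            if acl not in defined:
                undefined.append((number, name, acl))
        if action == "allow" and first_allow is None:
            first_allow = number
        elif action == "deny" and first_allow is not None and acl_refs != ["all"]:
            # A closing "deny all" is expected last, so it is not reported.
            bypassed.append((number, " ".join(acl_refs), first_allow))
    return {"undefined": undefined, "bypassed": bypassed}


def format_report(findings):
    """Render the audit result as readable lines."""
    lines = []
    for number, directive, acl in findings["undefined"]:
        lines.append(f"line {number}: {directive} uses undefined ACL '{acl}'")
    for number, acls, allow_line in findings["bypassed"]:
        lines.append(
            f"line {number}: 'deny {acls}' comes after the allow on line "
            f"{allow_line}; clients matched there skip this rule"
        )
    return lines


if __name__ == "__main__":
    for entry in format_report(audit(SAMPLE_CONF)):
        print(entry)
```
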


Re: [squid-users] Squid 3-5 CPU optimization and best practise .

2022-03-31 Thread Ahmad Alzaeem
Hello Alex ,
Thanks for your reply ,

I thought that as long as squid is used only as a forward proxy with no https, 
we may disable some built-in squid features that are not required for my 
purpose, to get lower CPU consumption, such as using the minimum squid functions.

We don’t have any bottleneck in squid.
The only issue is when there is very high traffic, which will use the CPU at a 
higher scale.
So my only goal is to decrease squid CPU consumption as much as I can.

So I built a local dns server to fasten the lookup, but I still don’t see any 
rich topics online for my goal.


Thanks



From: squid-users  on behalf of Alex 
Rousskov 
Date: Thursday, March 31, 2022 at 8:59 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] Squid 3-5 CPU optimization and best practise .
On 3/31/22 11:04, Ahmad Alzaeem wrote:

> My main question is , is there any major changes in squid 5 that make it
> faster than squid 3 or squid 4 in terms of low CPU usage?

I do not recall any _major_ changes in that area, but the http_port
worker-queues option may be of interest to those looking for performance
optimizations.


> Is there any best practice I can use to lower the cpu usage or response
> time ?

YMMV, but I would start by using (the right number of) SMP workers with
cpu_affinity_map and worker-queues. More on that at
https://wiki.squid-cache.org/Features/SmpScale#How_to_configure_SMP_Squid_for_top_performance.3F

Beyond that, one would have to analyze your Squid performance to find
out performance bottleneck(s) and then try to eliminate them or reduce
their impact.


> Like Deny caching on the HDD or server_persistent_connections off
>   similar directives

Disabling persistent connections will make things _worse_ in many cases
but YMMV. Whether cache_dirs (and even shared memory cache) slow down or
speed up an average response depends on your environment -- measure and
adjust/remove accordingly.


HTH,

Alex.


[squid-users] Squid 3-5 CPU optimization and best practise .

2022-03-31 Thread Ahmad Alzaeem
Hello Team ,
I’m just doing some research about the major changes in squid in terms of fast 
response and low CPU compensation, but I have not found more info on the Wiki or 
in what’s new.
https://wiki.squid-cache.org/Squid-5

The main usage is proxy with no ssl pump.
My main question is: are there any major changes in squid 5 that make it faster 
than squid 3 or squid 4 in terms of low CPU usage?

Is there any best practice I can use to lower the cpu usage or response time?
Like deny caching on the HDD, or server_persistent_connections off, or similar 
directives.





Thanks




Re: [squid-users] is there any squid 4.x version has delay_pools working?

2022-03-05 Thread Ahmad Alzaeem
Hello ,

No SSL Pump.
We use the CONNECT method.
Squid accepts the directive, but it has no real effect.

The same config on 3.x worked fine.

I'm 100% sure, none of the squid 4.x versions worked with delay pools for me.


Thanks 


> On Feb 24, 2022, at 11:58 PM, Eliezer Croitoru  wrote:
> 
> Hey Ahmad,
>  
> Can you please give more details on the specific issue or issues you have 
> verified in 4.17?
> What exactly doesn’t work in delay_pools? Plain HTTP download or upload speed?
> Is it only on HTTP or also on CONNECT or HTTPS or SSL-BUMP connections?
>  
> Eliezer
>  
> I was thinking about creating a webinar about Squid ssl(TLS) bump
>  
> 
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com>
>  
> From: squid-users  On Behalf Of 
> Ahmad Alzaeem
> Sent: Friday, February 25, 2022 02:14
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] is there any squid 4.x version has delay_pools working?
>  
> I tried many squid 4.x versions and none of them has delay_pools working.
> I have it working on 3.x versions.
>  
> Is there any specific 4.x version that was tested with delay pools working?
>  
>  
> I would like to report it as a bug, at least in squid-4.17 
> <http://www.squid-cache.org/Versions/v4/squid-4.17-RELEASENOTES.html>, which I 
> tested today.
>  
> Regards 
>  


[squid-users] is there any squid 4.x version has delay_pools working?

2022-02-24 Thread Ahmad Alzaeem
I tried many squid 4.x versions and none of them has delay_pools working.
I have it working on 3.x versions.

Is there any specific 4.x version that was tested with delay pools working?


I would like to report it as a bug, at least in squid-4.17, which I tested 
today.

Regards 



Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-25 Thread Ahmad Alzaeem
Here is debug result :



2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(1375) parseHttpRequest: 
Prepare absolute URL from 
2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(2106) clientParseRequests: 
local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 flags=1: done parsing 
a request
2020/05/25 12:04:58.043 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x43d98a0 add 
request 1 0x41e43f0*4
2020/05/25 12:04:58.043 kid1| 33,5| Http1Server.cc(188) buildHttpRequest: 
normalize 1 Host header using analytics.yopify.com:443
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(641) clientSetKeepaliveFlag: 
http_ver = HTTP/1.1
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(642) clientSetKeepaliveFlag: 
method = CONNECT
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This 
0x41e43f0 marked 1
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: 
comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 
55332
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: 
comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 
55332
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(2119) clientParseRequests: 
Not parsing new requests, as this request may need the connection
2020/05/25 12:04:58.044 kid1| 33,5| AsyncJob.cc(154) callEnd: Http1::Server 
status out: [ job690]
2020/05/25 12:04:58.044 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving 
Server::doClientRead(local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 
flags=1, data=0x43d9858)
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from 
45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: 
Attempt open socket for: 45.150.17.10
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: 
Opened socket local=45.150.17.10 remote=[::] FD 542 flags=1 : family=2, type=1, 
protocol=6
2020/05/25 12:04:58.064 kid1| 33,4| client_side.cc(2510) httpAccept: 
local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: accepted
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
ConnStateData::connStateClosed constructed, this=0x4024ec0 [call6687]
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
Http1::Server::requestTimeout constructed, this=0x422ab40 [call6688]
2020/05/25 12:04:58.064 kid1| 33,4| Server.cc(90) readSomeData: 
local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: reading 
request...
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
Server::doClientRead constructed, this=0x4025c50 [call6689]



I see mark 0 and mark 1, don't see any 0xd7 or so.

Thanks 

> On May 25, 2020, at 10:02 AM, Amos Jeffries  wrote:
> 
> [NP: it would help if you replied through the list instead of directly
> to me, even as a CC. Your messages keep getting diverted to spam folder. ]
> 
> On 25/05/20 4:26 am, Ahmad Alzaeem wrote:
>> Hi Amos , 
>> 
>> Sorry, I'm a bit confused …
>> 
>> Are my results expected not to work with below :
>> 
>> 
>> qos_flows mark local-hit=0xd7
>> qos_flows mark local-miss=0xd7
>> 
>> 
>> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
>> -A OUTPUT -m connmark --mark 0xd7 -j ACCEPT
>> 
>> ?
> 
> Squid should be MARK'ing packets with 0xd7.
> 
> Those iptables rules should match the packets MARK'ed with 0xd7.
> 
> Whether those statements are of any relevance depends on where your
> iptables rules are configured in relation to all other rules and chains
> your iptables is processing.
> 
> 
>> 
>> Do I need to edit squid/iptables ?
>> 
> 
> Probably iptables. But not enough info to say how.
> 
> 
> You asked about how to debug Squid MARK'ing earlier. What were the
> results of that? did you see Squid doing any marking?
> 
> 
> Amos
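An added example, not part of the original thread or of Squid: a Python helper for answering the "did you see Squid doing any marking?" question from a debug log like the one above. It rejoins records wrapped by the mail client, reads only the value after "netfilter mark" in GetMarkingsToServer records, and compares it with the expected 0xd7; lines that merely contain the word "marked" are not counted. The first three sample records are copied from the posted output; the last one is constructed and assumes the mark is logged in decimal.

```python
"""Extract netfilter marks from Squid debug output and compare with a target."""
import re

# Start of a debug record as it appears in the posted log, e.g.
# "2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) ..."
RECORD_START = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) kid\d+\| "
)
# The section 17 record that reports the mark chosen for a server connection.
MARK = re.compile(r"GetMarkingsToServer: from (\S+) netfilter mark (\w+)")

# Copied from the debug output posted in this thread, wrapping included.
POSTED = """\
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This
0x41e43f0 marked 1
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from
45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(350) comm_openex: comm_openex:
Attempt open socket for: 45.150.17.10
"""
# Constructed record, not from the thread: mark 0xd7 printed as decimal 215.
CONSTRUCTED = (
    "2020/05/25 12:04:59.000 kid1| 17,3| FwdState.cc(1339) "
    "GetMarkingsToServer: from 45.150.17.10 netfilter mark 215\n"
)
SAMPLE_LOG = POSTED + CONSTRUCTED


def join_wrapped(lines):
    """Merge continuation lines into the timestamped record they belong to."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def server_marks(log_text):
    """Return (timestamp, local_address, mark) for every marking record."""
    found = []
    for record in join_wrapped(log_text.splitlines()):
        start = RECORD_START.match(record)
        mark = MARK.search(record)
        if start and mark:
            # int(..., 0) accepts both decimal ("215") and hex ("0xd7") text.
            found.append((start.group(1), mark.group(1), int(mark.group(2), 0)))
    return found


def mismatches(log_text, expected_mark):
    """Return the marking records whose value differs from expected_mark."""
    return [entry for entry in server_marks(log_text) if entry[2] != expected_mark]


if __name__ == "__main__":
    for stamp, address, mark in server_marks(SAMPLE_LOG):
        status = "ok" if mark == 0xD7 else "not the expected 0xd7"
        print(f"{stamp} {address} netfilter mark {mark:#x}: {status}")
```
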


Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-24 Thread Ahmad Alzaeem
Hi Amos , 

Sorry, I'm a bit confused …

Are my results expected not to work with below :


qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7


-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd7 -j ACCEPT

?

Do I need to edit squid/iptables ?


Thanks 


> On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT



Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-23 Thread Ahmad Alzaeem
Tested on both OSes below:

Centos 7.7  64 bits  & Centos 6.10


Same result, squid is not marking traffic.

Is there a way to run squid in debug mode and debug to see if it's making DSCP 
or not?



Thanks 



> On May 24, 2020, at 3:15 AM, Eliezer Croitoru  wrote:
> 
> What OS?
>  
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>  
> From: Ahmad Alzaeem <mailto:0xf...@gmail.com>
> Sent: Saturday, May 23, 2020 11:40 PM
> To: Squid Users <mailto:squid-users@lists.squid-cache.org>
> Subject: Re: [squid-users] Squid marking QOS and matching marks with linux 
> iptables problem !
>  
> Hello Folks, can anyone in the mailing list help me on the case?
>  
> Thanks 
>  
>  
> > On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com 
> > <mailto:0xf...@gmail.com>> wrote:
> > 
> > Hello Folks ,
> > 
> > I'm trying to mark outgoing squid requests based on Mark linux matching.
> > 
> > I added to squid conf:
> > 
> > qos_flows mark local-hit=0xd7
> > qos_flows mark local-miss=0xd7
> > 
> > -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> > 
> > But on iptables there is no match with the mark 0xd7.
> > 
> > 
> > I'm testing marking with squid and matching with iptables, but it's not 
> > matching, always statistics = 0 on linux iptables. That means it's not 
> > matched.
> > 
> > Squid version is 4.8.
> > Also squid was compiled with the '--enable-zph-qos' flag.
> > 
> > So not sure if I need specific config for squid.
> > 
> > Following:
> > 
> > https://wiki.squid-cache.org/Features/QualityOfService 
> > <https://wiki.squid-cache.org/Features/QualityOfService>
> > 
> > Based on it we need a kernel patch for TOS, but I don't need TOS, I just 
> > need Layer 3 DSP, Linux mark rule based.
> > 
> > 
> > I even tried to match traffic by mark and connmark and both did not help.
> > 
> > -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> > -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT
> > 
> > 
> > So both rules above were not able to pick up squid marking.
> > 
> > Any help, Team, on this case?
> > 
> > 
> > Thank you
>  


Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-23 Thread Ahmad Alzaeem
Hello Folks, can anyone in the mailing list help me on the case?

Thanks 


> On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> Hello Folks ,
> 
> I'm trying to mark outgoing squid requests based on Mark linux matching.
> 
> I added to squid conf:
> 
> qos_flows mark local-hit=0xd7
> qos_flows mark local-miss=0xd7
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> 
> But on iptables there is no match with the mark 0xd7.
> 
> 
> I'm testing marking with squid and matching with iptables, but it's not 
> matching, always statistics = 0 on linux iptables. That means it's not 
> matched.
> 
> Squid version is 4.8.
> Also squid was compiled with the '--enable-zph-qos' flag.
> 
> So not sure if I need specific config for squid.
> 
> Following:
> 
> https://wiki.squid-cache.org/Features/QualityOfService
> 
> Based on it we need a kernel patch for TOS, but I don't need TOS, I just need 
> Layer 3 DSP, Linux mark rule based.
> 
> 
> I even tried to match traffic by mark and connmark and both did not help.
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT
> 
> 
> So both rules above were not able to pick up squid marking.
> 
> Any help, Team, on this case?
> 
> 
> Thank you



[squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-20 Thread Ahmad Alzaeem
Hello Folks ,

I'm trying to mark outgoing squid requests based on Linux mark matching.

I added to squid conf :

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark 0xd7 


I'm testing marking with squid and matching with iptables, but it's not matching;
the statistics are always 0 in Linux iptables. That means it's not matched.

Squid version is 4.8
Also squid was compiled with the '--enable-zph-qos' flag

So not sure if I need specific config for squid .

Following :

https://wiki.squid-cache.org/Features/QualityOfService

Based on it we need a kernel patch for TOS, but I don't need TOS; I just need 
Layer 3 DSP, Linux mark rule based.


I even tried to match traffic by mark and connmark and both did not help.

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd4 -j ACCEPT


So both rules above were not able to pick up the squid marking.

Any help from the team on this case?


Thank you 


Re: [squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Following :

https://wiki.squid-cache.org/Features/QualityOfService

Based on it we need a kernel patch for TOS, but I don't need TOS; I just need 
Layer 3 DSP, Linux mark rule based.


Thanks 


> On May 20, 2020, at 1:19 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> Hello Folks ,
> 
> I'm trying to mark outgoing squid requests based on Linux mark matching.
> 
> I added to squid conf :
> 
> qos_flows mark local-hit=0xd7
> qos_flows mark local-miss=0xd7
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> 
> But on iptables there is no match with the mark d7 
> 
> 
> I'm testing marking with squid and matching with iptables, but it's not 
> matching; the statistics are always 0 in Linux iptables. That means it's not 
> matched.
> 
> Squid version is 4.8
> Also squid was compiled with the '--enable-zph-qos' flag
> 
> So not sure if I need specific config for squid .
> 
> Thanks 


[squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Hello Folks ,

I'm trying to mark outgoing squid requests based on Linux mark matching.

I added to squid conf :

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark d7 


I'm testing marking with squid and matching with iptables, but it's not matching;
the statistics are always 0 in Linux iptables. That means it's not matched.

Squid version is 4.8
Also squid was compiled with the '--enable-zph-qos' flag

So not sure if I need specific config for squid .

Thanks 


Re: [squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
Hello Amos ,
You are correct, but our plan is to use IPV6 as much as possible.
As I said, the IPV6 of dual stack was like 98 % IPV6.

My question is how, or under which circumstances, squid can go to IPV4 as long as 
IPV6 dual stack exists? How come it used 98 % IPV6 destinations for FB, as an 
example, and 2 % FB IPV4 destinations?

Is it a random process or the DNS answer type?
Also, I have not found squid directives for this area.


Is there an option to tell squid use  DNS reply from DNS for certain 
websites always or even with certain squid process  ? And others non Dual stack 
use default case ?

Many Thanks .

> On Feb 20, 2020, at 7:31 AM, Amos Jeffries  wrote:
> 
> On 20/02/20 3:41 am, Ahmad Alzaeem wrote:
>> We just need an IPV4-IPV6 conversion system for an ISP that has run out of 
>> IPV4.
>> So we need to minimize IPV4 usage with them.
>> 
> 
> Stopping Squid from contacting IPv4 servers will not solve that problem
> in any significant way.
> 
> On the other hand using Squid in its default dual-stack form with one
> single IPv4 address. All clients can get full access to the HTTP web by
> having them contact Squid over whichever IP version they support and
> Squid does the IPv4 server part.
> 
> Amos


Re: [squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
We just need an IPV4-IPV6 conversion system for an ISP that has run out of 
IPV4.
So we need to minimize IPV4 usage with them.


Thanks 


> On Feb 19, 2020, at 5:33 PM, Alex Rousskov  
> wrote:
> 
> On 2/19/20 8:47 AM, Ahmad Alzaeem wrote:
> 
>> Is there an option for squid to use IPV6 for outgoing and always skip
>> IPV4 of websites resolving address ?
> 
> AFAIK, there is no such option. You might be able to fake it by denying
> requests on IPv4-destined connections (via Squid ACLs and/or at the OS
> level), in hope that requests on those denied connections will be
> reforwarded, but I would not recommend this clumsy approach.
> 
> However, it is easy to add a DNS forwarder that would immediately
> respond to all Squid A queries with an empty set of IPv4 addresses. If
> you cannot configure BIND/etc. to do that, then it would only take a few
> lines of code to write such a forwarder in Perl/etc. using existing DNS
> resolver libraries -- you do not need a generic forwarder; only
> something that can handle Squid queries...
> 
> What are you going to do with sites that have no IPv6 addresses?
> 
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
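
The forwarder Alex Rousskov describes in the reply above, written in Python rather than Perl: it answers every A query with an empty NOERROR reply and relays all other queries upstream. This is an added example, not code from the thread or from the Squid project; the listen address and the `build_query` helper are assumptions, and 8.8.8.8 is the resolver named in the original question.

```python
import socket
import struct

UPSTREAM = ("8.8.8.8", 53)   # resolver named in the original question
LISTEN = ("127.0.0.1", 53)   # assumption: squid.conf has dns_nameservers 127.0.0.1
QTYPE_A = 1


def parse_question(packet):
    """Return (end_offset, qtype) of the single question in a DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return pos + 4, qtype


def empty_answer(query):
    """Build a NOERROR reply with zero answers for an A query.

    Returns None for anything else (AAAA, PTR, responses, malformed input);
    the caller relays those upstream instead.
    """
    try:
        end, qtype = parse_question(query)
    except ValueError:
        return None
    flags = struct.unpack("!H", query[2:4])[0]
    if flags & 0x8000 or qtype != QTYPE_A:
        return None
    # QR=1, keep opcode and RD from the query, set RA, RCODE=0 (NOERROR).
    reply_flags = 0x8000 | (flags & 0x7900) | 0x0080
    header = query[:2] + struct.pack("!HHHHH", reply_flags, 1, 0, 0, 0)
    return header + query[12:end]


def forward(query, upstream=UPSTREAM, timeout=3.0):
    """Relay a query upstream and return the reply, or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(timeout)
        try:
            up.sendto(query, upstream)
            reply, _ = up.recvfrom(4096)
        except OSError:
            return None
    # Only accept a reply that carries the transaction ID we sent.
    return reply if reply[:2] == query[:2] else None


def serve(listen=LISTEN, upstream=UPSTREAM):
    """Answer A queries locally with no addresses; forward everything else."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(4096)
        if len(query) < 12:
            continue
        reply = empty_answer(query) or forward(query, upstream)
        if reply:
            sock.sendto(reply, client)


def build_query(name, qtype, txid=0x1234):
    """Constructed test input: a one-question recursive query (RD=1)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    serve()
```

It serves one UDP query at a time and does not handle DNS over TCP. Hosts that publish no AAAA record become unresolvable through it, which is the question Alex raises at the end of his reply.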


[squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
Say we want to test IPV4-IPV6 access for an ISP.
We want to access squid over IPV4, 
the DNS server IP on squid is 8.8.8.8

But we want DNS queries only resolved with IPV6 addresses so that squid doesn't 
pick up any IPV4 destination for a website.

I tried the dns_v4_1st directive set to off, but I had like 98 % of results with IPV6 
but still like 2 % of results as IPV4.
So as an example, if I say Facebook is IPV4/IPV6, 
I was able to get 98 % of FB destinations as IPV6, but very low results on IPV4 
IP addresses.

Is there an option for squid to use IPV6 for outgoing and always skip the IPV4 of 
websites' resolved addresses?


Thanks 





[squid-users] How to match website subdomains and all others root domains

2020-02-14 Thread Ahmad Alzaeem
Hello folks ,
How can I match all subdomains of google and all root URLs of google such as 

google.com 
google.co.uk 
Google.eu
google.us 

With an all ?





[squid-users] TCP incoming requests Traffic Normalization

2020-01-13 Thread Ahmad Alzaeem

Hello Folks .

I have about 10x sources or different IP addresses sending requests to 
squid.

Imagine we have 10 servers sending bursts sometimes due to the nature of the 
traffic. I have a sensitive app on squid that must be equalized to handle 
only 50 req/sec. "No more"

I just want to equalize all incoming requests, which can be in some seconds 60, 
40, 90, 100, 50, to have a steady 50 req/sec on squid equally, and even if we 
need to delay some packets it's OK; just keep squid handling 50 req/sec of those 
incoming requests, no more.

I know squid can limit connections and drop connections above a threshold, but I 
only need to discipline and buffer, and try to decrease dropped requests as much as 
possible, and normalize all incoming requests to be a steady 50 req/sec inside 
squid, whatever burst there is outside or higher than 50.

So again, I just need to apply that to "new requests", not to already 
"established" connections.

Let me know, guys, if squid can do something like that or if we need a 3rd party 
outside squid.


Kind regards 



[squid-users] squid log responce time %6tr or %tr ?

2019-12-22 Thread Ahmad Alzaeem
Hello Team ,

based on wiki :
http://www.squid-cache.org/Doc/config/logformat/ 

tr is response time, but I'm confused about why the default response time is configured 
as %6tr not %tr 

#
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %


Re: [squid-users] Is Squid 4.9 gone?

2019-12-20 Thread Ahmad Alzaeem
Perfect Amos 🙏

Sent from my iPhone

> On Dec 20, 2019, at 11:35 AM, Amos Jeffries  wrote:
> 
> On 20/12/19 9:03 pm, netadmin wrote:
>> 
>> At the address:
>> http://www.squid-cache.org/Versions/
>> the latest version appears as 4.8 although I am running 4.9!
>> What happened to version 4.9?
> 
> 
> I'm not entirely certain what happened there. I suspect it was just an
> oversight on my part not copying the files from the release directory to
> the web server. That has now been corrected.
> 
> As to why you could be running a version not available on the www site;
> Vendors pull their release code from any one (or several) different
> sources we provide them - our public git repository, FTP servers, or
> rsync servers.
> 
> Amos


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Can I do the same thing for https?

Thanks 

Sent from my iPhone

> On Dec 2, 2019, at 10:03 PM, Alex Rousskov  
> wrote:
> 
> On 12/2/19 1:31 PM, Ahmad Alzaeem wrote:
> 
>> Is it possible to run it from squid ?
> 
> Packet capture is usually better, especially for plain HTTP traffic, but
> you can also get raw HTTP headers in cache.log if you set debug_options
> in squid.conf to ALL,2
> 
> Alex.
> 
> 
>>>> On Dec 2, 2019, at 8:58 PM, Antony Stone 
>>>>  wrote:
>>> 
>>> On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:
>>> 
>>>> Hello Team,
>>>> 
>>>> How can i debug Headers that is between squid——> website request made
>>> 
>>> Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
>>> looking at the external interface (ie: the one pointing to the website/s).
>>> 
>>>> i need to see what squid send headers to website
>>>> and what website reply to squid .
>>> 
>>> So long as you're doing HTTP (as per your example) and not HTTPS, any 
>>> packet 
>>> sniffer and protocol analyser (wireshark is *very* good at this) will show 
>>> you 
>>> this quite easily.
>>> 
>>> 
>>> Antony.
>>> 
>>> -- 
>>> Atheism is a non-prophet-making organisation.
>>> 
>>>  Please reply to the list;
>>>please *don't* CC me.
>> 
> 


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Thank you for that .

Is it possible to run it from squid ?

Thanks 

Sent from my iPhone

> On Dec 2, 2019, at 8:58 PM, Antony Stone  
> wrote:
> 
> On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:
> 
>> Hello Team,
>> 
>> How can i debug Headers that is between squid——> website request made
> 
> Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
> looking at the external interface (ie: the one pointing to the website/s).
> 
>> i need to see what squid send headers to website
>> and what website reply to squid .
> 
> So long as you're doing HTTP (as per your example) and not HTTPS, any packet 
> sniffer and protocol analyser (wireshark is *very* good at this) will show 
> you 
> this quite easily.
> 
> 
> Antony.
> 
> -- 
> Atheism is a non-prophet-making organisation.
> 
>   Please reply to the list;
> please *don't* CC me.


[squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Hello Team,

How can I debug the headers of the request made between squid ——> website?

Say we have this simple topology:

pc ——squid —— website


—> As an example, if I run curl for some website from my device connecting to the 
squid proxy:


$ curl -x  x.x.8.187:xx433 -U abc:abc ifconfig.io/ip  -vv
*   Trying 108.61.8.187...
* TCP_NODELAY set
* Connected to x.x.8.187 (x.x.8.187) port xx433 (#0)
* Proxy auth using Basic with user 'ben'
> GET http://ifconfig.io/ip HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Mon, 02 Dec 2019 17:30:42 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Set-Cookie: __cfduid=d639c4bd01a9f8c32f0de7cb09f40671575307842; expires=Wed, 
01-Jan-20 17:30:42 GMT; path=/; domain=.ifconfig.io; HttpOnly
< CF-Cache-Status: DYNAMIC
< Alt-Svc: h3-23=":443"; ma=86400
< Server: cloudflare
< CF-RAY: 53ef07bd8d28efed-EWR
< X-Cache: MISS from squid
< Via: 1.1 xyz (squid)
< Connection: keep-alive
< 
11.22.33.44
* Connection #0 to host x.x.8.187 left intact


I believe the negotiation above is from pc <—> squid.


How can I see this kind of debug or headers at the squid — website level?

I need to see what headers squid sends to the website 
and what the website replies to squid.



Thanks 



[squid-users] Testing

2019-11-27 Thread Ahmad Alzaeem
Testing 123 .


[squid-users] squid irc channel help

2015-11-28 Thread Ahmad Alzaeem
Guys, anyone to help me to access the irc channel on squid?

http://en.irc2go.com/webchat/?net=freenode&room=squid

not working

cheers



Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Ok 


1. Have you fixed DNS so that clients are now resolving the correct addresses 
for destination servers?
No, the issue will not be solved and DNS will always resolve the IP of 
websites to the IP address of squid (http & https requests with the wrong dst 
ip will hit squid)

Again, I want to solve this issue from squid

2. Are you performing NAT *only* on the machine where Squid is running?


Yes, I have redirect rules that redirect http & https to the port that 
squid listens on.
So I have:
http_port 3128
http_port 10.159.144.206:11611 intercept

iptables:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.159.144.206:11611
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.159.144.206:11611


Do you know where that IP address comes from?  Is your DNS still broken, is 
this the IP address of the Squid server, does it mean anything at all in your 
network?

Some IPs are local and some IPs are outside, so we have port forwarding 
as well.

For now, skip the outside users and focus on the inside users.
The DNS is a separate server, different from squid, but both are on the same network.

The DNS is not broken; it will resolve some websites to the IP address of squid 
and other websites will resolve to another IP, so again I don't want to touch the 
DNS and I want to work with the current state.

> So how to let squid bypass checking it ?

It's not a matter of bypassing Squid checking it - it's a matter of making it 
correct so that the checks do not fail.

I'm open to letting squid do it and let the wrong dst IPs be forwarded well by squid.


> Is my way above wrong ?

I think so, but please answer the questions above so we can be more sure.

> U say we need proxy mode ??
> 
> How should I implement proxy mode since user will not put ip:port in 
> his browser

Use DHCP options and/or WPAD.

Assume ips are static ips on clients




Thanks again and I'm awaiting your suggestions

cheers




Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Well , what I have done is :

I configured squid http_port xx and http_port xxy intercept

And used iptables to redirect http & https to the squid ports

But it doesn't work and I have logs:

1448121527.423  10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121554.217  10.1.1.1 TCP_MISS/503 4771 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121555.574  10.1.1.1 TCP_MISS/503 4685 GET http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html


As you see the dst ip is wrong and it's spoofed with 10.159.144.206

So how to let squid bypass checking it?


Is my way above wrong?


You say we need proxy mode??

How should I implement proxy mode since the user will not put ip:port in his browser

Thanks a lot for helping

cheers
-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Antony Stone
Sent: Tuesday, November 24, 2015 3:18 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TCP-MISS 503 for wrong destination ip

On Tuesday 24 November 2015 at 13:13:17, Ahmad Alzaeem wrote:

> Guys I understand that
> 
> The question is being asked , can squid fix this issue or not?

Yes, provided you use it in configured-proxy mode, instead of intercept mode.


Antony.

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
> On Behalf Of Antony Stone Sent: Tuesday, November 24, 2015 2:42 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] TCP-MISS 503 for wrong destination ip
> 
> On Tuesday 24 November 2015 at 12:22:40, Ahmad Alzaeem wrote:
> > Hi Devs ,
> > 
> > I have a server that send to squid http/https with wrong destination 
> > ips
> 
> It has already been recommended that you fix your DNS so that it works 
> correctly / normally.
> 
> > So assume I want  to open google
> > 
> > The request hit the squid with https/http  packet with payload 
> > www.google.com with dst ip 10.0.0.1 not 
> > the real dst ip of google like 74.125.x.x
> 
> Is 10.0.0.1 the IP address of your Squid server?
> 
> > The question is being asked here is .
> > 
> > Is it possible to let squid to do another resolving again and check 
> > the right dst ip (74.125.x.x) and reach it ?
> 
> Yes - turn off intercept mode, and point the client specifically at 
> Squid as a configured proxy.  The client will then not attempt a DNS 
> lookup for the destination server, but will simply send the entire 
> request to Squid for it to look up where to send the request.
> 
> 
> Regards,
> 
> 
> Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

   Please reply to the list;
 please *don't* CC me.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
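
The log lines in this thread show the pattern the replies describe: in intercept mode Squid forwards to the packet's original destination, and when DNS points clients at the proxy, that destination is Squid's own listener. The following Python check is an added example, not code from the thread or the Squid project; it flags access.log entries whose ORIGINAL_DST peer is one of the proxy's own intercept addresses. The function names are illustrative and the fourth sample log line is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout; the elapsed field is optional here because
# some lines quoted in the thread arrived without it.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<elapsed>\d+)\s+)?(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def intercept_addresses(conf_text):
    """Collect the IPs bound by http_port/https_port lines in intercept or tproxy mode."""
    addrs = set()
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] not in ("http_port", "https_port"):
            continue
        if not {"intercept", "tproxy"} & set(tokens[2:]):
            continue
        if ":" in tokens[1]:                      # ip:port; a bare port is a wildcard bind
            addrs.add(tokens[1].rsplit(":", 1)[0].strip("[]"))
    return addrs


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def find_self_loops(lines, proxy_addrs):
    """Entries that Squid tried to fetch from its own intercept address."""
    loops = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["hier"] == "ORIGINAL_DST" and entry["peer"] in proxy_addrs:
            loops.append(entry)
    return loops


def summarize(loops):
    """Count looping requests per (client, requested host)."""
    counts = Counter()
    for entry in loops:
        url = entry["url"]
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        counts[(entry["client"], host)] += 1
    return counts


# http_port lines as posted in the thread.
SAMPLE_CONF = """
http_port 3128
#http_port 443 intercept
http_port 10.159.144.206:11611 intercept
"""

# First three lines are from the thread (re-joined); the last one is constructed.
SAMPLE_LOG = """
1448121527.423  10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121555.574  10.1.1.1 TCP_MISS/503 4685 GET http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html
1448121518.847  0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121560.101    152 10.1.1.1 TCP_MISS/200 5120 GET http://example.org/ - ORIGINAL_DST/192.0.2.10 text/html
"""

if __name__ == "__main__":
    own = intercept_addresses(SAMPLE_CONF)
    for (client, host), n in summarize(find_self_loops(SAMPLE_LOG.splitlines(), own)).items():
        print(f"{client} -> {host}: {n} request(s) sent back to the proxy itself")
```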


Re: [squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Guys I understand that 


The question is being asked , can squid fix this issue or not  ?


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Antony Stone
Sent: Tuesday, November 24, 2015 2:42 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TCP-MISS 503 for wrong destination ip

On Tuesday 24 November 2015 at 12:22:40, Ahmad Alzaeem wrote:

> Hi Devs ,
> 
> I have a server that send to squid http/https with wrong destination 
> ips

It has already been recommended that you fix your DNS so that it works 
correctly / normally.

> So assume I want  to open google
> 
> The request hit the squid with https/http  packet with payload 
> www.google.com with dst ip 10.0.0.1 not the 
> real dst ip of google like 74.125.x.x

Is 10.0.0.1 the IP address of your Squid server?

> The question is being asked here is .
> 
> Is it possible to let squid to do another resolving again and check the 
> right dst ip (74.125.x.x) and reach it ?

Yes - turn off intercept mode, and point the client specifically at Squid as a 
configured proxy.  The client will then not attempt a DNS lookup for the 
destination server, but will simply send the entire request to Squid for it to 
look up where to send the request.


Regards,


Antony.

--
Atheism is a non-prophet-making organisation.

   Please reply to the list;
 please *don't* CC me.


[squid-users] TCP-MISS 503 for wrong destination ip

2015-11-24 Thread Ahmad Alzaeem
Hi Devs,

I have a server that sends http/https to squid with wrong destination IPs.

So assume I want to open google.

The request hits the squid with an https/http packet with payload
www.google.com with dst ip 10.0.0.1, not the real
dst ip of google like 74.125.x.x

The question being asked here is:

Is it possible to let squid do another resolving again and check the right
dst ip (74.125.x.x) and reach it?

Or at least let squid skip looking at the dst ip and look only at the payload
(google.com) and try to resolve it and operate?

Is that possible on squid?

thanks



Re: [squid-users] squid intercept mode fo http & https

2015-11-23 Thread Ahmad Alzaeem

Amos , 
Is it possible to let squid be blind to the dst ip and look only at the domain 
name in the packet???

Awaiting ur reply 

Thank you 

-Original Message-
From: Ahmad Alzaeem [mailto:ahmed.za...@netstream.ps] 
Sent: Sunday, November 22, 2015 9:45 AM
To: 'Amos Jeffries'
Cc: 'squid-users@lists.squid-cache.org'
Subject: RE: [squid-users] squid intercept mode fo http & https

Amos, thank you so much for your kind reply.

The topology is complex and I can't do it like setting up the gateway to be the 
squid, and I'm forced to work on DNS.

I'm just asking, is it possible to work that way with squid?
Or
is it impossible to have it working???

I know it's weird and not popular, but I'm forced to do it that way.

So again, can we use something like redsocks or any redirector to help me with this issue?


If squid can work that way, do I need to add more directives to let it work?

As I mentioned, from the logs it gets stuck and looks up the destination ip:
1448121518.847  0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056  0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html


So if I was understanding well, I guess squid will work on the domain name, not 
on the ip, and I suppose it to work, but so far I don't know why!

Thank you Amos again, I appreciate all your help and the team's support; 
all of you were and still are nice helpers


cheers

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Sunday, November 22, 2015 3:51 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid intercept mode fo http & https

On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote:
> Thanks for your reply.
> 
> I know that my DNS is weird .
> 
> But all I need is
> I have access to DNS server , but I don’t have access to pcs to give them 
> ip:port in their browsers .
> 
> So yes , im forced to work on that way .

You should not be. Have a read through
<http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that DNS 
weirdness is not mentioned anywhere, not even as a last-resort method.



> 
> And I want to filter my websites and the only way to go internet is using the 
> proxy .
> 
> So what do you suggest ?

Try the methods listed in that wiki page for WPAD/PAC auto-configuration (aka 
"transparent proxy configuration", notice that is a 3-word phrase).
That will catch a lot of the main-stream browsers.

When that is done set up your routers for *routing* the port 80/443 traffic 
through the Squid machine. With NAT (aka "transparent interception proxy", 
notice that is a different 3-word phrase)

No DNS required in any of that.

> 
> So again, the packet goes to squid, but inside this packet is the name of the 
> website and the dst ip is the proxy ip.

Exactly. That is all Squid is given to work with.

> 
> What settings needed on squid to operate such as get the info from name and 
> skip dst ip ?
> 
>  If u look @ the log files u will understand my idea
> 

We already understand your idea. Others have had it before. The reason it is 
not popular is the extremely complicated nature of the multiple pieces of high 
performance high-uptime hardware required just to keep it from falling over 
and/or hitting the side effects you have seen so far, and many others you have 
not even got close to reaching yet. When things go wrong the clients also need 
an individual reset to clear their internal DNS caches.

Route packets to Squid (no DNS) just like normally routed packets if Squid were 
a border gateway, then NAT or TPROXY intercept into the proxy itself on the 
same machine. FAR more robust.

Amos



Re: [squid-users] squid intercept mode fo http & https

2015-11-21 Thread Ahmad Alzaeem
Amos, thank you so much for your kind reply.

The topology is complex and I can't do it like setting up the gateway to be the 
squid, and I'm forced to work on DNS.

I'm just asking, is it possible to work that way with squid?
Or
is it impossible to have it working???

I know it's weird and not popular, but I'm forced to do it that way.

So again, can we use something like redsocks or any redirector to help me with this issue?


If squid can work that way, do I need to add more directives to let it work?

As I mentioned, from the logs it gets stuck and looks up the destination ip:
1448121518.847  0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056  0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html


So if I was understanding well, I guess squid will work on the domain name, not 
on the ip, and I suppose it to work, but so far I don't know why!

Thank you Amos again, I appreciate all your help and the team's support; 
all of you were and still are nice helpers


cheers

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Sunday, November 22, 2015 3:51 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid intercept mode fo http & https

On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote:
> Thanks for your reply.
> 
> I know that my DNS is weird .
> 
> But all I need is
> I have access to DNS server , but I don’t have access to pcs to give them 
> ip:port in their browsers .
> 
> So yes , im forced to work on that way .

You should not be. Have a read through
<http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that DNS 
weirdness is not mentioned anywhere, not even as a last-resort method.



> 
> And I want to filter my websites and the only way to go internet is using the 
> proxy .
> 
> So what do you suggest ?

Try the methods listed in that wiki page for WPAD/PAC auto-configuration (aka 
"transparent proxy configuration", notice that is a 3-word phrase).
That will catch a lot of the main-stream browsers.

When that is done set up your routers for *routing* the port 80/443 traffic 
through the Squid machine. With NAT (aka "transparent interception proxy", 
notice that is a different 3-word phrase)

No DNS required in any of that.

> 
> So again, the packet goes to squid, but inside this packet is the name of the 
> website and the dst ip is the proxy ip.

Exactly. That is all Squid is given to work with.

> 
> What settings needed on squid to operate such as get the info from name and 
> skip dst ip ?
> 
>  If u look @ the log files u will understand my idea
> 

We already understand your idea. Others have had it before. The reason it is 
not popular is the extremely complicated nature of the multiple pieces of high 
performance high-uptime hardware required just to keep it from falling over 
and/or hitting the side effects you have seen so far, and many others you have 
not even got close to reaching yet. When things go wrong the clients also need 
an individual reset to clear their internal DNS caches.

Route packets to Squid (no DNS) just like normally routed packets if Squid were 
a border gateway, then NAT or TPROXY intercept into the proxy itself on the 
same machine. FAR more robust.

Amos



Re: [squid-users] squid intercept mode fo http & https

2015-11-21 Thread Ahmad Alzaeem
Thanks for your reply.

I know that my DNS is weird.

But all I need is
I have access to the DNS server, but I don't have access to the PCs to give them 
ip:port in their browsers.

So yes, I'm forced to work that way.

And I want to filter my websites, and the only way to go to the internet is using the 
proxy.

So what do you suggest?

So again, the packet goes to squid, but inside this packet is the name of the website 
and the dst ip is the proxy ip.

What settings are needed on squid to operate, such as getting the info from the name and 
skipping the dst ip?

If you look at the log files you will understand my idea

Thanks a lot for reply

cheers

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Antony Stone
Sent: Saturday, November 21, 2015 7:22 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid intercept mode fo http & https

On Saturday 21 November 2015 at 17:02:56, Ahmad Alzaeem wrote:

> Hi Guys I have a squid runnng in intercept mode

Okay...

> I have a dns to resolve all the websites to the ip of proxy

Which instructions / documentation did you follow saying that was a good idea?

> I want the proxy to be able to operate normally

Then, set up your DNS server normally as well :)

> and don't look @ the destination ip since all packet will have the 
> destination ip as the ip of proxy

I think you have the wrong idea of what "intercept mode" means.

> I want  the proxy to operate based on the domain name.

So, just route the packets to the proxy (with the *correct* destination IP
address) as per all the guidelines you can find on the Internet showing how to 
do this, and Squid will do the rest.

> So far I have the squid listenting on port 11611 interept mode and I 
> have traffic 80 , 443 hit the linux proxy server

You need to perform NAT on the same box as Squid is running on, to redirect 
packets from their original IP address, to the IP of Squid, and it will work.

Undo the weirdness you've created with DNS.

> Now I cant open either http or https .

I can only say "I'm not surprised."  You've told the clients to connect to 
Squid as a web server.  Squid finds its own IP as the destination, and gives up.

> Squid.conf :
> 
> dns_nameservers 8.8.8.8

I strongly recommend you to set up a local caching name server, and point both 
your clients, and Squid, at it.

> visible_hostname seerver.server

Have you cut and pasted this configuration file, or (mis-)typed it?

> acl localnet src xxx.0.0/16 xxx.0.0/16 192.168.0.0/16# RFC1918 possible
> internal network

You have public IPs on your internal network?

Unusual, but plausible...  I'm just checking to make sure I understand your 
network correctly.

> # Squid normally listens to port 3128
> 
> #http_port 443 intercept
> 
> http_port 10.159.144.206:11611 intercept

So, the Squid server has a private IP - this makes it all the more unusual that 
you seem to have public IPs on your internal network.

> iptables settings :
> 
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT 
> --to-destination 10.159.144.206:11611

That looks fine for a standard intercept setup.

> any help ?

Undo your DNS strangeness and let us know if it starts working.


Regards,


Antony.

--
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



[squid-users] squid intercept mode fo http & https

2015-11-21 Thread Ahmad Alzaeem
Hi Guys, I have a squid running in intercept mode.

I have a DNS server that resolves all the websites to the IP of the proxy.

I want the proxy to be able to operate normally and not look at the
destination IP, since all packets will have the destination IP as the IP of the
proxy.

I want the proxy to operate based on the domain name.

So far I have squid listening on port 11611 in intercept mode and I have
traffic on 80, 443 hitting the linux proxy server.

Now I can't open either http or https.

Here are my settings below:

 

 

Here is squid logs :

1448121483.753 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121485.740  0 xxx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121518.483  0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121518.847  0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056  0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121527.423  0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121554.217  0 xx.79.120 TCP_MISS/503 4771 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121555.574  0 xx.79.120 TCP_MISS/503 4685 GET http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html

 

 

root@ip-10-159-144-206:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 22:00:0b:f9:70:59
          inet addr:10.159.144.206  Bcast:10.159.144.255  Mask:255.255.255.192
          inet6 addr: fe80::2000:bff:fef9:7059/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27158 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:77163635 (77.1 MB)  TX bytes:8280045 (8.2 MB)

 

 

Squid.conf :

 

root@ip-10-159-144-206:~# cat /etc/squid/squid.conf

dns_nameservers 8.8.8.8



visible_hostname seerver.server

#

# Recommended minimum configuration:

#

 

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src xxx.0.0/16 xxx.0.0/16 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7   # RFC 4193 local private network range

acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

 

acl SSL_ports port 443

acl Safe_ports port 80  # http

acl Safe_ports port 21  # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70  # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

 

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

 

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

 

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

 

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

 

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

 

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

http_port 3128

# And finally deny all other access to this proxy

http_access allow all

 

# Squid normally listens to port 3128

#http_port 443 intercept

http_port 10.159.144.206:11611 intercept

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/cache/squid 100 16 256

 

# Leave coredumps in the first cache dir

coredump_dir /var/cache/squid

 

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

 

iptables settings :

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.159.144.206:11611

 

 

any help ?

 

cheers


[squid-users] squid delay pool websites execlude

2015-11-19 Thread Ahmad Alzaeem
Hi

I have a delay pool configured to limit speed to 512 per IP in the network.

But I have some websites that I want to exclude from the limit in the
pool and keep the speed open for these websites:

Say http://www.faasoft.com/downloads/f-video-converter.exe  I want to remove
this website from being affected by the pool.

I tried myself, but downloading from this website is still about 60 K, which
is 512.

Here is my config below of my trial

cheers

 

 



acl xpxp dstdomain .faasoft.com

acl only512kusers src 172.23.101.0/24
delay_pools 1
delay_class 1 2
delay_access 1 allow only512kusers
delay_parameters 1 6250/6250 62500/62500
delay_access  1  allow  only512kusers !xpxp
###

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread Ahmad Alzaeem
Sorry , didn’t understand , could you explain more ??

cheers

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of James Lay
Sent: Thursday, November 12, 2015 12:29 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid http & https intercept based on DNS server

On 2015-11-11 12:23, Ahmad Alzaeem wrote:
> Hi guys
> 
> I want to ask a question
> 
> Assume I have a dns server that resolve all the names to the ip of 
> squid
> 
> So we will have  all websites go to squid
> 
> The question is being asked here is :
> 
> If I used squid in intercept mode
> 
> Will I be able to handle http & https traffic without adding cert and 
> CA in the clients browsers' ??
> 
> Again
> 
> Will I have issues with Https in  certs ?
> 
> cheers
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

No.  Certain clients don't even use DNS, but a hardcoded IP (I'm looking at you 
TextNow).

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



[squid-users] squid http & https intercept based on DNS server

2015-11-11 Thread Ahmad Alzaeem
Hi guys

I want to ask a question

Assume I have a dns server that resolve all the names to the ip of squid

So we will have  all websites go to squid

The question is being asked here is :

If I used squid in intercept mode

Will I be able to handle http & https traffic without adding cert and CA in
the clients browsers' ??

Again

Will I have issues with Https in  certs ?

cheers

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Ahmad Alzaeem
Bro you were awesome!

Thank you, it worked

I appreciate your help a lot

I wish there was feedback in the mailing list to give you 5/5 stars

:)

cheers

 

From: Yuri Voinov [mailto:yvoi...@gmail.com] 
Sent: Wednesday, November 11, 2015 1:04 PM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] cache peer only forward http , not https !!!

 

You need to locate the URLs which must be forwarded to the parent.

If this is all URLs, the config must look like this:

never_direct allow all
cache_peer  parent  0 no-query no-digest default
cache_peer_access 127.0.0.1 allow all

And, finally, you must use Squid 3.5.x. This will not work on 3.4.x.

11.11.15 14:39, Ahmad Alzaeem wrote:

Here is what I mean 

[2.2.2-RELEASE][r...@pfsense.mne]/root: tail -f /var/squid/logs/access.log

1447234509.328   9718 172.23.101.251 TCP_MISS/200 1448 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_DIRECT/54.192.55.248 -
1447234514.482   9622 172.23.101.251 TCP_MISS/200 1448 CONNECT shavar.services.mozilla.com:443 - HIER_DIRECT/54.187.101.179 -
1447234519.858  59952 172.23.101.251 TCP_MISS/503 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1447234560.135  71105 172.23.101.251 TCP_MISS/503 0 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234575.091  60607 172.23.101.251 TCP_MISS/503 0 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- -
1447234605.998  76379 172.23.101.251 TCP_MISS/503 0 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- -
1447234651.018  75705 172.23.101.251 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - HIER_NONE/- -

 

cheers

 

From: Yuri Voinov [mailto:yvoi...@gmail.com] 
Sent: Wednesday, November 11, 2015 12:49 AM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org; 'Amos Jeffries'
Subject: Re: [squid-users] cache peer only forward http , not https !!!

 


Do you see ip:443 CONNECT records in access.log?

I.e., is your HTTPS traffic coming in to Squid?

11.11.15 1:45, Ahmad Alzaeem wrote:
> Hi I don’t have ssl pump
>
> All my users use ip:port to have internet
>
> I already have ISA windows server and it works with http and https
>
> Im wondering why all complexity needed for peer https
> !!!
>
> Anyway here is squid.conf
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 172.23.101.253:3128
> icp_port 0
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname mne
> cache_mgr aza...@mne.ps

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
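The two failure signatures in these threads can be picked out of access.log mechanically: in the intercept thread every request is logged as ORIGINAL_DST/<the proxy's own address> with a 503, and in this cache_peer thread CONNECT requests either go HIER_DIRECT or fail with HIER_NONE instead of reaching the parent. The following is an added example, not code from the posters or from the Squid project; the label names and sample log lines are constructed, and only the addresses 10.159.144.206 (proxy) and 10.12.0.32 (parent) come from the posts.

```python
import re
from collections import Counter

# Squid native access.log layout:
#   time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_0-9]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_0-9]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample lines (not copied from the threads). Clients and origin
# servers use documentation address ranges; the FIRSTUP_PARENT line shows what
# a request relayed through the parent looks like.
SAMPLE_LOG = """\
1448121485.740      0 192.0.2.120 TCP_MISS/503 4183 GET http://example.com/ - ORIGINAL_DST/10.159.144.206 text/html
1447234509.328   9718 192.0.2.51 TCP_MISS/200 1448 CONNECT tiles.example.net:443 - HIER_DIRECT/198.51.100.7 -
1447234519.858  59952 192.0.2.51 TCP_MISS/503 0 CONNECT www.example.org:443 - HIER_NONE/- -
1447234700.100    812 192.0.2.51 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 - FIRSTUP_PARENT/10.12.0.32 -
1447234701.000      3 192.0.2.51 TCP_MEM_HIT/200 900 GET http://example.com/logo.png - HIER_NONE/- image/png
this line is not an access.log entry
"""


def parse_line(line):
    """Return the fields of one native-format entry, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry, proxy_ips, parent_ips):
    """Label one entry by how Squid tried to forward it."""
    hier, peer, status = entry["hier"], entry["peer"], entry["status"]
    # Intercepted request whose original destination is the proxy itself:
    # the DNS-points-everything-at-Squid setup from the intercept thread.
    if hier == "ORIGINAL_DST" and peer in proxy_ips:
        return "intercept-loop"
    # Request was handed to the configured parent, which is the intended path.
    if peer in parent_ips:
        return "via-parent"
    # A parent is configured but Squid went straight to the origin server.
    if hier == "HIER_DIRECT" and parent_ips:
        return "bypassed-parent"
    # Squid found no usable route at all (cache hits also log HIER_NONE,
    # so the 503 status is what makes this a failure).
    if hier == "HIER_NONE" and status == 503:
        return "no-forwarding-path"
    return "ok"


def triage(lines, proxy_ips, parent_ips):
    """Return (Counter of labels, list of (label, method, url) for problem entries)."""
    counts = Counter()
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry, proxy_ips, parent_ips)
        counts[label] += 1
        if label not in ("ok", "via-parent"):
            findings.append((label, entry["method"], entry["url"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(
        SAMPLE_LOG.splitlines(),
        proxy_ips={"10.159.144.206"},
        parent_ips={"10.12.0.32"},
    )
    for label, method, url in findings:
        print(f"{label:20s} {method:8s} {url}")
    print(dict(counts))
```

Pass an empty `parent_ips` set on a proxy with no cache_peer, so that ordinary HIER_DIRECT traffic is not flagged.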


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-11 Thread Ahmad Alzaeem
Here is what I mean 

[2.2.2-RELEASE][r...@pfsense.mne]/root: tail -f /var/squid/logs/access.log 

1447234509.328   9718 172.23.101.251 TCP_MISS/200 1448 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_DIRECT/54.192.55.248 -
1447234514.482   9622 172.23.101.251 TCP_MISS/200 1448 CONNECT shavar.services.mozilla.com:443 - HIER_DIRECT/54.187.101.179 -
1447234519.858  59952 172.23.101.251 TCP_MISS/503 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1447234560.135  71105 172.23.101.251 TCP_MISS/503 0 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234569.644  70033 172.23.101.251 TCP_MISS/503 0 CONNECT tiles-cloudfront.cdn.mozilla.net:443 - HIER_NONE/- -
1447234575.091  60607 172.23.101.251 TCP_MISS/503 0 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- -
1447234605.998  76379 172.23.101.251 TCP_MISS/503 0 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- -
1447234651.018  75705 172.23.101.251 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - HIER_NONE/- -

 

cheers

 

From: Yuri Voinov [mailto:yvoi...@gmail.com] 
Sent: Wednesday, November 11, 2015 12:49 AM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org; 'Amos Jeffries'
Subject: Re: [squid-users] cache peer only forward http , not https !!!

 


Do you see ip:443 CONNECT records in access.log?

I.e., is your HTTPS traffic coming in to Squid?

11.11.15 1:45, Ahmad Alzaeem wrote:
> Hi I don’t have ssl pump
>
> All my users use ip:port to have internet
>
> I already have ISA windows server and it works with http and https
>
> Im wondering why all complexity needed for peer https
> !!!
>
> Anyway here is squid.conf
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 172.23.101.253:3128
> icp_port 0
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname mne
> cache_mgr aza...@mne.ps

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] cache peer only forward http , not https !!!

2015-11-10 Thread Ahmad Alzaeem
Hi, I don’t have ssl pump

All my users use ip:port to have internet

I already have an ISA windows server and it works with http and https

I'm wondering why all the complexity is needed for peer https !!!

Anyway, here is squid.conf

 

# This file is automatically generated by pfSense

# Do not edit manually !

 

http_port 172.23.101.253:3128

icp_port 0

dns_v4_first on

pid_filename /var/run/squid/squid.pid

cache_effective_user proxy

cache_effective_group proxy

error_default_language en

icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons

visible_hostname mne

cache_mgr aza...@mne.ps

access_log /var/squid/logs/access.log

cache_log /var/squid/logs/cache.log

cache_store_log none

netdb_filename /var/squid/logs/netdb.state

pinger_enable off

pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

 

logfile_rotate 2

debug_options rotate=2

shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)

acl localnet src  172.23.101.0/24

forwarded_for off

via off

httpd_suppress_version_string on

uri_whitespace strip

 

acl dynamic urlpath_regex cgi-bin \?

cache deny dynamic

 

cache_mem 64 MB

maximum_object_size_in_memory 256 KB

memory_replacement_policy heap GDSF

cache_replacement_policy heap LFUDA

minimum_object_size 0 KB

maximum_object_size 4 MB

cache_dir ufs /var/squid/cache 100 16 256

offline_mode off

cache_swap_low 90

cache_swap_high 95

cache allow all

 

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:    1440  20%  10080

refresh_pattern ^gopher:  1440  0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0  0%  0

refresh_pattern .    0  20%  4320

 

 

#Remote proxies

 

 

# Setup some default acls

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

# acl localhost src 127.0.0.1/32

acl allsrc src all

acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535

acl sslports port 443 563  

 

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

#acl manager proto cache_object

 

acl purge method PURGE

acl connect method CONNECT

 

# Define protocols used for redirects

acl HTTP proto HTTP

acl HTTPS proto HTTPS

http_access allow manager localhost

 

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !safeports

http_access deny CONNECT !sslports

 

# Always allow localhost connections

# From 3.2 further configuration cleanups have been done to make things easier and safer.

# The manager, localhost, and to_localhost ACL definitions are now built-in.

# http_access allow localhost

 

request_body_max_size 0 KB

 

 

 

 

delay_access 1 allow allsrc

 

# Reverse Proxy settings

 

 

# Custom options before auth

dns_nameservers 8.8.8.8 10.12.0.33

cache_peer 10.12.0.32  parent 80 0 no-query no-digest no-tproxy proxy-only

 

# Setup allowed acls

# Allow local network(s) on interface(s)

http_access allow localnet

# Default block all to be sure

http_access deny allsrc

 

 

 

cheers

 

From: Yuri Voinov [mailto:yvoi...@gmail.com] 
Sent: Tuesday, November 10, 2015 9:43 PM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] cache peer only forward http , not https !!!

 


I think we need to take a look at your squid.conf first.

10.11.15 23:18, Ahmad Alzaeem wrote:
> Thank you ,
>
> Can you just guide me for the https peer directive plz ?
> I can take care of https intercept
>
> So with http , we have directive cache_peer 10.12.0.32  parent 8080  0 no-query no-digest
>
> As ok
>
> Now what about https directive ?
> Can u help me
>
> Thanks a lot a lot a lot for your help
>
> cheers
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Tuesday, November 10, 2015 8:49 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] cache peer only forward http , not https !!!
>
> 1. You need to configure Squid with SSL Bump to capture HTTPS traffic.
> 2. You need to co

Re: [squid-users] cache peer only forward http , not https !!!

2015-11-10 Thread Ahmad Alzaeem
Thank you ,

Can you just guide me for the https peer directive plz ?
I can take care of https intercept

So with http , we have directive cache_peer 10.12.0.32  parent 8080  0 no-query no-digest

As ok

Now what about https directive ?
Can u help me

Thanks a lot a lot a lot for your help

cheers

 

 

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Yuri Voinov
Sent: Tuesday, November 10, 2015 8:49 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] cache peer only forward http , not https !!!

 


1. You need to configure Squid with SSL Bump to capture HTTPS traffic.
2. You need to configure forwarded requests with splice/no bump. :)

10.11.15 22:42, Ahmad Alzaeem wrote:
> Hi Guys I want proxy  and I want it to forward http & https to remote proxy
>
> Does the command below enogh ?
>
> cache_peer 10.12.0.32  parent 8080  0 no-query no-digest no-tproxy
> proxy-only
No.

> or I need to add other line for https ??
No.

> BTW the command line above work only for http not for https
Sure.

> Any help ?
*** DISCLAIMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLINDLY COPY-N-PASTE IT INTO 
YOUR ENVIRONMENT! ***

# Privoxy+Tor acl
acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor"

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.nobump"
acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.tor"
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

As you can see, this is just an example. The idea is described in the first two lines 
of my answer above.
This snippet works for torified sites described in the tor_url acl.
NB: I do not guarantee this will work in your environment!


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] cache peer only forward http , not https !!!

2015-11-10 Thread Ahmad Alzaeem
Hi Guys, I want a proxy and I want it to forward http & https to a remote proxy

Is the command below enough?

cache_peer 10.12.0.32  parent 8080  0 no-query no-digest no-tproxy proxy-only

or do I need to add another line for https ??

BTW the command line above works only for http, not for https

Any help ?

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] cache peer problem with Https only !!

2015-11-10 Thread Ahmad Alzaeem
Hi, I'm using pfsense with cache peer

Squid version is 3.4.10

I have a peer proxy on port 80 and I can use it with http and https

Now if I use pfsense in the middle and let pfsense go to the remote proxy
(10.12.0.32  port 80 )

And I get internet from the pfsense proxy

I only have http websites working !!!

But https websites don't work

Any help ?

Here is my pfsense config :

# This file is automatically generated by pfSense

# Do not edit manually !

 

http_port 172.23.101.253:3128

icp_port 0

dns_v4_first on

pid_filename /var/run/squid/squid.pid

cache_effective_user proxy

cache_effective_group proxy

error_default_language en

icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons

visible_hostname mne

cache_mgr aza...@mne.ps

access_log /var/squid/logs/access.log

cache_log /var/squid/logs/cache.log

cache_store_log none

netdb_filename /var/squid/logs/netdb.state

pinger_enable off

pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

 

logfile_rotate 2

debug_options rotate=2

shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)

acl localnet src  172.23.101.0/24

forwarded_for off

via off

httpd_suppress_version_string on

uri_whitespace strip

 

acl dynamic urlpath_regex cgi-bin \?

cache deny dynamic

 

cache_mem 64 MB

maximum_object_size_in_memory 256 KB

memory_replacement_policy heap GDSF

cache_replacement_policy heap LFUDA

minimum_object_size 0 KB

maximum_object_size 4 MB

cache_dir ufs /var/squid/cache 100 16 256

offline_mode off

cache_swap_low 90

cache_swap_high 95

cache allow all

 

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:    1440  20%  10080

refresh_pattern ^gopher:  1440  0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0  0%  0

refresh_pattern .    0  20%  4320

 

 

#Remote proxies

 

 

# Setup some default acls

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

# acl localhost src 127.0.0.1/32

acl allsrc src all

acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535

acl sslports port 443 563  

 

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

#acl manager proto cache_object

 

acl purge method PURGE

acl connect method CONNECT

 

# Define protocols used for redirects

acl HTTP proto HTTP

acl HTTPS proto HTTPS

http_access allow manager localhost

 

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !safeports

http_access deny CONNECT !sslports

 

# Always allow localhost connections

# From 3.2 further configuration cleanups have been done to make things easier and safer.

# The manager, localhost, and to_localhost ACL definitions are now built-in.

# http_access allow localhost

 

request_body_max_size 0 KB

 

 

 

 

delay_access 1 allow allsrc

 

# Reverse Proxy settings

 

 

# Custom options before auth

dns_nameservers 8.8.8.8 10.12.0.33

cache_peer 10.12.0.32  parent 80 0 no-query no-digest no-tproxy proxy-only

 

# Setup allowed acls

# Allow local network(s) on interface(s)

http_access allow localnet

# Default block all to be sure

http_access deny allsrc

 

 

 

 

cheers

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] normal squid , can we cahce fcebook vidoes ?

2015-10-16 Thread Ahmad Alzaeem
Thanks Amos,
What about if it was for an ISP and the ssl pump is impossible since it will break 
the privacy and will need an end user agreement to pass the websites?


I'm asking regarding facebook since it's 100 % https
And asking about youtube videos since it's 100 % https

I don’t know how companies like cachevideis & cachemara still offer video 
caching so far ??



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Friday, October 16, 2015 1:50 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] normal squid , can we cahce fcebook vidoes ?

On 16/10/2015 5:15 a.m., Ahmad Alzaeem wrote:
> Hello Guys
> 
> 
> In the past , the videos were http in youtube & facebook
> 
> Im asking simple question here 
> 

> Is it possible for me as a normal squid user to be able to cache youtube &
> facebook vidoes in https ?
> 

That depends on whether the Squid you are using has HTTPS decryption
capabilities (SSL-Bump) built.

> 
> I hear that the old companies that were caching youtube in the pas still
> working now !!!
> 
> Im wondering If that correct

Possibly. But their methods will not be the same as it was in the past.
YT content should be perfectly cacheable. But its devs have decided to
fight against letting HTTP working properly for the YT site.

> 
> 
> Im asking here , why squid don't have projects to develop youtube & facebook
> caching
> 

"Squid" is a proxy for general Internet usage. Hard-coding into it
logics to cache one specific website, which may change at any time and
break that code, it is not appropriate.

There are still people offering Squid extensions that do YT caching.
They have kind of gone underground again once it became clear that every
time anyone documented in public how to cache the videos YT developers
would suddenly change how the system worked and break that method of
caching.

FYI: SquidVideosBooster is one product that offers video caching
extensions to Squid if you are looking for one. You will need to combine
it with ssl-bump usage.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



[squid-users] normal squid , can we cahce fcebook vidoes ?

2015-10-15 Thread Ahmad Alzaeem
Hello Guys

In the past, the videos were http in youtube & facebook

I'm asking a simple question here

Is it possible for me as a normal squid user to be able to cache youtube &
facebook videos in https ?

I hear that the old companies that were caching youtube in the past are still
working now !!!

I'm wondering if that is correct

I'm asking here, why squid doesn't have projects to develop youtube & facebook
caching

thankx

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-30 Thread Ahmad Alzaeem
Thanks Amos, that was great ...

Many many many thanks to you.


Last thing, if I use basic_ncsa_auth for the 10 K ports

Do you think it will have a lot of cpu consumption?

I want the ncsa auth, but I'm not sure if it takes a lot of cpu

Waiting for your suggestion

Thanks again

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, September 30, 2015 3:46 AM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

Scalable Multi-Process (SMP) Squid is multi-process.

What you are doing here is running 5x collections (instances) of Squid 
processes (plural!).

squid1.conf
 cpu_affinity_map process_numbers=1,2 cores=1,1

squid2.conf
 cpu_affinity_map process_numbers=1,2 cores=2,2

squid3.conf
 cpu_affinity_map process_numbers=1,2 cores=3,3

squid4.conf
 cpu_affinity_map process_numbers=1,2 cores=4,4

You have now run out of cores on the machine. So perhaps splitting into
5 instances was not a great idea. Split the ports into groups of 2500 instead.

Although a 4-core machine is very tiny to be running the kind of workload
10,000 listening ports can be expected to receive. Sorry I assumed (wrongly)
that to be needing 10k ports you had hardware like an 8/16/32-core machine for
processing it.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
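
The per-instance layout from the quoted reply above (one ports file per `-n` service name, each instance tied to its own core), as an added example that is not part of the thread and not Squid's own tooling. The base port 20000, the 4 x 2500 split, the `squidN-ports.conf` file names and the `example.invalid` hostnames are assumptions; the `process_numbers=1,2 cores=N,N` form is copied from the reply.

```shell
#!/bin/sh
# Added example: generate <service_name>-ports.conf files for several Squid
# instances started with "squid -n squid1", "squid -n squid2", ...
# Assumed values (not from the thread): base port 20000, hostnames under
# example.invalid, one core per instance.

# first_port BASE PER_INSTANCE INDEX -> first port of instance INDEX (1-based)
first_port() { echo $(( $1 + ($3 - 1) * $2 )); }

# last_port BASE PER_INSTANCE INDEX -> last port of instance INDEX
last_port() { echo $(( $1 + $3 * $2 - 1 )); }

# affinity_line CORE -> mapping in the form used in the reply above:
# both process numbers of the instance tied to the same core.
affinity_line() { echo "cpu_affinity_map process_numbers=1,2 cores=$1,$1"; }

# write_instance DIR BASE PER_INSTANCE INDEX -> writes one ports file
write_instance() {
    dir=$1; base=$2; per=$3; idx=$4
    name="squid$idx"
    first=$(first_port "$base" "$per" "$idx")
    last=$(last_port "$base" "$per" "$idx")
    out="$dir/$name-ports.conf"
    {
        echo "# $name: ports $first-$last, core $idx"
        echo "unique_hostname $name.example.invalid"
        affinity_line "$idx"
        awk -v s="$first" -v e="$last" \
            'BEGIN { for (p = s; p <= e; p++) print "http_port " p }'
    } > "$out"
    echo "$out"
}

# generate DIR TOTAL_PORTS INSTANCES BASE -> one file per instance
generate() {
    dir=$1; total=$2; n=$3; base=$4
    if [ $(( total % n )) -ne 0 ]; then
        echo "ports ($total) do not divide evenly across $n instances" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        write_instance "$dir" "$base" $(( total / n )) "$i" >/dev/null || return 1
        i=$(( i + 1 ))
    done
}

# duplicate_ports DIR -> prints any port claimed by more than one instance;
# two instances binding the same port is the failure this layout must avoid.
duplicate_ports() {
    cat "$1"/squid*-ports.conf | awk '$1 == "http_port" { print $2 }' \
        | sort -n | uniq -d
}

# linux_cpus_of PID -> CPUs the process may run on (Linux /proc only).
# Linux counts CPUs from 0, cpu_affinity_map counts cores from 1, so an
# instance mapped to core N should report N-1 here.
linux_cpus_of() { awk '/^Cpus_allowed_list:/ { print $2 }' "/proc/$1/status"; }

# Run as: sh gen-ports.sh /etc/squid   (no argument: only defines functions)
if [ -n "${1:-}" ]; then generate "$1" 10000 4 20000; fi
```

Each instance picks up its own file through the `include /etc/squid/${service_name}-ports.conf` line from the earlier reply; `linux_cpus_of` can then be run against each instance's PID to confirm the mapping took effect.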


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-29 Thread Ahmad Alzaeem
Amos, when I run process # 1 by

squid -n squid1

I see process # 1 mapped to core 3

When I run instance # 2 by

squid -n squid2

I see
2015/09/29 19:03:14 kid1| WARNING: 'cpu_affinity_map' has non-existing process number(s)

That means all processes are run as process # 1 !!!

This is the issue I have

Why do all processes run as process # 1 ??

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Ahmad Alzaeem
Sent: Tuesday, September 29, 2015 9:33 PM
To: 'Amos Jeffries'
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

Hi Amos, I did, but can you tell me why that happened ??
Look @ my cpu cores for squid when it has high traffic:

  1  [*100.0%] Tasks: 29, 4 thr; 6 running
  2  [   0.0%] Load average: 2.53 0.86 0.36
  3  [   0.0%] Uptime: 2 days, 07:21:15
  4  [*  0.7%]
  Mem[#*   569/3950MB]
  Swp[0/255MB]

  PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
12350 squid  20   0  261M 77512 12488 R 20.0  1.9  4:04.68 (squid-1) -n squid1
12367 squid  20   0  265M 80736 12548 R 20.0  2.0  4:31.87 (squid-1) -n squid3
12360 squid  20   0  259M 74840 12468 R 20.0  1.9  4:04.30 (squid-1) -n squid2
12384 squid  20   0  276M 92584 12532 R 20.0  2.3  5:35.10 (squid-1) -n squid4
12478 squid  20   0  259M 74724 12468 R 20.0  1.8  3:56.48 (squid-1) -n squid5
16650 root   20   0  110M  3324  2524 R  0.0  0.1  0:02.83 htop

As you see, the 5 instances have about the same load, but it seems the cpu
mapping is not working ok !!!

I did add the command
process_numbers=1,2,3 ,4,5cores=1,2,3,4,5

to each instance of squid !!

What could I be doing wrong?

Or how to test if the processes got the cpu mapping ok or not

thanks a lot

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, September 28, 2015 11:59 PM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 28/09/2015 7:24 p.m., Ahmad Alzaeem wrote:
> Hi Amos
>
> I have 10 K
>
> I divided them into 5 files
>
> Each file has 2 K
> And each file has its own cache.log file / visible name etc
>
> The question I'm asking is:
>
> Do I need to put the directive in cpu_affinity_map
> process_numbers=1,2,3 ,4,5cores=1,2,3,4,5 in squid.conf ??
>
> Or do I need to go to each separate file of each instance and provide
> the command there

Each separated instance file needs a different mapping to use your 15+ CPU 
cores.

Think about it: you are dividing cores up between Squid instances.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-29 Thread Ahmad Alzaeem
Hi Amos, I did, but can you tell me why that happened ??
Look @ my cpu cores for squid when it has high traffic:

  1  [*100.0%] Tasks: 29, 4 thr; 6 running
  2  [   0.0%] Load average: 2.53 0.86 0.36
  3  [   0.0%] Uptime: 2 days, 07:21:15
  4  [*  0.7%]
  Mem[#*   569/3950MB]
  Swp[0/255MB]

  PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
12350 squid  20   0  261M 77512 12488 R 20.0  1.9  4:04.68 (squid-1) -n squid1
12367 squid  20   0  265M 80736 12548 R 20.0  2.0  4:31.87 (squid-1) -n squid3
12360 squid  20   0  259M 74840 12468 R 20.0  1.9  4:04.30 (squid-1) -n squid2
12384 squid  20   0  276M 92584 12532 R 20.0  2.3  5:35.10 (squid-1) -n squid4
12478 squid  20   0  259M 74724 12468 R 20.0  1.8  3:56.48 (squid-1) -n squid5
16650 root   20   0  110M  3324  2524 R  0.0  0.1  0:02.83 htop

As you see, the 5 instances have about the same load, but it seems the cpu
mapping is not working ok !!!

I did add the command
process_numbers=1,2,3 ,4,5cores=1,2,3,4,5

to each instance of squid !!

What could I be doing wrong?

Or how to test if the processes got the cpu mapping ok or not

thanks a lot

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, September 28, 2015 11:59 PM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 28/09/2015 7:24 p.m., Ahmad Alzaeem wrote:
> Hi Amos
>
> I have 10 K
>
> I divided them into 5 files
>
> Each file has 2 K
> And each file has its own cache.log file / visible name etc
>
> The question I'm asking is:
>
> Do I need to put the directive in cpu_affinity_map
> process_numbers=1,2,3 ,4,5cores=1,2,3,4,5 in squid.conf ??
>
> Or do I need to go to each separate file of each instance and provide
> the command there

Each separated instance file needs a different mapping to use your 15+ CPU 
cores.

Think about it: you are dividing cores up between Squid instances.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-27 Thread Ahmad Alzaeem
Hi Amos

I have 10 K

I divided them into 5 files

Each file has 2 K
And each file has its own cache.log file / visible name etc

The question I'm asking is:

Do I need to put the directive in cpu_affinity_map process_numbers=1,2,3
,4,5cores=1,2,3,4,5
in squid.conf ??

Or do I need to go to each separate file of each instance and provide the
command there


Thanks a lot

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, September 28, 2015 3:24 AM
To: Ahmad Alzaeem
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 27/09/2015 9:56 p.m., Ahmad Alzaeem wrote:
> Hi Amos,
> I think I got it working with multi instance. I let each instance load
> some ports and each instance has its only kid1 process.
>
> But I'm asking now where to do the cpu mapping?
>
> Is it done in squid.conf?
>
> Or for each separate instance conf file?
>
> Is my formula below correct?
>
> cpu_affinity_map process_numbers=1,2,3 cores=1,2,3
> 

That would be it yes. Just with different core numbers mapped/tied for each 
instance.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-27 Thread Ahmad Alzaeem
Forgot to mention I'm using squid version 3.5.9

thanks

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Ahmad Alzaeem
Sent: Sunday, September 27, 2015 11:57 AM
To: 'Amos Jeffries'
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

Hi Amos,
I think I got it working with multi instance. I let each instance load some
ports and each instance has its only kid1 process.

But I'm asking now where to do the cpu mapping?

Is it done in squid.conf?

Or for each separate instance conf file?

Is my formula below correct?

cpu_affinity_map process_numbers=1,2,3 cores=1,2,3


thank you so much

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Ahmad Alzaeem
Sent: Saturday, September 26, 2015 10:53 PM
To: 'Amos Jeffries'
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

Hi Amos, thanks for the reply

Regarding your description

If I have 10K ips with 10k listening ports ..

Will each squid process handle 10 K?
Or do I need to distribute the ips/ports to each process ???

cheers

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, September 25, 2015 12:44 AM
To: Ahmad Alzaeem
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 25/09/2015 9:27 a.m., Ahmad Alzaeem wrote:
> Hi Amos
> I have already 5.2

3.5.9 is the latest security release.

>
> All squid traffic goes to one of the cpus and it loads it 100 %. I don’t care
> about caching or other things
>
> All I need is to load like 20K ports and be balanced to the cores

You won't get balance on the cores. They actually work *better* when unbalanced.
It makes the core L2/L3 RAM cache work with closer to optimal contents.

With 3.5.7 or later run several Squid with:

 squid -n squid1
 squid -n squid2
 squid -n squid3
 ...

The "${service_name}" variable in squid.conf will become that "squid1", "squid2",
"squid3", etc

You need to make your squid.conf contain:
 include /etc/squid/${service_name}-ports.conf
 pid_filename /var/run/squid/${service_name}.pid
 cache_log /var/log/squid/${service_name}-cache.log

... and so on for the other directives listed in 
<http://wiki.squid-cache.org/MultipleInstances>

Make the squid1-ports.conf etc config files listing your http_port's and a 
unique_hostname for each Squid instance. Maybe access_log as well.

Also set cpu_affinity for each instance to tie them to different cores.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-27 Thread Ahmad Alzaeem
Hi Amos,
I think I got it working with multi instance.
I let each instance load some ports and each instance has its only kid1 process.

But I'm asking now where to do the cpu mapping?

Is it done in squid.conf?

Or for each separate instance conf file?

Is my formula below correct?

cpu_affinity_map process_numbers=1,2,3 cores=1,2,3


thank you so much

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Ahmad Alzaeem
Sent: Saturday, September 26, 2015 10:53 PM
To: 'Amos Jeffries'
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

Hi Amos, thanks for the reply

Regarding your description

If I have 10K ips with 10k listening ports ..

Will each squid process handle 10 K?
Or do I need to distribute the ips/ports to each process ???

cheers

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, September 25, 2015 12:44 AM
To: Ahmad Alzaeem
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 25/09/2015 9:27 a.m., Ahmad Alzaeem wrote:
> Hi Amos
> I have already 5.2

3.5.9 is the latest security release.

>
> All squid traffic goes to one of the cpus and it loads it 100 %. I don’t care
> about caching or other things
>
> All I need is to load like 20K ports and be balanced to the cores

You won't get balance on the cores. They actually work *better* when unbalanced.
It makes the core L2/L3 RAM cache work with closer to optimal contents.

With 3.5.7 or later run several Squid with:

 squid -n squid1
 squid -n squid2
 squid -n squid3
 ...

The "${service_name}" variable in squid.conf will become that "squid1", "squid2",
"squid3", etc

You need to make your squid.conf contain:
 include /etc/squid/${service_name}-ports.conf
 pid_filename /var/run/squid/${service_name}.pid
 cache_log /var/log/squid/${service_name}-cache.log

... and so on for the other directives listed in 
<http://wiki.squid-cache.org/MultipleInstances>

Make the squid1-ports.conf etc config files listing your http_port's and a 
unique_hostname for each Squid instance. Maybe access_log as well.

Also set cpu_affinity for each instance to tie them to different cores.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-26 Thread Ahmad Alzaeem
Hi Amos, thanks for the reply

Regarding your description

If I have 10K ips with 10k listening ports ..

Will each squid process handle 10 K?
Or do I need to distribute the ips/ports to each process ???

cheers

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday, September 25, 2015 12:44 AM
To: Ahmad Alzaeem
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 25/09/2015 9:27 a.m., Ahmad Alzaeem wrote:
> Hi Amos
> I have already 5.2

3.5.9 is the latest security release.

>
> All squid traffic goes to one of the cpus and it loads it 100 %. I don’t care
> about caching or other things
>
> All I need is to load like 20K ports and be balanced to the cores

You won't get balance on the cores. They actually work *better* when unbalanced.
It makes the core L2/L3 RAM cache work with closer to optimal contents.

With 3.5.7 or later run several Squid with:

 squid -n squid1
 squid -n squid2
 squid -n squid3
 ...

The "${service_name}" variable in squid.conf will become that "squid1", "squid2",
"squid3", etc

You need to make your squid.conf contain:
 include /etc/squid/${service_name}-ports.conf
 pid_filename /var/run/squid/${service_name}.pid
 cache_log /var/log/squid/${service_name}-cache.log

... and so on for the other directives listed in 
<http://wiki.squid-cache.org/MultipleInstances>

Make the squid1-ports.conf etc config files listing your http_port's and a 
unique_hostname for each Squid instance. Maybe access_log as well.

Also set cpu_affinity for each instance to tie them to different cores.

Amos


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-24 Thread Ahmad Alzaeem

Hi Alex

Thanks for answering me

As I told you

If I use 2k ips with 2 workers, squid works ok
If I use 10k ports without SMP, squid is ok

With 10K + 2 workers, we have reg timeout

I have already added the key you mentioned below, which is:

net.local.dgram.recvspace = 1262144

But when I do sysctl -p I have

error: "net.local.dgram.recvspace" is an unknown key

Any other tricks I can change with squid ???

I can use your version 3.3.11 to increase the timeout and handle more listening ports.

But I have another idea

What about I do an "if else" option

Like if process # 1, I give it 3K ports
If process # 2, I give it 3K
And so on
Will that succeed ??

Awaiting your reply about the patch and how to use it

Many thanks

-Original Message-
From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
Sent: Thursday, September 24, 2015 7:10 PM
To: squid-users@lists.squid-cache.org
Cc: Ahmad Alzaeem
Subject: Re: [squid-users] squid with SMP registeration time out when i use 10K 
opened sessions

On 09/24/2015 08:54 AM, Ahmad Alzaeem wrote:

> If I run it with no SMP 1 listening ports  , it works ok and
> problem
>
> If I run squid with 1  listening port with 2 workers ==> kid timeout
> registration

> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29995
> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29996
> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29997
> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29998
> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:2
> 2015/09/24 14:51:25 kid2| Closing HTTP port [::]:3
...
> FATAL: kid2 registration timed out

> do we need to increase timeout ?? since it takes a long time to load the
> ips.


The existing SMP http_port sharing algorithm needs lots of UDS buffer space to 
share lots of ports. You may be able to get your configuration working by 
allocating lots of UDS buffer space (sysctl net.local.dgram.recvspace and 
such), but it may turn out to be impossible for 10K ports. If there is not 
enough UDS buffer space, increasing timeout will not help.


The attached patch for Squid v3.3.11 changes the port sharing algorithm to 
minimize memory usage (at the expense of registration time). Please see the 
patch preamble for technical details. The patch worked with 3K ports (24 
workers * 128 http_ports each); the registration lasted less than 5 seconds.

I do not recall whether we have tested the patch with 10K ports -- you may need 
to increase the hard-coded kid registration timeout to handle 10K ports with a 
patched Squid.

Sorry, I do not have a patch for other Squid versions at this time.


HTH,

Alex.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] squid with SMP registeration time out when i use 10K opened sessions

2015-09-24 Thread Ahmad Alzaeem
Hi support.

I'm using my squid as a proxy for IPv6

I can use 2000 ips with 2 workers and no problem

The problem is

If I run it with no SMP 1 listening ports  , it works ok and problem

If I run squid with 1  listening port with 2 workers ==> kid timeout
registration

If I run it with no SMP , it works ok and problem

If I run it with SMP with 2 workers

I have registration timeout

2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29995
2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29996
2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29997
2015/09/24 14:51:25 kid2| Closing HTTP port [::]:29998
2015/09/24 14:51:25 kid2| Closing HTTP port [::]:2
2015/09/24 14:51:25 kid2| Closing HTTP port [::]:3
2015/09/24 14:51:25 kid2| storeDirWriteCleanLogs: Starting...
2015/09/24 14:51:25 kid2|   Finished.  Wrote 0 entries.
2015/09/24 14:51:25 kid2|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: kid2 registration timed out

===

I already removed  expanded the options

Here are my options:

]# ls -l /var/run/squid
total 0
srwxr-x--- 1 squid squid 0 Sep 24 14:23 squid-coordinator.ipc
srwxr-x--- 1 squid squid 0 Sep 24 14:47 squid-kid-1.ipc
srwxr-x--- 1 squid squid 0 Sep 24 14:51 squid-kid-2.ipc
[root@li970-79 ~]#

Here is what I have:

[root@li970-79 ~]# squid -v
Squid Cache: Version 3.5.2
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--enable-cachemgr-hostname=Ahmad-Allzaeem' '--localstartedir=/var'
'--libexecdir=/lib/squid' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-b@sic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam
,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smfb_lm'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-efsi'
'--disable-translation' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=1311072'
'--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd'
'--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=2' '--with-openssl'
'--enable-snmp' '--with-included-ltdl' '--disable-arch-native

any help Guys ??

Do we need to increase the timeout ?? since it takes a long time to load the
ips.

 

 

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users