[squid-users] using squid3 without certificate
Is there any news for using squid3 for caching https connections without install certificates in client browser manually ? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/using-squid3-without-certificate-tp4678459.html Sent from the Squid - Users mailing list archive at Nabble.com. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid eat bandwidth
with my squid server i have 1 ethernet this squid box is connected with mikrotik routerOS this mikrotik have users connected to it and in it i can redirect port 80 that come from users to squid server okay now i see that this squid take internet more than it give to users this mean it take bandwidth more than it give so it eat the bandwidth, another thing , if i stop the redirection for port 80, squid stop giving bandwidth to users and this is the true thing but the false thing is that squid keep taking bandwidth for about an hour, this mean that squid still serving files till it finish them and i dont use range_offset_limit at all, which this conf can make this problem
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676696.html
Re: [squid-users] squid eat bandwidth
if you stop and start squid yes bandwidth stop consuming, but any time you redirect users again the same problem come over, squid take bandwidth more than it give , and the opposite must be ... in the same time a lot of TCP_HIT in access.log . so ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676656.html
Re: [squid-users] squid eat bandwidth
this problem is strange , squid keep taking bandwidth for hours even if you stop the users to take from it, access.log show timedout. this is problem and not a joke
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676653.html
Re: [squid-users] squid eat bandwidth
oh really ? so remove the brake from your car !!
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676652.html
Re: [squid-users] squid eat bandwidth
when it finish eating the bandwidth then nothing show on access.log
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676644.html
Re: [squid-users] squid eat bandwidth
no range_offset_limit , i remove all of them also quick_abort min and max i put to 0 KB squid keep eating bandwidth and in access.log show TCP_HIT_TIMEDOUT and TCP_MISS_TIMEDOUT
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641p4676643.html
[squid-users] squid eat bandwidth
hello, always in traffic more than out traffic, also when i stop redirection traffic to squid squid keep eating bandwidth for few minutes, so what may be the problem is ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-eat-bandwidth-tp4676641.html
[squid-users] bump files
using squid v4 can we bump by extension files ??
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/bump-files-tp4676075.html
Re: [squid-users] peek & splice
you must install certificate otherwise you must splice all your traffic
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/peek-splice-tp4676065p4676067.html
Re: [squid-users] about sni
okay now i have this

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

but all https connections is TCP_TUNNEL/200 i need only sni requests that cant be bumped to be TCP_TUNNEL/200 !!! and the other request must bumped and decrypt !!
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/about-sni-tp4676005p4676022.html
Re: [squid-users] about sni
so am using wrong conf, please can you help me to right conf to make sni work if cant be bumped ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/about-sni-tp4676005p4676007.html
[squid-users] about sni
What are the requirements for ssl::server_name to work with SNI (squid 3.5.12) ? In principle, I want to do this (from squid.conf):

# get the public TLS metadata (includes SNI)
ssl_bump peek all
# block based on SNI matching
acl blocked ssl::server_name .example.com
ssl_bump terminate blocked
# tunnel (no decrypting) for everything else
ssl_bump splice all

Few questions regarding the pre-requisites for this to work:
- It should not be necessary to install squids cert in the client, correct ?
- squid.conf: Anything missing in next line (cert for squid ) ?
  http_port 3129 intercept ssl-bump
- Anything else required ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/about-sni-tp4676005.html
Re: [squid-users] cant bump ssl
i remove all sslproxy_* settings and the same problem, facebook on android cant be load contents like images and videos and it says

1451326656.959253 172.22.35.1 TAG_NONE/200 0 CONNECT 104.96.90.24:443 - ORIGINAL_DST/104.96.90.24 - 1
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/cant-bump-ssl-tp4675201p4675296.html
[squid-users] cant bump ssl
hello, am using squid 3.5 why i cant bump ssl connection with android my squid conf is

# SSL_BUMP_WHITE_LIST = 0 [squid_ssl/build/48]
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
# SNI Group fbcdn
acl SNIGroup5 ssl::server_name_regex -i fbcdn\.net
acl SNIGroup5 ssl::server_name_regex -i akamaihd\.net
acl SNIGroup5 ssl::server_name_regex -i i\.ytimg\.com
acl SNIGroup5 ssl::server_name_regex -i facebook\.com
# 1 BUMP rules...
ssl_bump bump ssl_step2 SNIGroup5
# 1 Splice rules...
ssl_bump splice all
sslproxy_version 0
sslproxy_options ALL
sslproxy_cert_error allow all
# Wont push the client to use udp 443 or udp 80
reply_header_access alternate-protocol deny all
#- Wont push the client to use HSTS sent by the web site
reply_header_access Strict-Transport-Security deny all
# Squid normally listens to port 3128
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3129
http_port 3128 intercept
sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/squid/ssl_db/certs/ -M 16MB
sslcrtd_children 50 startup=40 idle=1

in access.log i see TAG_NONE
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/cant-bump-ssl-tp4675201.html
Re: [squid-users] cant bump ssl
i cant understand ssl_bump rules for version 3.5 what i can do to bump this 3 domains fbcdn\.net akamaihd\.net i\.ytimg\.com
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/cant-bump-ssl-tp4675201p4675203.html
[squid-users] redirect 206 content
Hello, is there a way to redirect 206 contents to acl ? Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/redirect-206-content-tp4674501.html
Re: [squid-users] YouTube Resolution Locker Plugin for Squid Proxy Cache 3.5.x
am just giving my test for you and its up to you to solve it or not, Thanks
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/YouTube-Resolution-Locker-Plugin-for-Squid-Proxy-Cache-3-5-x-tp4674463p4674500.html
Re: [squid-users] YouTube Resolution Locker Plugin for Squid Proxy Cache 3.5.x
in debian when you do this cmd update-rc.d haarp defaults 98 it says

root@debian:/etc/init.d# update-rc.d haarp defaults 98
update-rc.d: using dependency based boot sequencing
insserv: warning: script 'haarp' missing LSB tags and overrides
insserv: warning: script 'haarpclean' missing LSB tags and overrides

this mean you need to add to this scripts at the top this lines.

### BEGIN INIT INFO
# Provides: scriptname
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/YouTube-Resolution-Locker-Plugin-for-Squid-Proxy-Cache-3-5-x-tp4674463p4674486.html
Re: [squid-users] TCP_REFRESH_MODIFIED
Dear Yuri, MR Amos is sure !! we will see a solution Dear Amos ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-REFRESH-MODIFIED-tp4674325p4674378.html
Re: [squid-users] TCP_REFRESH_MODIFIED
Loool Joe, really are you going back to V2.7 ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-REFRESH-MODIFIED-tp4674325p4674362.html
Re: [squid-users] TCP_REFRESH_MODIFIED
>>I've been trying to figure out how it happens for the last year or so.
>>Apparently everybody (all three of you...) but not me can see it happening.
>>The proxies I manage do not have it happen, and I can't seem to force it
>>to happen either unless I unmount or delete the HDD cache directories
>>while Squid is still running - which is when SWAPFAIL is the expected
>>working behaviour.

with basic squid.conf and fresh system, without any add, SWAPFAIL happen , sorry you are wrong this problem is not from three of us, but a lot of squid users dont post in this wiki, and a lot of squid users i know having the same issue. if it is not from squid then it is from what ? ReiserFS ? gdisk ? ext4 ? from what ? what you use ? which type ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-REFRESH-MODIFIED-tp4674325p4674369.html
Re: [squid-users] TCP_REFRESH_MODIFIED
You are right Yuri, its like a proxy bypassed system ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-REFRESH-MODIFIED-tp4674325p4674361.html
Re: [squid-users] how to cache youtube videos
FredT is alright , some ppl cant cache youtube but some can do it its being more complex and complicated but even so every security can be hacked ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/how-to-cache-youtube-videos-tp4674341p4674356.html
Re: [squid-users] TCP_REFRESH_MODIFIED
what joe is going to tell us is that his HIT ratio decrease and he is seeing TCP_REFRESH_MODIFIED instead of tcp_hit when he used V4 this problem is right also with tcp swapfail miss with V3.4 these strange problems is not exists ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-REFRESH-MODIFIED-tp4674325p4674338.html
Re: [squid-users] SSL3_READ_BYTES:sslv3 alert certificate unknown
yes thats right Yuri
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL3-READ-BYTES-sslv3-alert-certificate-unknown-tp4674186p4674190.html
Re: [squid-users] range_offset_limit and idm
Facing the same problem, by default if i didnt use range_offset_limit , idm download the file with multiple mirrors, all are 206 but cant be cached and hit when repeat the same url download. when i use range_offset_limit, idm download the file with 1 mirror, this will decrease the speed but it can be hit when repeat the same url download. so users have problems in this , they use idm because they need to download the file with multiple mirrors, and in the same time they need it to be hit when repeat the download file. there must be a way to cache idm downloads and make the download with multiple mirrors, right haa ? Thanks
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/range-offset-limit-and-idm-tp4673926p4673965.html
[squid-users] range_offset_limit with SSL connection
did any one try range_offset_limit with https url's ? squid crash and restart with assertion error ... same as ... http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-quot-fd-table-conn-gt-fd-halfClosedReader-NULL-quot-tt4670979.html
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/range-offset-limit-with-SSL-connection-tp4673858.html
Re: [squid-users] deny rep_mime_type
acl yt-loop dstdomain .googlevideo.com
acl type-yt rep_mime_type text/plain
store_miss deny yt-loop type-yt
send_hit deny yt-loop type-yt
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/deny-rep-mime-type-tp4673816p4673857.html
[squid-users] deny rep_mime_type
hello , can we deny rep_mime_type for specific domain ? if yes then how if no then why thank you ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/deny-rep-mime-type-tp4673816.html
Re: [squid-users] deny rep_mime_type
sorry not deny but make it miss and not hit with store_miss send_hit
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/deny-rep-mime-type-tp4673816p4673829.html
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
we wish that somebody can build a good fingerprinting algorithm for pinning clients Thank you Alex
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673516.html
[squid-users] remove old data manually
by default squid remove old data by this directive

cache_swap_low 90
cache_swap_high 95

the question now, how i can remove these data manually ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/remove-old-data-manually-tp4673480.html
Re: [squid-users] squid 3.5.5 bug 3279
update to the latest version
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4673491.html
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
i dont know, but if connection cant bump .. if connection cant established , then squid bypass this connection directly ... this is how ...
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673470.html
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
Its Okay, i dont say that we want to bump pinned connection , why squid not automatically bypass pinned connection with out decryption ?? if this happen then all problems solved ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673468.html
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
this happen with me on all apple applications, and to make them work fine you must none bump for the ip's they used, it is the same problem, same log output as yours. Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673443.html
Re: [squid-users] need help for using squid
please post your squid.conf
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/need-help-for-using-squid-tp4673338p4673341.html
Re: [squid-users] user agent
try without putting !brs in the second one and without putting !phone-brs in 1st one
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/user-agent-tp4673284p4673285.html
Re: [squid-users] user agent
like what ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/user-agent-tp4673284p4673292.html
Re: [squid-users] high volume of 'missing files' in cache....TCP_SWAPFAIL
Please Amos, this is a bug in 3.5.x in 3.4.x this problem is not exist, and i goes back to 3.4 just because of swapfail and losing a lot of data ..
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/high-volume-of-missing-files-in-cache-TCP-SWAPFAIL-tp4673203p4673262.html
Re: [squid-users] a lot of TCP_SWAPFAIL_MISS/200
yea joe i dont know why ppl dnt give this bug importance while it deduce a lot of hit ratio
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/a-lot-of-TCP-SWAPFAIL-MISS-200-tp4672011p4672636.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
I'm not sure how to fix that. then who should i talk to.. you guys should dig in source and found out its important tks any should i ask outside ??
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4672606.html
Re: [squid-users] useragent.log
ok bro thanks, and whats about the cookies that the site used ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/useragent-log-tp4672505p4672537.html
Re: [squid-users] useragent.log
this log format didnt work and nothing about useragent in access.log
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/useragent-log-tp4672505p4672508.html
Re: [squid-users] ecap and https
with this conf it work on the same site in http and not in https the site is youtube.

#request_header_access Accept-Encoding deny all
#loadable_modules /usr/local/lib/ecap_adapter_modifying.so
#ecap_enable on
#ecap_service ecapModifier respmod_precache \
#uri=ecap://e-cap.org/ecap/services/sample/modifying \
#victim=channels \
#replacement=aaa
#adaptation_access ecapModifier allow all

can you give a try ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ecap-and-https-tp4672396p4672468.html
Re: [squid-users] ecap and https
Dear Amos, you mean if the https is decrypted ? so yes it is decrypted and full url shown in access.log and not this adapter didnt work on https pages, it can edit content in http pages and not in https pages .
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ecap-and-https-tp4672396p4672462.html
Re: [squid-users] ecap and https
read the Documentation http://www.e-cap.org/Documentation
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ecap-and-https-tp4672396p4672409.html
[squid-users] squid 3.5.6 and ecap
after installing libecap and ecap_adapter and compile squid with --enable-ecap when i want to start squid i got this error

[] Restarting Squid HTTP Proxy 3.X: squid/usr/sbin/squid: error while loading shared libraries: libecap.so.3: cannot open shared object file: No such file or directory
failed!
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-6-and-ecap-tp4672387.html
Re: [squid-users] squid 3.5.6 and ecap
nano /etc/ld.so.conf
Add /usr/local/lib
ldconfig
Solved
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-6-and-ecap-tp4672387p4672394.html
[squid-users] ecap and https
when we can use ecap with https contents ? Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ecap-and-https-tp4672396.html
Re: [squid-users] ecap and https
request_header_access Accept-Encoding deny all
loadable_modules /usr/local/lib/ecap_adapter_modifying.so
ecap_enable on
ecap_service ecapModifier respmod_precache \
uri=ecap://e-cap.org/ecap/services/sample/modifying \
victim=bb \
replacement=aa
adaptation_access ecapModifier allow all

i use this conf to edit in https page content but no change happen
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ecap-and-https-tp4672396p4672400.html
Re: [squid-users] SSL connction failed due to SNI after content redirection
i have some thing like this issue ssl connection failed when using in mobile apps your patch dont solve the problem how i can tune what cause this problem ? thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-connction-failed-due-to-SNI-after-content-redirection-tp4672339p4672369.html
Re: [squid-users] SSL connction failed due to SNI after content redirection
:~/squid-3.5.6-20150716-r13865# patch -p0 --verbose sni.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--
|--- src/ssl/PeerConnector.cc
|+++ src/ssl/PeerConnector.cc
--
Patching file src/ssl/PeerConnector.cc using Plan A...
patch: malformed patch at line 16: debugs(83, 5, SNIserve sniServer);
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-connction-failed-due-to-SNI-after-content-redirection-tp4672339p4672366.html
Re: [squid-users] SSL connction failed due to SNI after content redirection
~/squid-3.5.6-20150716-r13865# patch -p0 --verbose sni.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--
|diff --git src/ssl/PeerConnector.cc src/ssl/PeerConnector.cc
|index b4dfd8f..d307665 100644
|--- src/ssl/PeerConnector.cc
|+++ src/ssl/PeerConnector.cc
--
Patching file src/ssl/PeerConnector.cc using Plan A...
Hunk #1 succeeded at 189.
Hmm... Ignoring the trailing garbage.
done
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-connction-failed-due-to-SNI-after-content-redirection-tp4672339p4672368.html
Re: [squid-users] squid 3.5.5 - assertion failed
are you using range_offset_limit option ??
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-assertion-failed-tp4672353p4672354.html
Re: [squid-users] a lot of TCP_SWAPFAIL_MISS/200
but this happen only with version 3.5 , and it increase after restarting squid or rebooting system this is bug in 3.5 and it decrease the HIT ratio , you dont think so ?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/a-lot-of-TCP-SWAPFAIL-MISS-200-tp4672011p4672311.html
Re: [squid-users] a lot of TCP_SWAPFAIL_MISS/200
Yes, I am using the AUFS cache_dir directive.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/a-lot-of-TCP-SWAPFAIL-MISS-200-tp4672011p4672316.html
Re: [squid-users] FATAL: xcalloc: Unable to allocate 18446744073527142243 blocks of 1 bytes!
Yes dear, you are right.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-xcalloc-Unable-to-allocate-18446744073527142243-blocks-of-1-bytes-tp4672309p4672314.html
Re: [squid-users] FATAL: xcalloc: Unable to allocate 18446744073527142243 blocks of 1 bytes!
Okay sir, thank you.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-xcalloc-Unable-to-allocate-18446744073527142243-blocks-of-1-bytes-tp4672309p4672318.html
Re: [squid-users] redirect TCP_NONE
In other words, and put another way: why can't we make the https request pass as tcp_tunnel and not decrypt the connection if the client did not import the certificate xD? At least the request will pass directly without decryption.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/redirect-TCP-NONE-tp4672298p4672326.html
Re: [squid-users] a lot of TCP_SWAPFAIL_MISS/200
top shows only 1 worker for squid ..

top - 16:24:51 up 5 days, 3:22, 2 users, load average: 2.06, 1.18, 0.82
Tasks: 158 total, 2 running, 156 sleeping, 0 stopped, 0 zombie
%Cpu(s): 1.7 us, 0.7 sy, 0.0 ni, 96.7 id, 0.3 wa, 0.0 hi, 0.6 si, 0.0 st
KiB Mem: 32928480 total, 29039108 used, 3889372 free, 4273996 buffers
KiB Swap: 9526268 total, 0 used, 9526268 free, 10857212 cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
25178 proxy 20 0 8607m 8.2g 6912 R 17.9 26.1 2:29.69 squid
9187 unbound 20 0 72860 24m 1208 S 0.3 0.1 1:00.63 unbound
25247 root 20 0 0 0 0 S 0.3 0.0 0:00.04 kworker/0:2
25587 root 20 0 23320 1704 1180 R 0.3 0.0 0:00.05 top
1 root 20 0 10648 760 624 S 0.0 0.0 0:03.79 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.04 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 2:25.37 ksoftirqd/0
5 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u:0
6 root rt 0 0 0 0 S 0.0 0.0 0:01.97 migration/0
7 root rt 0 0 0 0 S 0.0 0.0 0:03.82 watchdog/0
8 root rt 0 0 0 0 S 0.0 0.0 0:00.01 migration/1
10 root 20 0 0 0 0 S 0.0 0.0 0:05.54 ksoftirqd/1
12 root rt 0 0 0 0 S 0.0 0.0 0:00.69 watchdog/1
13 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/2
15 root 20 0 0 0 0 S 0.0 0.0 0:02.05 ksoftirqd/2
16 root rt 0 0 0 0 S 0.0 0.0 0:00.63 watchdog/2
17 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/3
19 root 20 0 0 0 0 S 0.0 0.0 0:01.93 ksoftirqd/3
20 root rt 0 0 0 0 S 0.0 0.0 0:00.61 watchdog/3
21 root rt 0 0 0 0 S 0.0 0.0 0:00.10 migration/4
23 root 20 0 0 0 0 S 0.0 0.0 0:00.29 ksoftirqd/4
24 root rt 0 0 0 0 S 0.0 0.0 0:00.93 watchdog/4
25 root rt 0 0 0 0 S 0.0 0.0 0:00.10 migration/5
27 root 20 0 0 0 0 S 0.0 0.0 0:00.22 ksoftirqd/5
28 root rt 0 0 0 0 S 0.0 0.0 0:00.96 watchdog/5
29 root rt 0 0 0 0 S 0.0 0.0 0:00.10 migration/6
31 root 20 0 0 0 0 S 0.0 0.0 0:00.22 ksoftirqd/6
32 root rt 0 0 0 0 S 0.0 0.0 0:00.80 watchdog/6
33 root rt 0 0 0 0 S 0.0 0.0 0:00.11 migration/7
35 root 20 0 0 0 0 S 0.0 0.0 0:00.22 ksoftirqd/7
36 root rt 0 0 0 0 S 0.0 0.0 0:00.79 watchdog/7
37 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 cpuset
38 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
39 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
40 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
41 root 20 0 0 0 0 S 0.0 0.0 6:50.08 sync_supers
42 root 20 0 0 0 0 S 0.0 0.0 0:00.01 bdi-default
43 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/a-lot-of-TCP-SWAPFAIL-MISS-200-tp4672011p4672320.html
Re: [squid-users] redirect TCP_NONE
I am using Squid-3.5.5 and am still getting TCP_NONE, and not TCP_TUNNEL automatically, if packets are not decrypted. Then what?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/redirect-TCP-NONE-tp4672298p4672303.html
[squid-users] redirect TCP_NONE
I have an idea to solve problems with sites and apps that work on port 443 but can't establish a connection through squid. I see that when this connection can't be established, TCP_NONE appears in access.log. Then why can't we use an option that, when this TCP_NONE comes for some app, redirects it to TCP_TUNNEL? Then it will be bypassed and the connection will be established without decryption, but at minimum it will work automatically, without adding ssl_bump none x.x.x.x for that IP. Who supports me?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/redirect-TCP-NONE-tp4672298.html
[squid-users] a lot of TCP_SWAPFAIL_MISS/200
After upgrading to 3.5.5 I see in cache.log:
2015/07/02 01:51:51 kid1| DiskThreadsDiskFile::openDone: (2) No such file or directory
2015/07/02 01:51:51 kid1| /cache01/2/16/AA/0016AA3B - ORIGINAL_DST/203.77.186.75 video/mp4
access.log TCP_SWAPFAIL_MISS/200
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/a-lot-of-TCP-SWAPFAIL-MISS-200-tp4672011.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
I copied from the normal log up to the assertion error. Is this enough or do you need more? Thanks Amos.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671959.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
2015/06/30 10:09:38.432 kid1| Acl.cc(138) matches: checking always_direct 2015/06/30 10:09:38.432 kid1| Acl.cc(138) matches: checking always_direct#1 2015/06/30 10:09:38.432 kid1| Acl.cc(138) matches: checking fakespeed 2015/06/30 10:09:38.432 kid1| RegexData.cc(51) match: aclRegexData::match: checking 'https://r1---sn-4g57knls.googlevideo.com/videoplayback?mime=video/mp4key=yt5ms=aumt=1435651756mv=mupn=vXBl$ 2015/06/30 10:09:38.432 kid1| RegexData.cc(62) match: aclRegexData::match: looking for '(\.*(speedtest|espeed).*\/((latency|random.*|upload)\.(jpg|txt|php)))' 2015/06/30 10:09:38.432 kid1| Acl.cc(158) matches: checked: fakespeed = 0 2015/06/30 10:09:38.432 kid1| Acl.cc(158) matches: checked: always_direct#1 = 0 2015/06/30 10:09:38.432 kid1| Acl.cc(138) matches: checking always_direct#2 2015/06/30 10:09:38.432 kid1| Acl.cc(138) matches: checking bau1 2015/06/30 10:09:38.432 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'r1---sn-4g57knls.googlevideo.com' 2015/06/30 10:09:38.432 kid1| DomainData.cc(113) match: aclMatchDomainList: 'r1---sn-4g57knls.googlevideo.com' NOT found 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: bau1 = 0 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: always_direct#2 = 0 2015/06/30 10:09:38.433 kid1| Acl.cc(138) matches: checking always_direct#3 2015/06/30 10:09:38.433 kid1| Acl.cc(138) matches: checking betty1 2015/06/30 10:09:38.433 kid1| DomainData.cc(108) match: aclMatchDomainList: checking 'r1---sn-4g57knls.googlevideo.com' 2015/06/30 10:09:38.433 kid1| DomainData.cc(113) match: aclMatchDomainList: 'r1---sn-4g57knls.googlevideo.com' NOT found 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: betty1 = 0 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: always_direct#3 = 0 2015/06/30 10:09:38.433 kid1| Acl.cc(138) matches: checking always_direct#4 2015/06/30 10:09:38.433 kid1| Acl.cc(138) matches: checking all 2015/06/30 10:09:38.433 kid1| Ip.cc(95) aclIpAddrNetworkCompare: 
aclIpAddrNetworkCompare: compare: 10.11.20.1:15088/[::] ([::]:15088) vs [::]-[::]/[::] 2015/06/30 10:09:38.433 kid1| Ip.cc(539) match: aclIpMatchIp: '10.11.20.1:15088' found 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: all = 1 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: always_direct#4 = 1 2015/06/30 10:09:38.433 kid1| Acl.cc(158) matches: checked: always_direct = 1 2015/06/30 10:09:38.433 kid1| Checklist.cc(61) markFinished: 0x2077cf098 answer ALLOWED for match 2015/06/30 10:09:38.433 kid1| cbdata.cc(426) cbdataInternalUnlock: 0x2038018=0 2015/06/30 10:09:38.433 kid1| Checklist.cc(161) checkCallback: ACLChecklist::checkCallback: 0x2077cf098 answer=ALLOWED 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x38f7288 2015/06/30 10:09:38.433 kid1| cbdata.cc(426) cbdataInternalUnlock: 0x38f7288=0 2015/06/30 10:09:38.433 kid1| peer_select.cc(194) peerCheckAlwaysDirectDone: peerCheckAlwaysDirectDone: ALLOWED 2015/06/30 10:09:38.433 kid1| peer_select.cc(200) peerCheckAlwaysDirectDone: direct = DIRECT_YES (always_direct allow) 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x7abd088 2015/06/30 10:09:38.433 kid1| peer_select.cc(441) peerSelectFoo: GET r1---sn-4g57knls.googlevideo.com 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x207709228 2015/06/30 10:09:38.433 
kid1| client_side.cc(4974) validatePinnedConnection: local=10.150.15.11:47595 remote=74.125.99.6:443 FD 132 flags=1 2015/06/30 10:09:38.433 kid1| peer_select.cc(940) peerAddFwdServer: peerAddFwdServer: adding DIRECT PINNED 2015/06/30 10:09:38.433 kid1| peer_select.cc(940) peerAddFwdServer: peerAddFwdServer: adding DIRECT HIER_DIRECT 2015/06/30 10:09:38.433 kid1| peer_select.cc(940) peerAddFwdServer: peerAddFwdServer: adding DIRECT PINNED 2015/06/30 10:09:38.433 kid1| peer_select.cc(940) peerAddFwdServer: peerAddFwdServer: adding DIRECT HIER_DIRECT 2015/06/30 10:09:38.433 kid1| cbdata.cc(492) cbdataReferenceValid: 0x7abd088 2015/06/30 10:09:38.433 kid1| peer_select.cc(258) peerSelectDnsPaths: Find IP destination for: http://cdn.youtube/id=o-ACQ6eJqVKCPZIUmKoUQvsHsrXismY31LLzsOB4swKbq-itag=135mime=video/mp4' via r1--$ 2015/06/30 10:09:38.433 kid1| ipcache.cc(501) ipcache_nbgethostbyname: ipcache_nbgethostbyname: Name 'r1---sn-4g57knls.googlevideo.com'. 2015/06/30 10:09:38.433 kid1|
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
Dear friend, your conf makes the same problem, and I don't have half_closed_clients in my conf! And these are my configure options, maybe the problem comes from them ...

./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datadir=/usr/share/squid --infodir=/usr/share/info --mandir=/usr/share/man --disable-dependency-tracking --disable-strict-error-checking --with-pthreads --with-aufs-threads=512 --enable-storeio=ufs,aufs --enable-removal-policies=lru,heap --with-aio --with-dl --disable-icmp --enable-icap-client --disable-wccp --enable-wccpv2 --enable-cache-digests --enable-http-violations --enable-linux-netfilter --enable-follow-x-forwarded-for --enable-zph-qos --with-default-user=proxy --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-swapdir=/var/spool/squid --enable-ltdl-convenience --with-filedescriptors=65536 --enable-ssl --enable-ssl-crtd --with-openssl --enable-snmp --disable-auth --disable-ipv6 --enable-arp-acl --enable-epoll --enable-referer-log --enable-truncate --disable-unlinkd --enable-useragent-log --enable-eui --enable-large-cache-files 'CFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'CXXFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'LDFLAGS=-Wl,--no-as-needed -ldl' 'CPPFLAGS=-I/usr/include/openssl'
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671924.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
acl Y-TUBE dstdomain .googlevideo.com
range_offset_limit -1 Y-TUBE

This conf makes the assertion bug. We need a solution, I am still waiting Amos. Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671919.html
Re: [squid-users] TCP_MISS/503
The requested URL could not be retrieved
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-MISS-503-tp4671863p4671864.html
[squid-users] TCP_MISS/503
Sometimes http pages give a squid error page. In access.log I see TCP_MISS/503. What could the problem be? I checked iptables and squid.conf but everything looks fine ..!! Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-MISS-503-tp4671863.html
Re: [squid-users] squid 3.5.5 bug 3279
Yes sure, can you give me the link to download chudy patch?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671817.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
I installed 3.5 and still have the same problem. This assertion error exists when I use:

acl partial dstdomain .googlevideo.com
acl partial dstdomain .youtube.com
acl partial dstdomain .mgccw.com
range_offset_limit none partial
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671821.html
Re: [squid-users] squid 3.5.5 bug 3279
Hmm, well, this patch seems to solve the problem, squid has run for 15 min till now ...
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671819.html
Re: [squid-users] problem with some ssl services
For example, the problem is in the facebook app on iphone: I need to trace the IPs, then none ssl bump these IPs to make the facebook app work. Now I am using 3.5; you said that it can do this automatically? But with which peek and splice conf? I need to give it a try. Thanks Amos.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-some-ssl-services-tp4671733p4671820.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
This patch didn't solve the problem :)
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671832.html
Re: [squid-users] squid 3.5.5 bug 3279
This patch solves the problem, it can be used in the next update. Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671830.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
I used the latest squid 3.5.5 and still get the same assertion error. Where is the patch for this bug?
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671827.html
Re: [squid-users] squid 3.5.5 bug 3279
New LWP 524]
[New LWP 766]
[New LWP 676]
[New LWP 507]
[New LWP 819]
[New LWP 849]
[New LWP 730]
[New LWP 641]
[New LWP 651]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
Core was generated by `(squid-1) -YC -f /etc/squid/squid.conf'.
Program terminated with signal 6, Aborted.
#0 0x7f9251235165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace
#0 0x7f9251235165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x7f92512383e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x7f925122e311 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00778559 in ?? ()
#4 0x7ffebcde45a0 in ?? ()
#5 0x005e5cd9 in CountHist ()
#6 0x7ffebcde4600 in ?? ()
#7 0x0001d223f458 in ?? ()
#8 0x7ffebcde47e0 in ?? ()
#9 0x00100066cb42 in ?? ()
#10 0x7ffebcde4610 in ?? ()
#11 0x0001 in ?? ()
#12 0x7ffebcde4660 in ?? ()
#13 0x0076c504 in ?? ()
#14 0x7d00 in ?? ()
#15 0x00010800 in ?? ()
#16 0x0001d223f458 in ?? ()
#17 0x00010006 in ?? ()
#18 0x in ?? ()
(gdb) frame 3
#3 0x00778559 in ?? ()
(gdb) print mem_obj->endOffset()
No symbol mem_obj in current context.
(gdb)

THIS IS THE OUTPUT OF gdb /usr/lib/debug/usr/sbin/squid3 /var/spool/squid/core
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671812.html
Re: [squid-users] squid 3.5.5 bug 3279
I can't understand you, what exactly do you want me to do? We need to solve this problem. I am using debian 7.

./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datadir=/usr/share/squid --infodir=/usr/share/info --mandir=/usr/share/man --disable-dependency-tracking --disable-strict-error-checking --with-pthreads --with-aufs-threads=512 --enable-storeio=ufs,aufs --enable-removal-policies=lru,heap --with-aio --with-dl --disable-icmp --enable-icap-client --disable-wccp --enable-wccpv2 --enable-cache-digests --enable-http-violations --enable-linux-netfilter --enable-follow-x-forwarded-for --enable-zph-qos --with-default-user=proxy --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-swapdir=/var/spool/squid --enable-ltdl-convenience --with-filedescriptors=65536 --enable-ssl --enable-ssl-crtd --with-openssl --enable-snmp --disable-auth --disable-ipv6 --enable-arp-acl --enable-epoll --enable-referer-log --enable-truncate --disable-unlinkd --enable-useragent-log --enable-eui --enable-large-cache-files 'CFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'CXXFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'LDFLAGS=-Wl,--no-as-needed -ldl' 'CPPFLAGS=-I/usr/include/openssl'
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671806.html
Re: [squid-users] squid 3.5.5 bug 3279
Test test, waiting for you Amos.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781p4671789.html
[squid-users] squid 3.5.5 bug 3279
2015/06/18 13:47:25 kid1| WARNING: 1 swapin MD5 mismatches
2015/06/18 13:47:25 kid1| Could not parse headers from on disk object
2015/06/18 13:47:25 kid1| BUG 3279: HTTP reply without Date:
2015/06/18 13:47:25 kid1| StoreEntry-key: CD091412B485DCA6E9B1F7BAE5533671
2015/06/18 13:47:25 kid1| StoreEntry-next: 0x112ad5e38
2015/06/18 13:47:25 kid1| StoreEntry-mem_obj: 0x388fef0
2015/06/18 13:47:25 kid1| StoreEntry-timestamp: -1
2015/06/18 13:47:25 kid1| StoreEntry-lastref: 1434649645
2015/06/18 13:47:25 kid1| StoreEntry-expires: -1
2015/06/18 13:47:25 kid1| StoreEntry-lastmod: -1
2015/06/18 13:47:25 kid1| StoreEntry-swap_file_sz: 0
2015/06/18 13:47:25 kid1| StoreEntry-refcount: 1
2015/06/18 13:47:25 kid1| StoreEntry-flags: DISPATCHED,PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/06/18 13:47:25 kid1| StoreEntry-swap_dirn: -1
2015/06/18 13:47:25 kid1| StoreEntry-swap_filen: -1
2015/06/18 13:47:25 kid1| StoreEntry-lock_count: 3
2015/06/18 13:47:25 kid1| StoreEntry-mem_status: 0
2015/06/18 13:47:25 kid1| StoreEntry-ping_status: 2
2015/06/18 13:47:25 kid1| StoreEntry-store_status: 1
2015/06/18 13:47:25 kid1| StoreEntry-swap_status: 0
2015/06/18 13:47:25 kid1| assertion failed: store.cc:1885: isEmpty()
2015/06/18 13:47:29 kid1| Set Current Directory to /var/spool/squid
2015/06/18 13:47:29 kid1| Starting Squid Cache version 3.5.5-20150610-r13846 for x86_64-unknown-linux-gnu...
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-5-bug-3279-tp4671781.html
Re: [squid-users] problem with some ssl services
I upgraded to 3.5.5 and I use this conf:

always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl exclude_acl ssl::server_name .yahoo.com .gmail.com .googlemail.com s.yimg.com .yahooapis.com .akamaihd.net .fbcdn.net .facebook.com .google.com
ssl_bump peek step1 all
ssl_bump splice step2 exclude_acl
ssl_bump stare step2 all
ssl_bump bump step3 all
sslproxy_cert_error allow all

but still the same problem.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-some-ssl-services-tp4671733p4671777.html
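The configuration in the message above ends with sslproxy_cert_error allow all, which tells Squid to bypass every validation error on the origin server's certificate, so on bumped connections the client only ever sees the proxy-generated certificate and gets no warning about a bad upstream one. An added example (not the poster's or the Squid project's configuration) of that weak form beside a scoped one; the ACL names and the domain internal.example.com are constructed placeholders:

```squidconf
# --- weak form, as posted: every origin certificate error is bypassed
# sslproxy_cert_error allow all

# --- scoped form: tolerate only named errors, and only for named servers
# (internal.example.com is a constructed placeholder for a server you control)
acl broken_but_trusted dstdomain internal.example.com
acl tolerated_errors ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_CERT_HAS_EXPIRED

# both ACLs must match for the error to be bypassed
sslproxy_cert_error allow broken_but_trusted tolerated_errors

# everything else fails the connection instead of being silently accepted
sslproxy_cert_error deny all
```

Run `squid -k parse` after editing to confirm the ACL names and error names are accepted by the installed build.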
Re: [squid-users] problem with some ssl services
What peek and splice conf should I use to make it work fine? I am still using 3.4, I will upgrade to 3.5.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-some-ssl-services-tp4671733p4671736.html
[squid-users] problem with some ssl services
In some applications on mobiles (ANDROID, APPLE) there is a problem with ssl connections through squid. With apps like the GOOGLE PLAY app, the facebook app and some game apps, the app will not open when I redirect traffic to squid; but when I run torch on the traffic, get the IP that is not passed, and then put this IP in ssl none bump, the app works. This happens weekly: every week I need to bypass (none ssl bump) new IPs to make these apps work fine. What causes this problem and how can we avoid facing it? Thanks.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/problem-with-some-ssl-services-tp4671733.html
Re: [squid-users] Installing certificate on Andriod to use with SSL-bump
> To be clear, I see the phone use port 443 to setup a secure session. However it rejects the certificate (as it should) and terminates the session with no data being passed. I can install my certificate on the phone, but will the android OS use that certificate for all services or only for browser sessions?

Yes, the certificate will work for all services on the Android OS, but you will get a warning message that your mobile may be monitored by a 3rd party.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Installing-certificate-on-Andriod-to-use-with-SSL-bump-tp4671645p4671732.html
[squid-users] squid stop working without any error
In cache.log I found this:

2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 11185: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 14703: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 14416: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 12458: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 10336: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 597: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 6053: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 13730: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 11108: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 8037: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 14745: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/05/15 21:06:41 kid1| ctx: enter level 0: 'http://storeid.cdn.fbcdn/p100x100/10348376_806835629388827_6352898774493962027_n.png'
2015/05/15 21:06:41 kid1| Closing HTTP port 0.0.0.0:3129
2015/05/15 21:06:41 kid1| Closing HTTP port 0.0.0.0:3128
2015/05/15 21:06:41 kid1| Closing HTTPS port 0.0.0.0:3127
2015/05/15 21:06:41 kid1| storeDirWriteCleanLogs: Starting...
2015/05/15 21:06:41 kid1| 65536 entries written so far.
2015/05/15 21:06:41 kid1| 131072 entries written so far.
2015/05/15 21:06:41 kid1| 196608 entries written so far.
2015/05/15 21:06:41 kid1| 262144 entries written so far.
2015/05/15 21:06:41 kid1| 327680 entries written so far.
2015/05/15 21:06:41 kid1| 393216 entries written so far.
2015/05/15 21:06:41 kid1| 458752 entries written so far.
2015/05/15 21:06:42 kid1| 524288 entries written so far.
2015/05/15 21:06:42 kid1| 589824 entries written so far.
2015/05/15 21:06:42 kid1| 655360 entries written so far.
2015/05/15 21:06:42 kid1| 720896 entries written so far.
2015/05/15 21:06:42 kid1| 786432 entries written so far.

After rebuilding, squid stops working; when I start it again it works for a couple of hours, then the same ... and at the end of cache.log I found this:

2015/05/15 22:09:39 kid1| Rebuilding storage in /cache05/4 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache06/1 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache06/2 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache06/3 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache06/4 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache07/1 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache07/2 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache07/3 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache07/4 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache08/1 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache08/2 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache08/3 (dirty log)
2015/05/15 22:09:39 kid1| Rebuilding storage in /cache08/4 (dirty log)
2015/05/15 22:09:39 kid1| Using Least Load store dir selection
2015/05/15 22:09:39 kid1| Set Current Directory to /var/spool/squid
2015/05/15 22:09:39 kid1| Finished loading MIME types and icons.

and no backtrace report found ...
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-stop-working-without-any-error-tp4671242.html
Re: [squid-users] Youtube redirection loop?
You are right, but this patch still works for me. I don't know if we can find a better solution for this, like you said, by acl.
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Youtube-redirection-loop-tp4671084p4671179.html
Re: [squid-users] Number of clients accessing cache: 0
root@issa:~# squidclient -h 127.0.0.1 -p 3128 mgr:info |grep "Number of"
Sending HTTP request ... done.
Number of clients accessing cache: 0
Number of HTTP requests received: 6498250
Number of ICP messages received:0
Number of ICP messages sent:0
Number of queued ICP replies: 0
Number of HTCP messages received: 0
Number of HTCP messages sent: 0
Number of file desc currently in use: 1927

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Number-of-clients-accessing-cache-0-tp4671102p4671105.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
But I am not ready to use 3.5.4 now. Can I use this patch on 3.4 without any problem? Thanks Amos.

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-fd-table-conn-fd-halfClosedReader-NULL-tp4670979p4671104.html
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
Thanks you amos for giving time, but about this part : for looping 302 on youtube acl text-html rep_mime_type text/html acl http302 http_status 302 store_miss deny text-html store_miss deny http302 send_hit deny text-html send_hit deny http302 i use this config with patch file to make youtube not making loop 302 and then videos will not open and give tv old screen with error accrued , --- src/client_side_request.cc 2014-03-09 06:40:56.0 -0300 +++ src/client_side_request.cc 2014-04-21 02:53:11.277155130 -0300 @@ -545,6 +545,16 @@ } debugs(85, 3, HERE validate IP clientConn-local non-match from Host: IP ia-in_addrs[i]); } + +if (true) { +unsigned short port = clientConn-local.port(); +debugs(85, 3, HERE [anti-forgery] Host-non-matched remote IP ( clientConn-local ) was replaced with the first Host resolved IP ( ia-in_addrs[0] : clientConn-local.port() )); +clientConn-local = ia-in_addrs[0]; +clientConn-local.port(port); +http-request-flags.hostVerified = true; +http-doCallouts(); +return; +} } debugs(85, 3, HERE FAIL: validate IP clientConn-local possible from Host:); hostHeaderVerifyFailed(local IP, any domain IP); --- src/Server.cc +++ src/Server.cc @@ -31,6 +31,7 @@ */ #include squid.h +#include acl/FilledChecklist.h #include acl/Gadgets.h #include base/TextException.h #include comm/Connection.h @@ -174,6 +175,8 @@ // give entry the reply because haveParsedReplyHeaders() expects it there entry-replaceHttpReply(theFinalReply, false); // but do not write yet haveParsedReplyHeaders(); // update the entry/reply (e.g., set timestamps) +if (EBIT_TEST(entry-flags, ENTRY_CACHABLE) blockCaching()) +entry-release(); entry-startWriting(); // write the updated entry to store return theFinalReply; 
@@ -533,6 +536,24 @@ currentOffset = partial ? theFinalReply-content_range-spec.offset : 0; } +/// whether to prevent caching of an otherwise cachable response +bool +ServerStateData::blockCaching() +{ +if (const Acl::Tree *acl = Config.accessList.storeMiss) { +// This relatively expensive check is not in StoreEntry::checkCachable: +// That method lacks HttpRequest and may be called too many times. +ACLFilledChecklist ch(acl, originalRequest(), NULL); +ch.reply = const_castHttpReply*(entry-getReply()); // ACLFilledChecklist API bug +HTTPMSGLOCK(ch.reply); +if (ch.fastCheck() != ACCESS_ALLOWED) { // when in doubt, block +debugs(20, 3, store_miss prohibits caching); +return true; +} +} +return false; +} + HttpRequest * ServerStateData::originalRequest() { --- src/Server.h +++ src/Server.h @@ -131,6 +131,8 @@ /// Entry-dependent callbacks use this check to quit if the entry went bad bool abortOnBadEntry(const char *abortReason); +bool blockCaching(); + #if USE_ADAPTATION void startAdaptation(const Adaptation::ServiceGroupPointer group, HttpRequest *cause); void adaptVirginReplyBody(const char *buf, ssize_t len); --- src/SquidConfig.h +++ src/SquidConfig.h @@ -375,6 +375,8 @@ acl_access *AlwaysDirect; acl_access *ASlists; acl_access *noCache; +acl_access *sendHit; +acl_access *storeMiss; acl_access *stats_collection; #if SQUID_SNMP --- src/cf.data.pre +++ src/cf.data.pre 
@@ -4843,18 +4843,97 @@ NAME: cache no_cache TYPE: acl_access DEFAULT: none -DEFAULT_DOC: Allow caching, unless rules exist in squid.conf. +DEFAULT_DOC: By default, this directive is unused and has no effect. LOC: Config.accessList.noCache DOC_START - A list of ACL elements which, if matched and denied, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. - - You must use the words 'allow' or 'deny' to indicate whether items - matching the ACL should be allowed or denied into the cache. + Requests denied by this directive will not be served from the cache + and their responses will not be stored in the cache. This directive + has no effect on other transactions and on already cached responses. This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + This and the two other similar caching directives listed below are + checked at different transaction processing stages, have different + access to response information, affect different cache operations, + and differ in slow ACLs support: + + * cache: Checked before Squid makes a hit/miss determination. + No access to reply information! + Denies both serving a hit and storing a miss. +
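Review bot: in the src/client_side_request.cc hunk the added block is guarded by `if (true)`, so every request that reaches it gets `hostVerified = true` and returns before the `FAIL: validate IP` debug line and hostHeaderVerifyFailed(...) that follow, which switches off the Host header forgery check for every Host/IP mismatch rather than only the YouTube case it was written for. Put the override behind a configuration option or an ACL match instead of an unconditional branch, and raise the level of the `[anti-forgery]` debugs() message above 3 so that each replaced destination address shows up in cache.log at normal verbosity.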
[squid-users] about Incorrect X509 server certificate valdidation
You mention this part:

Severity: The bug is important because it allows remote servers to bypass client certificate validation. Some attackers may also be able to use valid certificates for one domain signed by a global Certificate Authority to abuse an unrelated domain.

Do you mean that there is a way to use a certificate that is signed by a global certificate authority (trusted CA)? If yes, then we can use it and then there is no need to import our own certificate into the client browser to force it as trusted? Thanks.

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/about-Incorrect-X509-server-certificate-valdidation-tp4671042.html
[squid-users] FATAL: xcalloc: Unable to allocate 18446744073468065319 blocks of 1 bytes!
Squid Cache (Version 3.4.12): Terminated abnormally.
CPU Usage: 0.036 seconds = 0.012 user + 0.024 sys
Maximum Resident Size: 101264 KB
Page faults with physical i/o: 0
2015/05/01 12:20:04 kid1| Set Current Directory to /var/spool/squid
2015/05/01 12:20:04 kid1| Starting Squid Cache version 3.4.12 for x86_64-unknown-linux-gnu...
2015/05/01 12:20:04 kid1| Process ID 31971
2015/05/01 12:20:04 kid1| Process Roles: worker
2015/05/01 12:20:04 kid1| With 65535 file descriptors available
2015/05/01 12:20:04 kid1| Initializing IP Cache...
2015/05/01 12:20:04 kid1| DNS Socket created at 0.0.0.0, FD 7
2015/05/01 12:20:04 kid1| Adding nameserver 10.150.15.2 from /etc/resolv.conf
2015/05/01 12:20:04 kid1| helperOpenServers: Starting 40/50 'ssl_crtd' processes
2015/05/01 12:20:04 kid1| helperOpenServers: Starting 1/1 'rewriter.pl' processes
2015/05/01 12:20:04 kid1| helperOpenServers: Starting 1/1 'storeid.pl' processes
2015/05/01 12:20:04 kid1| Logfile: opening log /var/log/squid/access.log
2015/05/01 12:20:04 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
FATAL: xcalloc: Unable to allocate 18446744073468065319 blocks of 1 bytes!
Squid Cache (Version 3.4.12): Terminated abnormally.
CPU Usage: 0.032 seconds = 0.012 user + 0.020 sys
Maximum Resident Size: 101280 KB
Page faults with physical i/o: 0

root@issa:~/squid-3.4.12# gdb /usr/sbin/squid /var/spool/squid/core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as x86_64-linux-gnu.
For bug reporting instructions, please see: http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/squid...(no debugging symbols found)...done.
[New LWP 31710]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/x86_64-linux-gnu/libthread_db.so.1.
Core was generated by `(squid-1) -YC -f /etc/squid/squid.conf'.
Program terminated with signal 6, Aborted.
#0 0x7f9ccb14c165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace
#0 0x7f9ccb14c165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x7f9ccb14f3e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00628612 in fatal_dump(char const*) ()
#3 0x0085dc4d in xcalloc ()
#4 0x005bdb06 in cacheDigestInit(CacheDigest*, int, int) ()
#5 0x005bdc5f in cacheDigestCreate(int, int) ()
#6 0x006e9779 in storeDigestInit() ()
#7 0x006e071d in storeInit() ()
#8 0x0069ab1a in mainInitialize() ()
#9 0x0069b572 in SquidMain(int, char**) ()
#10 0x0069adbf in SquidMainSafe(int, char**) ()
#11 0x0069ad9c in main ()

Squid Cache: Version 3.4.12
configure options: '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var' '--libdir=/usr/lib' '--includedir=/usr/include' '--datadir=/usr/share/squid' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--disable-dependency-tracking' '--disable-strict-error-checking' '--with-pthreads' '--with-aufs-threads=512' '--enable-storeio=ufs,aufs' '--enable-removal-policies=lru,heap' '--with-aio' '--with-dl' '--disable-icmp' '--enable-icap-client' '--disable-wccp' '--enable-wccpv2' '--enable-cache-digests' '--enable-http-violations' '--enable-linux-netfilter' '--enable-follow-x-forwarded-for' '--enable-zph-qos' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-swapdir=/var/spool/squid' '--enable-ltdl-convenience' '--with-filedescriptors=65536' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-snmp' '--disable-auth' '--disable-ipv6' '--enable-arp-acl' '--enable-epoll' '--enable-referer-log' '--enable-truncate' '--disable-unlinkd' '--enable-useragent-log' '--enable-eui' '--enable-large-cache-files' 'CFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'CXXFLAGS=-march=native -mtune=native -pipe -DNUMTHREADS=512' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=-I/usr/include/openssl'

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-xcalloc-Unable-to-allocate-18446744073468065319-blocks-of-1-bytes-tp4671004.html
Re: [squid-users] FATAL: xcalloc: Unable to allocate 18446744073468065319 blocks of 1 bytes!
When I decrease cache_dir, the error disappears, but I need to use them all since my dirs are getting full ...

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-xcalloc-Unable-to-allocate-18446744073468065319-blocks-of-1-bytes-tp4671004p4671006.html
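A block count this close to 2^64, as in the FATAL line of this thread, usually means a negative signed value was converted to an unsigned size before the allocation. The C sketch below is an added example, not Squid's code and not from the posters: it decodes the reported count and models an unchecked size computation beside a checked one. The capacity and bits-per-entry inputs are constructed, and the 32-bit `int` arithmetic is an assumption the thread does not confirm.

```c
#include <stdint.h>
#include <stdio.h>

/* Block count copied from the FATAL line in the post above. */
#define REPORTED_BLOCKS UINT64_C(18446744073468065319)

/* Reinterpret an unsigned 64-bit count as two's-complement signed,
 * without relying on implementation-defined conversions. */
static int64_t as_signed64(uint64_t v)
{
    if (v <= (uint64_t)INT64_MAX)
        return (int64_t)v;
    return -(int64_t)(UINT64_MAX - v) - 1;
}

/* Same idea for 32 bits: models what a wrapped `int` would hold. */
static int32_t wrap_to_int32(uint32_t v)
{
    if (v <= (uint32_t)INT32_MAX)
        return (int32_t)v;
    return -(int32_t)(UINT32_MAX - v) - 1;
}

/* Unchecked model (assumption): bytes = (capacity * bits + 7) / 8 in
 * 32-bit int, then widened to an unsigned 64-bit allocation size.
 * The multiply is done unsigned here so the demo itself has no UB. */
static uint64_t mask_bytes_unchecked(int32_t capacity, int32_t bits_per_entry)
{
    uint32_t bits = (uint32_t)capacity * (uint32_t)bits_per_entry + 7u;
    int32_t bytes = wrap_to_int32(bits) / 8;   /* negative once wrapped */
    return (uint64_t)(int64_t)bytes;           /* sign-extends to ~2^64 */
}

/* Checked version: 0 on success, -1 if inputs are invalid or the result
 * exceeds max_bytes (a sanity cap the caller chooses). */
static int mask_bytes_checked(int64_t capacity, int64_t bits_per_entry,
                              uint64_t max_bytes, uint64_t *out)
{
    if (capacity <= 0 || bits_per_entry <= 0)
        return -1;
    if (capacity > (INT64_MAX - 7) / bits_per_entry)
        return -1;                             /* product would overflow */
    uint64_t bytes = ((uint64_t)capacity * (uint64_t)bits_per_entry + 7) / 8;
    if (bytes > max_bytes)
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    /* Constructed inputs, chosen to reproduce the reported count. */
    const int32_t capacity = 472615382, bits_per_entry = 5;
    uint64_t ok = 0;

    printf("reported count as signed: %lld\n",
           (long long)as_signed64(REPORTED_BLOCKS));
    printf("unchecked size: %llu\n",
           (unsigned long long)mask_bytes_unchecked(capacity, bits_per_entry));
    if (mask_bytes_checked(capacity, bits_per_entry, UINT64_C(1) << 32, &ok) == 0)
        printf("checked size: %llu bytes\n", (unsigned long long)ok);
    return 0;
}
```

When triaging a similar crash, decoding the count this way shows whether to look for a signed overflow upstream of the allocator rather than for real memory exhaustion.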
Re: [squid-users] assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL
squid.conf, you can see it all, and the answer to your question is no, I don't have.

# should be allowed
acl localnet src 10.11.20.0/24
acl localnet src 10.150.15.0/24
# ACL for rewriter
acl fakespeed url_regex -i \.*(speedtest|espeed).*\/((latency|random.*|upload)\.(jpg|txt|php)).*
acl rewriter-link url_regex -i ^http.*(google|googlesyndication)\.com\/(pagead|js)\/(bg|js)\/.*\.js
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -
cache_peer 10.11.20.100 parent 80 0
cache_peer_access 10.11.20.100 allow fakespeed
cache_peer_access 10.11.20.100 deny all
# OPTIONS INFLUENCING REQUEST FORWARDING
# -
never_direct allow fakespeed
never_direct deny all
always_direct deny fakespeed
# add on squid.conf to remove ads
acl ads-block url_regex -i /etc/squid/ads.block
http_access deny ads-block
http_reply_access deny ads-block
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
##Redirect some sites to storeid
# Windows update acls
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
# Windows update methods
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
# Windows updates rules
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
acl store_rewrite_list url_regex -i fbcdn\/.*(jpg|gif|png|swf)
acl store_rewrite_list url_regex -i (akamaihd|fbcdn|facebook)\.(net|com)\/.*
acl store_rewrite_list url_regex -i attachment\.fbsbx\.com
acl store_rewrite_list url_regex -i fbcdn-dragon-a\.akamaihd\.net
acl store_rewrite_list url_regex -i socialpointgames\.com
acl store_rewrite_list url_regex -i miniclipcdn\.com
acl store_rewrite_list url_regex -i syntasia\.hs\.llnwd\.net\/[a-z][0-9]+\/baseballheroes\/.*
acl store_rewrite_list url_regex -i \.google\-analytics\.com
acl store_rewrite_list url_regex -i google\-analytics\.com
acl store_rewrite_list url_regex -i video\.google\.com\/ThumbnailServer
acl store_rewrite_list url_regex -i (youtube|google).*(videoplayback|liveplay)
acl store_rewrite_list url_regex -i youtube.*(ptracking|stream_204|player_204|gen_204).*
acl store_rewrite_list url_regex -i (youtube|google|googlevideo).*videoplayback.*
acl store_rewrite_list url_regex -i c\.android\.clients\.google\.com
acl store_rewrite_list url_regex -i phobos\.apple\.com
acl store_rewrite_list url_regex -i \.apple\.com
acl store_rewrite_list url_regex -i \/speedtest\/.*(jpg|txt|png|swf)
acl store_rewrite_list url_regex -i speedtest.*\/.*(jpg|txt|png|swf)
acl store_rewrite_list url_regex -i \.youjizz\.com\/.*(3gp|mpg|flv|mp4)
acl store_rewrite_list url_regex -i \.phncdn\.com\/.*(mp4|flv|3gp|mpg|wmv)
acl store_rewrite_list url_regex -i \.cdn13\.com\/.*(flv|mp3|mp4|3gp|wmv)
acl store_rewrite_list url_regex -i \.filehippo\.com\/.*
acl store_rewrite_list url_regex -i filehippo\.com\/.*
acl store_rewrite_list url_regex -i dl\.sourceforge\.net\/project\/.*
acl store_rewrite_list url_regex -i googlevideo\.com
acl store_rewrite_list url_regex -i reverbnation\.com
acl store_rewrite_list url_regex -i c2lo\.reverbnation\.com\/audio_player\/ec_stream_song\/.*
acl store_rewrite_list url_regex -i (4shared|4shared\-china)\.com
acl store_rewrite_list url_regex -i
Re: [squid-users] installing squid 3.5.3
It works and this error is gone.

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/installing-squid-3-5-3-tp4670920p4670936.html
Re: [squid-users] Squid cache Monitoring
You can use Monitorix.

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-cache-Monitoring-tp4670937p4670938.html
Re: [squid-users] BUG 3556: FD 1563 is not an open socket.
What should I do? I upgraded to 3.5.3 because of this error:

assertion failed: comm.cc:178: fd_table[conn-fd].halfClosedReader != NULL

and now I face this error:

2015/04/26 14:07:39 kid1| assertion failed: comm.cc:887: F-type != FD_FILE

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/BUG-3556-FD-1563-is-not-an-open-socket-tp4670923p4670926.html
[squid-users] loop 302
Hello, after caching dynamic YouTube I got loop 302 for some videos. Is there any patch for this issue? Thanks.

-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/loop-302-tp4670917.html
Re: [squid-users] loop 302
--- src/Server.cc +++ src/Server.cc @@ -31,6 +31,7 @@ */ #include squid.h +#include acl/FilledChecklist.h #include acl/Gadgets.h #include base/TextException.h #include comm/Connection.h @@ -174,6 +175,8 @@ // give entry the reply because haveParsedReplyHeaders() expects it there entry-replaceHttpReply(theFinalReply, false); // but do not write yet haveParsedReplyHeaders(); // update the entry/reply (e.g., set timestamps) +if (EBIT_TEST(entry-flags, ENTRY_CACHABLE) blockCaching()) +entry-release(); entry-startWriting(); // write the updated entry to store return theFinalReply; @@ -533,6 +536,24 @@ currentOffset = partial ? theFinalReply-content_range-spec.offset : 0; } +/// whether to prevent caching of an otherwise cachable response +bool +ServerStateData::blockCaching() +{ +if (const Acl::Tree *acl = Config.accessList.storeMiss) { +// This relatively expensive check is not in StoreEntry::checkCachable: +// That method lacks HttpRequest and may be called too many times. +ACLFilledChecklist ch(acl, originalRequest(), NULL); +ch.reply = const_castHttpReply*(entry-getReply()); // ACLFilledChecklist API bug +HTTPMSGLOCK(ch.reply); +if (ch.fastCheck() != ACCESS_ALLOWED) { // when in doubt, block +debugs(20, 3, store_miss prohibits caching); +return true; +} +} +return false; +} + HttpRequest * ServerStateData::originalRequest() { --- src/Server.h +++ src/Server.h @@ -131,6 +131,8 @@ /// Entry-dependent callbacks use this check to quit if the entry went bad bool abortOnBadEntry(const char *abortReason); +bool blockCaching(); + #if USE_ADAPTATION void startAdaptation(const Adaptation::ServiceGroupPointer group, HttpRequest *cause); void adaptVirginReplyBody(const char *buf, ssize_t len); --- src/SquidConfig.h +++ src/SquidConfig.h @@ -375,6 +375,8 @@ acl_access *AlwaysDirect; acl_access *ASlists; acl_access *noCache; +acl_access *sendHit; +acl_access *storeMiss; acl_access *stats_collection; #if SQUID_SNMP --- src/cf.data.pre +++ src/cf.data.pre 
@@ -4843,18 +4843,97 @@ NAME: cache no_cache TYPE: acl_access DEFAULT: none -DEFAULT_DOC: Allow caching, unless rules exist in squid.conf. +DEFAULT_DOC: By default, this directive is unused and has no effect. LOC: Config.accessList.noCache DOC_START - A list of ACL elements which, if matched and denied, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. - - You must use the words 'allow' or 'deny' to indicate whether items - matching the ACL should be allowed or denied into the cache. + Requests denied by this directive will not be served from the cache + and their responses will not be stored in the cache. This directive + has no effect on other transactions and on already cached responses. This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + This and the two other similar caching directives listed below are + checked at different transaction processing stages, have different + access to response information, affect different cache operations, + and differ in slow ACLs support: + + * cache: Checked before Squid makes a hit/miss determination. + No access to reply information! + Denies both serving a hit and storing a miss. + Supports both fast and slow ACLs. + * send_hit: Checked after a hit was detected. + Has access to reply (hit) information. + Denies serving a hit only. + Supports fast ACLs only. + * store_miss: Checked before storing a cachable miss. + Has access to reply (miss) information. + Denies storing a miss only. + Supports fast ACLs only. + + If you are not sure which of the three directives to use, apply the + following decision logic: + + * If your ACL(s) are of slow type _and_ need response info, redesign. + Squid does not support that particular combination at this time. 
+Otherwise: + * If your directive ACL(s) are of slow type, use cache; and/or + * if your directive ACL(s) need no response info, use cache. +Otherwise: + * If you do not want the response cached, use store_miss; and/or + * if you do not want a hit on a cached response, use send_hit. +DOC_END + +NAME: send_hit +TYPE: acl_access +DEFAULT: none +DEFAULT_DOC: By default, this directive is unused and has no effect. +LOC: Config.accessList.sendHit +DOC_START + Responses denied by this directive will not be served from the cache + (but may still be cached, see store_miss). This
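Review bot: ServerStateData::blockCaching() in the src/Server.cc hunk evaluates store_miss with ch.fastCheck() only and treats every result other than ACCESS_ALLOWED as a block, so a store_miss rule that fastCheck() cannot resolve stops caching with nothing more than a level 3 debugs() line to show for it. The cf.data.pre text says store_miss supports fast ACLs only; a warning when such a rule is parsed would make that misconfiguration visible to the administrator. The const_cast line carrying the comment "ACLFilledChecklist API bug" should also name the bug it works around, so the cast can be removed once that is fixed.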