[squid-users] youtube video, caching, disabling QUIC

2015-12-31 Thread Massimo . Sala
When you request a video on Youtube, its web servers send two new HTTP 
headers to the browser :

alt-svc
alternate-protocol

suggesting to the browser to switch to the new protocol QUIC.


Unfortunately

1) QUIC, working over UDP, is not cacheable by squid 3.4

2) even if cacheable, IT admins have to upgrade many tools to support and 
account videos over QUIC ( proxy, firewall, bandwidth shaping, etc... )

See :
http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol


We want to disable QUIC, so the servers and browsers fall back to normal 
HTTP for videos.

---

I asked in another thread

3) support for Alternate-Protocol HTTP header.


Amos' answer :

As for #3, the Alternate-Protocol header patch is just automating these 
squid.conf settings, which you can use explicitly in any Squid version:

  acl AP rep_header_regex Alternate-Protocol .
  reply_header_access deny AP


With that syntax :

squid3 -k reconfigure

2015/12/31 14:34:21| FATAL: Invalid ACL type 'rep_header_regex'
FATAL: Bungled /etc/squid3/squid.conf line 43: acl AP rep_header_regex alternate-protocol .
Squid Cache (Version 3.4.8): Terminated abnormally.
CPU Usage: 0.016 seconds = 0.008 user + 0.008 sys
Maximum Resident Size: 37936 KB
Page faults with physical i/o: 0



Is it rep_header, not rep_header_regex ?

Is it reply_header_access with 3 parameters ?

From 
http://www.squid-cache.org/Versions/v3/3.4/cfgman/reply_header_access.html
Usage: reply_header_access header_name allow|deny [!]aclname ...


Which is the correct syntax to suppress in the replies these headers ?
alt-svc
alternate-protocol

best regards, Sala
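
An added example, not part of the original message and not Squid's own code: a small checker that tests reply_header_access lines against the usage string quoted above. It checks argument shape and ACL references only, not whether a given Squid build recognises the ACL type or the header name; AS_USAGE is constructed for illustration.

```python
# Usage string quoted in the message above (Squid 3.4 cfgman):
#   reply_header_access header_name allow|deny [!]aclname ...
BUILTIN_ACLS = {"all"}  # "all" is predefined in Squid 3.x

def lint_reply_header_access(conf_text):
    """Return [(line_no, problem)] for reply_header_access lines that break the usage."""
    defined = set(BUILTIN_ACLS)
    problems = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])          # ACLs must be defined before use
            continue
        if tokens[0] != "reply_header_access":
            continue
        args = tokens[1:]
        if args and args[0] in ("allow", "deny"):
            problems.append((no, "header_name missing before '%s'" % args[0]))
            continue
        if len(args) < 3:
            problems.append((no, "need header_name, allow|deny and at least one ACL"))
            continue
        if args[1] not in ("allow", "deny"):
            problems.append((no, "second argument must be allow or deny, got '%s'" % args[1]))
        for name in args[2:]:
            if name.lstrip("!") not in defined:
                problems.append((no, "undefined ACL '%s'" % name.lstrip("!")))
    return problems

# The two lines exactly as posted in the thread.
AS_POSTED = "acl AP rep_header_regex Alternate-Protocol .\nreply_header_access deny AP\n"
# Constructed lines shaped after the usage string, one per header named in the message.
AS_USAGE = ("reply_header_access Alternate-Protocol deny all\n"
            "reply_header_access Alt-Svc deny all\n")

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("per usage", AS_USAGE)):
        print(label, lint_reply_header_access(conf) or "ok")
```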

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid3 / debian stable / please update to 3.4.14

2015-12-31 Thread Massimo . Sala
Hi Amos

> Hi Massimo, why cc'ing squid-users? nothing this list can do about it.


Package update : I know, it is a topic for debian users and package 
maintainer, so strictly speaking it is off-topic.

youtube video, disabling QUIC : I think it will be of general interest, I 
switch to a new thread for it.


Two subjects in one Email, excuse me !

Many thanks, Sala




Amos Jeffries
31/12/2015 10:43

To: massimo.s...@asl.bergamo.it
cc: lu...@debian.org,
Subject: Re: [squid-users] squid3 / debian stable / please update to 3.4.14

On 2015-12-30 03:26, massimo.s...@asl.bergamo.it wrote:
> ciao Luigi
> 
> I ask to update the distro to squid 3.4.14, the last stable version,
> released in august.
> 
> Rationale :
> 1) various bugs and memory leaks fixed;
> 2) security fix for CVE 2015 5400;
> 3) support for Alternate-Protocol HTTP header.
> 
> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
> videos.
> 



Anyhow, the Debian 3.4.8-6 package has already been patched to contain 
the important fixes from later upstream 3.4 releases.
<http://metadata.ftp-master.debian.org/changelogs/main/s/squid3/squid3_3.4.8-6+deb8u1_changelog>

(that covers your #1 and #2 items)

All it lacks is the minor changes which AFAIK do not meet the criteria 
required for acceptance into the Debian stable distro.

If you need custom build with other features (such as HTTPS support), 
you are better off building the more up to date 3.5 version available 
from Stretch/Testing repository.


As for #3, the Alternate-Protocol header patch is just automating these 
squid.conf settings, which you can use explicitly in any Squid version:

  acl AP rep_header_regex Alternate-Protocol .
  reply_header_access deny AP


HTH
Amos





[squid-users] squid3 / debian stable / please update to 3.4.14

2015-12-29 Thread Massimo . Sala
ciao Luigi

I ask to update the distro to squid 3.4.14, the last stable version, 
released in august.

Rationale :
1) various bugs and memory leaks fixed;
2) security fix for CVE 2015 5400;
3) support for Alternate-Protocol HTTP header.

I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache 
videos.

References :
https://packages.debian.org/jessie/squid3

ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt
http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol


Best regards, Massimo



Re: [squid-users] squid 3.4, dstdomain

2015-12-11 Thread Massimo . Sala
> Massimo

>> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
>> 'addons.mozilla.org'



Francesco aka Kinkie

> No bug, it is really intentional: ".addons.mozilla.org" also matches
> "addons.mozilla.org" (without the dot).


Francesco, thank you for the explanation.

Is it possible to add it to the official docs ?

ciao, Massimo 
massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici
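
An added example, not part of the original message and not Squid's own code: the dstdomain rule as quoted in this thread (a leading dot matches the domain itself and its subdomains, no dot matches that hostname only), plus a check for list entries that a wider entry already covers. The sample list is constructed.

```python
def dstdomain_match(entry, host):
    """True if a dstdomain entry matches host, following the rule quoted above."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        # ".example.org" matches "example.org" and anything ending in ".example.org"
        return host == entry[1:] or host.endswith(entry)
    return host == entry  # no leading dot: that hostname only

def redundant_entries(entries):
    """Return (narrow, wide) pairs where 'wide' already matches all that 'narrow' does."""
    pairs = []
    for narrow in entries:
        for wide in entries:
            if not wide.startswith(".") or narrow.lower() == wide.lower():
                continue
            # If the base name of 'narrow' falls under 'wide', so does
            # every subdomain that 'narrow' could match.
            if dstdomain_match(wide, narrow.lstrip(".")):
                pairs.append((narrow, wide))
    return pairs

def prune(entries):
    """Drop entries that a wider entry in the same list already covers."""
    covered = {narrow for narrow, _ in redundant_entries(entries)}
    return [e for e in entries if e not in covered]

# Constructed sample list; the first two entries are the pair from the log line.
SAMPLE = [".addons.mozilla.org", "addons.mozilla.org",
          "www.addons.mozilla.org", ".mozilla.com"]

if __name__ == "__main__":
    for narrow, wide in redundant_entries(SAMPLE):
        print("%s is already covered by %s" % (narrow, wide))
    print("pruned:", prune(SAMPLE))
```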



[squid-users] squid 3.4, dstdomain

2015-12-10 Thread Massimo . Sala
2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of 'addons.mozilla.org'


I thought
addons.mozilla.org  blocks only this hostname

.addons.mozilla.org blocks all the sub-domains, like 
www.addons.mozilla.org etc.addons.mozilla.org


Which are the parsing rules of squid 3.4 ?

Does the first case block also the sub-domains ?


best regards, Sala



Re: [squid-users] delay_pools from 3.1 to 3.4, media content

2015-12-10 Thread Massimo . Sala
Massimo :
>> acl acl_flussi_media rep_mime_type -i ^audio/
>> acl acl_flussi_media rep_mime_type -i ^video/

>> 2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in 
>> context without an HTTP response. Assuming mismatch.



Amos :
> It means that *reply* header do not work when using *request* to decide
> what delay pool the transaction will use.

> It has never worked. The older Squid just did not tell you about the
> config problem.

> If you want traffic to be re-assigned to pools when the reply happens
> you need to upgrade to at least the Squid-4.0.3 (beta) release.



Amos, many thanks for your answer.


An example of ACLs to catch media content, e.g. :

acl acl_sites_media dstdomain .ask.fm .facebook.com .fbcdn.net .googlevideo.com .youtube.com
acl acl_types_media urlpath_regex -i \.asf$ \.avi$ \.flv$ \.mkv$ \.mov$ \.mp3$ \.mp4$ \.mpeg$ \.mpg$ \.qt$ \.swf$ \.vob$ \.wmv$


1) To apply the two ACLs to the same pool, which is the correct syntax ?

delay_access 1 allow acl_sites_media
delay_access 1 allow acl_types_media

or

delay_access 1 allow acl_sites_media acl_types_media


2) Can you please add all of this stuff to the official docs ?


best regards, Sala
 
massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici
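
An added example, not part of the original message and not Squid's own code: a single-pool model of how Squid evaluates access lines, where ACLs on one line must all match (AND) and the first line that matches decides (so separate lines act as OR). It shows that the two delay_access forms asked about in 1) select different traffic. The ACLs are reduced to Python predicates over a subset of the posted values, and the URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Stand-ins for the posted ACLs (subset of the values in the message).
SITES = (".youtube.com", ".googlevideo.com")
TYPES = re.compile(r"\.(avi|flv|mp3|mp4)$", re.I)
ACLS = {
    "acl_sites_media": lambda u: any(u.hostname == d[1:] or u.hostname.endswith(d)
                                     for d in SITES),
    "acl_types_media": lambda u: bool(TYPES.search(u.path)),
    "all": lambda u: True,
}

def in_pool(conf, pool, url):
    """True if the first matching delay_access line for 'pool' says allow."""
    u = urlsplit(url)
    for line in conf.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "delay_access" or t[1] != str(pool):
            continue
        action, names = t[2], t[3:]
        if all(ACLS[n](u) for n in names):   # every ACL on the line must match
            return action == "allow"         # first matching line decides
    return False                             # simplification: no line matched

# Form 1 from the message: one ACL per line (site OR file type).
TWO_LINES = ("delay_access 1 allow acl_sites_media\n"
             "delay_access 1 allow acl_types_media\n"
             "delay_access 1 deny all\n")
# Form 2 from the message: both ACLs on one line (site AND file type).
ONE_LINE = ("delay_access 1 allow acl_sites_media acl_types_media\n"
            "delay_access 1 deny all\n")

# Constructed request URLs.
URLS = ["http://www.youtube.com/watch", "http://example.org/clip.mp4",
        "http://www.youtube.com/clip.mp4", "http://example.org/index.html"]

def compare():
    """Return [(url, delayed_by_two_lines, delayed_by_one_line)]."""
    return [(u, in_pool(TWO_LINES, 1, u), in_pool(ONE_LINE, 1, u)) for u in URLS]

if __name__ == "__main__":
    for row in compare():
        print("%-36s two-line=%s one-line=%s" % row)
```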



Re: [squid-users] squid 3.4, dstdomain

2015-12-10 Thread Massimo . Sala
Massimo
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
> 'addons.mozilla.org'


Kinkie :
>  it works exactly as you expect. "dstdomain addons.mozilla.org" does
> not block subdomains.



So why doesn't squid accept both rules ? a parsing bug ?

best regards, Massimo



[squid-users] delay syntax, speed and network

2015-12-10 Thread Massimo . Sala
1) speed syntax

example :

delay_parameters 1 -1/-1 128/128 128000/128000


The speed is bytes / sec.

Is it possible to use multipliers like K and M ?

Is it possible to use units, like bps ( bit per sec ) ?


It is wonderful to read :

delay_parameters 1 -1/-1 10Mbps/10Mbps 1Mbps/1Mbps



2) network

We have about 50 subnets, on different locations.

It is a "hub" topology : all the subnets are linked via WANs to our 
central location, where there is the IT centre.

From the IT centre we have the links to Internet, and the proxy server 
running squid ( forwarding, IT manager decision ).


Our internal IP addressing is 10.0.0.0/8

10.1.0.0 for the first site, 10.2.0.0 the 2nd, etc ...


Goals :

overall proxy bandwidth limit : none
each site limit : 10 Mbps
each pc client limit : 1 Mbps


My work-around is this, using class 3 for /16 networks :

delay_class 1 3
delay_parameters 1 -1/-1 128/128 128000/128000

but it is a "fuzzy" fitting : each remote site is seen by squid as N 
smaller networks, so the overall site limit is N * 10 Mbps ...


Is it possible to match my goals ?

Or I request a new class, where we can specify the netmask.


best regards, Sala 
massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici



[squid-users] delay_pools from 3.1 to 3.4

2015-12-03 Thread Massimo . Sala
Squid 3 as forwarding proxy, intranet LAN.

We want to limit the bandwidth only for multimedia content.

On 3.1.20 we have these lines into squid.conf :

acl localnet src 10.0.0.0/8

acl acl_flussi_media rep_mime_type -i ^audio/
acl acl_flussi_media rep_mime_type -i ^video/

delay_pools 1
delay_class 1 1
delay_parameters 1 32/32
delay_access 1 allow acl_flussi_media
delay_access 1 deny all

http_access allow localnet
http_access deny all


Using the same lines on the new server, with squid 3.4.8, we got these 
warnings in cache.log :

2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in context without an HTTP response. Assuming mismatch.


What does it mean ? How to fix it ?

best regards, Sala



[squid-users] squid 3.4, Zero-Sized Replies from Windows Server

2015-12-03 Thread Massimo . Sala
We have a server with squid 3.4.8 as forward proxy ( clients have the 
proxy configured in the browsers ).


Sometimes we have  Zero-Sized Replies from Windows Servers as discussed 
here :

https://squidproxy.wordpress.com/category/squid-3/

The proxy server is in the internal LAN. We want to adopt this work-around :

disable BEAST mitigation by ssloptions=ALL in squid.conf 
(insecure)


Does it work  in forwarding mode ?

http_port 3128 ssloptions=ALL


best regards, Sala




[squid-users] squid docs, http_access manager : mismatch

2015-12-03 Thread Massimo . Sala
I am reviewing our squid.conf about  http_access manager


http://www.squid-cache.org/Doc/config/http_access/

http_access allow localhost manager


http://wiki.squid-cache.org/Features/CacheManager

Cache manager Access Control in squid.conf
http_access allow manager localhost



Which is the correct syntax ?

best regards, Sala
