[squid-users] youtube video, caching, disabling QUIC
When you request a video on YouTube, its web servers send two new HTTP headers to the browser:

    alt-svc
    alternate-protocol

suggesting to the browser to switch to the new protocol QUIC.

Unfortunately
1) QUIC, working over UDP, is not cacheable by squid 3.4
2) even if cacheable, IT admins have to upgrade many tools to support and account videos over QUIC (proxy, firewall, bandwidth shaping, etc.)

See: http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

We want to disable QUIC, so the servers and browsers fall back to normal HTTP for videos.

---

I asked in another thread

    3) support for Alternate-Protocol HTTP header.

Amos' answer:

    As for #3, the Alternate-Protocol header patch is just automating these
    squid.conf settings, which you can use explicitly in any Squid version:

    acl AP rep_header_regex Alternate-Protocol .
    reply_header_access deny AP

With that syntax:

    squid3 -k reconfigure
    2015/12/31 14:34:21| FATAL: Invalid ACL type 'rep_header_regex'
    FATAL: Bungled /etc/squid3/squid.conf line 43: acl AP rep_header_regex alternate-protocol .
    Squid Cache (Version 3.4.8): Terminated abnormally.
    CPU Usage: 0.016 seconds = 0.008 user + 0.008 sys
    Maximum Resident Size: 37936 KB
    Page faults with physical i/o: 0

Is it rep_header, not rep_header_regex?
Is it reply_header_access with 3 parameters?

From http://www.squid-cache.org/Versions/v3/3.4/cfgman/reply_header_access.html

    Usage: reply_header_access header_name allow|deny [!]aclname ...

Which is the correct syntax to suppress these headers in the replies?

    alt-svc
    alternate-protocol

best regards, Sala

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
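A way to check whether the two headers named in this message still reach clients, as an added Python example that is not part of the original post and not Squid code. The sample responses are constructed, and treating `h3*` protocol ids as QUIC is an assumption that goes beyond the 2015 thread.

```python
"""Report QUIC advertisements left in an HTTP response header block."""

def split_unquoted(value, sep=","):
    """Split on `sep`, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def quic_adverts(raw_headers):
    """Return (header-name, protocol) pairs that invite a switch to QUIC."""
    found = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # status line or blank line
        name = name.strip().lower()
        if name == "alt-svc":
            # Value is a list of proto="host:port"; params, comma separated.
            for alt in split_unquoted(value):
                proto = alt.partition("=")[0].strip().lower()
                if proto == "quic" or proto.startswith("h3"):
                    found.append((name, proto))
        elif name == "alternate-protocol":
            # Value looks like port:protocol followed by optional parameters.
            for item in value.split(","):
                port, _, proto = item.strip().partition(":")
                if port.isdigit() and proto.lower() == "quic":
                    found.append((name, proto.lower()))
    return found

# Constructed samples: a reply fetched directly, and one with both headers removed.
DIRECT = ("HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n"
          'Alt-Svc: quic=":443"; ma=604800; v="30,29,28"\r\n'
          "Alternate-Protocol: 443:quic,p=1\r\n\r\n")
VIA_PROXY = "HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nVia: 1.1 proxy (squid)\r\n\r\n"

if __name__ == "__main__":
    print("direct:   ", quic_adverts(DIRECT))
    print("via proxy:", quic_adverts(VIA_PROXY))
```

An empty result for a reply fetched through the proxy means neither header is advertising QUIC to the browser any more.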
Re: [squid-users] squid3 / debian stable / please update to 3.4.14
Hi Amos

> Hi Massimo, why cc'ing squid-users? nothing this list can do about it.

Package update: I know, it is a topic for debian users and package maintainer, so strictly speaking it is off-topic.

youtube video, disabling QUIC: I think it will be of general interest, I switch to a new thread for it.

Two subjects in one Email, excuse me!

Many thanks, Sala

Amos Jeffries
31/12/2015 10:43
To massimo.s...@asl.bergamo.it
cc lu...@debian.org,
Subject Re: [squid-users] squid3 / debian stable / please update to 3.4.14

On 2015-12-30 03:26, massimo.s...@asl.bergamo.it wrote:
> ciao Luigi
>
> I ask to update the distro to squid 3.4.14, the last stable version,
> released in august.
>
> Rationale :
> 1) various bugs and memory leaks fixed;
> 2) security fix for CVE 2015 5400;
> 3) support for Alternate-Protocol HTTP header.
>
> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
> videos.
>

Anyhow, the Debian 3.4.8-6 package has already been patched to contain the important fixes from later upstream 3.4 releases.
<http://metadata.ftp-master.debian.org/changelogs/main/s/squid3/squid3_3.4.8-6+deb8u1_changelog>
(that covers your #1 and #2 items)

All it lacks is the minor changes which AFAIK do not meet the criteria required for acceptance into the Debian stable distro.

If you need custom build with other features (such as HTTPS support), you are better off building the more up to date 3.5 version available from Stretch/Testing repository.

As for #3, the Alternate-Protocol header patch is just automating these squid.conf settings, which you can use explicitly in any Squid version:

    acl AP rep_header_regex Alternate-Protocol .
    reply_header_access deny AP

HTH
Amos
[squid-users] squid3 / debian stable / please update to 3.4.14
ciao Luigi

I ask to update the distro to squid 3.4.14, the last stable version, released in august.

Rationale:
1) various bugs and memory leaks fixed;
2) security fix for CVE 2015 5400;
3) support for Alternate-Protocol HTTP header.

I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache videos.

References:
https://packages.debian.org/jessie/squid3
ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt
http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

Best regards,
Massimo
Re: [squid-users] squid 3.4, dstdomain
> Massimo
>> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
>> 'addons.mozilla.org'

Francesco aka Kinkie
> No bug, it is really intentional: ".addons.mozilla.org" also matches
> "addons.mozilla.org" (without the dot).

Francesco, thank you for the explanation.
Is it possible to add it to the official docs?

ciao,
Massimo

massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici
[squid-users] squid 3.4, dstdomain
    2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of 'addons.mozilla.org'

I thought

    addons.mozilla.org

blocks only this hostname

    .addons.mozilla.org

blocks all the sub-domains, like

    www.addons.mozilla.org
    etc.addons.mozilla.org

Which are the parsing rules of squid 3.4?
Does the first case block also the sub-domains?

best regards, Sala
Re: [squid-users] delay_pools from 3.1 to 3.4, media content
Massimo:
>> acl acl_flussi_media rep_mime_type -i ^audio/
>> acl acl_flussi_media rep_mime_type -i ^video/

>> 2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in
>> context without an HTTP response. Assuming mismatch.

Amos:
> It means that *reply* header do not work when using *request* to decide
> what delay pool the transaction will use.
> It has never worked. The older Squid just did not tell you about the
> config problem.
> If you want traffic to be re-assigned to pools when the reply happens
> you need to upgrade to at least the Squid-4.0.3 (beta) release.

Amos, many thanks for your answer.

An example of ACLs to catch media content, e.g.:

    acl acl_sites_media dstdomain .ask.fm .facebook.com .fbcdn.net .googlevideo.com .youtube.com
    acl acl_types_media urlpath_regex -i \.asf$ \.avi$ \.flv$ \.mkv$ \.mov$ \.mp3$ \.mp4$ \.mpeg$ \.mpg$ \.qt$ \.swf$ \.vob$ \.wmv$

1) To apply the two ACLs to the same pool, which is the correct syntax?

    delay_access 1 allow acl_sites_media
    delay_access 1 allow acl_types_media

or

    delay_access 1 allow acl_sites_media acl_types_media

2) Can you please add all of this stuff to the official docs?

best regards, Sala

massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici
Re: [squid-users] squid 3.4, dstdomain
Massimo
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
> 'addons.mozilla.org'

Kinkie:
> it works exactly as you expect. "dstdomain addons.mozilla.org" does
> not block subdomains.

So why doesn't squid accept both rules? A parsing bug?

best regards,
Massimo
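The dstdomain rule as stated in the replies of this thread (a leading dot matches the domain itself and its sub-domains, no dot matches one host name only), modelled as an added Python example that is not Squid's code and not from any poster. The function names and the sample ACL are constructed for illustration.

```python
"""Model of the dstdomain matching rule quoted in the thread."""

def matches(entry, host):
    """True if `host` is matched by a single dstdomain `entry`."""
    entry, host = entry.lower(), host.lower().rstrip(".")
    if entry.startswith("."):
        base = entry[1:]
        # Leading dot: the domain itself plus every sub-domain.
        return host == base or host.endswith("." + base)
    # No leading dot: this exact host name only.
    return host == entry

def overlaps(entries):
    """Return (narrow, wide) pairs where `wide` already covers `narrow`.

    Listing both is redundant, like the pair in the thread's cache.log ERROR.
    """
    found = []
    for narrow in entries:
        for wide in entries:
            if narrow == wide or not wide.startswith("."):
                continue
            # If `wide` matches the base name of `narrow`, it also matches
            # everything below it, so `narrow` adds nothing.
            if matches(wide, narrow.lstrip(".")):
                found.append((narrow, wide))
    return found

def minimal(entries):
    """Drop every entry that another entry in the list already covers."""
    redundant = {narrow for narrow, _ in overlaps(entries)}
    return [e for e in entries if e not in redundant]

# Constructed sample ACL values, including the pair from the thread.
ACL = ["addons.mozilla.org", ".addons.mozilla.org", ".youtube.com", "www.youtube.com"]

if __name__ == "__main__":
    for narrow, wide in overlaps(ACL):
        print(f"{narrow!r} is already covered by {wide!r}")
    print("keep:", " ".join(minimal(ACL)))
```

Running `minimal()` over a dstdomain list before loading it leaves only entries that do not shadow each other.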
[squid-users] delay syntax, speed and network
1) speed syntax

example:

    delay_parameters 1 -1/-1 128/128 128000/128000

The speed is bytes / sec.
Is it possible to use multipliers like K and M?
Is it possible to use units, like bps (bit per sec)?

It is wonderful to read:

    delay_parameters 1 -1/-1 10Mbps/10Mbps 1Mbps/1Mbps

2) network

We have about 50 subnets, on different locations.
It is a "hub" topology: all the subnets are linked via WANs to our central location, where there is the IT centre.
From the IT centre we have the links to Internet, and the proxy server running squid (forwarding, IT manager decision).

Our internal IP addressing is 10.0.0.0/8
10.1.0.0 for the first site, 10.2.0.0 the 2nd, etc ...

Goals:
overall proxy bandwidth limit: none
each site limit: 10 Mbps
each pc client limit: 1 Mbps

My work-around is this, using class 3 for /16 networks:

    delay_class 1 3
    delay_parameters 1 -1/-1 128/128 128000/128000

but it is a "fuzzy" fitting: each remote site is seen by squid as N smaller networks, so the overall site limit is N * 10 Mbps ...

Is it possible to match my goals?
Or I request a new class, where we can specify the netmask.

best regards, Sala

massimo.s...@asl.bergamo.it
Tel. 035/385.034
ASL Provincia di Bergamo | Sistemi Informativi Strategici
[squid-users] delay_pools from 3.1 to 3.4
Squid 3 as forwarding proxy, intranet LAN.

We want to limit the bandwidth only for multimedia content.

On 3.1.20 we have these lines into squid.conf:

    acl localnet src 10.0.0.0/8
    acl acl_flussi_media rep_mime_type -i ^audio/
    acl acl_flussi_media rep_mime_type -i ^video/
    delay_pools 1
    delay_class 1 1
    delay_parameters 1 32/32
    delay_access 1 allow acl_flussi_media
    delay_access 1 deny all
    http_access allow localnet
    http_access deny all

Using the same lines on the new server, with squid 3.4.8, we got these warnings in cache.log:

    2015/12/03 12:38:45 kid1| WARNING: acl_flussi_media ACL is used in context without an HTTP response. Assuming mismatch.

What does it mean?
How to fix it?

best regards, Sala
[squid-users] squid 3.4, Zero-Sized Replies from Windows Server
We have a server with squid 3.4.8 as forward proxy (clients have the proxy configured in the browsers).

Sometimes we have Zero-Sized Replies from Windows Servers as discussed here:
https://squidproxy.wordpress.com/category/squid-3/

The proxy server is in the internal LAN.
We want to adopt this work-around:

    disable BEAST mitigation by ssloptions=ALL in squid.conf (insecure)

Does it work in forwarding mode?

    http_port 3128 ssloptions=ALL

best regards, Sala
[squid-users] squid docs, http_access manager : mismatch
I am reviewing our squid.conf about http_access manager

http://www.squid-cache.org/Doc/config/http_access/

    http_access allow localhost manager

http://wiki.squid-cache.org/Features/CacheManager
Cache manager Access Control in squid.conf

    http_access allow manager localhost

Which is the correct syntax?

best regards, Sala