Re: [squid-users] squid and quota check

2003-02-10 Thread Robert Collins
...

> Any comments are appreciated

A couple:
1) extend the in-squid user cache rather than creating a new one. See
authenticate.cc.

2) extend external acls to have a %QUOTAUSED% parameter, then you can
have a helper that accepts:
%LOGIN% %QUOTAUSED% and returns OK or ERR as in allow or fail.

That will be a lot easier to do.

Rob
-- 
GPG key available at: .
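
An added sketch of the helper described in suggestion 2 (not code from Squid or from the poster): it reads one "login quota-used" pair per line, in the %LOGIN% %QUOTAUSED% order proposed above, and answers OK or ERR. The byte limits, the user names and the assumption that logins contain no whitespace are hypothetical.

```python
#!/usr/bin/env python3
"""External ACL helper sketch for the proposed "%LOGIN% %QUOTAUSED%" input.

Squid writes one lookup per line to the helper's stdin and reads one
answer line (OK or ERR) from its stdout.
"""
import re
import sys

# Hypothetical limits in bytes; a real helper would load them from a file
# or a directory service.
DEFAULT_LIMIT = 50 * 1024 * 1024
USER_LIMITS = {"alice": 200 * 1024 * 1024, "guest": 0}

_DECIMAL = re.compile(r"[0-9]+")


def decide(line, user_limits=USER_LIMITS, default_limit=DEFAULT_LIMIT):
    """Return "OK" (allow) or "ERR" (fail) for one "<login> <quota_used>" line."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed input: fail closed
    login, used_text = fields
    if login == "-" or not _DECIMAL.fullmatch(used_text):
        return "ERR"  # no authenticated user, or usage is not a plain number
    limit = user_limits.get(login.lower(), default_limit)
    return "OK" if int(used_text) < limit else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer lookups until Squid closes the pipe."""
    for line in stdin:
        stdout.write(decide(line) + "\n")
        stdout.flush()  # Squid waits for each answer, so never buffer


if __name__ == "__main__":
    serve()
```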





[squid-users] squid and quota check

2003-02-10 Thread Piccoli, Lucio
hi all,

I have implemented quota checking by parsing squid's access.log and using
an acl. However it seems that a better solution is possible. The main
problem being that parsing the access.log every 15 minutes or so causes a
massive spike in CPU utilisation for several seconds. (To parse a 10Mb
access.log takes 3-5 CPU secs on a sun netra solaris 5.8) I have read a
few other comments about having quota checking in squid, so I guess it might
be useful. My plan is rather raw at present but goes something like this.

1) Gather the quota statistics as it is being logged to accessLogLog(). Each
time the accessLogLog is called in client_side.c there will be another
invocation to quota statistics.
2) This will be stored in memory as a value/name pair. 
3) The value being the incremented quota usage and the name being the user
name. 
4) At some time later a signal is generated (from a crontab) to dump the
contents of the quota statistics to a persistent form. The persistence will
involve an out of process helper (similar to the auth helpers). This will
enable custom mechanisms.
5) The checking for excess quota can be handled by the conventional ACL
mechanism which would be related to the quotstat.persistent().

The obvious consideration is that the invocation to the quotastat from
client_side.c must be quick and have a small resource footprint. The
quotstat.persistent() can be left free to the custom implementation.

Any comments are appreciated

thanks


-lucio piccoli
-
QCOM Australia Pty Ltd 
ph +61 7 3858 6256




Re: [squid-users] Prevent downloading of special types of applications

2003-02-10 Thread Robert Collins
On Tue, 2003-02-11 at 03:36, [EMAIL PROTECTED] wrote:
> Thanks a lot for your answer Robert. I now manage to apply filtering based on 
> the MIME type. 
> 
> However, since all embedded scripts do not have the MIME type
> application/x-oleobject (which is the MIME type they should have), I do not manage to avoid 
> downloading of activeX objects.
> 
> Does anyone have any idea on how to prevent downloading of ActiveX objects ?

Well, in general this is a hard problem.
You might consider blocking urls ending in .cab. Otherwise, see Henrik's
answer :].

Rob

-- 
GPG key available at: .





Re: [squid-users] ncsa_auth and number of users

2003-02-10 Thread Joe Cooper
HeadsUp Support wrote:

> Hi all,
> 
> I am using ncsa_auth to authenticate my users and
> everything is working fine. Is there any rule of thumb
> as to the number of users it can handle? Are we
> talking tens, hundreds, thousands or more.


Yes.

But more importantly, how long is a piece of string?

Seriously, I would expect an authenticated cache to serve up at least 2/3 
the number of outgoing requests/second it could serve without auth 
(those kinds of numbers have been discussed to death), and probably 
quite a bit more.  Authenticated use does lead to more client requests, 
but the initial challenge-request is quite light-weight.  The only way 
to know for sure would be to benchmark it yourself.

I seem to recall Kinkie has some big boxes doing heavy loads with NTLM 
authentication.  His numbers seemed to be in line with what I expect from 
a similarly equipped machine without authentication, so I reckon auth 
isn't a major performance sink, though it certainly has some impact.
--
Joe Cooper <[EMAIL PROTECTED]>
Web caching appliances and support.
http://www.swelltech.com



[squid-users] squid.conf Qs

2003-02-10 Thread Brad
Is there a way to have squid reread its conf file without "HUP-ping" it
(which can cause a momentary loss of communication)?

Brad





RE: [squid-users] WCCPv2 status

2003-02-10 Thread francisv
Thanks for the correction Henrik :)

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 11, 2003 11:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] WCCPv2 status


A more correct question is:

Is anyone working on making a stable WCCPv2 patch suitable for
production use?

Regards
Henrik

[EMAIL PROTECTED] wrote:
> 
> Hi,
> 
> Anyone running a WCCPv2-patched 2.5STABLE1 machine? I tried the patch (from
> devel.squid-cache.org) on one of our production machines but I couldn't make
> it work. Any ideas?
> 
> ---
>  francis a. vidal [bitstop network services] | http://www.bnshosting.net
>  streaming media + web hosting   | http://www.bitstop.ph
>  v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph



Re: [squid-users] ntlm questions

2003-02-10 Thread Henrik Nordstrom
In all configurations you need some kind of http_access rules telling
what access rules you want to apply. If your http_access rules never
make use of authentication (via a proxy_auth acl type or an external
acl type with %LOGIN in the format specification) then authentication
will not be required..


As for the wb_group question: Make sure that you copy the correct
headers from Samba to each of the winbind helpers, as the winbind
headers shipped with Squid only work with Samba-2.2.4 and 2.2.5... This
applies to all three native winbind helpers shipped with Squid:
   helpers/basic_auth/wb_auth/
   helpers/ntlm_auth/wbntlm_auth/
   helpers/external_acl/wb_group/

Regards
Henrik

Simon Bryan wrote:
> 
> Hi all,
> 
> I am using Squid2.5STABLE1 on RH7.2, have successfully implemented ntlm
> authentication (after much grief related to getting Samba to compile
> properly). I was following another thread in this list about ntlm and not
> needing a proxy_auth line when using an external authenticator. Which turned
> out to be true, however it seems to also then allow non-authenticated use of
> the proxy! I see now that there are large numbers of lines in my logs where
> the 'user' is the machines IP address and the download is permitted.
> Previously they would be denied. Is this correct behaviour? I find I need:
> 
> acl password proxy_auth REQUIRED
> http_access deny all !password
> 
> for access to non-authenticated users to be denied. Or am I doing something
> dumb(again!)?
> 
> Also should I be able to use:
> acl staff external wb_group Teachers
> 
> in http_access rule like:
> 
> acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> http_access allow webmail staff
> http_access deny webmail
> 
> cause it doesn't seem to work for me, the docs seem to indicate that it is
> possible. 'Teachers' is a group on the NT Server.
> 
> 
> 
> I believe the relevant lines of my conf file are below:
> 
> auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> 
> auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> auth_param basic children 20
> auth_param basic realm Poxy server at OLMC
> auth_param basic credentialsttl 1 hours
> 
> external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> acl winauth external wb_group wwwusers
> acl staff external wb_group Teachers
> authenticate_ttl 1 hour
> authenticate_ip_ttl 300 seconds
> 
> # TIMEOUTS
> # ACCESS CONTROLS
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl cachemanager src 10.192.0.21
> acl SSL_ports port 443 563 4545
> acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
> acl CONNECT method CONNECT
> acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCL UNLOCK
> acl password proxy_auth REQUIRED
> 
> http_access deny all !password
> 
> _
> Simon Bryan
> IT Manager
> OLMC Parramata
> ICQ#: 137562751
> _



Re: [squid-users] WCCPv2 status

2003-02-10 Thread Henrik Nordstrom
A more correct question is:

Is anyone working on making a stable WCCPv2 patch suitable for
production use?

Regards
Henrik

[EMAIL PROTECTED] wrote:
> 
> Hi,
> 
> Anyone running a WCCPv2-patched 2.5STABLE1 machine? I tried the patch (from
> devel.squid-cache.org) on one of our production machines but I couldn't make
> it work. Any ideas?
> 
> ---
>  francis a. vidal [bitstop network services] | http://www.bnshosting.net
>  streaming media + web hosting   | http://www.bitstop.ph
>  v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph



Re: [squid-users] M$ ASF video format

2003-02-10 Thread Henrik Nordstrom
"Lightfoot.Michael" wrote:

> http://www.aph.gov.au/asfroot/hms8.asx
> 
> Neither of these are in squid's mime.conf file.  I assume that this is
> the reason nothing is happening and users are getting errors in their M$
> Media Player to the effect that it can't open the file.

Nope. mime.conf is only when Squid is acting as a HTTP server for ftp://
and/or gopher:// URL namespaces, not for proxying of http:// URLS (there
the origin server provides the mime types).

> 1044927430.544 88 x.x.x.x TCP_CLIENT_REFRESH_MISS/200 820 GET
> http://www.aph.gov.au/asfroot/hms8.asx -
> DEFAULT_PARENT/cyclops.comcare.gov.au video/x-ms-asf

An 820 bytes reply seems awfully small for being a video.

Are you sure these "asx" files are video files and not only video
description files?

Quick check: Definitely video description files.


  Parliamentary Committee
  Parliament of Australia
  Copyright Commonwealth of Australia 1999
  

http://dmzvideo1.aph.gov.au/Video1hms8.asf"/>

http://dmzvideo2.aph.gov.au/Video2hms8.asf"/>
  



This means that after this request the media player will try to get the
actual video, possibly using other protocols (mms:// looks suspicious
above..)


If I try to look into one of the http:// references above I get another
description back:

[Reference]
Ref1=http://DMZVideo1:80/Video1hms8.asf
Ref2=http://172.31.1.47:80/Video1hms8.asf


The first indicates the video server is somewhat misconfigured (using a
local hostname instead of a fully qualified name including domain).

And the second address is not reachable as it is a private IP address...
probably the internal IP address behind a NAT gateway or firewall..



Regards
Henrik
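
The two checks made by hand above (unqualified host name, private address), as an added example that is not part of the original message. The function names and result labels are hypothetical; the [Reference] block is the one quoted in the message.

```python
import ipaddress
from urllib.parse import urlsplit

# The [Reference] block returned by the video server, as quoted above.
REFERENCE_BLOCK = """\
[Reference]
Ref1=http://DMZVideo1:80/Video1hms8.asf
Ref2=http://172.31.1.47:80/Video1hms8.asf
"""


def parse_references(text):
    """Return [(key, url)] for every RefN=url line in the block."""
    refs = []
    for line in text.splitlines():
        key, sep, url = line.strip().partition("=")
        if sep and key.lower().startswith("ref"):
            refs.append((key, url.strip()))
    return refs


def classify(url):
    """Say whether a client outside the server's own network could use the URL."""
    host = urlsplit(url).hostname
    if not host:
        return "no-host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a name without a dot only resolves locally.
        return "unqualified-hostname" if "." not in host.rstrip(".") else "ok"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "non-routable-address"
    return "ok"  # fully qualified name or public address; reachability not tested


def audit(text=REFERENCE_BLOCK):
    """Classify every reference in a description block."""
    return [(key, url, classify(url)) for key, url in parse_references(text)]


if __name__ == "__main__":
    for key, url, verdict in audit():
        print(f"{key}: {verdict:22} {url}")
```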



Re: [squid-users] ncsa_auth and number of users

2003-02-10 Thread Henrik Nordstrom
HeadsUp Support wrote:

> I am using ncsa_auth to authenticate my users and
> everything is working fine. Is there any rule of thumb
> as to the number of users it can handle? Are we
> talking tens, hundreds, thousands or more.

thousands or more, but if you have thousands or more users I would
recommend switching to LDAP or another external user database..  doing
password updates for thousands of users directly on the proxy box is not
a fun task..

Regards
Henrik



RE: [squid-users] Webalizer interpretation

2003-02-10 Thread Jay Turner
I use Webalizer in conjunction with Calamaris and Sarg.

Combining these three gives me a good spread of information.

Webalizer - Data throughput, accessed sites, pretty graphs
Calamaris - Cache specific stats like hit/miss results, object histograms
etc
Sarg - Excellent user level results like who went where when and for how
long etc

Regards
Jay

-Original Message-
From: Simon Bryan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 February 2003 10:38 AM
To: Squid-Users
Subject: [squid-users] Webalizer interpretation


Hi all,
I am using Webalizer on my web servers to analyze the logs and I like the
look of it. However when I apply it to my Squid logs I am not sure I am
getting the information I want, cache-hits in MB, downloads from the
internet in MB. Does Webalizer give me this info or is there a better one
for Squid that will do the graphical display of data (my superiors like it!)

_
Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
_







[squid-users] Webalizer interpretation

2003-02-10 Thread Simon Bryan
Hi all,
I am using Webalizer on my web servers to analyze the logs and I like the
look of it. However when I apply it to my Squid logs I am not sure I am
getting the information I want, cache-hits in MB, downloads from the
internet in MB. Does Webalizer give me this info or is there a better one
for Squid that will do the graphical display of data (my superiors like it!)

_
Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
_




[squid-users] ntlm questions

2003-02-10 Thread Simon Bryan
Hi all,

I am using Squid2.5STABLE1 on RH7.2, have successfully implemented ntlm
authentication (after much grief related to getting Samba to compile
properly). I was following another thread in this list about ntlm and not
needing a proxy_auth line when using an external authenticator. Which turned
out to be true, however it seems to also then allow non-authenticated use of
the proxy! I see now that there are large numbers of lines in my logs where
the 'user' is the machines IP address and the download is permitted.
Previously they would be denied. Is this correct behaviour? I find I need:

acl password proxy_auth REQUIRED
http_access deny all !password

for access to non-authenticated users to be denied. Or am I doing something
dumb(again!)?

Also should I be able to use:
acl staff external wb_group Teachers

in http_access rule like:

acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
http_access allow webmail staff
http_access deny webmail

cause it doesn't seem to work for me, the docs seem to indicate that it is
possible. 'Teachers' is a group on the NT Server.



I believe the relevant lines of my conf file are below:


auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 20
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hours


external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds

# TIMEOUTS
# ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl cachemanager src 10.192.0.21
acl SSL_ports port 443 563 4545
acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
acl CONNECT method CONNECT
acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCL UNLOCK
acl password proxy_auth REQUIRED

http_access deny all !password

_
Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
_




[squid-users] M$ ASF video format

2003-02-10 Thread Lightfoot.Michael
I have users who want to watch Australian parliamentary TV which is
accessible via HTTP.  They could successfully do this before squid was
installed in December.

The video format is video/x-ms-asf via URLs like:

http://www.aph.gov.au/asfroot/hms8.asx

Neither of these are in squid's mime.conf file.  I assume that this is
the reason nothing is happening and users are getting errors in their M$
Media Player to the effect that it can't open the file.

I am using squid 2.5STABLE1 snapshot from 18/11/2002.

Here is a log extract from our test proxy server (inside our firewall -
the parent shown is another squid 2.5 in our DMZ.)

1044927430.262 74 x.x.x.x TCP_MISS/200 5654 GET
http://www.aph.gov.au/live/MPlayer.asp? -
DEFAULT_PARENT/cyclops.comcare.gov.au text/html  
1044927430.425 29 x.x.x.x TCP_MISS/200 696 GET
http://www.aph.gov.au/live/Caption.asp? -
DEFAULT_PARENT/cyclops.comcare.gov.au text/html  
1044927430.544 88 x.x.x.x TCP_CLIENT_REFRESH_MISS/200 820 GET
http://www.aph.gov.au/asfroot/hms8.asx -
DEFAULT_PARENT/cyclops.comcare.gov.au video/x-ms-asf

At the third line Media Player opens with an error message to the effect
that it can't open the file (I assume the asx file above.)

Can anyone tell me whether I can simply add this to the mime.conf in a
similar way to the other video formats like AVI and MPEG or whether
there is another more fundamental problem with M$ video format.




Michael Lightfoot
Unix Consultant
ISG Host Systems
Comcare
+61 2 62750680







[squid-users] ncsa_auth and number of users

2003-02-10 Thread HeadsUp Support
Hi all,

I am using ncsa_auth to authenticate my users and
everything is working fine. Is there any rule of thumb
as to the number of users it can handle? Are we
talking tens, hundreds, thousands or more.

Regards

Jeff Smith





[squid-users] WCCPv2 status

2003-02-10 Thread francisv
Hi,

Anyone running a WCCPv2-patched 2.5STABLE1 machine? I tried the patch (from
devel.squid-cache.org) on one of our production machines but I couldn't make
it work. Any ideas?

---
 francis a. vidal [bitstop network services] | http://www.bnshosting.net
 streaming media + web hosting   | http://www.bitstop.ph
 v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph



Re: [squid-users] Accelerator-friendly applications: what am I doing wrong?

2003-02-10 Thread Gianugo Rabellino
Henrik Nordstrom wrote:


> This is a forced refresh by the client:
> Cache-Control: max-age=0
> 
> instructing the cache that it MUST verify with the backend if the
> document really is fresh even if the cache thinks its copy is...
> 
> Did you press the Reload button in your browser? If you did, don't. 


Gosh. *Now* I feel like a complete idiot. Thanks for sorting me out, it 
works perfectly (and actually it was working perfectly from the start, 
it was just me being an ignorant lazy butt).

Time to re-re-reread RFC2616 once more...

Thanks again,

--
Gianugo Rabellino
Pro-netics s.r.l.
http://www.pro-netics.com



Re: [squid-users] Near Hits vs. Negative Hits

2003-02-10 Thread Henrik Nordstrom
Near hits are refreshes where the server reported the cached content as
fresh (TCP_REFRESH_HIT in access.log).

This is NOT related to negative hits.

Regards
Henrik


Mon 2003-02-10 at 19.57, [EMAIL PROTECTED] wrote:
> Hi Everyone,
> 
> I'm having trouble finding any information about Near Hits.  It's an
> option in the General Runtime section of the Cache Manager.  Under the 5
> min average section there is an item that reads
> client_http.nh_median_svc_time.  The Near Hits value seems to always
> equal the nh_median_svc_time, but I was under the impression that
> nh_median_svc_time was negative hits which I can find plenty of
> documentation.
> 
> If somebody could confirm for me that Near Hits is in fact Negative Hits I
> would really appreciate it.
> 
> George Loeppky
> NetSweeper Inc.
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] Blocking Mirc and ICQ via Squid

2003-02-10 Thread Henrik Nordstrom
Most of these use the CONNECT method, and should be quite effectively
filtered by the default CONNECT restrictions of the suggested default
squid.conf configuration..

If you find something that you want to block but is not blocked then a
good start is to take a look at what is logged in access.log when the
application is used. Then make an acl which matches the appropriate
pattern and block this, if a suitable pattern can be found.

Regards
Henrik

Mon 2003-02-10 at 18.24, Riccardo Fontana wrote:
> HI,
> 
> I'm trying to create an ACL to prevent ICQ, Mirc and similar chat 
> clients from accessing Internet via HTTP protocol.
> 
> Can anyone give me a hint ?
> 
> Thanks
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] Prevent downloading of special types of applications

2003-02-10 Thread Henrik Nordstrom
Mon 2003-02-10 at 17.36, [EMAIL PROTECTED] wrote:
> Thanks a lot for your answer Robert. I now manage to apply filtering based on 
> the MIME type. 
> 
> However, since all embedded scripts do not have the MIME type
> application/x-oleobject (which is the MIME type they should have), I do not manage to avoid 
> downloading of activeX objects.
> 
> Does anyone have any idea on how to prevent downloading of ActiveX objects ?

Not without extensions like ICAP or the like..


Another option is to chain Squid to an active filtering proxy such as
junkbuster.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] Accelerator-friendly applications: what am I doing wrong?

2003-02-10 Thread Henrik Nordstrom
Mon 2003-02-10 at 16.04, Gianugo Rabellino wrote:

> Client is sending:
> 
> 
> GET /samples/hello-world/hello.html HTTP/1.0
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212
> Accept: 
> 
>text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1?
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate,compress;q=0.9
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Via: 1.1 linux.local:3128 (squid/2.5.STABLE1)
> X-Forwarded-For: 127.0.0.1
> Host: localhost
> Cache-Control: max-age=0
> Connection: keep-alive

This is a forced refresh by the client:

Cache-Control: max-age=0


instructing the cache that it MUST verify with the backend if the
document really is fresh even if the cache thinks its copy is...

Did you press the Reload button in your browser? If you did, don't. 

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
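
An added worked example, not part of the original message, of why the request header above forces a trip to the backend although the stored reply is fresh. It follows the RFC 2616 freshness rules in simplified form (no Age header, no heuristic lifetimes); the function names are hypothetical and the header values are the ones quoted in this thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Header values copied from the exchange quoted in this thread.
REQUEST = {"Cache-Control": "max-age=0"}
RESPONSE = {
    "Date": "Mon, 10 Feb 2003 14:52:37 GMT",
    "Cache-Control": "max-age=86400, public",
    "Expires": "Tue, 11 Feb 2003 14:52:38 GMT",
}
NOW = datetime(2003, 2, 10, 14, 54, 11, tzinfo=timezone.utc)  # "now" from the post


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _seconds(directives, name):
    arg = directives.get(name)
    return int(arg) if arg is not None and arg.isascii() and arg.isdigit() else None


def freshness_lifetime(response):
    """Lifetime in seconds: response max-age wins, else Expires minus Date."""
    max_age = _seconds(parse_cache_control(response.get("Cache-Control")), "max-age")
    if max_age is not None:
        return max_age
    if "Expires" in response and "Date" in response:
        delta = (parsedate_to_datetime(response["Expires"])
                 - parsedate_to_datetime(response["Date"]))
        return max(0, int(delta.total_seconds()))
    return 0  # no explicit lifetime: treated as stale in this sketch


def cache_decision(request, response, now):
    """Return "hit" if the stored reply may be served, else "revalidate"."""
    age = max(0, int((now - parsedate_to_datetime(response["Date"])).total_seconds()))
    req_max_age = _seconds(parse_cache_control(request.get("Cache-Control")), "max-age")
    # A request max-age of 0 is the client's forced revalidation.
    if req_max_age is not None and (req_max_age == 0 or age > req_max_age):
        return "revalidate"
    if age >= freshness_lifetime(response):
        return "revalidate"  # stored reply is stale
    return "hit"


if __name__ == "__main__":
    print("with max-age=0 :", cache_decision(REQUEST, RESPONSE, NOW))
    print("without it     :", cache_decision({}, RESPONSE, NOW))
```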




Re: [squid-users] access.log

2003-02-10 Thread Henrik Nordstrom
No.

If it is a SMTP message then Squid is not involved.

If it is a web-mail message then Squid only sees that the client submits
"X amount of bytes to the server".

You can restrict how large pieces of information your users may submit
to websites. This is quite effective for stopping attachments of
documents in webmail and other information leaks.

Regards
Henrik

Mon 2003-02-10 at 15.21, Sandra Cüsters wrote:
> Hello,
> can you say something about the squid logs?
> If I sent an email with appendage across the internet by an internet-email
> supplier (such gmx.net or web.de),  could I see a hint (the name) about this
> appendage in the log file?
> Thank you very much.
> 
> Sandra Cüsters
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] mapping private address to public adress

2003-02-10 Thread Henrik Nordstrom
Please rephrase the question, providing more detail what it really is
you want to do.

Regards
Henrik

Mon 2003-02-10 at 14.40, Roos Leif wrote:
> Hi,
> I wonder if anyone can help me with how I should configure the squid
> proxy if I want to map a private 10.1.1.1 address to public address
> 202.xxx.xxx.xxx.
> Best Regards  
> Leif Roos
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] Redirect some URL traffic to another proxy?

2003-02-10 Thread Henrik Nordstrom
Either combine the acls into one larger acl listing the URL patterns
which you want to redirect to the peer, or split your access lines using
one acl per line... (A request cannot start with www and ppp at the same
time, and is why your current access lines fail)

Regards
Henrik


Mon 2003-02-10 at 14.37, Roos Leif wrote:
> Hi ,
> I want to redirect traffic to another proxy when I try to reach some
> specific URL that starts with www or ppp. Can anyone help me with this?
> I have tried to configure the squid proxy with the following but it doesn't
> work so good.
> 
> cache_peer 192.168.1.1 parent 8080 0 no-query default
> acl www url_regex ^http://www.*
> acl ppp url_regex ^http://ppp.*
> cache_peer_access 192.168.1.1 allow www ppp
> never_direct allow www ppp
> 
> Best regards
> Leif Roos
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
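
An added model, not part of the original message and not Squid code, of the matching rule behind this answer: acl names on one access line are ANDed, values inside one acl are ORed, and the first matching line decides. The acl name to_peer and the sample URLs are constructed for illustration; the two regex patterns are the ones from the question.

```python
import re

# ACL definitions modelled on the question. An acl may list several patterns;
# it matches when ANY of them is found in the URL.
ACLS = {
    "www": [r"^http://www.*"],
    "ppp": [r"^http://ppp.*"],
    # "combine the acls into one larger acl" (hypothetical acl name):
    "to_peer": [r"^http://www.*", r"^http://ppp.*"],
}

# Access lists as (action, [acl names]) in configuration order.
ORIGINAL = [("allow", ["www", "ppp"])]            # ... allow www ppp
SPLIT = [("allow", ["www"]), ("allow", ["ppp"])]  # one acl per line
COMBINED = [("allow", ["to_peer"])]               # one larger acl

# Constructed sample URLs.
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://ppp.example.com/",
    "http://ftp.example.com/",
]


def acl_matches(name, url, acls=ACLS):
    """An acl matches if any one of its patterns matches (OR)."""
    return any(re.search(pattern, url) for pattern in acls[name])


def check(rules, url, acls=ACLS):
    """Evaluate an access list: every acl on a line must match (AND)."""
    for action, names in rules:
        if all(acl_matches(name, url, acls) for name in names):
            return action
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(urls=SAMPLE_URLS):
    """Map each URL to its result under (ORIGINAL, SPLIT, COMBINED)."""
    return {
        url: (check(ORIGINAL, url), check(SPLIT, url), check(COMBINED, url))
        for url in urls
    }


if __name__ == "__main__":
    for url, (orig, split, combined) in compare().items():
        print(f"{url:28} original={orig:5} split={split:5} combined={combined}")
```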




Re: [squid-users] some questions

2003-02-10 Thread Henrik Nordstrom
Mon 2003-02-10 at 13.57, alp wrote:

> a)does anybody have experience in using a lot of refresh-patterns? i wonder
> if it will have a big impact on the performance if squid has to check each
> object via lots of regular expressions, or am i wrong?

How many is "a lot"?

> b)there exists the null storage module. is it in any kind superior to using
> a cache_deny line in order to disable the cache completely?

Both play along together quite nicely..

if you have a "no_cache deny all", then you don't really have a need of
a cache directory and the "null" cache dir type comes in handy saving
you from having to create a cache directory..

Without no_cache the null cache_dir type only allows objects to be
cached in memory.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




Re: [squid-users] Prevent downloading of special types of files

2003-02-10 Thread Henrik Nordstrom
Mon 2003-02-10 at 13.22, Robert Collins wrote:

> Yes. You haven't allowed any other traffic.
> try:
> http_reply_access deny trusted_sites repdangerous_appli

Shouldn't this be
http_reply_access deny !trusted_sites repdangerous_appli


> http_reply_access allow all
> 
> Also, be sure to test trusted_sites in http_access as well - in squid
> 2.5 http_reply_access requires 'fast' acl checks, which means that DNS
> lookups cannot be done there. (This is fixed in 3.0)

Many thanks for the reply access/noblocking cleanups there. Did not
notice this in the cvs changelogs, but obviously is there and is looking
great.

Regards
Henrik

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




RE: [squid-users] HTTP requests

2003-02-10 Thread Henrik Nordstrom
Mon 2003-02-10 at 12.36, Bilal wrote:

> If a second request for another web page can be made via the same
> socket, how common is this occurrence?

Quite common. See the cachemgr statistics.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden




[squid-users] Near Hits vs. Negative Hits

2003-02-10 Thread squid
Hi Everyone,

I'm having trouble finding any information about Near Hits.  It's an
option in the General Runtime section of the Cache Manager.  Under the 5
min average section there is an item that reads
client_http.nh_median_svc_time.  The Near Hits value seems to always
equal the nh_median_svc_time, but I was under the impression that
nh_median_svc_time was negative hits which I can find plenty of
documentation.

If somebody could confirm for me that Near Hits is in fact Negative Hits I
would really appreciate it.

George Loeppky
NetSweeper Inc.





[squid-users] Blocking Mirc and ICQ via Squid

2003-02-10 Thread Riccardo Fontana
HI,

I'm trying to create an ACL to prevent ICQ, Mirc and similar chat 
clients from accessing Internet via HTTP protocol.

Can anyone give me a hint ?

Thanks



Re: [squid-users] problems with ie 6 and proxy auth on squid

2003-02-10 Thread Rob Poe
It's a known problem.  Here's something that should be in this month's
squid-users archive...

 If you call Microsoft at 1-800-936-4900 and refer to this KB article
 they will send you a link to the patch at NO charge.

 http://support.microsoft.com/default.aspx?id=kb;en-us;331906



[squid-users] Prevent downloading of special types of applications

2003-02-10 Thread reymc
Thanks a lot for your answer Robert. I now manage to apply filtering based on 
the MIME type. 

However, since all embedded scripts do not have the MIME type
application/x-oleobject (which is the MIME type they should have), I do not manage to avoid 
downloading of activeX objects.

Does anyone have any idea on how to prevent downloading of ActiveX objects ?

Thanks again for your collaboration !

Marie



> Hi all,
> 
> I am using Squid2.5 stable1 and I want to prevent the downloading of some types 
> of applications such as activeX (oleobject is the MIME type of an activeX 
> object).
> 
> Here is the configuration I used:
> 
> acl trusted_sites srcdomain .microsoft.com
> acl repdangerous_appli rep_mime_type -i ^application/x-oleobject$
> 
> http_reply_access allow trusted_sites repdangerous_appli
> 
> Then, when I request for URL www.microsoft.com, I get an error message "Access 
> denied"
> 
> Does anyone know why ?

Yes. You haven't allowed any other traffic.
try:
http_reply_access deny trusted_sites repdangerous_appli
http_reply_access allow all

Also, be sure to test trusted_sites in http_access as well - in squid
2.5 http_reply_access requires 'fast' acl checks, which means that DNS
lookups cannot be done there. (This is fixed in 3.0)

Rob




[squid-users] access.log

2003-02-10 Thread Sandra Cüsters
Hello,
can you say something about the squid logs?
If I sent an email with appendage (e.g. word files) across the internet by
an internet-email supplier (such gmx.net or web.de),  could I see a hint
(the name) about this appendage in the log file?
Thank you very much.

Sandra Cüsters





[squid-users] problems with ie 6 and proxy auth on squid

2003-02-10 Thread Alex Sharaz
Hi all,

I've got a small problem with  IE 6 and proxy authentication to a squid 2.5 
stable1 set of caches.

I should say at this point that mozilla, netscape 6.2/7.0/7.0.1 and phoenix 
0.5 all work correctly

Descn:-

I have 4 squid 2.5stable1 caches connected to a foundry serveriron load 
balancing box.

All my clients are configured to pick up an auto proxy config file from a 
server on our campus which basically says "if the remote URL is on our net 
go direct otherwise go via my caches". Access to the caches is via a 
virtual IP address set up on the serveriron which then load balances 
requests over the real servers.

Our outside world firewall is configured so that direct external access 
from client pcs is redirected to a local web page describing how to 
configure their browser to use our cache.

Configuring IE 6 to use our squid caches works fine without any form of 
proxy authentication. When I configure them to use proxy auth I get the 
following problem.

1). configure IE to have a home page outside our class b net.
2). configure client to use proxy service ( either virtual ip on foundry 
kit or real web cache address:3128 doesn't matter which)
3). configure client to delete all temp cache files on exit just to view 
problem and then exit browser
4). fire up browser
5). fill in authentication dialog box that appears because we are connected 
to a cache
6). Web page appears saying ie is unable to connect to remote site "server 
or DNS failure"
7). click on refresh button - remote web page appears.

The above had a home page on a remote site just to simplify things. If the 
home page is local and you then try and access a remote site the same thing 
happens.

The thing is that some clients work fine and some don't ... and I can't see 
what the difference is!!

has anyone seen any problems with IE authenticating to a squid  cache 
before?

any help appreciated

Alex
Sent using Mulberry 3.01a


[squid-users] Accelerator-friendly applications: what am I doing wrong?

2003-02-10 Thread Gianugo Rabellino
Hi,

I'm trying to make a web application (Apache Cocoon) as much 
proxy-friendly as possible, with the idea of being able to serve costly 
and almost static requests straight from a reverse proxy instead of 
directly from the application.

I've read RFC 2616, some tutorials and the Squid FAQs, but still there 
is something that doesn't work, either in my application or (even worse) 
in my understanding of the mechanics of caching.

Basically, from my application I'm setting a couple of proxy-friendly 
headers (expires and cache-control) in order to instruct the proxy to 
cache the result. From what I see by sniffing the traffic, the headers 
are correct. The squid log files, also, label the content as FRESH, so 
it seems that everything is working as expected.

Unfortunately this is not the case. I'm still getting  hits on my 
backend server on a 1:1 ratio (one hit on the reverse proxy means one 
hit on my backend server), together with TCP_MISSes on the Squid side 
which means that my server is not being offloaded at all (agreed, except 
for network bottlenecks).

What am I missing? I'm enclosing a snippet of the network conversation, 
as well as a relevant (well, to me at least, feel free to ask for more) 
excerpt from the log files:

Client is sending:


GET /samples/hello-world/hello.html HTTP/1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate,compress;q=0.9
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 linux.local:3128 (squid/2.5.STABLE1)
X-Forwarded-For: 127.0.0.1
Host: localhost
Cache-Control: max-age=0
Connection: keep-alive

The backend server consistently answers with:

HTTP/1.1 200 OK
Date: Mon, 10 Feb 2003 14:52:37 GMT
Server: Jetty/4.2.7 (Linux/2.4.19-4GB i386 java/1.4.1_01)
X-Cocoon-Version: 2.1-dev
Content-Type: text/html
Cache-Control: max-age=86400, public
Expires: Tue, 11 Feb 2003 14:52:38 GMT
Content-Length: 996
Connection: keep-alive

FYI: now is Mon Feb 10 14:54:11 GMT 2003 here, expires was set to one 
day, so everything seems right. Squid log (squid -k) says

2003/02/10 15:52:37| clientCacheHit: http://localhost:8890/samples/hello-world/hello.html, 1286 bytes
2003/02/10 15:52:37| 0x83ca2cc lookup for 49
2003/02/10 15:52:37| refreshCheck: 'http://localhost:8890/samples/hello-world/hello.html'
2003/02/10 15:52:37| FRESH: expires 1044975130 >= check_time 1044888757
2003/02/10 15:52:37| Staleness = -1
2003/02/10 15:52:37| refreshCheck: Matched '. 0 20% 259200'
2003/02/10 15:52:37| refreshCheck: age = 27
2003/02/10 15:52:37|  check_time: Mon, 10 Feb 2003 14:52:37 GMT

Which suggests to me that once again everything is fine, yet:


1044888758.143    435 127.0.0.1 TCP_MISS/200 1318 GET http://localhost:8890/samples/hello-world/hello.html - DIRECT/127.0.0.1 text/html

And an access occurs on my backend server... gosh, why? :-/

I feel a bit stuck, and I have this strange feeling of having overlooked 
something really important, so please forgive my ignorance. With my 
dumbass hat handy, I wait for your help: fire at will.

TIA,

--
Gianugo Rabellino
Pro-netics s.r.l.
http://www.pro-netics.com



Re: [squid-users] access.log

2003-02-10 Thread Marc Elsen


Sandra Cüsters wrote:
> 
> Hello,
> can you say something about the squid logs?
> If I sent an email with appendage across the internet by an internet-email
> supplier (such gmx.net or web.de),  could I see a hint (the name) about this
> appendage in the log file?

 Don't understand the question specifically.
 It also depends on the remote application probably.

 Squid.conf has a directive 
  
 strip_query_terms

 which is on by default.

 If set to off, then query terms in URLs will be shown in the access
 log.
 This could include private info, in this case, your remote e-mail
 address on that site and/or the person you are sending e-mail to.

 M.

> Thank you very much.
> 
> Sandra Cüsters

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



[squid-users] access.log

2003-02-10 Thread Sandra Cüsters
Hello,
can you say something about the squid logs?
If I sent an email with appendage across the internet by an internet-email
supplier (such gmx.net or web.de),  could I see a hint (the name) about this
appendage in the log file?
Thank you very much.

Sandra Cüsters





Re: [squid-users] mapping private address to public address

2003-02-10 Thread Marc Elsen


Roos Leif wrote:
> 
> Hi,
> I wonder if anyone can help me with how I should configure the squid
> proxy if I want to map a private 10.1.1.1 address to the public address
> 202.xxx.xxx.xxx.

 You are talking about 'IP problems'.
 Squid is a network application, it has no access to that part
 of the networking stack.

 Firewalling tools & solutions should be used here.

 M.

> Best Regards
> Leif Roos

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



[squid-users] mapping private address to public address

2003-02-10 Thread Roos Leif
Hi,
I wonder if anyone can help me with how I should configure the squid
proxy if I want to map a private 10.1.1.1 address to the public address
202.xxx.xxx.xxx.
Best Regards  
Leif Roos



[squid-users] Redirect some URL traffic to another proxy?

2003-02-10 Thread Roos Leif
Hi ,
I want to redirect traffic to another proxy when I try to reach some
specific URL that starts with www or ppp. Can anyone help me with this?
I have tried to configure the squid proxy with the following but it doesn't
work so well.

cache_peer 192.168.1.1 parent 8080 0 no-query default
acl www url_regex ^http://www.*
acl ppp url_regex ^http://ppp.*
cache_peer_access 192.168.1.1 allow www ppp
never_direct allow www ppp

Best regards
Leif Roos



[squid-users] some questions

2003-02-10 Thread alp
hi,

i have some questions:

a) does anybody have experience in using a lot of refresh-patterns? i wonder
if it will have a big impact on the performance if squid has to check each
object via lots of regular expressions, or am i wrong?

b) there exists the null storage module. is it in any way superior to using
a cache_deny line in order to disable the cache completely?

thx in advance,
alp




Re: [squid-users] Prevent downloading of special types of files

2003-02-10 Thread Robert Collins
On Mon, 2003-02-10 at 23:12, [EMAIL PROTECTED] wrote:
> Hi all,
> 
> I am using Squid2.5 stable1 and I want to prevent the downloading of some types 
> of applications such as activeX (oleobject is the MIME type of an activeX 
> object).
> 
> Here is the configuration I used:
> 
> 
> 
> 
> acl trusted_sites srcdomain .microsoft.com
> acl repdangerous_appli rep_mime_type -i ^application/x-oleobject$
> 
> http_reply_access allow trusted_sites repdangerous_appli
> 
> 
> 
> Then, when I request for URL www.microsoft.com, I get an error message "Access 
> denied"
> 
> Does anyone know why ?

Yes. You haven't allowed any other traffic.
try:
http_reply_access deny trusted_sites repdangerous_appli
http_reply_access allow all

Also, be sure to test trusted_sites in http_access as well - in squid
2.5 http_reply_access requires 'fast' acl checks, which means that DNS
lookups cannot be done there. (This is fixed in 3.0)

Rob
-- 
GPG key available at: .



signature.asc
Description: This is a digitally signed message part
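
Added example (not part of the thread and not Squid source code): a small Python model of the access-list evaluation behind the reply above, where lines are checked in order, every ACL on a line must match, and a transaction that matches no line gets the opposite of the last line's action. The sample transactions, the assumed outcome of the trusted_sites check, and the third list using `!trusted_sites` are constructed for illustration.

```python
import re

# rep_mime_type -i pattern for the ActiveX MIME type discussed in the thread.
OLEOBJECT = re.compile(r"^application/x-oleobject$", re.IGNORECASE)

# The access lists compared: as posted, as suggested in the reply, and a
# constructed variant (not from the thread) that uses '!' negation.
POSTED = "http_reply_access allow trusted_sites repdangerous_appli\n"
SUGGESTED = (
    "http_reply_access deny trusted_sites repdangerous_appli\n"
    "http_reply_access allow all\n"
)
NEGATED = (
    "http_reply_access deny !trusted_sites repdangerous_appli\n"
    "http_reply_access allow all\n"
)

# Constructed sample transactions. "trusted" is the assumed outcome of the
# trusted_sites check; how Squid arrives at it is not modelled here.
SAMPLES = {
    "html from trusted": {"trusted": True, "content_type": "text/html"},
    "activex from trusted": {"trusted": True,
                             "content_type": "application/x-oleobject"},
    "activex from other": {"trusted": False,
                           "content_type": "Application/X-OleObject"},
}


def parse_access_list(conf_text, directive):
    """Return [(action, [acl, ...]), ...] for one directive, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if (len(words) >= 3 and words[0] == directive
                and words[1] in ("allow", "deny")):
            rules.append((words[1], words[2:]))
    return rules


def acl_matches(name, txn):
    """Evaluate one named ACL against a transaction."""
    if name == "all":
        return True
    if name == "repdangerous_appli":
        return bool(OLEOBJECT.search(txn["content_type"]))
    if name == "trusted_sites":
        return txn["trusted"]
    raise KeyError("undefined ACL: " + name)


def line_matches(acls, txn):
    """A line matches only if every ACL on it matches ('!' negates one)."""
    for acl in acls:
        negate = acl.startswith("!")
        if acl_matches(acl.lstrip("!"), txn) == negate:
            return False
    return True


def evaluate(rules, txn):
    """First matching line decides; otherwise invert the last line's action."""
    if not rules:
        raise ValueError("no access lines to evaluate")
    for action, acls in rules:
        if line_matches(acls, txn):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decisions(conf_text):
    """Decision for every sample transaction under one access list."""
    rules = parse_access_list(conf_text, "http_reply_access")
    return {name: evaluate(rules, txn) for name, txn in SAMPLES.items()}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("suggested", SUGGESTED),
                        ("negated", NEGATED)):
        print(label, decisions(conf))
```

With the single posted `allow` line, the ordinary HTML reply matches nothing and falls through to the implicit deny, which is the "Access denied" page described in the question.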


[squid-users] Logging of users that access my cache

2003-02-10 Thread Abdul-Azeez
Hi all,
I am using squid2.5STABLE1
I used to see error logs of users that attempt to access my cache and
corresponding reasons why access was denied.

But ever since I rebuilt my squid s/w, I stopped seeing such messages.
What do I have to configure during compilation time?

Abdul




AW: [squid-users] cache refresh

2003-02-10 Thread Rost, Werner
 bin/squidclient  for Squid 2.4
 bin/client   for Squid 2.5

> Kind regards
> Werner Rost
> 
> -
> ZF Boge GmbH
> Werner Rost
> IT
> Friesdorfer Str. 175
> D-53175 Bonn
> 
> 
> phone:+49/228/3825 420
> fax:  +49/228/3825 398
> [EMAIL PROTECTED]
> 
> www.boge-vibrationcontrol.com/
> -
> 


-Original Message-
From: MASOOD AHMAD [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 February 2003 12:33
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] cache refresh

Dear Paras,

you can find a file squidclient in your squid bin
directory ...

you can delete specific URL or page like that

squidclient -m PURGE  http://acb.com 

or

squidclient -m PURGE  http://acb.com/page.html

Best Regards,

Masood Ahmad Shah
System Administrator
Fibre Net
--- Paras pradhan <[EMAIL PROTECTED]> wrote:
> hi all
> 
> 
> i have squid running fine and good. but got one
> problem.
> 
> can i delete particular domain's cache from the
> cache?? let's say: i want
> to delete the acb.com from cache.
> 
> i am having refresh prob. i am getting the old page
> again and again and
> again from the cache. how do i remove that and which
> is the best algo for
> cache. i have more than 100 users hitting my cache
> server at peak hours.
> 
> Thanks.
> 
> 
> Paras pradhan
> Systems Dept.
> Bajranet PVT LTD
> Kathmandu
> Nepal.
> 
> 





[squid-users] Prevent downloading of special types of files

2003-02-10 Thread reymc
Hi all,

I am using Squid2.5 stable1 and I want to prevent the downloading of some types 
of applications such as activeX (oleobject is the MIME type of an activeX 
object).

Here is the configuration I used:




acl trusted_sites srcdomain .microsoft.com
acl repdangerous_appli rep_mime_type -i ^application/x-oleobject$

http_reply_access allow trusted_sites repdangerous_appli



Then, when I request for URL www.microsoft.com, I get an error message "Access 
denied"

Does anyone know why ?

Marie





RE: [squid-users] HTTP requests

2003-02-10 Thread Bilal


> > > Is it possible for a user to request URL B, and this URL is handled
> > > via the same socket as URL A was? How does Squid take care of this?
> 
> >  That is irrelevant. In TCP two separate connections to a remote
> >  box can not use the same socket.

> Not fully. The connection may be persistent, in which case the second
> request is processed after the first on the same TCP connection. If multiple
> requests are sent over the same TCP connection after each other then
> HTTP specifies that the replies are sent back in the same order.

If a second request for another web page can be made via the same
socket, how common is this occurrence?

Thanks
B





Re: [squid-users] cache refresh

2003-02-10 Thread MASOOD AHMAD
Dear Paras,

you can find a file squidclient in your squid bin
directory ...

you can delete specific URL or page like that

squidclient -m PURGE  http://acb.com 

or

squidclient -m PURGE  http://acb.com/page.html

Best Regards,

Masood Ahmad Shah
System Administrator
Fibre Net
--- Paras pradhan <[EMAIL PROTECTED]> wrote:
> hi all
> 
> 
> i have squid running fine and good. but got one
> problem.
> 
> can i delete particular domain's cache from the
> cache?? let's say: i want
> to delete the acb.com from cache.
> 
> i am having refresh prob. i am getting the old page
> again and again and
> again from the cache. how do i remove that and which
> is the best algo for
> cache. i have more than 100 users hitting my cache
> server at peak hours.
> 
> Thanks.
> 
> 
> Paras pradhan
> Systems Dept.
> Bajranet PVT LTD
> Kathmandu
> Nepal.
> 
> 





[squid-users] 2003/02/10 10:27:53| idnsRead: FD 4 recvfrom: (10054) WSAECONNRESET, Connection reset by peer.

2003-02-10 Thread Jeroen Steenhuis (Dutch Plating Power BV)
Hello !

My log is flooding with the following error message :

2003/02/10 10:27:53| idnsRead: FD 4 recvfrom: (10054) WSAECONNRESET,
Connection reset by peer.

What can i do about it??

Best regards, Jeroen




[squid-users] Cache Mgr Corrupted ?

2003-02-10 Thread Ben White
Hi,

How can I be sure that my cachemgr.cgi is corrupted ? 
For months, I am unable to access my cachemgr.cgi via
webmin.  After entering my password and ID, all I get
was "Error-Bad Header".  I have re-installed webmin,
but this problem does not go away. I have read the squid
FAQ, but doesn't help much. My cachemgr.cgi was fine
with squid 2.4, but not 2.5.

Despite this problem, my squid proxy is still
functioning OK.

Anyone can help me ?





Re: [squid-users] Problem with parent proxy and no DNS (FATAL:Could not find any nameservers.)

2003-02-10 Thread Mike Cudmore
Hi,

you need to set cache peer as well



Regards
Mike Cudmore
GSI & Intranet Connectivity Team

>>> "Jeroen Steenhuis (Dutch Plating Power BV)"
<[EMAIL PROTECTED]> 02/10/03 08:38am >>>
Hello !

I've got a problem running squid, with no DNS servers available. Squid must
send request thru a parent proxy (this is the only way to get information
from the internet).

I searched the internet, but didn't find information to get squid running,
also not in the squid FAQ

My Squid.Conf contains :

http_port 80
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnetwork src 192.0.0.0/255.255.255.0

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localnetwork

http_access deny all

http_reply_access allow all

icp_access allow all

visible_hostname 192.0.0.11

prefer_direct off

never_direct allow all

So, it seems to me it must work, but it doesn't :

C:\squid\sbin>squid -D
WARNING: Cannot write log file: c:/squid/var/logs/cache.log
c:/squid/var/logs/cache.log: No such file or directory
 messages will be sent to 'stderr'.
2003/02/10 09:27:17| WARNING: Closing open FD2
2003/02/10 09:27:17| Starting Squid Cache version 2.5.STABLE1.NT-CVS for i686-pc-winnt...
2003/02/10 09:27:17| Running on Windows 2000
2003/02/10 09:27:17| Process ID 12920
2003/02/10 09:27:17| With 2048 file descriptors available
2003/02/10 09:27:17| With 512 CRT stdio descriptors available
2003/02/10 09:27:17| Windows sockets initialized
2003/02/10 09:27:17| DNS Socket created at 0.0.0.0, port 4289, FD 3
FATAL: Could not find any nameservers.
   Please check your TCP-IP settings or /etc/resolv.conf file
   or use the 'dns_nameservers' option in squid.conf.
Squid Cache (Version 2.5.STABLE1.NT-CVS): Terminated abnormally.
CPU Usage: 0.060 seconds = 0.020 user + 0.040 sys
Maximum Resident Size: 1728 KB
Page faults with physical i/o: 432

abnormal program termination

What must i do? I'm out of options...

Thank You !

Best regards,

Jeroen






Re: [squid-users] proxi_hierarchies

2003-02-10 Thread Henrik Nordstrom
Emilio Casbas wrote:

> >Give us enough detail to understand what's going on.
> >What access denied message do you get?
> 
> Specific from the server in Inet.


If the error message is generated by the server in Inet and is not a
Squid error message then I would guess the problem is with the
configuration of this server, maybe not allowing requests from one of
your Squid servers or such problem. It could also be related to NTLM/"MS
Integrated Logon" authentication if the server is a MS IIS server and
requires the user to authenticate.

What exact error message are you getting?

Squid error messages all have a signature at the bottom telling when the
error message was generated, by which Squid server, running what version
of Squid.

Note: If you are using MSIE then it is quite likely you have to disable
"Show friendly HTTP error messages" in the Advanced Internet Options to
actually see error messages.. a "nice" invention of Microsoft to protect
users from the "ugly" error messages generated by the Internet greatly
reducing their capabilities to actually understand why they get an error
or their abilities to efficiently ask for help to resolve the error..

Regards
Henrik



[squid-users] cache refresh

2003-02-10 Thread Paras pradhan
hi all


i have squid running fine and good. but got one problem.

can i delete particular domain's cache from the cache?? let's say: i want
to delete the acb.com from cache.

i am having refresh prob. i am getting the old page again and again and
again from the cache. how do i remove that and which is the best algo for
cache. i have more than 100 users hitting my cache server at peak hours.

Thanks.


Paras pradhan
Systems Dept.
Bajranet PVT LTD
Kathmandu
Nepal.





Re: [squid-users] Problem with parent proxy and no DNS (FATAL: Could not find any nameservers.)

2003-02-10 Thread Henrik Nordstrom
Squid insists on having a DNS server configured, but does not actually
need to use one in such configurations.

Configure squid.conf with

# Fool Squid to think there is a DNS server
dns_nameservers 127.0.0.1


Then make sure you do not use any DNS dependent ACL types, and always
make use of never_direct allow all...


Regards
Henrik


"Jeroen Steenhuis (Dutch Plating Power BV)" wrote:
> 
> Hello !
> 
> I've got a problem running squid, with no DNS servers available. Squid must
> send request thru a parent proxy (this is the only way to get information
> from the internet).
> 
> I searched the internet, but didn't find information to get squid running,
> also not in the squid FAQ
> 
> My Squid.Conf contains :
> 
> http_port 80
> hierarchy_stoplist cgi-bin ?
> 
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> 
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> 
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> #acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl localnetwork src 192.0.0.0/255.255.255.0
> 
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localnetwork
> 
> http_access deny all
> 
> http_reply_access allow all
> 
> icp_access allow all
> 
> visible_hostname 192.0.0.11
> 
> prefer_direct off
> 
> never_direct allow all
> 
> So, it seems to me it must work, but it doesn't :
> 
> C:\squid\sbin>squid -D
> WARNING: Cannot write log file: c:/squid/var/logs/cache.log
> c:/squid/var/logs/cache.log: No such file or directory
>  messages will be sent to 'stderr'.
> 2003/02/10 09:27:17| WARNING: Closing open FD2
> 2003/02/10 09:27:17| Starting Squid Cache version 2.5.STABLE1.NT-CVS for i686-pc-winnt...
> 2003/02/10 09:27:17| Running on Windows 2000
> 2003/02/10 09:27:17| Process ID 12920
> 2003/02/10 09:27:17| With 2048 file descriptors available
> 2003/02/10 09:27:17| With 512 CRT stdio descriptors available
> 2003/02/10 09:27:17| Windows sockets initialized
> 2003/02/10 09:27:17| DNS Socket created at 0.0.0.0, port 4289, FD 3
> FATAL: Could not find any nameservers.
>    Please check your TCP-IP settings or /etc/resolv.conf file
>    or use the 'dns_nameservers' option in squid.conf.
> Squid Cache (Version 2.5.STABLE1.NT-CVS): Terminated abnormally.
> CPU Usage: 0.060 seconds = 0.020 user + 0.040 sys
> Maximum Resident Size: 1728 KB
> Page faults with physical i/o: 432
> 
> abnormal program termination
> 
> What must i do? I'm out of options...
> 
> Thank You !
> 
> Best regards,
> 
> Jeroen



Re: [squid-users] proxi_hierarchies

2003-02-10 Thread Emilio Casbas
Robert Collins wrote:


On Fri, 2003-02-07 at 22:23, Emilio Casbas wrote:
 

Hi all.

I get the "Access Denied" message from server, the configuration is:

[users] -->  [proxy squid] -->  [filter squid] -->  [cache squid] 
--->  inet (server with trouble)
   (parent)
   (parent)

When I try to access the server from the users (with the option to use 
[proxy squid] in Mozilla), I see that the request
is invalid (Access Denied); if I configure [filter squid] in Mozilla, 
it works fine.
I think the trouble is when the request passes across more than two 
proxies.
The partial solution is to configure the filter squid so that the domain 
with the problem always goes direct, but I don't like this solution.
Any suggestions?
   



Give us enough detail to understand what's going on.
What access denied message do you get?


Specific from the server in Inet.


What proxy is sending the deny?


The neighboring one. I tried various configurations, for example

[ I ] -->  [proxy squid] -->  [filter squid] -->  [cache squid] --> inet (server with trouble)

The proxy squid sends the deny


I thought the trouble was the filter, so I tried this:

[ I ] -->  [proxy squid] -->  [cache squid] -->  [cache squid] --> inet (server with trouble)

and the proxy squid sends the deny.
Any configuration with more than 2 proxies fails. Because I did this


[ I ] -->  [proxy squid] -->  [cache squid] --> inet (server with trouble)


[ I ] -->  [filter squid] -->  [cache squid] --> inet (server with trouble)

and work fine.

 

What acl (and its definition) is causing the deny?

There isn't acl for this request


What are the routing rules on the squids?
in any case, work fine. only fail for this request


Are any of them running with TCP interception?
No.

Are any of them running as rproxies?
No.

Rob


Thanks
Emilio.
---




Re: [squid-users] Resource temporarily unavailable (more info) hmm working !?

2003-02-10 Thread Arno_STREULI


Ok, I did check my /etc/system config
and I increased the values for shared memory and message queues.
So now it works, hope it's gonna stay up for a while.
Since I don't really understand how I should set up these values, I will see

# shared memory modif
set shmsys:shminfo_shmmax=2097152
set shmsys:shminfo_shmmni=40960
set shmsys:shminfo_shmseg=4096

# Message queue
set msgsys:msginfo_msgmni=4096
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgseg=75
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgtql=307200

#set msgsys:msginfo_msgmax=2048

Thanks for the trick

Regards,

Arno








Re: [squid-users] forward by IP and URL

2003-02-10 Thread Henrik Nordstrom
George Dominguez wrote:
> 
> Hello,
> 
> Can someone help me in constricting an ACL that would perform the
> following:
> 
> if an IP is from an IP range and destined to a specific URL then forward
> the request to another proxy


Just combine a src and a dstdomain acl in your cache_peer_access and
never_direct directives..

Regards
Henrik



Re: [squid-users] Resource temporarily unavailable

2003-02-10 Thread Henrik Nordstrom
See the Squid FAQ on required host configuration for using diskd.

This message is seen if you haven't retuned your host to support
sufficient amount of messages in kernel message queues.

Regards
Henrik


[EMAIL PROTECTED] wrote:
> 
> Hi,
> This morning i've got the following error message in my cache.log :
> 
> 2003/02/10 07:51:48| Store logging disabled
> > 2003/02/10 07:51:48| Rebuilding storage in /cache (DIRTY)
> 2003/02/10 07:51:48| Using Least Load store dir selection
> 2003/02/10 07:51:48| Set Current Directory to /usr/local/squid/var
> 2003/02/10 07:51:48| Loaded Icons.
> 2003/02/10 07:51:48| Initializing SmartFilter
> 2003/02/10 07:51:48| SmartFilter Info: SmartFilter Version: 3.1.1.02
> 2003/02/10 07:51:48| SmartFilter Info: SmartFilter API version: 3.1.3
> 2003/02/10 07:51:48| SmartFilter: Created communication thread
> 2003/02/10 07:51:48| SmartFilter: SmartFilter init: Warning: There was at least 1 invalid url in the site.txt file. SmartFilter initialized.
> 2003/02/10 07:51:48| Accepting HTTP connections at 0.0.0.0, port 8080, FD 83.
> 2003/02/10 07:51:48| Accepting SNMP messages on port 3401, FD 84.
> 2003/02/10 07:51:48| WCCP Disabled.
> 2003/02/10 07:51:48| Ready to serve requests.
> 2003/02/10 07:52:16| Store rebuilding is  2.2% complete
> > 2003/02/10 07:52:29| storeDiskdSend: msgsnd: (11) Resource temporarily unavailable
> > 2003/02/10 07:52:29| storeDiskdSend OPEN: (11) Resource temporarily unavailable
> > 2003/02/10 07:52:29| storeDiskdSend: msgsnd: (11) Resource temporarily unavailable
> 
> What does that mean, and how can I fix it ?
> This error messages wont let me surf anymore.
> 
> Thanks,
> 
> Arno
> 



Re: [squid-users] Resource temporarily unavailable (more info)

2003-02-10 Thread Henrik Nordstrom
[EMAIL PROTECTED] wrote:
> 
> Oops sorry:
> Ultra Enterprise 250 512MB ram,  Solaris 8, squid 2.5-STABLE1
> 
> I did all the configuration I was supposed to do (following the FAQ), and the system
> had been working fine for a week.
> I tried to reboot the system, but the first request gives me this error.
> 
> The problem appeared today, not before

Triple check your kernel parameters. The error should be there.

Regards
Henrik



[squid-users] Problem with parent proxy and no DNS (FATAL: Could not find any nameservers.)

2003-02-10 Thread Jeroen Steenhuis (Dutch Plating Power BV)
Hello !

I've got a problem running squid, with no DNS servers available. Squid must
send request thru a parent proxy (this is the only way to get information
from the internet).

I searched the internet, but didn't find information to get squid running,
also not in the squid FAQ

My Squid.Conf contains :

http_port 80
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnetwork src 192.0.0.0/255.255.255.0

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localnetwork

http_access deny all

http_reply_access allow all

icp_access allow all

visible_hostname 192.0.0.11

prefer_direct off

never_direct allow all

So, it seems to me it must work, but it doesn't :

C:\squid\sbin>squid -D
WARNING: Cannot write log file: c:/squid/var/logs/cache.log
c:/squid/var/logs/cache.log: No such file or directory
 messages will be sent to 'stderr'.
2003/02/10 09:27:17| WARNING: Closing open FD2
2003/02/10 09:27:17| Starting Squid Cache version 2.5.STABLE1.NT-CVS for i686-pc-winnt...
2003/02/10 09:27:17| Running on Windows 2000
2003/02/10 09:27:17| Process ID 12920
2003/02/10 09:27:17| With 2048 file descriptors available
2003/02/10 09:27:17| With 512 CRT stdio descriptors available
2003/02/10 09:27:17| Windows sockets initialized
2003/02/10 09:27:17| DNS Socket created at 0.0.0.0, port 4289, FD 3
FATAL: Could not find any nameservers.
   Please check your TCP-IP settings or /etc/resolv.conf file
   or use the 'dns_nameservers' option in squid.conf.
Squid Cache (Version 2.5.STABLE1.NT-CVS): Terminated abnormally.
CPU Usage: 0.060 seconds = 0.020 user + 0.040 sys
Maximum Resident Size: 1728 KB
Page faults with physical i/o: 432

abnormal program termination

What must i do? I'm out of options...

Thank You !

Best regards,

Jeroen




Re: [squid-users] Resource temporarily unavailable (more info)

2003-02-10 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
> 
> Oops sorry:
> Ultra Enterprise 250 512MB ram,  Solaris 8, squid 2.5-STABLE1
> 
> I did all the configuration I was supposed to do (following the FAQ), and the system
> had been working fine for a week.
> I tried to reboot the system, but the first request gives me this error.
> 
> The problem appeared today, not before

 Ok, hopefully more expert help will 'come in'.
 I am not using diskd or solaris myself.
  
 I only know that kernel params. may need tweaking for
 diskd to operate successfully.

 Regards.

 M.

> 
> Arno
> 

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



Re: [squid-users] Resource temporarily unavailable (more info)

2003-02-10 Thread Arno_STREULI


Oops, sorry:
Ultra Enterprise 250, 512MB RAM, Solaris 8, squid 2.5-STABLE1

I did all the configuration I was supposed to do (following the FAQ), and the system
had been working fine for a week.
I tried to reboot the system, but the first request gives me this error.

The problem appeared today, not before

Arno








Re: [squid-users] Resource temporarily unavailable (more info)

2003-02-10 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
> 
> Hi,
> 
> I tried to issue a squid -z (don't know what else to do)
> and here is some info that came up in the cache.log (this time the cache was clean)
> 
> 003/02/10 08:26:00| Rebuilding storage in /cache (CLEAN)
> 2003/02/10 08:26:00| Using Least Load store dir selection
> 2003/02/10 08:26:00| Set Current Directory to /usr/local/squid/var
> 2003/02/10 08:26:00| Loaded Icons.
> 2003/02/10 08:26:00| Initializing SmartFilter
> 2003/02/10 08:26:00| SmartFilter Info: SmartFilter Version: 3.1.1.02
> 2003/02/10 08:26:00| SmartFilter Info: SmartFilter API version: 3.1.3
> 2003/02/10 08:26:00| SmartFilter: Created communication thread
> 2003/02/10 08:26:00| SmartFilter: SmartFilter init: Warning: There was at least 1 invalid url in the site.txt file. SmartFilter initialized.
> 2003/02/10 08:26:00| Accepting HTTP connections at 0.0.0.0, port 8080, FD 83.
> 2003/02/10 08:26:00| Accepting SNMP messages on port 3401, FD 84.
> 2003/02/10 08:26:00| WCCP Disabled.
> 2003/02/10 08:26:00| Ready to serve requests.
> 2003/02/10 08:26:26| Store rebuilding is  2.2% complete
> .
> .
> .
> 2003/02/10 08:26:32| storeDiskdSend OPEN: (11) Resource temporarily unavailable
> 2003/02/10 08:26:41| Store rebuilding is 95.8% complete
> 2003/02/10 08:26:41| storeDiskdSend: msgsnd: (11) Resource temporarily unavailable
> 2003/02/10 08:26:41| assertion failed: diskd/store_io_diskd.c:494: "++send_errors < 100"
> 
> After that, Squid dies and restarts over and over!

 Which version of SQUID are you using?
 On which OS/platform/version?

 Anyway, you may need to adapt kernel params. for your OS related
 to shared memory and message queue
 resources (which are components used by diskd).

 See the FAQ on diskd for starters.

 M.


> 
> Thanks,
> 
> Arno
> 

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)
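
The `msgsnd: (11) Resource temporarily unavailable` lines in the quoted log are EAGAIN, which a non-blocking send on a System V message queue returns once the queue has reached its byte limit. The C program below is an added example, not part of this thread or of Squid's source; the 64-byte payload, the 1024-byte cap and the name `fill_queue` are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#define PAYLOAD   64      /* constructed message size, not diskd's real one */
#define MAX_SENDS 100000  /* safety bound for the send loop */

struct demo_msg {
    long mtype;           /* message type, must be > 0 */
    char mtext[PAYLOAD];
};

/* Create a private queue, cap it at qbytes, then send without blocking until
 * the kernel refuses. Returns the number of messages accepted, or -1 if the
 * queue could not be set up. *err receives the errno that stopped the run. */
int fill_queue(unsigned long qbytes, int *err)
{
    struct msqid_ds ds;
    struct demo_msg m;
    int sent = 0;
    int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);

    *err = 0;
    if (id < 0) { *err = errno; return -1; }
    /* Lowering msg_qbytes needs no privilege; raising it above the system
     * limit does, which is where the kernel parameters come in. */
    if (msgctl(id, IPC_STAT, &ds) < 0) goto fail;
    ds.msg_qbytes = qbytes;
    if (msgctl(id, IPC_SET, &ds) < 0) goto fail;
    memset(&m, 0, sizeof m);
    m.mtype = 1;
    while (sent < MAX_SENDS && msgsnd(id, &m, PAYLOAD, IPC_NOWAIT) == 0)
        sent++;
    if (sent < MAX_SENDS) *err = errno;   /* expected: EAGAIN, queue full */
    msgctl(id, IPC_RMID, NULL);           /* always remove the queue */
    return sent;
fail:
    *err = errno;
    msgctl(id, IPC_RMID, NULL);
    return -1;
}

int main(void)
{
    int err, n = fill_queue(1024, &err);
    printf("accepted %d messages, stopped by: (%d) %s\n", n, err, strerror(err));
    return n < 0;
}
```

Nothing drains the queue in this demo, so the sender runs into the byte limit after a handful of messages and gets the same errno 11 that appears in the cache.log excerpt.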