[squid-users] Auth Help

2003-03-26 Thread NetSnake
Hi, all
   Where are the auth modules in Squid 2.5.STABLE2?

NetSnake
[EMAIL PROTECTED]
  2003-03-26





Re: [squid-users] hotmail problem

2003-03-26 Thread Marc Elsen


Raja R wrote:
> 
> Hi ,
> I am posting this qtn again as I did not get any reply..pls. help me..I have
> a strange problem with HOTMAIL. The page says DONE before it fully loads
> the page with No Display. I am using squid 2.5 stable 1 . I think the squid
> is sending Finish too fast, before actually loading the page.
> I am facing this problem only with hotmail . Allowed connections to 443
> (https) also in the config as hotmail requires it...but still no luck..ANy
> pointers ?

  I have no problem at all, using hotmail thru 2.5Stable1 and
2.5Stable2.

  On what OS are you using squid (version etc) ?

  Are you using transp. proxying ?

  Verify problem, preferably with different browsers :

   Mozilla - Netscape - IE (e.g.).

  To exclude that in the problem analysis path, you are not confronted
  with a browser issue.

  M.

> 
> Regards,
> Raja.

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


[squid-users] Problems with NTLM in Squid2.5.STABLE2

2003-03-26 Thread Alexander Kiselev
Hi all,

just installed the latest version of Squid (2.5.STABLE2) and Samba (2.2.8).
Installed and configured as described in FAQ
(http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5) for authorization
the users in NT domain via NTLM and basic methods using Samba's winbind
daemon.

My PC logged into NT domain. When i started IExplorer6, after two-three
requests i've got a password prompt window.
Then i started a "wb_ntlmauth" helper with debug "-d" option and found that
when a password prompt pop up, the following messages appeared in log file:

++
(wb_ntlmauth)[18075](wb_ntlm_auth.c:240): Checking user 'DOMAIN\USER1'
lmhash len =24, have_nthash=0, nthash len=24
(wb_ntlmauth)[18075](wb_ntlm_auth.c:246): winbindd result: 1
(wb_ntlmauth)[18075](wb_ntlm_auth.c:60): sending 'NA DOMAIN\USER1 auth
failure because: Authentication Failure (NT_STATUS_WRONG_PASSWORD)' to squid
++

This happens sometimes and i can't determine the reason of that. In
Squid.2.5.STABLE1 + Samba 2.2.5 all works without any problems with the same
configuration.

--
Cheers,
Alex



Re: [squid-users] header_access design problem?

2003-03-26 Thread Gerhard Wiesinger
On Wed, 26 Mar 2003, Henrik Nordstrom wrote:

> Gerhard Wiesinger wrote:
> >
> > Hello!
> >
> > I'm trying to get the header_access feature to work (squid 2.5.STABLE2).
> > It works well except the following:
> >
> > 1.) header_access works for Request headers well, but Response headers are
> > cut too!!!
>
> Yes. This is intentional.
>

Would you accept a patch or is someone working on different config for
request and response?

BTW: Was it the same behaviour as in previous versions? (especially
2.4.STABLE x)

> > 2.) Adding a currently unknown header (e.g. Depth for WebDAV) requires
> > source compilation and modification. Also adding other new headers should
> > be much easier (e.g. config). Maybe there should be a warning
> > message, but filtering should be done correctly.
>
> This is a known problem with Squid. If you want to filter new headers
> you currently either need to use paranoid mode only allowing what should
> be allowed, or modify the source.
>
> A patch correcting this is welcome if it bothers you.
>

OK, i will have a look at it.

> Regards
> Henrik
>

Ciao,
Gerhard


[squid-users] identify the name of an uploaded file

2003-03-26 Thread Messner, Alexander
Hi all,

yesterday I've already questioned:
is there a possibility in the logs to identify the name of an uploaded file?
Websweeper for Windows can do this - can this Squid?

Kind regards :-)
Alexander Messner
---
Graffinity Pharmaceuticals AG
Im Neuenheimer Feld 518-519  ---  D-69120 Heidelberg
Tel: 06221/6510-152 --- Fax: 06221/6510-111
mailto: [EMAIL PROTECTED] --- http://www.graffinity.com
 





[squid-users] how median_svc_time calculated?

2003-03-26 Thread atit jariwala
I am using SQUID 2.5 stable1
i want to know:
1) how median_svc_time is calculated for HTTP Requests?
2) how Near Hits for HTTP Requests are calculated...?
3) how Not-Modified Replies are calculated?

regards
=atit




[squid-users] mrtg and squid.

2003-03-26 Thread Mauro
Hallo.
I use linux debian with kernel 2.4.20 and squid 2.4 stable6.
Someone use the program MRTG for squid statistics? 
I've notice that the values from mrtg and cachemgr.cgi are different.
Regards.

Mauro


[squid-users] Squid as SSL ReverseProxy - SSL Gateway or however you wanna call it

2003-03-26 Thread sebastian . nell
Hi!

I have been reading through this mailing list quite a while and have
stumbled over a lot of
Posts concerning  Squid and SSL but not an answer to what I really need.
What I need is a SSL Connection on both sides of Squid

Client < -SSL > Squid < - SSL - > Internal Server

I know that this question has been asked quite often and there were people
who said it works, some said it doesn't, but there has never been a "real"
answer or an example concerning whether it is possible or not!

My Squid.conf looks like this (using Squid 2.5 stable1):

http_port 172.16.3.131:80
https_port 172.16.3.131:443 cert=squid_cert.pem  key=squid_key.pem
...
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl allowed_hosts src 192.168.1.1/255.255.255.0
acl SSL_ports port 443 563
...
acl CONNECT method CONNECT
...
redirect_rewrites_host_header off


http_access allow manager localhost
http_access deny manager
http_access allow allowed_hosts
http_access deny all
http_access allow CONNECT !SSL_ports
http_access allow CONNECT
...
acl our_networks src 192.168.1.0/24 192.168.4.0/24
http_access allow our_networks
http_reply_access allow all
...
httpd_accel_port 443
httpd_accel_host virtual
httpd_accel_single_host off
httpd_accel_with_proxy off
httpd_accel_uses_host_header on


And at my /etc/hosts I added an entry

192.168.1.10   localserver

When I try to access localserver through Squid and https I get the error
Message
"Error- Bad Request This web server is running in SSL mode. Try the URL
https:://pc352:443/ instead."

pc352 is the computer name of localserver.

How do I get SSL to work from Squid to the localserver?

I would be more than thankful if someone could help me out on this one!

THX

Sebastian

***
Beratungsgesellschaft
Software Systemplanung AG
Geschäftssitz Mainz
Niederlassung Rhein/Main
Robert-Koch-Straße 41
55129 Mainz
Phone:  06131 914-0 (-166), Fax -400
E-Mail: [EMAIL PROTECTED]
web: www.bgs-ag.de




Re: [squid-users] mrtg and squid.

2003-03-26 Thread MASOOD AHMAD
hmmm
it's very strange for me that there is a difference
between MRTG + cachemgr.cgi I think difference can be
in time. check it out..

Best Regards,
Masood Ahmad Shah
System Administrator
Fibre Net
http://www.fibre.net.pk
 
--- Mauro <[EMAIL PROTECTED]> wrote:
> Hallo.
> I use linux debian with kernel 2.4.20 and squid 2.4
> stable6.
> Someone use the program MRTG for squid statistics? 
> I've notice that the values from mrtg and
> cachemgr.cgi are different.
> Regards.
> 
> Mauro




[squid-users] Knowing the client's IP

2003-03-26 Thread Boniforti Flavio
I would like to get a means to know ALL the clients that EVER connected
through my proxy.

Is this feasible?

I looked into it with cachemgr.cgi, but it just tells me which clients
are ACTUALLY using it!

Thank you

---
Boniforti Flavio
Provincia del Verbano-Cusio-Ossola
Ufficio Informatica

Tecnoparco del Lago Maggiore
Via dell'Industria, 25
28924 Verbania
---




[squid-users] Variable traffic limit

2003-03-26 Thread Sergey Smirnov
I know that using delay_pool I can limit traffic.
But this limitation is constant. I try to explain what i mean.
For example I have 512 kb/s line. If 100 clients connected I limit
each user 5 kb/s. If 10 clients connected I limit 50 kb/s. If only one
client limit is 500 kb/s.
Can squid do something like this?
--
Sergey Smirnov


[squid-users] authentication program

2003-03-26 Thread Ramzi S. Abdallah


Hi all,

I need some help in configuring squid to authenticate users using an
external authentication program. I wrote a simple perl script that
authenticate users against a MySQL database but does not seem to be
working properly. What's happening is that squid keeps rejecting the
username and password and access gets denied. At first I thought that
the perl script is not functioning properly so I replaced it with this
simple script that always return "OK" as a result but still not working.

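#!/usr/bin/perl -w

# Unbuffered output so Squid sees each reply immediately.
$|=1;

# Squid writes one "username password" line per request on stdin.
while (<STDIN>) {
  chomp;
  my @login = split(/ /);
  print "OK\n";
}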


Following is my squid.conf config that relates to authentication:

authenticate_program /etc/squid/scripts/authsql

acl pass proxy_auth REQUIRED
acl rocks_admin src 192.168.101.0/255.255.255.0
acl auburn_edu  src 192.168.104.0/255.255.255.0

http_access allow rocks_admin
http_access allow auburn_edu
http_access allow pass


Thank you for any help

Ramzi



[squid-users] NC4.x and restricted web access?

2003-03-26 Thread Steck, Steffen M.
Hi,
i have some users with full web access and others only allowed on certain
sites. All going through Squid 2.4 Stable 7. When a restricted user accesses
an allowed site with an external link on it (most often banner ads) and uses
an old NC 4.x browser, the site is not displayed since NC 4.x gets the error
message from squid and shows it full screen. IE or Mozilla for instance
show the access denied message only in the place where the gif should be...
Is there a smart idea how to resolve this or make a redirect to some
transparent gif to get this working for NC4 users? (updating is not really
an option ;-(  )
Thx.
Steffen


[squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Kristian Du
Hi Everyone,

I have looked through the FAQs but could not find an answer to my
doubts.

I was wondering whether the following scenario can be implemented or
not:

- A user logs on a Win 2K box authenticated via an LDAP server
- Opens up a browser that has NOT been configured to use a 
  proxy server for web access (transparent proxying comes into
  play behind the scenes)
- When the user accesses an external site (i.e. outside the
  local intranet) he does NOT have to enter a username and a
  password for authenticating with the proxy server
- The proxy administrator can generate reports and view 
  surfing habits on a per user basis

What I am mainly doubtful about is whether the user identity can flow
transparently from NT user logon to the proxy authentication stage.

Any help will be much appreciated.

--
Kristian




[squid-users] median_svc_time

2003-03-26 Thread atit jariwala
in cachemgr.cgi script
we have cache utilization section displaying various statistics

considering following :

client_http.all_median_svc_time
client_http.miss_median_svc_time
client_http.nm_median_svc_time
client_http.nh_median_svc_time
client_http.hit_median_svc_time

i want to get better performance in terms of good response time to user
accessing cache

for that
does all_median_svc_time be high/low?
does hit_median_svc_time be high/low?
does miss_median_svc_time be high/low?

i also want to know:
1) how median_svc_time is calculated for HTTP Requests?
2) how Near Hits for HTTP Requests are calculated...?
3) how Not-Modified Replies are calculated?

regards
=atit




waiting for reply.
regards
==atit








[squid-users] want to freeze some sites permanently in RAM

2003-03-26 Thread atit jariwala
I am using SQUID 2.5 STABLE1

following are some sites frequently used by clients

www.yahoo.com
www.mail.yahoo.com
www.rediff.com
www.updates.microsoft.com



i want to freeze all static contents of these sites permanently in memory
they should not be deleted even when swapping is done for other contents
so that i have TCP_MEM_HIT for all these and my clients will have better
response time

is it possible?
if so how?

waiting for reply

regards
atit






Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Robert Collins
On Wed, 2003-03-26 at 23:00, Kristian Du wrote:
> Hi Everyone,
> 
> I have looked through the FAQs but could not find an answer to my
> doubts.

Under transparent proxying:
Does it work with authentication?

No.

Rob
-- 
GPG key available at: .




Re: [squid-users] header_access design problem?

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 09.19, Gerhard Wiesinger wrote:

> > > 1.) header_access works for Request headers well, but Response headers are
> > > cut too!!!
> >
> > Yes. This is intentional.
> >
> 
> Would you accept a patch or is someone working on different config for
> request and response?

A patch is probably accepted if the new config makes sense. If the patch
is for Squid-3 then the likelihood of acceptance after one or two
reviews is very high.

To my knowledge there is no one working on such a change, at least none of
the regular Squid developers are.

Note: Squid-2.5 is in its STABLE release cycle where no changes to
configuration directives are allowed. But a separate patch can always be
published.

> BTW: Was it the same behaviour as in previous versions? (especially
> 2.4.STABLE x)

I do not know. It is not a feature I normally use or have worked on.



If you (or anyone else) want to join the open development of Squid
please take a look at http://devel.squid-cache.org/. Having a focused
task at hand such as extending the anonymisation feature (i.e.
header_access) helps a lot to get started but there are always many ideas
floating around if you have interest but need help to select suitable
starting tasks.

As a registered Squid developer you have access to

 * Up to date CVS access to the Squid sources, both the current
development version and STABLE versions.

 * Automatic tools to maintain your changes to always keep them current
with the Squid sources, based on CVS.

 * Web space to publish notes

 * Automatic publish of patches with your Squid changes.

 * Access to the squid-dev mailinglist for discussing Squid internals
and other topics which are interesting to the development of Squid.


The only commitment from your side is that you find Squid development
interesting, and have an open mind. It obviously helps if you also know
a little of C and/or C++. There is no obligation to actually produce any
improvements to Squid, but life will obviously be more interesting as a
Squid developer if you do.


The Squid project also needs other people not directly involved in
development. Current open positions are

  * FAQ maintainer (Linuxdoc SGML)
  * Technical writers for the Squid Users Guide  (DocBook)
  * Technical writers for the Squid Programmers Guide (DocBook). For
this task it helps a lot if you also have some interest in Squid
development and can read C / C++ source.
  * Bug database maintainer, to classify and keep track of bug reports
and try to reproduce reported bugs.
  * Alpha testers who can test development versions of Squid in
controlled manners (not production)
  * Beta testers who can test and verify STABLE or PRE versions of
Squid, and also independent verification of bug fixes.
  * And probably many other positions I have not thought of

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Richard Barrett
At 12:00 26/03/2003, Kristian Du wrote:
> Hi Everyone,
>
> I have looked through the FAQs but could not find an answer to my
> doubts.
> I was wondering whether the following scenario can be implemented or
> not:
> - A user logs on a Win 2K box authenticated via an LDAP server
> - Opens up a browser that has NOT been configured to use a
>   proxy server for web access (transparent proxying comes into
>   play behind the scenes)
> - When the user accesses an external site (i.e. outside the
>   local intranet) he does NOT have to enter a username and a
>   password for authenticating with the proxy server
> - The proxy administrator can generate reports and view
>   surfing habits on a per user basis

And which particular branch of the secret police are you commissioning this
system for?

> What I am mainly doubtful about is whether the user identity can flow
> transparently from NT user logon to the proxy authentication stage.
> Any help will be much appreciated.
>
> --
> Kristian



Re: [squid-users] mrtg and squid.

2003-03-26 Thread Henrik Nordstrom
Minor note:

For historical reasons cachemgr.cgi reports averages while SNMP reports
median. This may cause a slight difference in the value reported, but
usually the median and average are quite close.

Usually when there are large differences there is a misunderstanding on
the variables. It is not always obvious to map the SNMP variables to
cachemgr.cgi, and some of the SNMP variable names are slightly
confusing.. (several names which are close to each other but mean quite
different things)

If you indicate which values you have problems with we may have greater
success in helping you or explaining why there is a difference.

Regards
Henrik


On Wed 2003-03-26 at 09.51, Mauro wrote:
> Hallo.
> I use linux debian with kernel 2.4.20 and squid 2.4 stable6.
> Someone use the program MRTG for squid statistics? 
> I've notice that the values from mrtg and cachemgr.cgi are different.
> Regards.
> 
> Mauro
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] SSL problem on cache hierarchy

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 08.24, Matthias Henze wrote:

> i can see the https request in the logs of the secondary squid (which also
> does proxy auth) but the log entry does not appear immediately. it appears
> after the timeout of the secondary proxy. i think, that the secondary proxy
> tries to connect DIRECTLY to the wanted ssl host but his parent.

From my previous reply:

Can your Squid go direct, or must the parent be used? If the parent must
be used, have you told Squid that you are inside a firewall? (see the
FAQ)

Regards
Henrik

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] median_svc_time

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 07.45, atit jariwala wrote:

> i want to get better performance in terms of good response time to user
> accessing cache
> 
> for that
> does all_median_svc_time be high/low?
> does hit_median_svc_time be high/low?
> does miss_median_svc_time be high/low?


You always want service times low.


> and i think ( not sure) that all_median_svc_time is avg svc_time derived
> from other 4 svc_times
> am i making sense?

The "all" case is measured separately, measured on all requests.

It is the median service time of all requests seen by Squid,
regardless of whether the response was a hit/miss/...

Regards
Henrik
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] want to freeze some sites permanently in RAM

2003-03-26 Thread Henrik Nordstrom
This cannot be done without implementing such functionality in Squid
first..

But using refresh_pattern to make Squid more aggressively cache the
content usually suffices, but needs to be applied wisely.

Regards
Henrik


On Wed 2003-03-26 at 07.51, atit jariwala wrote:
> I am using SQUID 2.5 STABLE1
> 
> following are some sites frequently used by clients
> 
> www.yahoo.com
> www.mail.yahoo.com
> www.rediff.com
> www.updates.microsoft.com
> 
> 
> 
> i want to freeze all static contents of these sites permanently in memory
> they should not be deleted even when swapping is done for other contents
> so that i have TCP_MEM_HIT for all these and my clients will have better
> response time
> 
> is it possible?
> if so how?
> 
> waiting for reply
> 
> regards
> atit
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] identify the name of an uploaded file

2003-03-26 Thread Henrik Nordstrom
Not without coding the functionality. Not an easy task.

Regards
Henrik

On Wed 2003-03-26 at 09.34, Messner, Alexander wrote:
> Hi all,
> 
> yesterday I've already questioned:
> is there a possibility in the logs to identify the name of an uploaded file?
> Websweeper for Windows can do this - can this Squid?
> 
> Kind regards :-)
> Alexander Messner
> ---
> Graffinity Pharmaceuticals AG
> Im Neuenheimer Feld 518-519  ---  D-69120 Heidelberg
> Tel: 06221/6510-152 --- Fax: 06221/6510-111
> mailto: [EMAIL PROTECTED] --- http://www.graffinity.com
>  
> 
> 
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or however you wanna call it

2003-03-26 Thread Henrik Nordstrom
Squid-2.5 does not support this out of the box.

With the SSL update patch for Squid-2.5 it gets somewhat possible by
defining the internal server as a ssl enabled cache_peer (works with
most web servers) or using a redirector to rewrite the accelerated URLs
into https://... (works with all web servers)


Squid-3 will support such configuration directly, and is significantly
easier to configure than Squid-2.5 + ssl_update.


In both cases the https:// request is proxied by Squid, meaning that
there is one SSL tunnel between the client and Squid, and another SSL
tunnel between Squid and the web server, with Squid decrypting and then
re-encrypting the traffic in the middle.

If what you want is a SSL tunnel between the client and the internal
server then you need to use a tcp plug or port forwarding.

Regards
Henrik


On Wed 2003-03-26 at 09.58, [EMAIL PROTECTED] wrote:
> Hi!
> 
> I have been reading through this mailing list quite a while and have
> stumbled over a lot of
> Posts concerning  Squid and SSL but not an answer to what I really need.
> What I need is a SSL Connection on both sides of Squid
> 
> Client < -SSL > Squid < - SSL - > Internal Server
> 
> I know that this question has been asked quite often and there were people
> who said it works, some said it doesn't, but there has never been a "real"
> answer or an example concerning whether it is possible or not!
> 
> My Squid.conf looks like this (using Squid 2.5 stable1):
> 
> http_port 172.16.3.131:80
> https_port 172.16.3.131:443 cert=squid_cert.pem  key=squid_key.pem
> ...
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl allowed_hosts src 192.168.1.1/255.255.255.0
> acl SSL_ports port 443 563
> ...
> acl CONNECT method CONNECT
> ...
> redirect_rewrites_host_header off
> 
> 
> http_access allow manager localhost
> http_access deny manager
> http_access allow allowed_hosts
> http_access deny all
> http_access allow CONNECT !SSL_ports
> http_access allow CONNECT
> ...
> acl our_networks src 192.168.1.0/24 192.168.4.0/24
> http_access allow our_networks
> http_reply_access allow all
> ...
> httpd_accel_port 443
> httpd_accel_host virtual
> httpd_accel_single_host off
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header on
> 
> 
> And at my /etc/hosts I added an entry
> 
> 192.168.1.10   localserver
> 
> When I try to access localserver through Squid and https I get the error
> Message
> "Error- Bad Request This web server is running in SSL mode. Try the URL
> https:://pc352:443/ instead."
> 
> pc352 is the computer name of localserver.
> 
> How do I get SSL to work from Squid to the localserver?
> 
> I would be more than thankful if someone could help me out on this one!
> 
> THX
> 
> Sebastian
> 
> ***
> Beratungsgesellschaft
> Software Systemplanung AG
> Geschäftssitz Mainz
> Niederlassung Rhein/Main
> Robert-Koch-Straße 41
> 55129 Mainz
> Phone:  06131 914-0 (-166), Fax -400
> E-Mail: [EMAIL PROTECTED]
> web: www.bgs-ag.de
> 
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] Knowing the client's IP

2003-03-26 Thread Henrik Nordstrom
Squid only keeps in memory the addresses which have used Squid since
Squid was last restarted, and only if the client database is enabled in
squid.conf.

To get longer time reports you need to grab the addresses from your
access.log archives.

Regards
Henrik


On Wed 2003-03-26 at 10.27, Boniforti Flavio wrote:
> I would like to get a means to know ALL the clients that EVER connected
> through my proxy.
> 
> Is this feasible?
> 
> I looked into it with cachemgr.cgi, but it just tells me which clients
> are ACTUALLY using it!
> 
> Thank you
> 
> ---
> Boniforti Flavio
> Provincia del Verbano-Cusio-Ossola
> Ufficio Informatica
> 
> Tecnoparco del Lago Maggiore
> Via dell'Industria, 25
> 28924 Verbania
> ---
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
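
One way to build the long-term client list from access.log archives, as suggested in the reply above (an added example, not part of the original message and not Squid code). It assumes the logs are either in Squid's native format or in the httpd-style format seen elsewhere on this page; the sample lines, function names and file handling are constructed for illustration.

```python
import gzip
import ipaddress
import re
from datetime import datetime

# httpd-style line, like the entries quoted elsewhere on this page:
#   client ident user [dd/Mon/yyyy:hh:mm:ss +zone] "request" status bytes ...
HTTPD_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ')


def parse_line(line):
    """Return (client_ip, epoch_seconds), or None if the line is unusable."""
    line = line.strip()
    if not line:
        return None
    try:
        m = HTTPD_RE.match(line)
        if m:
            client = m.group(1)
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        else:
            # Native format: time elapsed client code/status bytes method URL ...
            fields = line.split()
            if len(fields) < 7:
                return None
            when = float(fields[0])
            client = fields[2]
        # Keep only literal IPv4/IPv6 addresses; anything else is treated as damage.
        client = str(ipaddress.ip_address(client))
    except ValueError:
        return None
    return client, when


def client_inventory(lines):
    """Fold log lines into {client: first/last/requests} plus a count of skipped lines."""
    seen, skipped = {}, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, when = parsed
        entry = seen.setdefault(client, {"first": when, "last": when, "requests": 0})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["requests"] += 1
    return seen, skipped


def read_logs(paths):
    """Yield lines from current and rotated logs; .gz archives are opened transparently."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


# Constructed sample lines (not taken from a real log).
SAMPLE = [
    '1048670000.120    245 192.168.1.23 TCP_MISS/200 4312 GET http://example.com/ - DIRECT/192.0.2.10 text/html',
    '1048673600.500     12 192.168.1.23 TCP_HIT/200 980 GET http://example.com/logo.gif - NONE/- image/gif',
    '192.168.4.7 - - [26/Mar/2003:12:58:38 +0100] "CONNECT example.org:443 HTTP/1.0" 407 1442 TCP_DENIED:NONE',
    'garbage line from a truncated write',
]


def demo():
    """Inventory of the constructed sample: two clients, one skipped line."""
    return client_inventory(SAMPLE)
```

The skipped-line count is worth keeping in the report: a sudden rise usually means a log format change or a truncated archive, and the client list is then incomplete.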



Re: [squid-users] Auth Help

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 08.51, NetSnake wrote:
> Hi, all
> Where are the auth modules in Squid 2.5.STABLE2?

In the source the auth modules can be found in the helpers directory.

When installed the modules can be found in libexec.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] how median_svc_time calculated?

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 08.45, atit jariwala wrote:
> I am using SQUID 2.5 stable1
> i want to know:
> 1) how median_svc_time is calculated for HTTP Requests?

The median service time of the requests, calculated by keeping a
histogram of the service times of requests received and then summarise
this histogram into a median service time.

For information on how to make histograms and how to calculate median or
average based on a histogram see any text book on statistics.

> 2) how Near Hits for HTTP Requests are calculated...?

Near Hits are requests for which Squid received an ICP_HIT message from
one of its peers.

> 3) how Not-Modified Replies are calculated?

What about them?

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
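
The histogram-to-median step described in the reply above, as an added example that is not part of the original message and is not Squid's own code. The logarithmic bin layout, class name and sample values are assumptions made for illustration; the "all" histogram is filled separately from the hit and miss ones, and the mean is shown beside the median because this thread also notes that cachemgr.cgi reports averages while SNMP reports medians.

```python
import math


class ServiceTimeHistogram:
    """Fixed-size histogram of service times (ms) with logarithmically spaced bins."""

    def __init__(self, max_ms=60000.0, nbins=64):
        self.max_ms = float(max_ms)
        self.counts = [0] * nbins
        # Bin i covers [edge(i), edge(i + 1)), where edge(i) = exp(i * scale) - 1.
        self.scale = math.log(self.max_ms + 1.0) / nbins

    def bin_for(self, ms):
        ms = min(max(float(ms), 0.0), self.max_ms)   # clamp out-of-range samples
        return min(int(math.log(ms + 1.0) / self.scale), len(self.counts) - 1)

    def edge(self, i):
        return math.exp(i * self.scale) - 1.0

    def add(self, ms):
        self.counts[self.bin_for(ms)] += 1

    def percentile(self, p):
        """Walk the bins until the cumulative count reaches p, then interpolate."""
        total = sum(self.counts)
        if total == 0:
            return 0.0
        target = p * total
        seen = 0
        for i, count in enumerate(self.counts):
            if count and seen + count >= target:
                frac = (target - seen) / count
                lo, hi = self.edge(i), self.edge(i + 1)
                return lo + frac * (hi - lo)
            seen += count
        return self.edge(len(self.counts))

    def median(self):
        return self.percentile(0.5)


def demo():
    """Constructed workload: 60 fast hits, 39 ordinary misses, one very slow miss."""
    hits = [5.0] * 60
    misses = [200.0] * 39 + [30000.0]
    all_hist = ServiceTimeHistogram()
    hit_hist = ServiceTimeHistogram()
    miss_hist = ServiceTimeHistogram()
    for ms in hits:
        all_hist.add(ms)       # the "all" case gets every request ...
        hit_hist.add(ms)       # ... and each class is also counted on its own
    for ms in misses:
        all_hist.add(ms)
        miss_hist.add(ms)
    samples = hits + misses
    return {
        "all_median": all_hist.median(),
        "hit_median": hit_hist.median(),
        "miss_median": miss_hist.median(),
        "all_mean": sum(samples) / len(samples),
    }
```

With this workload the single 30-second request pulls the mean far above the median, which is the kind of gap that appears when an average and a median of the same traffic are compared.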



Re: [squid-users] Variable traffic limit

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 10.48, Sergey Smirnov wrote:
> I know that using delay_pool I can limit traffic.
> But this limitation is constant. I try to explain what i mean.
> For example I have 512 kb/s line. If 100 clients connected I limit
> each user 5 kb/s. If 10 clients connected I limit 50 kb/s. If only one
> client limit is 500 kb/s.
> Can squid do something like this?

Squid intends to give the users more or less fair share of the allocated
bandwidth when they compete for the same delay pool. This is why there
is aggregate pool definitions.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Brett Lymn
On Wed, Mar 26, 2003 at 11:19:06AM +, Richard Barrett wrote:
> 
> And which particular branch of the secret police are you commissioning this 
> system for?
> 

Probably the ones that pay for the infrastructure that the people are
using - it is called reporting and, it can, save your arse by
providing hard facts to your boss that you are NOT surfing the web all
day - just that he/she happens by when you are surfing.  If you want
the feeling of some (transitory) privacy then surf on your own time
and infrastructure but don't think for a minute that cannot be tracked
either.

-- 
Brett Lymn


Re: [squid-users] authentication program

2003-03-26 Thread Henrik Nordstrom
Works here using very similar scripts..

Note: Upgrade to Squid-2.5 is recommended.

Regards
Henrik


On Wed 2003-03-26 at 11.16, Ramzi S. Abdallah wrote:
> Hi all,
> 
> I need some help in configuring squid to authenticate users using an
> external authentication program. I wrote a simple perl script that
> authenticate users against a MySQL database but does not seem to be
> working properly. What's happening is that squid keeps rejecting the
> username and password and access gets denied. At first I thought that
> the perl script is not functioning properly so I replaced it with this
> simple script that always return "OK" as a result but still not working.
> 
> #!/usr/bin/perl -w
> 
> $|=1;
> 
> while (<STDIN>) {
>   chomp;
>   my @login = split(/ /);
>   print "OK\n";
> }
> 
> 
> Following is my squid.conf config that relates to authentication:
> 
> authenticate_program /etc/squid/scripts/authsql
> 
> acl pass proxy_auth REQUIRED
> acl rocks_admin src 192.168.101.0/255.255.255.0
> acl auburn_edu  src 192.168.104.0/255.255.255.0
> 
> http_access allow rocks_admin
> http_access allow auburn_edu
> http_access allow pass
> 
> 
> Thank you for any help
> 
> Ramzi
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 13.00, Kristian Du wrote:
> Hi Everyone,
> 
> I have looked through the FAQs but could not find an answer to my
> doubts.
> 
> I was wondering whether the following scenario can be implemented or
> not:
> 
> - A user logs on a Win 2K box authenticated via an LDAP server
> - Opens up a browser that has NOT been configured to use a 
>   proxy server for web access (transparent proxying comes into
>   play behind the scenes)
> - When the user accesses an external site (i.e. outside the
>   local intranet) he does NOT have to enter a username and a
>   password for authenticating with the proxy server

Sorry. To use proxy authentication the browser MUST be configured to use
a proxy.

What can be done is a separate authentication scheme where the user
authenticates his IP address. Such authentication is most easily done by
having the domain logon script registering in a database who the current
user of the clients IP address is, and then have the proxy query this
database to find the username.

Another alternative is to use IDENT, but this requires an IDENT server to be
installed on each and every client station. Note: the IDENT server may
be started by the domain logon script, but in such case knowledgeable
users may easily fake their identity to the proxy.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
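
A sketch of the IP-address scheme described in the reply above, as an added example that is not part of the original message and is not Squid code. It assumes the proxy side is an external ACL helper that is handed the client address and answers `OK user=<name>` or `ERR`; the in-memory registry stands in for the database the logon script would write to, and the class name, TTL and name pattern are hypothetical.

```python
import ipaddress
import re
import time

# Conservative account-name pattern (an assumption of this example): no whitespace,
# so a registered name can never add extra keywords to the helper's reply line.
USER_RE = re.compile(r'^[A-Za-z0-9._-]{1,64}$')


class LogonRegistry:
    """Stand-in for the logon database: client IP -> (user, time of logon)."""

    def __init__(self, ttl=8 * 3600, clock=time.time):
        self.ttl = ttl          # entries older than this are treated as unknown
        self.clock = clock
        self._by_ip = {}

    def register(self, ip, user):
        """Called by the logon script. A new logon on the same IP replaces the old owner."""
        if not USER_RE.match(user):
            raise ValueError("unacceptable user name")
        self._by_ip[str(ipaddress.ip_address(ip))] = (user, self.clock())

    def logoff(self, ip):
        self._by_ip.pop(str(ipaddress.ip_address(ip)), None)

    def lookup(self, ip):
        """Return the current user of ip, or None if unknown or stale."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, when = entry
        if self.clock() - when > self.ttl:
            # Stale mapping: the address may have been reassigned since that logon.
            del self._by_ip[ip]
            return None
        return user


def answer(registry, request_line):
    """One helper exchange: the request is the client address, the result is the reply line."""
    fields = request_line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    user = registry.lookup(ip)
    return "ERR" if user is None else "OK user=" + user


def serve(registry, infile, outfile):
    """Helper main loop: one request per line in, one unbuffered reply per line out."""
    for line in infile:
        outfile.write(answer(registry, line) + "\n")
        outfile.flush()
```

The mapping is only as trustworthy as the registration path, so the TTL and the overwrite-on-logon behaviour matter for the per-user reports: without them a reassigned address keeps charging traffic to the previous user.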



RE: [squid-users] Knowing the client's IP

2003-03-26 Thread Boniforti Flavio
> Squid only keeps in memory the addresses which have used 
> Squid since Squid was last restarted, and only if the client 
> database is enabled in squid.conf.

Well, does this mean that if my client A connects today it gets
displayed in that view, but will it last in that view forever (until the
next restart)?

> To get longer time reports you need to grab the addresses 
> from your access.log archives.

That's what I supposed to do if nothing else would be feasible...




[squid-users] Squid 2.5S1 mutilating https request

2003-03-26 Thread Deac Nkisetlein
Dear listmembers,

I have a squid 2.5S1 on a solaris 8 box with basic auth (smb) running
happily. 

But there's one problem I was not able to nail down yet.

If I open a browser, and direct it to (for example)

https://sourceforge.com

I get the auth-box. After successfully logging in I do get the error page
displayed saying that squid could not retrieve the URL "/".

My entered URL is not displayed anymore. The error only says that it was
not able to retrieve "/".

Squid's error log shows:

xx.xx.xx.xx - - [26/Mar/2003:12:58:38 +0100] "CONNECT sourceforge.com:443 HTTP/1.0" 407 1442 TCP_DENIED:NONE
xx.xx.xx.xx - - [26/Mar/2003:12:58:39 +0100] "GET / HTTP/0.0" 400 1571 NONE:NONE

I tested MS-IE 6.0 so far. Netscape 4.7 does not show up these errors.

Any help is greatly appreciated!

Regards.




RE: [squid-users] hotmail problem

2003-03-26 Thread Raja R
No, I am not using transparent proxy. using squid on linux . have tried with
different browsers (ie, netscape), clearing cache, clearing local cache,
etc, but no luck.

BUT SOME interesting observation :

Hotmail works when I route Squid proxy thru ISDN (dial-up) line but does not
work when it is behind a Firewall with static NAT. Do I need to allow some
specific ports from outside to the proxy when behind a firewall for HOTMAIL
?
But the problem has nothing to do with squid version, b'coz I faced a
similar problem on squid-2.3 also.
Pls. suggest .
Regards,
Raja.



-Original Message-
From: Marc Elsen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 1:35 PM
To: [EMAIL PROTECTED]
Cc: 'squid'
Subject: Re: [squid-users] hotmail problem




Raja R wrote:
>
> Hi ,
> I am posting this qtn again as I did not get any reply..pls. help me..I have
> a strange problem with HOTMAIL. The page says DONE before it fully loads
> the page with No Display. I am using squid 2.5 stable 1 . I think the squid
> is sending Finish too fast, before actually loading the page.
> I am facing this problem only with hotmail . Allowed connections to 443
> (https) also in the config as hotmail requires it...but still no luck..ANy
> pointers ?

  I have no problem at all, using hotmail thru 2.5Stable1 and
2.5Stable2.

  On what OS are you using squid (version etc) ?

  Are you using transp. proxying ?

  Verify problem, preferably with different browsers :

   Mozilla - Netscape - IE (e.g.).

  To exclude that in the problem analysis path, you are not confronted
  with a browser issue.

  M.

>
> Regards,
> Raja.

--

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)



RE: [squid-users] Knowing the client's IP

2003-03-26 Thread Henrik Nordstrom
On Wed 2003-03-26 at 13:02, Boniforti Flavio wrote:
> > Squid only keeps in memory the addresses which have used 
> > Squid since Squid was last restarted, and only if the client 
> > database is enabled in squid.conf.
> 
> Well, does this mean that if my client A connects today it gets
> displayed in that view, but will it last in that view forever (until the
> next restart)?

From memory, yes.

> > To get longer time reports you need to grab the addresses 
> > from your access.log archives.
> 
> That's what I supposed to do if nothing else would be feasible...

It is the only method which is reliable. Can also give you interesting
trends on how usage varies with time.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



[squid-users] HTML Codes?

2003-03-26 Thread Lee Bailey

Hello,

I'm new to squid and have a query from one of my users...

"If I attempt to access a site which no longer exists, e.g.
http://www.timesite.co.uk/ The Squid cache reports:

"The following error is encountered:

Unable to determine IP address from host name for 
www.timesite.co.uk 
The dnsserver returned:
Name Error: The domain name does not exist.
"

I understand why the error was generated. The DNS entry for this site 
no longer exists, as stated. But it appears that the HTML error code 
generated by the proxy server could be incorrect. It is recorded by my
link-checking software as error 503.

According to my list of HTML error codes, 503 means 'Out of Resources 
- The server cannot process the request due to a system overload. This
should be a temporary condition.'

Since the lack of a DNS registration is neither 'out of resources' 
and probably not 'temporary', shouldn't the error code be different 
(e.g. 410 which is 'Gone - The requested resource is no longer 
available at the server and no forwarding address is known')?"

I've got 3 Squid-based proxy servers and all return a tcp_miss/503 for
any URLs that don't exist/typos. I don't regard this as a problem but a
query as to whether this is the correct response for this situation or
whether the 503 definition has changed?

Can anyone please comment, so I can give an informed response?

Many thanks, 

Lee.



 
 



[squid-users] max_user_ip doesn't work properly

2003-03-26 Thread Alexander Kiselev
Hi all.

On Squid2.5.STABLE2 I found that there is a problem with "acl max_user_ip".
I use this feature to limit users to using the Internet from one PC only at the
same time. It works fine only if the same authentication method is
used on both PCs, i.e. NTLM (if users on both PCs use IExplorer) or Basic
(if they use any other browsers).

My configuration (a part of "squid.conf" file):

# All users must log in
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
deny_info ERR_AUTH_FAILED authenticated

# No users may share their login/password with others
acl MaxIP max_user_ip -s 1
http_access deny MaxIP
deny_info ERR_MAX_USER_IP MaxIP

# vip_users allowed always
acl vip_users proxy_auth "/path/to/vip_users"
http_access allow vip_users


How can I limit the users with the "acl max_user_ip" feature regardless of the
browser they use?

Thanks.

--
Cheers,
Alex



[squid-users] how to install ldap_auth program?

2003-03-26 Thread Dvd
I'm sorry for my trivial question. I installed squid-2.5-STABLE2 but I
can't find the ldap_auth program. Where is it?
thanx



[squid-users] ldap-authentification with DominoNotes

2003-03-26 Thread Stefan . Vogel
Hello,

we currently have a squid 2.5Stable1 with authentication to a Netscape
LDAP-Server running.

To make administration easier, we want to authenticate against the LDAP
Service on our DominoNotesServer (5.10).




[squid-users] Authentification against DominoNotes LDAP

2003-03-26 Thread Stefan . Vogel
Hello,

we currently have a squid2.5stable1 with authentication against a
Netscape LDAP-Server up and running.

To make administration easier, we want to authenticate against our
DominoNotesServer (5.10) with LDAP.
We want to create a group for all users who should have access to the
Internet and make sure that all other users can not access the internet.

Does anyone have something like this running, or can anyone tell me what the
search string must look like?

Kind regards

Stefan Vogel




[squid-users] From where cachemge.cgi will take statistics data.........?

2003-03-26 Thread atit jariwala
I am using Squid 2.5 STABLE 1,
I am using cachemgr.cgi for squid performance monitoring
I want to know how this script is generated?

This script is using various statistics information (e.g svc_time , disk io
etc)
I want to know how this data comes to the script


regards
==atit



[squid-users] Access to port 8081 over https does not work

2003-03-26 Thread Stefan . Vogel
Hello,

we must have access to an external Website that has a URL like  https:
\\.???.de:8081.
Unfortunately this does not work over our Squid 2.5stable1
The port itself is in the Safe_ports list.

What do I have to do to make this work?

Kind regards
Stefan Vogel




Re: [squid-users] Access to port 8081 over https does not work

2003-03-26 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> we must have access to a external Website that has an URL like  https:
> \\.???.de:8081.
> Unfortunately this does not work  over our Squid 2.5stable1
> The port itself if in the Safe_ports list.
> 
> What do I have to do to make this working?

 Provided some kind of not so far from default conf it must be
 in :

 SSL_Ports

 M.

> 
> Kind regards
> Stefan Vogel

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


RE: [squid-users] Problems with NTLM in Squid2.5.STABLE2

2003-03-26 Thread daniel . jarboe
> This happens sometimes and i can't determine the reason of that. In
> Squid.2.5.STABLE1 + Samba 2.2.5 all works without any 
> problems with the same configuration.

I think I remember reading that winbind interface/headers changed with
Samba 2.2.6, and STABLE2 has headers for Samba >= 2.2.6.  So consider
upgrading Samba to latest (not a bad idea anyway, because of a number of
security&bugfixes).  Here it is,
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html ... To use STABLE2 with
samba versions 2.2.5 or earlier, the new --with-samba-sources = ...
configure option is required.

> Cheers,
> Alex

HTH,
~ Daniel














[squid-users] Service down.

2003-03-26 Thread Ampugnani, Fernando
Hi all,
My access.log had 2.0 Gb more or less and squid shut down by itself. The
question is, does squid support an access.log as big as 2.0 gb or more?
I have 3.6 gb in the log's file system.
I am sending the cache.log error from that moment.


2003/03/26 11:10:35|   Took 2.9 seconds (56618.3 entries/sec).
FATAL: logfileWrite: /usr/local/squid/logs/access.log: (0) Success

Squid Cache (Version 2.4.STABLE4): Terminated abnormally.
CPU Usage: 141873.640 seconds = 53158.470 user + 88715.170 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 360775
Memory usage for squid via mallinfo():
total space in arena:  150678 KB
Ordinary blocks:   106093 KB   9375 blks
Small blocks:   0 KB  0 blks
Holding blocks:   176 KB  1 blks
Free Small blocks:  0 KB
Free Ordinary blocks:   44584 KB
Total in use:  106269 KB 71%
Total free: 44584 KB 30%

Thanks in advance.

Fernando Ampugnani
EDS Argentina - Software, Storage & Network
Global Operation Solution Delivery
Tel: 5411 4704 3428
Mail: [EMAIL PROTECTED]




Re: [squid-users] Service down.

2003-03-26 Thread Sander Winkel
I think "/usr/local/squid/bin/squid -k rotate" for example every 24hours
will help you. :-)


- Original Message -
From: "Ampugnani, Fernando" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 4:04 PM
Subject: [squid-users] Service down.


Hi all,
My access.log had 2.0 Gb more or less and squid shut down alone. The
question is, support squid an access.log as big as 2.0 gb or more?.
I have 3.6 gb in the log ´s file system.
I send the cache.log error of that moment.


2003/03/26 11:10:35|   Took 2.9 seconds (56618.3 entries/sec).
FATAL: logfileWrite: /usr/local/squid/logs/access.log: (0) Success

Squid Cache (Version 2.4.STABLE4): Terminated abnormally.
CPU Usage: 141873.640 seconds = 53158.470 user + 88715.170 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 360775
Memory usage for squid via mallinfo():
total space in arena:  150678 KB
Ordinary blocks:   106093 KB   9375 blks
Small blocks:   0 KB  0 blks
Holding blocks:   176 KB  1 blks
Free Small blocks:  0 KB
Free Ordinary blocks:   44584 KB
Total in use:  106269 KB 71%
Total free: 44584 KB 30%

Thanks in advance.

Fernando Ampugnani
EDS Argentina - Software, Storage & Network
Global Operation Solution Delivery
Tel: 5411 4704 3428
Mail: [EMAIL PROTECTED]




Re: [squid-users] Service down.

2003-03-26 Thread Marc Elsen


"Ampugnani, Fernando" wrote:
> 
> Hi all,
> My access.log had 2.0 Gb more or less and squid shut down alone. The
> question is, support squid an access.log as big as 2.0 gb or more?.

 Yes, but the limit was probably imposed by your os+filesys-type 
 restrictions.

 M.


> I have 3.6 gb in the log ´s file system.
> I send the cache.log error of that moment.
> 
> 2003/03/26 11:10:35|   Took 2.9 seconds (56618.3 entries/sec).
> FATAL: logfileWrite: /usr/local/squid/logs/access.log: (0) Success
> 
> Squid Cache (Version 2.4.STABLE4): Terminated abnormally.
> CPU Usage: 141873.640 seconds = 53158.470 user + 88715.170 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 360775
> Memory usage for squid via mallinfo():
> total space in arena:  150678 KB
> Ordinary blocks:   106093 KB   9375 blks
> Small blocks:   0 KB  0 blks
> Holding blocks:   176 KB  1 blks
> Free Small blocks:  0 KB
> Free Ordinary blocks:   44584 KB
> Total in use:  106269 KB 71%
> Total free: 44584 KB 30%
> 
> Thanks in advance.
> 
> Fernando Ampugnani
> EDS Argentina - Software, Storage & Network
> Global Operation Solution Delivery
> Tel: 5411 4704 3428
> Mail: [EMAIL PROTECTED]

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


Re: [squid-users] hotmail problem

2003-03-26 Thread Patrick Kwan

may be the following info. help. (from squid FAQ)

11.16 ``Hot Mail'' complains about: Intrusion Logged. Access denied.
``Hot Mail'' is proxy-unfriendly and requires all requests to come from
the same IP address. You can fix this by adding to your squid.conf:

hierarchy_stoplist hotmail.com


Patrick


> Hi ,
> I am posting this qtn again as I did not get any reply..pls. help me..I
> have a strange problem with HOTMAIL. The page says DONE before it fully
> loads the page with No Display. I am using squid 2.5 stable 1 . I think
> the squid is sending Finish too fast, before actually loading the page.
> I am facing this problem only with hotmail . Allowed connections to 443
> (https) also in the config as hotmail requires it...but still no
> luck..ANy pointers ?
>
> Regards,
> Raja.





[squid-users] using pam_radius module with squid

2003-03-26 Thread Alex Sharaz
Hi all,
I've been running squid configured to use pam_auth for a while now in 
conjunction with an ldap authentication (pam) module which works fine.

For local reasons I'd like the pam auth procedure to also authenticate 
against a radius server I've got.

So 

I downloaded and compiled a pam_radius_auth module version 1.3.15 from 
ftp.freeradius.org and replaced my /etc/pam.d/squid file with one 
containing
auth sufficient /lib/security/pam_radius_auth.so debug

Connecting to my squid server from a browser gives me a login dialog box. I 
type in a test userid and password
and I can see the radius server saying they are valid - but the cache keeps 
passing me back a prompt to enter my uid and password

Is anyone else running a pam based radius authentication module against 
squid?
alex



RE: [squid-users] how to install ldap_auth program?

2003-03-26 Thread Cecile Leyman
Hi,

./configure --prefix=* --mandir=* --enable-ldap --enable-auth-ldap --with-ldap

You have a help file in the source directory.

Regards,

Cecile.

-Original Message-
From: Dvd [mailto:[EMAIL PROTECTED]
Sent: mercredi 26 mars 2003 14:24
To: [EMAIL PROTECTED]
Subject: [squid-users] how to install ldap_auth program?


i'm sorry for my trivial question. I installed squid-2.5-STABLE2 but i
can't find the ldap_auth program. where is it?

thanx



Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Richard Barrett
At 11:51 26/03/2003, Brett Lymn wrote:
On Wed, Mar 26, 2003 at 11:19:06AM +, Richard Barrett wrote:
>
> And which particular branch of the secret police are you commissioning this
> system for?
>

Probably the ones that pay for the infrastructure that the people are
using - it is called reporting and, it can, save your arse by
providing hard facts to your boss that you are NOT surfing the web all
day - just that he/she happens by when you are surfing.  If you want
the feeling of some (transitory) privacy then surf on your own time
and infrastructure but don't think for a minute that cannot be tracked
either.
--
Brett Lymn


You missed the point entirely.

I have no problem with employers, governments and ISPs publishing rules 
and policing them.

For instance, I see no problem with an employer publishing a network use 
policy to its staff, checking that it is adhered to, and taking action if 
it is not. I have no problem with the use of an overt proxy server's logs 
to investigate possible abuses of network use policy. By overt, I mean that 
the user of it is aware of its existence and its purpose. Hell, you can 
use the logs to bill your staff for private use of your network if you want 
to make that a condition of their service.

My objection is to the use of transparent proxying for secretly monitoring 
user behaviour which is what the original poster was suggesting. I regard 
this as fundamentally dishonest, underhand and an abuse of civil liberties, 
which only the supporters of the secret police can see as justifiable. I am 
not so naive as to think that this sort of abuse does not go on but abuse 
is still abuse. In my opinion it should be challenged when encountered.
 



[squid-users] Authentication not working exactly as desired

2003-03-26 Thread Claudio Alonso
Hi,
We are testing a squid 2.5 STABLE1 (non transparent, with NTLM auth and 
Basic auth; both, in that order) on a Sun Ultra 5 (with Solaris 8).
The basic authentication was included for users who are accessing the web 
from a Linux box or from any machine not logged in the WinNT domain. But the 
users logged in the domain shouldn't be asked for their username and 
password (they should use NTLM auth).
Usually it works fine, but from time to time, users who are logged in the 
domain are asked to provide their login information.
Why might this be happening? And how could this be avoided? I already 
increased the children parameter from 5 to 15 (and currently we have only 14 
users using this proxy).

Here is part of my squid.conf file:

...
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
...
acl internet-group external wbinfo_group InternetSquid
...
http_access allow internet-group
...
http_access deny all
...
Thanks in advance,

--Claudio






Re: [squid-users] Service down.

2003-03-26 Thread Roberto Barbieri
Hi,

which OS are you using?

If you're using linux and your /var/log partition's filesystem
is ext2 or ext3, the problem is that these filesystems
by default don't support files larger than 2gb.

To solve this problem you should reformat your
/var/log partition  (with mkfs), specifying a higher limit.

This is not a squid problem but a filesystem limit.

Another solution is to use a software like logrotate
to rotate the logs when they grow to more than 1.5gb


ciao
Roberto


- Original Message -
From: "Ampugnani, Fernando" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 4:04 PM
Subject: [squid-users] Service down.


Hi all,
My access.log had 2.0 Gb more or less and squid shut down alone. The
question is, support squid an access.log as big as 2.0 gb or more?.
I have 3.6 gb in the log ´s file system.
I send the cache.log error of that moment.


2003/03/26 11:10:35|   Took 2.9 seconds (56618.3 entries/sec).
FATAL: logfileWrite: /usr/local/squid/logs/access.log: (0) Success

Squid Cache (Version 2.4.STABLE4): Terminated abnormally.
CPU Usage: 141873.640 seconds = 53158.470 user + 88715.170 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 360775
Memory usage for squid via mallinfo():
total space in arena:  150678 KB
Ordinary blocks:   106093 KB   9375 blks
Small blocks:   0 KB  0 blks
Holding blocks:   176 KB  1 blks
Free Small blocks:  0 KB
Free Ordinary blocks:   44584 KB
Total in use:  106269 KB 71%
Total free: 44584 KB 30%

Thanks in advance.

Fernando Ampugnani
EDS Argentina - Software, Storage & Network
Global Operation Solution Delivery
Tel: 5411 4704 3428
Mail: [EMAIL PROTECTED]




[squid-users] 2.5-stable1: mbuf clusters on fBSD

2003-03-26 Thread Dave Raven
Hi all,
Having some serious troubles with a client's squid box,
it's running on FreeBSD-4.7-RELEASE-p9; and I've
just installed the squid through ports, -STABLE1 +
all the patches in ports Makefile.

26229/26624/133120 mbufs in use (current/peak/max):
23620 mbufs allocated to data
2609 mbufs allocated to packet headers
23367/23478/33280 mbuf clusters in use (current/peak/max)
53612 Kbytes allocated to network (11% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines


That's the output I am currently getting from netstat -mb; as you
can see the mbuf cluster usage is EXTREMELY high, considering
this box is on a 256k link with +/- 50 users. Not high load at all.

When I reboot the box the mbuf clusters value is obviously reset
to 0; but from there it steadily rises as the cache is used, and continues
to rise until reaching 33280 (an enormous value for mbuf clusters). I've
pushed this value up throughout the day, and am certain that something
is wrong. What could be causing squid to chew through these mbuf
clusters at a constant rate until it's completely used? The value does drop
a little now and then, like from 23367 to 23365, then continues to rise.

What can I do to find out what's causing the usage? Or how can I halt it?
I've checked most of the mailing lists and people are just having problems
because they don't have enough mbuf clusters, I have far too many, a
usual box like this uses less than 5000 in my experience.

Any help will be much appreciated

Thanks
Dave





RE: [squid-users] how to install ldap_auth program?

2003-03-26 Thread Cecile Leyman
Davide,

If you use OpenLDAP 2.x, don't forget to enable ldapv2 in your slapd.conf
(You must build it with --enable-referrals and add "allow bindv2" in your
slapd.conf after your rights rules).
By default, openldap 2.x uses ldapv3 protocol to communicate and squid uses
ldapv2...

Regards,

Cecile.

-Original Message-
From: Dvd [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 March 2003 17:10
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] how to install ldap_auth program?


thank you so much!

Davide


Cecile Leyman wrote:
> Hi,
>
>
> ./configure --prefix=* --mandir=* --enable-ldap --enable-auth-ldap --with-ldap
>
> You have a help file in the source directory.
>
> Regards,
>
> Cecile.
>
> -Original Message-
> From: Dvd [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 26 March 2003 14:24
> To: [EMAIL PROTECTED]
> Subject: [squid-users] how to install ldap_auth program?
>
>
> i'm sorry for my trivial question. I installed squid-2.5-STABLE2 but i
> can't find the ldap_auth program. where is it?
>
> thanx
>
>
>



Re: [squid-users] ssl between squid accellerators

2003-03-26 Thread mlister
I'll have to agree, I am lost in how to configure this and then determine
that it is truly speaking ssl.  I'm adding cache_peer configuration(s) and
not seeing anything break or change.  I want to see in the end result that
SSL is  the only option and no other communication is allowed.  I have set up
the servers where SQUID2 accelerates the webserver then SQUID1 accelerates
SQUID2.  Maybe I shouldn't be doing a "double acceleration" where I am
using SSL between the client and two SQUID servers only and not the
webserver.  I dunno.

Anyways I will compile Squid-3 and start working with it, but I am curious
if you (Henrik, or any of the listers) have any sample configuration files
or could give me cache_peer directive examples to where I have something to
mold.

client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver

- Original Message -
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "mlister" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 12:09 PM
Subject: Re: [squid-users] ssl between squid accellerators


> On Tue 2003-03-25 at 16:09, mlister wrote:
> > I have been poking around in the FAQs and whitepapers trying to find how I
> > can configure one squid accel. server to speak SSL to another.  I have the
> > SSL patch installed and both accelerators are configured as SSL servers
> > using identical certs.
> > I am not sure if I should be trying to configure some kind of peer or what.
> > cache_peer looks like it's in the general direction but looks more for a
> > proxy.
>
> See the cache_peer directive in your patched Squid, or have a redirector
> rewrite the requested URLs to https://
>
> This kind of thing will be a lot easier in Squid-3 with its new
> accelerator support.
>
> Regards
> Henrik
>
> --
> Henrik Nordstrom <[EMAIL PROTECTED]>
> MARA Systems AB, Sweden
>



[squid-users] Configuration question

2003-03-26 Thread Aaron Stromas
Hello,

This is my first time using Squid, and I must be making a newbie error, yet
I haven't found it mentioned in the FAQ or archives. I hope, somebody can
tell me what is wrong. I built Squid 2.5 STABLE 2 on Red Hat Linux 7.3.
Proxy is listening on port 4443 and should proxy ports 80 and 443 to host
164.95.119.70, but it doesn't. This is what the cache log shows:

commBind: Cannot bind socket FD 15 to 164.95.119.70:0: (99) Cannot assign
requested address

It appears to me it can't bind the socket to the local port, yet from the
proxy host I can telnet to port 80 and 443 on 164.95.119.70. Any hints? TIA,

-a

-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France





Re: Re: [squid-users] Squid as SSL ReverseProxy - SSL Gatewayor however you wanna call it

2003-03-26 Thread Henrik Nordstrom
The 2.5 version of the ssl update patch is currently for 2.5.STABLE2.

None of the development patches are included in 2.5.STABLE2, only the
bugfixes listed on http://www.squid-cache.org/Versions/v2/2.5/bugs/

Regards
Henrik


On Wed 2003-03-26 at 15:46, [EMAIL PROTECTED] wrote:
> Hi!
> Thanks so far, I couldn't apply the ssl_update to 2.5 Stable1 but I used
> Squid 2.5 Stable2 cause somewhere
> it said that all Patches for Stable1 are included there!
> After the installation I included a little rewrite cgi into the squid.conf
> which rewrites the incoming request like :
> https://localserver  into  https://192.168.1.1 but I still get the error
> message Bad Request ...
> What am I doing wrong?
> Is there a usable version of Squid 3 out yet?
> 
> Thanks again for your support
> greetz
> Sebastian Nell
> 
> 
> 
> 
> 
> 
> Henrik Nordstrom <[EMAIL PROTECTED]> on 26.03.2003 12:42:46
> 
> To:[EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] Squid as SSL ReverseProxy - SSL Gateway or
>however you wanna call it
> 
> 
> Squid-2.5 does not support this out of the box.
> 
> With the SSL update patch for Squid-2.5 it gets somewhat possible by
> defining the internal server as a ssl enabled cache_peer (works with
> most web servers) or using a redirector to rewrite the accelerated URLs
> into https://... (works with all web servers)
> 
> 
> Squid-3 will support such configuration directly, and is significantly
> easier to configure than Squid-2.5 + ssl_update.
> 
> 
> In both cases the https:// request is proxied by Squid, meaning that
> there is one SSL tunnel between the client and Squid, and another SSL
> tunnel between Squid and the web server, with Squid decrypting and then
> re-encrypting the traffic in the middle.
> 
> If what you want is a SSL tunnel between the client and the internal
> server then you need to use a tcp plug or port forwarding.
> 
> Regards
> Henrik
> 
> 
> On Wed 2003-03-26 at 09:58, [EMAIL PROTECTED] wrote:
> > Hi!
> >
> > I have been reading through this mailing list quite a while and have
> > stumbled over a lot of
> > Posts concerning  Squid and SSL but not an answer to what I really need.
> > What I need is a SSL Connection on both sides of Squid
> >
> > Client < -SSL > Squid < - SSL - > Internal Server
> >
> > I know that this question has been asked quite often and there were people
> > who said it works, some said it doesn't, but there has never been a "real"
> > answer or an example
> > concerning whether it is possible or not!
> >
> > My Squid.conf looks like this (using Squid 2.5 stable1):
> >
> > http_port 172.16.3.131:80
> > https_port 172.16.3.131:443 cert=squid_cert.pem  key=squid_key.pem
> > ...
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl allowed_hosts src 192.168.1.1/255.255.255.0
> > acl SSL_ports port 443 563
> > ...
> > acl CONNECT method CONNECT
> > ...
> > redirect_rewrites_host_header off
> >
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow allowed_hosts
> > http_access deny all
> > http_access allow CONNECT !SSL_ports
> > http_access allow CONNECT
> > ...
> > acl our_networks src 192.168.1.0/24 192.168.4.0/24
> > http_access allow our_networks
> > http_reply_access allow all
> > ...
> > httpd_accel_port 443
> > httpd_accel_host virtual
> > httpd_accel_single_host off
> > httpd_accel_with_proxy off
> > httpd_accel_uses_host_header on
> > 
> >
> > And at my /etc/hosts I added an entry
> >
> > 192.168.1.10   localserver
> >
> > When I try to access localserver through Squid and https I get the error
> > Message
> > "Error- Bad Request This web server is running in SSL mode. Try the URL
> > https:://pc352:443/ instead."
> >
> > pc352 is the computer name of localserver.
> >
> > How do I get SSL to work from Squid to the localserver?
> >
> > I would be more than thankful if someone could help me out on this one!
> >
> > THX
> >
> > Sebastian
> >
> > ***
> > Beratungsgesellschaft
> > Software Systemplanung AG
> > Geschäftssitz Mainz
> > Niederlassung Rhein/Main
> > Robert-Koch-Straße 41
> > 55129 Mainz
> > Phone:  06131 914-0 (-166), Fax -400
> > E-Mail: [EMAIL PROTECTED]
> > web: www.bgs-ag.de
> > 
> --
> Henrik Nordstrom <[EMAIL PROTECTED]>
> MARA Systems AB, Sweden
> 
> 
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



[squid-users] - Download Issues

2003-03-26 Thread Simon Magee
Hi,

I am having what may be a silly problem with Squid, when my users try
and download PDF files from the net they get a message saying they are
not authorised to view the page.

Is there something in the squid.conf file which needs setting to allow
my users to download PDFs?

(Apologies if this is a stupid question)

Thanks in advance.

Simon.





Re: [squid-users] Logging of denied sites and setting up acl

2003-03-26 Thread Gary Hostetler

I'm trying to use my blocklist.txt

Here is my squid.conf

acl gator dstdomain www.gator.com gatorcme.gator.com


  http_access deny gator
  acl to_block dstdomain "/usr/local/squid/blocklist.txt"

  http_access allow all

  acl INSIDE dstdomain wwwproxy.k12.de.us
  always_direct allow INSIDE
  never_direct allow all

My blocklist.txt is

doubleclick.net

cometsystems.com

ad.trafficmp.com

gator.com

www.sexy-ksenia.maxhosted.com

vampirella.com

candystand.com

shockwave.com

media.popuptraffic.com

miniclip.com


Any ideas why it doesn't work. I know it is supposed to be one line per
entry but I thought it would just skip the blank lines.

Thanks
Gary

I have had squid up for about a week and it is great.




>> list into squid.conf after I put the names one after another with a
>> space in between.
> 
> Better to put them in a separate file if the list is long.
> 
> acl to_block dstdomain "/path/to/blocklist.txt"
> and blocklist.txt contains a list of domains to block, one per line.
> Lines starting with a # is ignored and assumed to be comments.
> 
> Regards
> Henrik
> 
> 



[squid-users] non-caching objects still use FD mechanism?

2003-03-26 Thread Adam
Simple question:  does everything get recorded by the Process
Filedescriptor's Allocation menu, including no_cache items?  I have .tar
files set to no_cache and they still register in this menu item.  One
responder said that maybe the FD mechanism is used for all objects but I'd
like confirmation from people who don't quote an entire post and then add
one line - besides that seems very counter intuitive.

Second simple question: What are the meaning of the Nwrite and Nread columns
and the * next to some entries in the "Process Filedescriptor's Allocation
menu" - I looked in the source for cachemgr.cgi and comm_select and online
but found no good explanation.  At first we thought it was bytes but the
ratio is actually about 1.6 actual bytes to every *Nwrite or *Nread unit.

thanks,

Adam



[squid-users] system performance and memory question

2003-03-26 Thread Pat Lendon
Hello All,

Enclosed is a chart mapping our squid 2-5.1 memory usage. The squid 
memory continues to grow and grow.  It appears that when squid is 
shutdown and then restarted, memory returns to zero and then steadily 
grows and grows.  Memory continues to grow until squid is shutdown at 
some point.

We are using Redhat Linux OS.  System has 1 gig of memory.   Cache 
Manager and top command show squid memory at steady 5%.   I've read 
squid faq 8.11 "How much memory do I need in my squid server?" 

cache_dir ufs /d1/squid_cache 2048 16 256
/d1 resides on separate file system (18gig of disk, with 7 gig 
available).   Squid cache is configured to use 2 gig.
10 MB of ram per GB of total cache_dirs would be 20MB
cache_mem 8 MB
Plus cache_mem setting is 8 MB.  Plus additional 20MB does calculate to 
the 5% (50 meg) of the 1 gig of memory system contains.  System appears 
to have enough memory. 

Looking at chart enclosed, is it normal for squid memory usage to grow 
and grow?
What causes this? 

Furthermore - I'm also seeing slight delays on system (system is 
momentarily slow). System has two AMD Athlon(TM) MP 1800+ processors 
cpu MHz 1533.431.   When system seems delayed we run top and cpu's are 
not even at 50%,  memory looks fine.  The only thing we've noticed is 
load average increases from 0.85% to 5%. I've always kept default of 
cache_dir ufs, do I need to configure aufs or other?   I'm not even sure 
if squid is cause of random system slow/delay moments.  

Any ideas/suggestions much appreciated.   Thank you!



[squid-users] Told squid to not cache, but it still is

2003-03-26 Thread Adam Kennedy
I have the following in my config file:

acl oursite dstdomain niesc.k12.in.us
no_cache deny oursite
But Squid still cache's niesc.k12.in.us. Did I miss the syntax somewhere?

Squid 2.5Stable1
Linux 2.4.20ac2 w/glibc 2.2.5
Mozilla 1.2.1, 1.3, Netscape 6.2, 7.0, IE 5.5sp2, 6.0sp1
--

| Northern Indiana Educational Services Center |

| Adam Kennedy - [EMAIL PROTECTED]  |
| Certified Linux Administrator - Master Level |
| Phone: (574) 254-0111 x113   |
| Fax: (574) 254-0148  |



[squid-users] memory question and system performance

2003-03-26 Thread Pat Lendon
Hello All,

Enclosed is a chart mapping our squid 2-5.1 memory usage. The squid 
memory continues to grow and grow.  It appears that when squid is 
shutdown and then restarted, memory returns to zero and then steadily 
grows and grows.  Memory will continue to grow until squid is shutdown 
at some point.

We are using Redhat Linux OS.  System has 1 gig of memory.   Cache 
Manager and top command show squid memory at 5%.
I've read squid faq 8.11 "How much memory do I need in my squid server?"
cache_dir ufs /d1/squid_cache 2048 16 256
/d1 resides on separate file system (18gig of disk, with 7 gig 
available). Squid cache is configured to use 2 gig.
10 MB of ram per 2 GB of total cache_dirs would be 20MB
cache_mem 8 MB
Plus additional/extra 20MB does calculate to the 5% (50 meg) of the 1 
gig of memory system contains.  System appears to have enough memory.

Looking at chart enclosed, is it normal for squid memory usage to grow 
and grow?
What causes this?

Furthermore - I'm also seeing slight delays on system.  System has two 
AMD Athlon(TM) MP 1800+ processors cpu MHz 1533.431.   When system seems 
delayed we run top and cpu's are not even at 50%,  memory looks fine.  
The only thing we've noticed is load average increases from 0.85% to 
5%. I've always kept default of cache_dir ufs, do I need to configure 
aufs or other?   I'm not even sure if squid is cause of random system 
slow/delay moments. 
Any ideas/suggestions much appreciated.   Thank you!






[squid-users] zero sized reply

2003-03-26 Thread jschmidt
I think I have thoroughly checked this out, and am stuck with this problem.
Hotmail is not working for me through squid.  I go to www.hotmail.com, get
redirected to the login page, I login and then in IE get the following error:

"While trying to retrieve the URL: 
http://lw10fd.law10.hotmail.msn.com/cgi-bin/hmhome? 
The following error was encountered: 
Zero Sized Reply 
Squid did not receive any data for this request."

This has also happened while logged into Autodesk's website in the support
forums, and while logged into the Dell website trying to download drivers.
Otherwise squid is working perfectly.

This is my access.log at the time of one of these requests with debug set
to 33,2

1048709468.088      1 frishackv.buhler.com TCP_DENIED/407 1676 GET http://www.hotmail.com/ - NONE/- text/html
1048709468.108      6 frishackv.buhler.com TCP_DENIED/407 1770 GET http://www.hotmail.com/ - NONE/- text/html
1048709468.425    317 frishackv.buhler.com TCP_MISS/302 226 GET http://www.hotmail.com/ buhler\jamie DIRECT/64.4.43.7 -
1048709468.437      3 frishackv.buhler.com TCP_DENIED/407 1760 GET http://lc1.law13.hotmail.passport.com/cgi-bin/login - NONE/- text/html
1048709468.454      3 frishackv.buhler.com TCP_DENIED/407 1854 GET http://lc1.law13.hotmail.passport.com/cgi-bin/login - NONE/- text/html
1048709469.052    598 frishackv.buhler.com TCP_MISS/302 525 GET http://lc1.law13.hotmail.passport.com/cgi-bin/login buhler\jamie DIRECT/64.4.43.7 text/html
1048709469.064      3 frishackv.buhler.com TCP_DENIED/407 1670 GET http://ld.cb.msn.com/ - NONE/- text/html
1048709469.080      3 frishackv.buhler.com TCP_DENIED/407 1764 GET http://ld.cb.msn.com/ - NONE/- text/html
1048709469.287    198 frishackv.buhler.com TCP_MISS/302 675 GET http://ld.cb.msn.com/ buhler\jamie DIRECT/207.68.172.239 text/html
1048709469.533    245 frishackv.buhler.com TCP_MISS/200 1419 GET http://loginnet.passport.com/login.srf? buhler\jamie DIRECT/65.54.226.254 text/html
1048709471.004      2 frishackv.buhler.com TCP_DENIED/407 1730 GET http://login.passport.net/1033/L/PPIE.css - NONE/- text/html
1048709471.019      2 frishackv.buhler.com TCP_DENIED/407 1824 GET http://login.passport.net/1033/L/PPIE.css - NONE/- text/html
1048709471.030     10 frishackv.buhler.com TCP_HIT/200 3974 GET http://login.passport.net/1033/L/PPIE.css buhler\jamie NONE/- text/css
1048709471.247    217 frishackv.buhler.com TCP_MISS/404 258 GET http://cb.msn.com/passport/cbhm_js.ashx? buhler\jamie DIRECT/207.68.171.234 -
1048709471.271      5 frishackv.buhler.com TCP_DENIED/407 1763 GET http://www.passportimages.com/logo_msnhmr_468x60.gif - NONE/- text/html
1048709471.287      6 frishackv.buhler.com TCP_DENIED/407 1763 GET http://www.passportimages.com/1033/dotnetlogoBIG.gif - NONE/- text/html
1048709471.291      3 frishackv.buhler.com TCP_DENIED/407 1857 GET http://www.passportimages.com/logo_msnhmr_468x60.gif - NONE/- text/html
1048709471.314   1221 frishackv.buhler.com TCP_MISS/200 15652 POST http://login.passport.net/uilogin.srf? buhler\jamie DIRECT/65.54.225.244 text/html
1048709471.314      6 frishackv.buhler.com TCP_DENIED/407 1857 GET http://www.passportimages.com/1033/dotnetlogoBIG.gif - NONE/- text/html
1048709471.484    236 frishackv.buhler.com TCP_MISS/200 366 GET http://login.passport.net/images/T.gif buhler\jamie DIRECT/65.54.229.254 image/gif
1048709471.518    226 frishackv.buhler.com TCP_MISS/200 2257 GET http://www.passportimages.com/logo_msnhmr_468x60.gif buhler\jamie DIRECT/207.68.183.190 image/gif
1048709471.539    209 frishackv.buhler.com TCP_MISS/200 2184 GET http://www.passportimages.com/1033/dotnetlogoBIG.gif buhler\jamie DIRECT/207.68.183.190 image/gif
1048709471.548    227 frishackv.buhler.com TCP_MISS/200 368 GET http://login.passport.net/images/yellow.gif buhler\jamie DIRECT/65.54.229.246 image/gif
1048709478.124      2 frishackv.buhler.com TCP_DENIED/407 1673 CONNECT login.passport.com:443 - NONE/- text/html
1048709478.139      2 frishackv.buhler.com TCP_DENIED/407 1767 CONNECT login.passport.com:443 - NONE/- text/html
1048709478.616    476 frishackv.buhler.com TCP_MISS/200 1889 CONNECT login.passport.com:443 buhler\jamie DIRECT/65.54.230.240 -
1048709478.628      2 frishackv.buhler.com TCP_DENIED/407 1682 CONNECT loginnet.passport.com:443 - NONE/- text/html
1048709478.643      2 frishackv.buhler.com TCP_DENIED/407 1776 CONNECT loginnet.passport.com:443 - NONE/- text/html
1048709479.146    503 frishackv.buhler.com TCP_MISS/200 2851 CONNECT loginnet.passport.com:443 buhler\jamie DIRECT/65.54.226.247 -
1048709495.125  15927 frishackv.buhler.com TCP_MISS/503 1332 GET http://www.hotmail.msn.com/cgi-bin/sbox? buhler\jamie DIRECT/64.4.52.7 text/html

Looked at FAQ section 11.16 ``Hot Mail'' complains about: Intrusion 
Logged. Access denied. 
``Hot Mail'' is proxy-unfriendly and requires all requests to come from 
the same IP address. You can fix this by adding to your squid.conf: 

hierarchy_sto

Re: [squid-users] system performance and memory question

2003-03-26 Thread Robert Collins
On Thu, 2003-03-27 at 06:57, Pat Lendon wrote:

> cache_dir ufs /d1/squid_cache 2048 16 256
> ...

> Furthermore - I'm also seeing slight delays on system (system is 
> momentarily slow). System has two AMD Athlon(TM) MP 1800+ processors 
> cpu MHz 1533.431.   When system seems delayed we run top and cpu's are 
> not even at 50%,  memory looks fine.  The only thing we've noticed is 
> load average increases from 0.85% to 5%. I've always kept default of 
> cache_dir ufs, do I need to configure aufs or other?   I'm not even sure 
> if squid is cause of random system slow/delay moments.  

ufs is the lowest performing cache dir - it will show the symptoms of
slowness you have described. aufs (if you upgrade to 2.5 stable 2) or
diskd will be better.

As for the memory - no idea. I don't recall any memory leaks in
2.5stable1. I'd upgrade to 2.5 stable 2 as a top priority though.

Rob
-- 
GPG key available at: .




Re: [squid-users] max_user_ip doesn't work properly

2003-03-26 Thread Robert Collins
On Thu, 2003-03-27 at 00:09, Alexander Kiselev wrote:
> Hi all.
> 
> on Squid2.5.STABLE2 i found that there is a problem with "acl max_user_ip".
...
> 
> How to limit the users with "acl max_user_ip" feature not depending on
> browser they use?

The problem is that NTLM users appear like 'DOMAIN\USER', and basic
users (when you have a default domain you authenticate against) as
'USER'.

In squid
DOMAIN\USER != USER

It shouldn't be too hard to design and code a sensible approach to
manage this.

Rob
-- 
GPG key available at: .




Re: [squid-users] Authentication not working exactly as desired

2003-03-26 Thread Robert Collins
On Thu, 2003-03-27 at 03:07, Claudio Alonso wrote:
> Hi,
> We are testing a squid 2.5 STABLE1 

Upgrade to 2.5 stable 2 as the first and most probable thing.

Rob


-- 
GPG key available at: .




[squid-users] Best squid layout

2003-03-26 Thread Eduardo Bejar
Hi,

I was wondering... As there are many, many ways to configure Squid, I would
like to get ideas -from your experience- about which is the best way to
deploy squid in order to help on this task:

Mission: increase browsing speed on dial up users. Not download of files,
just plain http browsing.

Which is the best approach:

1. Configure one squid box and make squid use plenty of disk capacity,
increase object TTL, object cacheable size, and related?
2. Configure two squid boxes, one that works transparent for dial up users,
and the other that serves as parent proxy for the first one?

There are many software products that claim to increase browsing speed on
the client side, but seems the best approach is to install a proxy on each
client so most visited sites load fast, but this is not practical.

Thanks for any ideas,

Edo



Re: [squid-users] Authentification against DominoNotes LDAP

2003-03-26 Thread Henrik Nordstrom
[EMAIL PROTECTED] wrote:

> We want to create a group for all users who should have access to the
> Internet and make sure that all other users can not access the internet.
> 
> Has anyone running something like this or can tell me what must the search
> string look like?

Done such things to quite many different LDAP servers, but not
specifically Domino.

See the squid_ldap_group helper. Upgrading to 2.5.STABLE2 is recommended
as the group helper has been updated quite a bit since 2.5.STABLE1 and
is now both easier to use and better documented.

Regards
Henrik


Re: [squid-users] ldap-authentification with DominoNotes

2003-03-26 Thread Henrik Nordstrom
Should work fine.

The LDAP structure might be slightly different however, so your
arguments to the helper may need to be adjusted accordingly.

Regards
Henrik

[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> we currently have a squid 2.5Stable1 with authentification to a Netscape
> LDAP-Server running.
> 
> To make administration easier, we want to authenticate against the LDAP
> Service on our DominNotesServer (5.10).


Re: [squid-users] how to install ldap_auth program?

2003-03-26 Thread Henrik Nordstrom
See configure --help when you build Squid, or go into
helpers/basic_auth/LDAP/ and run "make install".

Regards
Henrik

Dvd wrote:
> 
> i'm sorry for my trivial question. I installed squid-2.5-STABLE2 but i
> can't find the ldap_auth program. where is it?
> 
> thanx


Re: [squid-users] max_user_ip doesn't work properly

2003-03-26 Thread Henrik Nordstrom
This is a known problem. To Squid the two users are different users, and
there is no clear way of matching them.

You also see this symptom in access.log, where the user column shows
differently.

Regards
Henrik

Alexander Kiselev wrote:
> 
> Hi all.
> 
> on Squid2.5.STABLE2 i found that there is a problem with "acl max_user_ip".
> I use this feature to limit users to use Internet from one PC only in the
> same time. It works fine only in case if the same authentication method is
> using on both PCs, i.e. NTLM (if users on both PCs use IExplorer) or Basic
> (if they use any others browsers).
> 
> My configuration (a part of "squid.conf" file):
> 
> # All users must log in
> acl authenticated proxy_auth REQUIRED
> http_access deny !authenticated
> deny_info ERR_AUTH_FAILED authenticated
> 
> # No users may share their login/password with others
> acl MaxIP max_user_ip -s 1
> http_access deny MaxIP
> deny_info ERR_MAX_USER_IP MaxIP
> 
> # vip_users allowed always
> acl vip_users proxy_auth "/path/to/vip_users"
> http_access allow vip_users
> 
> How to limit the users with "acl max_user_ip" feature not depending on
> browser they use?
> 
> Thanks.
> 
> --
> Cheers,
> Alex
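
The mismatch described in this thread (NTLM logins recorded as DOMAIN\USER, Basic logins as USER) can still be spotted after the fact in access.log. The following is an added example, not part of the original messages and not Squid code: it folds both spellings into one key and reports accounts active from more than one client address within a time window. The log lines, the EXAMPLE domain, the 60-second window, the function names and the case-insensitive handling of account names are all constructed assumptions.

```python
# Added example (not Squid code): find accounts used from several client
# addresses at once when NTLM and Basic logins are logged under different names.

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code size method URL user hierarchy type
SAMPLE_LOG = r"""
1048700000.100    210 192.0.2.11 TCP_DENIED/407 1676 GET http://www.example.com/ - NONE/- text/html
1048700000.350    180 192.0.2.11 TCP_MISS/200 4120 GET http://www.example.com/ EXAMPLE\alice DIRECT/198.51.100.7 text/html
1048700010.500    150 192.0.2.12 TCP_MISS/200 980 GET http://www.example.com/a.css alice DIRECT/198.51.100.7 text/css
1048700020.000    120 192.0.2.13 TCP_MISS/200 700 GET http://www.example.com/ EXAMPLE\bob DIRECT/198.51.100.7 text/html
1048700300.000    120 192.0.2.14 TCP_MISS/200 700 GET http://www.example.com/ bob DIRECT/198.51.100.7 text/html
""".strip()


def canonical_user(name, default_domain):
    """Map 'DOMAIN\\user' and 'user' to one key when DOMAIN is the default.

    Assumption: Basic-auth users authenticate against default_domain and
    account names are case-insensitive. Users of other domains stay qualified.
    """
    domain, sep, account = name.rpartition("\\")
    if sep and domain.lower() != default_domain.lower():
        return domain.lower() + "\\" + account.lower()
    return account.lower()


def shared_logins(log_lines, default_domain, max_ips=1, ttl=60.0,
                  canonicalize=True):
    """Return {user: [client addresses]} for users seen from more than
    max_ips clients within ttl seconds of each other."""
    last_seen = {}   # user -> {client address: timestamp of last request}
    flagged = {}     # user -> set of client addresses active together
    for line in log_lines:
        fields = line.split()
        if len(fields) < 10:
            continue                      # not a complete native log entry
        timestamp, client, user = float(fields[0]), fields[2], fields[7]
        if user == "-":
            continue                      # unauthenticated request (e.g. 407)
        if canonicalize:
            user = canonical_user(user, default_domain)
        seen = last_seen.setdefault(user, {})
        seen[client] = timestamp
        # Clients that made a request as this user within the last ttl seconds.
        active = {c for c, t in seen.items() if timestamp - t <= ttl}
        if len(active) > max_ips:
            flagged.setdefault(user, set()).update(active)
    return {user: sorted(clients) for user, clients in flagged.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Raw names: EXAMPLE\alice and alice are counted as two different users.
    print("raw names:      ", shared_logins(lines, "EXAMPLE", canonicalize=False))
    # Canonical names: alice is seen on two addresses ten seconds apart.
    print("canonical names:", shared_logins(lines, "EXAMPLE"))
```

With the raw names nothing is reported, which is the behaviour the thread describes; bob is not reported in either mode because his two sessions are further apart than the window.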


Re: [squid-users] From where cachemge.cgi will take statistics data.........?

2003-03-26 Thread Henrik Nordstrom
atit jariwala wrote:
> 
> I am using Squid 2.5 STABLE 1,
> i am using cachemgr.cgi for squid performance monitoring
> I want to know how this script is generated?
> 
> This script is using various statistics information (e.g svc_time , disk io
> etc)
> i want to how these data comes to script

cachemgr.cgi makes a http request to Squid and then converts the tabular
data returned into HTML. See access.log when using cachemgr.

Regards
Henrik


Re: [squid-users] Squid 2.5S1 mutilating https request

2003-03-26 Thread Henrik Nordstrom
Deac Nkisetlein wrote:

> Squids error log shows up:
> 
> xx.xx.xx.xx - - [26/Mar/2003:12:58:38 +0100] "CONNECT sourceforge.com:443
> HTTP/1.0" 407 1442 TCP_DENIED:NONE
> xx.xx.xx.xx - - [26/Mar/2003:12:58:39 +0100] "GET / HTTP/0.0" 400 1571
> NONE:NONE
> 
> I tested MS-IE 6.0 so far. Netscape 4.7 does not show up these errors.


This is a browser bug. Not much Squid can do about it I think.

Squid told your browser that authentication is required.

Your browser then forgot it is using a proxy or even SSL and forwarded
the request as a plain HTTP request trying to use Squid as a http web
server, instead of requesting a SSL tunnel to the intended web server.

Probably related to the generic basic auth bug in IE6, but I do not know
for sure.

Try experimenting with the following options in your browsers Internet
options:

  * Show user friendly HTTP error messages
  * Use HTTP/1.1 via proxies
  * Use HTTP/1.1

Maybe there is a setting where IE6 do work..


You might also want to try with and without the authentication hotfix
from Microsoft..


Regards
Henrik


Re: [squid-users] HTML Codes?

2003-03-26 Thread Henrik Nordstrom
It can be discussed if 503 is the correct error code for this case, but
it is a close match. Squid has to return a 5xx class of error in this
case, and there is not that many to select from..

410 is not allowed, as Squid has no means of knowing that the domain is
permanently gone, or just temporarily not published.

404 may be applicable, but it is a thin line as the request is correctly
composed and the error only occurs because Squid as a proxy could not
find any knowledge on where to forward the request. Also risk returning
false negatives in case of temporary DNS failures etc.

So to be on the safe side Squid uses 503 when the request could be
correctly processed but no server where to forward the request could be
found for whatever reason this is, and 504 when forwarding of the
request times out. A more detailed description of the actual error is
contained in the returned message.

Regards
Henrik



Lee Bailey wrote:

> I understand why the error was generated. The DNS entry for this site
> no longer exists, as stated. But it appears that the HTML error code
> generated by the proxy server could be incorrect. It is recorded by my
> link-checking software as error 503.
> 
> According to my list of HTML error codes, 503 means 'Out of Resources
> - The server cannot process the request due to a system overload. This
> should be a temporary condition.'
> 
> Since the lack of a DNS registration is neither 'out of resources'
> and probably not 'temporary', shouldn't the error code be different
> (e.g. 410 which is 'Gone - The requested resource is no longer
> available at the server and no forwarding address is known')?"
> 
> I've got 3 Squid-based proxy servers and all return a tcp_miss/503 for
> any URLs that don't exist/typos. I don't regard this as a problem but a
> query as to whether this is the correct response for this situation or
> whether the 503 definition has changed?.
> 
> Can anyone please comment, so I can give an informed response?
> 
> Many thanks,
> 
> Lee.
> 
> 
>


Re: [squid-users] how to install ldap_auth program?

2003-03-26 Thread Henrik Nordstrom
Cecile Leyman wrote:
> 
> Hi,
> 
> ./configure --prefix=* --mandir=* --enable-ldap --enable-auth-ldap --with-ld
> ap


What are all those ldap flags? Not in any Squid version I have seen?

Regards
Henrik


Re: [squid-users] Service down.

2003-03-26 Thread Henrik Nordstrom
Roberto Barbieri wrote:

> If you're using linux and your /var/log partition's filesystem
> is ext2 or ext3, the problem is that these filesystems
> by default don't supports files larger than 2gb.

Err, they do. It is the applications (or actually the application
programming interface used for file I/O) which does not.

To use files larger than 2GB on a 32bit CPU such as any X86 cpu the
application must be compiled using 64-bit file I/O. However, this mode
of operation has not been tested much in Squid and is known to have a
few gotchas as 64 bits is larger than the 32 bit long integer data type
of 32 bit CPUs which causes problems when file sizes is converted into
integers for calculations etc, so this is not enabled in Squid.

The above is true for all known UNIX like OS:es on 32bit CPUs, and all
reasonably modern ones do support large files if explicitly enabled when
compiling the application only.

Regards
Henrik


Re: [squid-users] ssl between squid accellerators

2003-03-26 Thread Henrik Nordstrom
mlister wrote:

> Anyways I will compile Squid-3 and start working with it, but I am curious
> if you (Henrik, or any of the listers) have any sample configuration files
> or could give me cache_peer directive examples to where I have something to
> mold.
> 
> client <---SSL-->SQUID1<---SSL--->SQUID2<---HTTP-->webserver


Squid-3:

SQUID1:

https_port 443 cert=... accel defaultsite=www.your.domain
cache_peer squid2 parent 443 0 ssl no-query originserver

SQUID2:

https_port 443 cert=... accel defaultsite=www.your.domain
cache_peer webserver parent 80 0 no-query originserver


Squid-2.5+ssl update:

SQUID1:

https_port 443 cert=...
httpd_accel_host www.your.domain
httpd_accel_port 80
cache_peer squid2 parent 443 0 ssl no-query
never_direct allow all

alternatively instead of using cache_peer+never_direct, use a redirector
which rewrites the requests as https://www.your.domain/ and register
www.your.domain into /etc/hosts with the address of SQUID2.

SQUID2:

https_port 443 cert=..
httpd_accel_host www.your.domain

and put www.your.domain into /etc/hosts with the address of the real web
server.




In all cases you should also configure http_access to only allow access
to www.your.domain..




Regards
Henrik


[squid-users] SquidNT Service fails to stop after error

2003-03-26 Thread Gary Price \(ICT\)
Hi
I am using squidNT.2.5STABLE1, built from source using Visual Studio. It
appears that sometimes the service does not start and stop cleanly, and I
was wondering if this was a known issue. This has happened several times in
our installation. I can reproduce it by including a bad DNS name in
dns_testnames, then starting the service manually from the SCM or the
command line. Squid.exe shows up in the process list in Task Manager but the
start operation does not finish successfully.

With a single DNS test name "nosuchdnsname.com.xx" I started the service
from the command line, and this is what I got:

[start command line]
C:\squid\sbin>net start squidnt
The SquidNT service is starting..
The SquidNT service could not be started.

More help is available by typing NET HELPMSG 3523.


C:\squid\sbin>net helpmsg 3523

The *** service could not be started.
[end command line]

I got the following in cache.log (ALL,9):

[start log]
2003/03/27 10:00:22| Starting Squid Cache version 2.5.STABLE1.NT-CVS for 
i686-pc-winnt...
2003/03/27 10:00:22| Running as SquidNT Windows System Service on Windows 2000
2003/03/27 10:00:22| Service command line is:
2003/03/27 10:00:22| Process ID 2848
2003/03/27 10:00:22| With 8192 file descriptors available
2003/03/27 10:00:22| With 512 CRT stdio descriptors available
2003/03/27 10:00:22| Windows sockets initialized
2003/03/27 10:00:22| Initializing IP Cache...
2003/03/27 10:00:22| Performing DNS Tests...
FATAL: ipcache_init: DNS name lookup tests failed.
Squid Cache (Version 2.5.STABLE1.NT-CVS): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.030 user + 0.040 sys
Maximum Resident Size: 4708 KB
Page faults with physical i/o: 1216
2003/03/27 10:00:22| Leaving Squid service
[end log]

The squid.exe process seems to stay in the task manager indefinitely after
this. It has the process ID 2848. Perhaps it is stuck in a system mutex
somewhere.

It seems to me that any abnormal termination may lead to this behaviour, and
so the ability to restart squid automatically after an exit would be
compromised.
Any help you can provide would be much appreciated.

Thanks
Gary Price
ICT



Re: [squid-users] non-caching objects still use FD mechanism?

2003-03-26 Thread Henrik Nordstrom
Adam wrote:
> 
> Simple question:  does everything get recorded by the Process
> Filedescriptor's Allocation menu, including no_cache items?

UNIX uses filedescriptors for everything, including network connections.

What this means is that a typical cache miss is as much as 3 entries in
the filedescriptor allocation menu:

1. Connection from the client
2. Cache object file
3. Connection to the upstream server

For cache hits you have 1 and maybe 2 (depends on if it was a disk or a
memory hit).

For uncacheable requests you will have 1 and 3.

Regards
Henrik


Re: [squid-users] Told squid to not cache, but it still is

2003-03-26 Thread Henrik Nordstrom
What do you get in access.log?

Regards
Henrik



Adam Kennedy wrote:
> 
> I have the following in my config file:
> 
> acl oursite dstdomain niesc.k12.in.us
> no_cache deny oursite
> 
> But Squid still cache's niesc.k12.in.us. Did I miss the syntax somewhere?
> 
> Squid 2.5Stable1
> Linux 2.4.20ac2 w/glibc 2.2.5
> Mozilla 1.2.1, 1.3, Netscape 6.2, 7.0, IE 5.5sp2, 6.0sp1
> --
> 
> | Northern Indiana Educational Services Center |
> 
> | Adam Kennedy - [EMAIL PROTECTED]  |
> | Certified Linux Administrator - Master Level |
> | Phone: (574) 254-0111 x113   |
> | Fax: (574) 254-0148  |
> 


Re: [squid-users] Configuration question

2003-03-26 Thread Henrik Nordstrom
Aaron Stromas wrote:
> 
> Hello,
> 
> This is my first time using Squid, and I must be making a newbie error, yet
> I haven't found it mentioned in the FAQ or archives. I hope, somebody can
> tell me what is wrong. I built Squid 2.5 STABLE 2 on Red Hat Linux 7.3.
> Proxy is listening on port 4443 and should proxy ports 80 and 443 to host
> 164.95.119.70, but it doesn't. This is what the cache log shows:
> 
> commBind: Cannot bind socket FD 15 to 164.95.119.70:0: (99) Cannot assign
> requested address

Hmm.. looks to me as if you have set tcp_outgoing_address to
164.95.119.70.

This directive tells Squid that it should try to use 164.95.119.70 as
source address when initiating connections to web servers and cache
peers.

Regards
Henrik


Re: [squid-users] Logging of denied sites and setting up acl

2003-03-26 Thread Henrik Nordstrom
Gary Hostetler wrote:
> 
> I'm trying to use my blocklist.txt
> 
> Here is my squid.conf
> 
> acl gator dstdomain www.gator.com gatorcme.gator.com
> 
>   http_access deny gator
>   acl to_block dstdomain "/usr/local/squid/blocklist.txt"
> 
>   http_access allow all
> 


Only defining the to_block acl is not sufficient. You also need to make
use of it in http_access to tell what Squid should do with the acl..

Regards
Henrik
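
Henrik's point, as an added example that is not part of the original thread and not Squid code: a small lint that reports ACLs defined but never referenced by an access directive, and http_access rules that sit after a catch-all rule and so can never match, since http_access rules are checked in order and the first match decides. It assumes the ACL named all matches every request (the conventional definition); AS_POSTED is taken from the configuration quoted above, while MISORDERED and CORRECTED are constructed variants.

```python
# Added example (not Squid code): lint a squid.conf fragment for
#   1. ACLs that are defined but never referenced by any allow/deny directive
#   2. http_access rules placed after a catch-all rule (first match wins,
#      so anything after "http_access allow all" is never evaluated).
# Assumption: the ACL named "all" matches every request.

AS_POSTED = """\
acl gator dstdomain www.gator.com gatorcme.gator.com
http_access deny gator
acl to_block dstdomain "/usr/local/squid/blocklist.txt"
http_access allow all
acl INSIDE dstdomain wwwproxy.k12.de.us
always_direct allow INSIDE
never_direct allow all
"""

# Constructed: the ACL is now used, but after the catch-all rule.
MISORDERED = """\
acl gator dstdomain www.gator.com gatorcme.gator.com
http_access deny gator
acl to_block dstdomain "/usr/local/squid/blocklist.txt"
http_access allow all
http_access deny to_block
"""

# Constructed: deny rules first, catch-all last.
CORRECTED = """\
acl gator dstdomain www.gator.com gatorcme.gator.com
acl to_block dstdomain "/usr/local/squid/blocklist.txt"
http_access deny gator
http_access deny to_block
http_access allow all
"""


def parse(conf_text):
    """Return (acl_defs, access_rules) for a squid.conf fragment."""
    acl_defs = {}       # ACL name -> line number of its first definition
    access_rules = []   # (line number, directive, action, [ACL tokens])
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) >= 3:
            acl_defs.setdefault(tokens[1], lineno)
        elif len(tokens) >= 3 and tokens[1] in ("allow", "deny"):
            # http_access, always_direct, no_cache, ... share this shape.
            access_rules.append((lineno, tokens[0], tokens[1], tokens[2:]))
    return acl_defs, access_rules


def lint(conf_text):
    """Return a list of (finding, line number, detail) tuples."""
    acl_defs, rules = parse(conf_text)
    findings = []

    # A leading "!" negates an ACL in a rule; it still counts as a use.
    used = {tok.lstrip("!") for _, _, _, toks in rules for tok in toks}
    for name, lineno in sorted(acl_defs.items(), key=lambda item: item[1]):
        if name not in used:
            findings.append(("unused-acl", lineno, name))

    catch_all_seen = False
    for lineno, directive, _action, toks in rules:
        if directive != "http_access":
            continue
        if catch_all_seen:
            findings.append(("unreachable-rule", lineno, " ".join(toks)))
        elif toks == ["all"]:
            catch_all_seen = True
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED),
                        ("misordered", MISORDERED),
                        ("corrected", CORRECTED)):
        print(label, lint(conf))
```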


Re: [squid-users] memory question and system performance

2003-03-26 Thread Henrik Nordstrom
Pat Lendon wrote:

> We are using Redhat Linux OS.  System has 1 gig of memory.   Cache
> Manager and top command show squid memory at 5%.
> I've read squid faq 8.11 "How much memory do I need in my squid server?"
> cache_dir ufs /d1/squid_cache 2048 16 256
> /d1 resides on separate file system (18gig of disk, with 7 gig
> available). Squid cache is configured to use 2 gig.
> 10 MB of ram per 2 GB of total cache_dirs would be 20MB
> cache_mem 8 MB
> Plus additional/extra 20MB does calculate to the 5% (50 meg) of the 1
> gig of memory system contains.  System appears to have enough memory.

The above configuration should be happy with as little as 128MB with a
standard bloated full server installation.. or as little as 64MB if the
server is stripped down to not run X or any other unneeded memory-hungry
services besides Squid..

> Looking at chart enclosed, is it normal for squid memory usage to grow
> and grow?

No. The normal is that Squid relatively quickly settles on a steady
value after it has been in use for a while, and grow a little while the
cache is being filled up.

If top says Squid is using 5% of the memory, What is it that you measure
when you measure the Squid memory usage?

> What causes this?

Good question. If it is Squid who is using this memory additional hints
may be provided by looking at the "Memory Utilization" cachemgr page.

> Furthermore - I'm also seeing slight delays on system.  System has two
> AMD Athlon(TM) MP 1800+ processors cpu MHz 1533.431.   When system seems
> delayed we run top and cpu's are not even at 50%,  memory looks fine.

Keep in mind that Squid is a single application and can only make use of
one CPU..

Regards
Henrik


RE: [squid-users] HTML Codes?

2003-03-26 Thread Lightfoot.Michael
> I understand why the error was generated. The DNS entry for this site 
> no longer exists, as stated. But it appears that the HTML error code 
> generated by the proxy server could be incorrect. It is recorded by my
> link-checking software as error 503.
> 
And in the squid access.log

> According to my list of HTML error codes, 503 means 'Out of Resources 
> - The server cannot process the request due to a system overload. This
> should be a temporary condition.'
> 
It isn't an HTML error code, it is an HTTP status code.  For all the
status codes see RFC 2616 chapter 10.  For the definition of 503 see
10.5.4 "503 Service Unavailable" (page 45 of my copy).  The status codes
are also reproduced in chapter 6 of the squid FAQ - specifically 6.8
HTTP Status Codes.







[squid-users] Filemap bits in use problem

2003-03-26 Thread Eric Lawson
I'm running 2.5.STABLE1-20030317 on a Sun Cobalt Linux box. Downloaded and installed 
it just before 2.5 stable 2 was released, doh what timing I have. Looking in 
cachemgr.cgi in the store directory stats I'm seeing something strange. Filemap bits 
in use seems excessively high compared to the % capacity used. This is a copy of the 
cachemgr.cgi screen.

Store Directory Statistics:
Store Entries  : 125975
Maximum Swap Size  : 12863488 KB
Current Store Swap Size:  1178513 KB
Current Capacity   : 9% used, 91% free

Store Directory #0 (ufs): /home/squid2/cache
FS Block Size 1024 Bytes
First level subdirectories: 16
Second level subdirectories: 256
Maximum Size: 12863488 KB
Current Size: 1178513 KB
Percent Used: 9.16%
Filemap bits in use: 125828 of 131072 (96%)
Filesystem Space in use: 1415920/17671528 KB (8%)
Filesystem Inodes in use: 134728/4621888 (3%)
Flags: SELECTED
Removal policy: lru
LRU reference age: 9.72 days

The two relevant sections in squid.conf are

cache_dir ufs /home/squid2/cache 12562.548 16 256
store_avg_object_size 9 KB

The 9k figure for the store_avg_object_size I chose from the following section of 
General Runtime Information in cachemgr.cgi

Cache information for squid:
Request Hit Ratios: 5min: 39.8%, 60min: 35.0%
Byte Hit Ratios:5min: 9.5%, 60min: 41.4%
Request Memory Hit Ratios:  5min: 1.3%, 60min: 1.2%
Request Disk Hit Ratios:5min: 19.8%, 60min: 31.2%
Storage Swap size:  1181892 KB
Storage Mem size:   19076 KB
Mean Object Size:   9.36 KB
Requests given to unlinkd:  668

According to the FAQ, the filemap bits in use should be equal to 2 * swap size / avg 
object size, so my filemaps should be 2,858,553 filemap bits, instead of the 131,072 
which is listed?

What can I do to increase the number of filemap bits in use? I don't want to see what 
will happen when it hits 100%.

Also, is there a quick and easy way to update from 2.5 stable 1, to 2.5 stable 2?

Eric




Re: [squid-users] how to install ldap_auth program?

2003-03-26 Thread Cécile Leyman

I'm sorry, I confused them with the flags of Apache.
You are right => ./configure --* --enable-auth="basic"
--enable-auth-module="ldap" or "auth_ldap"

Regards,

Cécile

Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:

> Cecile Leyman wrote:
> > 
> > Hi,
> > 
> > ./configure --prefix=* --mandir=* --enable-ldap --enable-auth-ldap --with-ldap
> 
> 
> What are all those ldap flags? Not in any Squid version I have seen?
> 
> Regards
> Henrik
> 






[squid-users] cache_peer_domain not working for https pages

2003-03-26 Thread Fernando Medina, Jr.
It works perfectly for http, directing queries of chosen domains to
specific parent server, but use https for any of the domains and it does
not send them to parent squid. The version is 2.5Stable1.

cache_peer_domain [parent proxy here] .mastercard.com .mastercard.net

if I access http://www.mastercard.com/ it goes to selected parent, if I
try https://hsm2stl101.mastercard.net/ it does not

Do I have to add something for https? thanks,

-- 
Fernando Medina, Jr.
[EMAIL PROTECTED]
Grupo Financiero Uno



[squid-users] Enable Additonal Options

2003-03-26 Thread Ben White
Hi,

I have done "./configure --prefix=/usr/local/squid
--enable-underscores" this morning.  When I use squid
-v to confirm my squid options, I found all my
previous existing options were gone. Were they
disabled ?

Should I decide to enable additional squid configure
options at later stage, how to do it without disabling
existing ones ?

Also, how to disable or remove existing options if I
decide a particular option not to be used anymore in
future ?

I can't find the answers in squid user manual and faq.
If this is documented somewhere, kindly show me the
link.

Thanks.



Re: [squid-users] Transparent proxying + LDAP authentication

2003-03-26 Thread Brett Lymn
On Wed, Mar 26, 2003 at 04:03:08PM +, Richard Barrett wrote:
> 
> You missed the point entirely.
> 

Indeed - you were a bit vague about what your objection was.

> 
> My objection is to the use of transparent proxying for secretly monitoring 
> user behaviour which is what the original poster was suggesting. I regard 
> this as fundamentally dishonest, underhand and an abuse of civil liberties, 
> which only the supporters of the secret police can see as justifiable. I am 
> not so naive as to think that this sort of abuse does not go on but abuse 
> is still abuse. In my opinion it should be challenged when encountered.
>  

Heh - my experience has been even when you are up front about the
monitoring most people seem to have no clue as to the extent you can
track their activities.  This is even when they get a
username/password dialogue box stuck in their face.

Monitoring/reporting _does_ need to be backed by clear policy on what
will be collected and who it will be disseminated to.

-- 
Brett Lymn


[squid-users] squid+wccp+cisco 3660

2003-03-26 Thread Sukhjit Singh
Dear all,


I am having some problem when working with squid and wccp and Cisco router
3660.

I have red hat Linux 8.0 with kernel version 2.4.18-14
and squid version squid-2.5.STABLE2.tar.gz

You have mentioned in our site to patch the kernel and the squid; is it
required in this case also?
Kindly tell me if it is required, and if not, how to check if wccp is active
or not.


I would really appreciate your response on this issue.







   Regards

   Sukhjit Singh





RE: [squid-users] Enable Additonal Options

2003-03-26 Thread Lightfoot.Michael
 
> I have done "./configure --prefix=/usr/local/squid 
> --enable-underscores" this morning.  When I use squid -v to 
> confirm my squid options, I found all my previous existing 
> options were gone. Were they disabled ?
> 
Each run of configure should include all the options you wish to
compile.




Michael Lightfoot
Unix Consultant
ISG Host Systems
Comcare
+61 2 62750680
Apologies for the rubbish that follows...


NOTICE: This e-mail message and attachments may contain confidential 
information. If you are not the intended recipient you should not use or 
disclose any information in the message or attachments. If received in 
error, please notify the sender by return email immediately.  Comcare 
does not waive any confidentiality or privilege.




[squid-users] squid_ldap_group problems

2003-03-26 Thread Mark
Hi
I have some problems configuring authentication of an ldap users group.
Authentication from squid_ldap_auth works fine, but if I attempt to add
authentication with group, it fails.
dn: uid=sysadmin,ou=uit,dc=rusautogaz,dc=ru
cn:: 0JrRgNC40YfQvNCw0YAg0JzQsNGA0Log0JzQuNGF0LDQudC70L7QstC40Yc=
dn: ou=uit,dc=rusautogaz,dc=ru
objectClass: top
objectClass: organizationalUnit
ou: uit
-- squid.conf --
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -P -b dc=rusautogaz,dc=ru -D cn=Manager,dc=rusautogaz,dc=ru -w password -f (&(uid=%s)(description=active)) -h 172.16.6.1:389
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -P -b dc=rusautogaz,dc=ru -f (&(uid=%v)(member=%a)(objectClass=organizationalUnit)) -h 172.16.6.1 -p 389
acl admin external ldap_group uit

http_access allow admin

-

Anybody help me




Re: [squid-users] ymessenger

2003-03-26 Thread Mr. Singh

Disable PAM authentication and I suppose it will work for you.
Singh
On 24 Mar 2003, arun wrote:

> 
>  I am using ymessenger ver .99 and its installation is OK on Linux
> Client, I have tried configuring proxy with IP/port 8080 defined for
> squid proxy ( I am using squid 2.4.Stable6 on RHL7.3 with PAM
> authentication on Server). but when I give yahoo id / password it became
> in connecting mode which never ends.
>  
>  I have also tried GAIM which while connecting gives error "unable to
>  sign on : Connection Problem"
>  
> can any body tell me what need to set in these to run ymessenger
> properly.
>  
>  Arun
>  
>  
> 
> 

-- 
Vimal P. Singh Thoudam



RE: [squid-users] hotmail problem

2003-03-26 Thread Raja R
No. I tried .. doesn't help...but I have something interesting to tell..
the same squid config works fine for hotmail when the proxy is on a dial-up
ISDN line but does not work if the proxy
is put behind a firewall with static NAT. So just wondering if I have to
allow some specific ports on the firewall to the proxy from outside for
hotmail to work. I am attaching a text file to give you all clues to see where
the problem is . This is the source of the hotmail page when it says DONE.
It clearly  shows breakage.. Everytime it breaks there..even after
refreshing (ctrl-refresh, shift-refresh, etc) ..PLS. HELP

Regards,
Raja.



-Original Message-
From: Patrick Kwan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 5:20 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] hotmail problem



Maybe the following info helps (from the squid FAQ).

11.16 ``Hot Mail'' complains about: Intrusion Logged. Access denied.
``Hot Mail'' is proxy-unfriendly and requires all requests to come from
the same IP address. You can fix this by adding to your squid.conf:

hierarchy_stoplist hotmail.com


Patrick


> Hi ,
> I am posting this qtn again as I did not get any reply..pls. help me..I
> have a strange problem with HOTMAIL. The page says DONE before it fully
> loads the page with No Display. I am using squid 2.5 stable 1 . I think
> the squid is sending Finish too fast, before actually loading the page.
> I am facing this problem only with hotmail . Allowed connections to 443
> (https) also in the config as hotmail requires it...but still no
> luck..ANy pointers ?
>
> Regards,
> Raja.














[squid-users] Installing squid with different name

2003-03-26 Thread atit jariwala
Hello squid users

I am using Squid 2.5 stable 1 on red hat linux 7.1.
I want to install squid with some other name, say "xyz".
This means
my /etc/squid/squid.conf must be /etc/xyz/xyz.conf
my squid binary name must be xyz...
etc

I went through the configuration command line options
but I have still not identified a solution.
Can anyone help me?

waiting for reply

regards
=== atit



Re: [squid-users] max_user_ip doesn't work properly

2003-03-26 Thread Alexander Kiselev
Henrik,

there is actually one user. In Netscape's password prompt I write
"domain\username" in the username field.

In the access.log there is the same user, but it comes from different
addresses.

I suppose that the NTLM and Basic helpers hold a user's caches differently,
that is why they don't see each other, but they SHOULD do that, because it is a
hole for the users to share their passwords and use different browsers
on different computers at the same time.

Any suggestions?

--
Cheers,
Alex


- Original Message -
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Alexander Kiselev" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 2:53 AM
Subject: Re: [squid-users] max_user_ip doesn't work properly


> This is a known problem. To Squid the two users are different users, and
> there is no clear way of matching them.
>
> You also see this symptom in access.log, where the user column shows
> differently.
>
> Regards
> Henrik
>
> Alexander Kiselev wrote:
> >
> > Hi all.
> >
> > on Squid2.5.STABLE2 i found that there is a problem with "acl max_user_ip".
> > I use this feature to limit users to use Internet from one PC only in the
> > same time. It works fine only in case if the same authentication method is
> > using on both PCs, i.e. NTLM (if users on both PCs use IExplorer) or Basic
> > (if they use any others browsers).
> > My configuration (a part of "squid.conf" file):
> >
> > # All users must log in
> > acl authenticated proxy_auth REQUIRED
> > http_access deny !authenticated
> > deny_info ERR_AUTH_FAILED authenticated
> >
> > # No users may share their login/password with others
> > acl MaxIP max_user_ip -s 1
> > http_access deny MaxIP
> > deny_info ERR_MAX_USER_IP MaxIP
> >
> > # vip_users allowed always
> > acl vip_users proxy_auth "/path/to/vip_users"
> > http_access allow vip_users
> >
> > How to limit the users with "acl max_user_ip" feature not depending on
> > browser they use?
> >
> > Thanks.
> >
> > --
> > Cheers,
> > Alex
>
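
An added example, not part of the original thread and not Squid code: since max_user_ip treats the NTLM and Basic identities as separate users, an after-the-fact check over access.log can fold the user column to one key and report accounts active from several client addresses. The function names, the 300-second window and the assumption that the two schemes differ only in domain prefix or letter case are illustrative; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1048723980.101 120 192.168.1.10 TCP_MISS/200 4512 GET http://example.com/ EXAMPLE\\alice DIRECT/192.0.2.10 text/html
1048723990.412 95 192.168.1.22 TCP_MISS/200 1830 GET http://example.com/a.gif example\\alice DIRECT/192.0.2.10 image/gif
1048724001.733 60 192.168.1.10 TCP_HIT/200 900 GET http://example.com/b.gif EXAMPLE\\alice NONE/- image/gif
1048724050.000 80 192.168.1.30 TCP_MISS/200 700 GET http://example.org/ bob DIRECT/192.0.2.20 text/html
1048729000.000 80 192.168.1.31 TCP_MISS/200 700 GET http://example.org/ bob DIRECT/192.0.2.20 text/html
"""


def normalize_user(raw):
    """Fold DOMAIN\\user, DOMAIN/user and user@domain to one lowercase key
    (assumption about how the two schemes' user columns differ)."""
    name = re.split(r"[\\/]", raw)[-1]
    return name.split("@")[0].lower()


def parse(lines):
    """Yield (timestamp, client_ip, normalized_user) for authenticated requests."""
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or fields[7] == "-":
            continue  # malformed line or no authenticated user
        yield float(fields[0]), fields[2], normalize_user(fields[7])


def shared_logins(lines, window=300):
    """Return {user: sorted client IPs} for users active from more than one
    address within `window` seconds, regardless of authentication scheme."""
    last_seen = defaultdict(dict)  # user -> {ip: last timestamp}
    flagged = defaultdict(set)
    for ts, ip, user in sorted(parse(lines)):
        last_seen[user][ip] = ts
        active = {a for a, t in last_seen[user].items() if ts - t <= window}
        if len(active) > 1:
            flagged[user] |= active
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in shared_logins(SAMPLE_LOG.splitlines()).items():
        print(user, "seen from", ", ".join(ips))
```
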



[squid-users] Squid and Weblogic Application running JSP

2003-03-26 Thread Yeo Andy
Hi,

I have this problem of retrieving data from a Weblogic application server 
running JSP when proxy is being set to one of my squid proxy server.

This problem of retrieving data does not happen when I run the same JSP 
by pointing my proxy to one of my apache proxy server.

Can anyone advise why is this so and what is the resolution.

Thank you.


