Re: [squid-users] "-k rotate" partially rotating

2003-06-11 Thread Marc Elsen


"Ethy H. Brito" wrote:
> 
> On Tue, 10 Jun 2003 20:20:24 +0200
> "Marc Elsen" <[EMAIL PROTECTED]> wrote:
> 
> > > Couldn't find anything in the logs that mention access or store log
> > > files.
> >   Any extra info in the beginning of cache.log and the end of
> > cache.log.0
> >   when this is being tried (examine both files (!)).  ?
> 
> Surprisingly YES. A SEG Violation in all of cache.log.[0-3] files.
> Look:
> 
> # head cache.log
> 
> 2003/06/10 04:00:00| storeDirWriteCleanLogs: Starting...
> FATAL: Received Segment Violation...dying.
> 2003/06/10 04:00:02| storeDirWriteCleanLogs: Starting...
> 2003/06/10 04:00:02|   Finished.  Wrote 5566 entries.
> 2003/06/10 04:00:02|   Took 0.0 seconds (118362.6 entries/sec).
> CPU Usage: 65.560 seconds = 45.030 user + 20.530 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 340
> Memory usage for squid via mallinfo():
> total space in arena:7300 KB
> Ordinary blocks: 7279 KB 23 blks
> Small blocks:   0 KB  0 blks
> Holding blocks:   192 KB  1 blks
> Free Small blocks:  0 KB
> Free Ordinary blocks:  20 KB
> Total in use:7471 KB 102%
> Total free:20 KB 0%
> 2003/06/10 04:00:12| Starting Squid Cache version 2.5.STABLE3-20030605
> for i586- pc-linux-gnu...
> 2003/06/10 04:00:12| Process ID 2323
> 
> >
> >   Which version of squid are you using ?
> >   On which platform/os/version ?
> 
> squid-2.5.STABLE3-20030605
> Linux Slackware 9.0 Kernel 2.4.20 on a Pentium 166Mhz w/128MB RAM
> 
> What now?
 
 Since this is about the latest release, I guess filing a bug report
 would be the most appropriate thing to do.

 M.


Re: [squid-users] Squidalyser help still

2003-06-11 Thread Cécile Leyman
Quoting Simon Bryan <[EMAIL PROTECTED]>:

> Hi all,
> I have the Squidalyser that Henrik has kindly placed on the Squid site,
> however it
> has no instructions as to how to setup the database. If anybody has these or
> knows
> what to do I would appreciate some help
> 
> Cheers,
> 
> 
> Simon Bryan
> IT Manager
> OLMC Parramatta
> 

See the attachment.

Regards,

Cécile.

-
Mail sent through GFI Mailserver1.0
info: [EMAIL PROTECTED]


squidalyser-02_53.txt.gz
Description: GNU Zip compressed data


[squid-users] windows update not working with squid squid-2.4.STABLE7-4

2003-06-11 Thread John Weez
Hi people,

Since setting up Squid, I can no longer go to the Windows Update site.
The update web page gives me an error 0x80072F76.

I've added the following extension methods:

extension_methods SEARCH SUBSCRIBE UNSUBSCRIBE POLL BCOPY BPROPPATCH 
GNUTELLA REPORT MERGE MKACTIVITY CHECKOUT GET HEAD DELETE OPTIONS TRACE 
CONNECT POST PUT SOAP

Any ideas on how to get the Windows Update page working again? I do not get
any errors in the logs or any activity in the cache.log.

John W.




[squid-users] Squidalyser version 2.55

2003-06-11 Thread Cécile Leyman
I have a more recent version of squidalyser => 2.55 (but I don't know if it is
the latest).
I have tested and it works fine for me.
I don't remember where I had downloaded it, that goes back already to several
months!

If someone is interested to have this...
Maybe can I send a copy "to" squid-cache.org ?

Regards,

Cecile.


Re: [squid-users] squid build recommendations

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 07.29, [EMAIL PROTECTED] wrote:

> My current parent proxys in peak times are running at about 2-3MBits/sec
> My current busiest child proxy in peak times are running at no more than
> 2MBits/sec

Then you should have very little to worry about..

> Running Solaris 9, Squid 2.5 STABLE3
> 
> I have been advised to mount all cache disks with noatime

For high speed proxies (15Mbps or more) I also recommend adding a
disksuite transaction log to the filesystems with the log on a drive not
used for caching (the same drive as used for other logs is OK).

Note: From what I have been told this is not the same as the transaction
log supported by the Solaris 9 UFS filesystem. The UFS transaction log
mainly provides filesystem recovery, the disksuite transaction log in
addition provides improved performance.

> 1 Disk for logs
> Several cache disks, 3 has been recommended, does anyone have any valuable
> input on this ?

I would recommend 1 cache drive per 3Mbps of traffic, at least on
Linux/FreeBSD or on Solaris with a separate disksuite transaction log.
Not sure what number to use for Solaris without transaction log.

> Lots of RAM, I'm hoping my 2GB will be enough?

It will be a bit overkill even.

> For children I was thinking 1 x 36 for cache and the other 36 split up for
> logs and OS as I only have 2 disks (can anyone see an issue with this?)

I would mirror the OS and logs, and split the cache on both drives.. For
only 3Mbps of traffic you do not need a huge cache.

> I have also been told it's a good idea to tune the kernel to the weird
> things squid does, I don't really understand this comment but does anyone
> think it's worth looking at tuning, and if so does anyone have a good place
> to start with Solaris 9?

Not sure which weird things this would be... Squid is a pretty straight
forward TCP/IP application, and you may need mostly the same tunings as
for a web server or other TCP/IP application.

If you use diskd then there is a bit of tuning required to increase the
shared memory and IPC message queues used by diskd as the default is
ridiculously small on most OS:es.. (Solaris included). See the Squid FAQ
for diskd requirements.

Regards
Henrik


-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users] problems with mail.yahoo.com

2003-06-11 Thread Wei Keong
Hi Edgardo,

Probably due to too many invalid logins... you can try to email Yahoo
<[EMAIL PROTECTED]>

Rgds,
Wei Keong


On Tue, 10 Jun 2003, Edgardo Lust wrote:

> I have a problem with mail.yahoo.com: when I try to log in, the Yahoo server returns
> "Unfortunately, we are unable to process your request at this time. We apologize
> for the inconvenience. Please try again later", but in secure mode it works fine. I only
> have this problem with the "standard mode".
>
> I think the problem is with squid because the connection works if I connect directly (no
> squid-proxy).
>
> I'm using transparent proxy with RH 7.3
>
> Thanks in advance
>
> Edgardo
>
>
>



Re: [squid-users] Squidalyser version 2.55

2003-06-11 Thread Anthony M. Rasat
Hi Cecile,

This is only my very personal opinion and I have no intention to persuade 
anyone else to adopt my opinion as theirs.

Several months ago OpenBSD users were warned about the existence of trojan
horse code in the OpenSSH distribution. This incident has again underlined the
usefulness of the MD5 sum of every open source code distribution. I admit even I
do not use MD5 sums often, especially when downloading from well-known sites
such as Squid or ISC, but I always try to check the MD5 sum first before running
the code.

Now I did not say that your Squidalyser may have malicious code within, but I
only want to say that it will be much appreciated if you can point us to a
well-known site that has MD5 sums instead of directly offering others your copy of
Squidalyser.

I hope you understand my concern.

Regards,

Anthony M. Rasat
Speednet Engineering
PT. Halmahera Palangkaraya
Palangkaraya - Indonesia.-


On Wednesday 11 June 2003 15:27, you wrote:
> I have a more recent version of squidalyser => 2.55 (but I don't know if it
> is the latest).
> I have tested and it works fine for me.
> I don't remember where i had downloaded it, that goes back already to
> several months !
>
> If someone is interested to have this...
> Maybe can I send a copy "to" squid-cache.org ?
>
> Regards,
>
> Cecile.
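
The check discussed in this message, as an added example that is not part of the original mail: a shell function that compares a downloaded file against a published checksum list before anything is unpacked or run. The function name verify_digest, the list file and the file names in the usage comment are assumptions; it goes slightly beyond the MD5 case in the text by also accepting sha256, and the checksum list is only meaningful when it comes from a source the reader trusts independently of whoever supplied the archive.

```shell
#!/bin/sh
# Added example (not from the thread).
# verify_digest FILE SUMS [ALGO]
#   FILE  downloaded archive to check
#   SUMS  checksum list in md5sum/sha256sum format ("<hex>  <name>")
#   ALGO  md5 (default) or sha256
# Return codes: 0 match, 1 mismatch, 2 file not listed, 3 unknown algorithm.
# File names containing whitespace are not handled.
verify_digest() {
    file=$1
    sums=$2
    algo=${3:-md5}

    case $algo in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 3 ;;
    esac

    name=$(basename "$file")

    # Look the file up by exact name; a leading '*' marks binary mode
    # in the list format and is not part of the name.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f)
          if (f == n) { print tolower($1); exit } }' "$sums")

    # No entry means nothing vouches for this file: treat as a failure.
    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums, refusing" >&2
        return 2
    fi

    actual=$("$tool" "$file" | awk '{ print $1 }')

    if [ "$actual" != "$expected" ]; then
        echo "$name: $algo MISMATCH (expected $expected, got $actual)" >&2
        return 1
    fi

    echo "$name: $algo OK"
    return 0
}

# Usage (hypothetical file names):
#   verify_digest squidalyser-sample.tar.gz MD5SUMS && tar xzf squidalyser-sample.tar.gz
```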



Re: [squid-users] Squidalyser version 2.55

2003-06-11 Thread Henrik Nordstrom
I think what you have is actually 0.2.55, not 2.55.

There seems to be two "latest" versions of squidalyzer:

0.2.55  STABLE
1.0b    alpha-but-stable with many added features

Regards
Henrik


Wed 2003-06-11 at 10.27, Cécile Leyman wrote:
> I have a more recent version of squidalyser => 2.55 (but I don't know if it is
> the latest).
> I have tested and it works fine for me.
> I don't remember where i had downloaded it, that goes back already to several
> months !
> 
> If someone is interested to have this...
> Maybe can I send a copy "to" squid-cache.org ?
> 
> Regards,
> 
> Cecile.



Re: [squid-users] "-k rotate" partially rotating

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 09.01, Marc Elsen wrote:

> > Surprisingly YES. A SEG Violation in all of cache.log.[0-3] files.
> > Look:
> > 
> > # head cache.log
> > 
> > 2003/06/10 04:00:00| storeDirWriteCleanLogs: Starting...
> > FATAL: Received Segment Violation...dying.
>  
>  Since this is about the latest release, I guess filing a bug report
>  would be the most appropriate thing to do.


It is.

In such report please include

a) A backtrace of where the segmentation fault occurs. 

b) Any squid.conf settings which may be relevant.

c) Your configure options.

Regards
Henrik




Re: [squid-users] windows update not working with squid squid-2.4.STABLE7-4

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 10.41, John Weez wrote:

> Any ideas on how to get the Windows Update page working again? I do not get
> any errors in the logs or any activity in the cache.log.

What do you get in access.log?

Regards
Henrik




Re: [squid-users] Squidalyser version 2.55

2003-06-11 Thread Cécile Leyman
Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:

> I think what you have is actually 0.2.55, not 2.55.
> 
> There seems to be two "latest" versions of squidalyzer:
> 
> 0.2.55  STABLE
> 1.0b    alpha-but-stable with many added features
> 
> Regards
> Henrik
> 

Oops, I did not pay attention to that enough !  

All my excuses with all.


Regards,

Cécile.



Re: [squid-users] Squidalyser version 2.55

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 11.38, Anthony M. Rasat wrote:

> Now I did not say that your Squidalyser may have malicious code within, but I
> only want to say that it will be much appreciated if you can point us to a
> well-known site that has MD5 sums instead of directly offering others your copy of
> Squidalyser.

The problem with Squidalyser is that it has disappeared from the net
with no official and well-known location to refer to, and the author is
no longer reachable. The fate of Squidalyser is currently unknown.

Regards
Henrik




[squid-users] simple SQUID config file

2003-06-11 Thread Mr. Proxy
Hi SquidNT-Gurus,

I have downloaded the stable3 2.5 nt version for the first time.
I have the following env:

-> NT4.0
192.168.2.1/16 external interface
10.10.2.1/16 internal interface

-> Authentication:
Schema: Basic
NT Domain: OMELET
Groups: ExternalSYS, InternalSYS

-> proxy port 8080

-> only https support for CONNECT tunneling. (no ftp, ping, http)

-> no caching (or max. 5 MB)

-> use the dns from the os system

-> full logging

-> no ICP

-> no admin stuff for internal interface

Please send me the params that I need for the squid.conf

Thanks for the moment, and I will be happy if I get this simple config.

Thanks and greetings from Germany
Mr. Proxy


Re: [squid-users] simple SQUID config file

2003-06-11 Thread Christoph Haas
On Wed, Jun 11, 2003 at 12:44:52PM +0200, Mr. Proxy wrote:
> Hi SquidNT-Gurus,
> 
> I have downloaded the stable3 2.5 nt version for the first time.
> I have the following env:
> [...]
> Please send me the params that I need for the squid.conf

Do you really expect people to support your attitude? You don't want to
read the documentation and don't provide your real name? Be reasonable.
RTFM. Try it out. RTFM again. Do this ten times. If then you have a
special problem with a special setup then post details here and ask
again.

Curse everyone who helps you.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All


Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 12:06:43AM +0200, Henrik Nordstrom wrote:
> 
> You have to make your Squid not depend on any DNS lookups to forward 
> the request to your parent.

and how do i do that?

> A squid configured to unconditionally forward all requests to a parent 
> does not depend on DNS lookups (other than for the address of the 
> parent)

from what i can tell, unless i'm completely missing something, i've got it to
unconditionally forward all requests.  it isn't working however.

> Note: you probably need to start Squid with the -D option to disable 
> the DNS sanity check on startup.

already done.

-brian
-- 
"You know, evil comes in many forms, be it a man-eating cow or Joseph Stalin.
But you can't let the package hide the pudding. Evil is just plain bad! You
don't cotton to it! You gotta smack it on the nose with the rolled up newspaper
of goodness! Bad dog! Bad dog!" -- The Tick


RE: [squid-users] Performance and stupid questions

2003-06-11 Thread Chaillot Nicolas
I tried squid on another box: IBM Xseries 232, 1,13 GHz, 768 Mo Ram,
1 Hard drive (Raid0) for the system
3 Hard drives (Raid0) for the squid cache. Noatime, Reiserfs.
Linux 9 out-of-the-box, no firewall, Kernel 2.4.20, squid built by me with
these options:
--enable-external-acl-helpers=winbind_group \
--enable-cache-digests \
--enable-async-io \
--enable-storeio=diskd,ufs \
--enable-auth=ntlm,basic \
--enable-snmp \
--enable-poll \
--enable-linux-netfilter \
--enable-ssl \
--with-openssl=/usr/kerberos \
--enable-basic-auth-helpers=winbind \
--enable-ntlm-auth-helpers=winbind \
--enable-ntlm-fail-open \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/sbin \
--sbindir=/usr/sbin \
--sysconfdir=/etc/squid \
--datadir=/usr/share \
--includedir=/usr/include \
--libdir=/usr/lib \
--libexecdir=/usr/lib/squid \
--localstatedir=/var \
--sharedstatedir=/usr/com \
--mandir=/usr/share/man \
--infodir=/usr/share/info

Same configuration as before (see my first post for it).

I still have the same level of performance: after 200 req/sec, same level of
performance.
I/O are not a problem (monitoring this with sar shows me that everything is
normal).
CPU is 100% busy during tests, mainly used by squid process.
Should I consider this as the normal level of performance for this
processor?
I should be able to do some tests on a 2,4 Ghz Xeon processor next week.

Thank you very much, and once again sorry for this kind of questions.

Nicolas Chaillot

-Original Message-
From: Ralf Hildebrandt [mailto:[EMAIL PROTECTED]
Sent: Friday 6 June 2003 21:57
To: Chaillot Nicolas
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Performance and stupid questions


* Chaillot Nicolas <[EMAIL PROTECTED]>:

> Kernel is 2.4.20-SMP (directly from Redhat 9 ).

In that case some other processes can utilize the other processor --
maybe the dns-caching component of squid.

> > Squid is probably I/O bound. And due to it's architecture it cannot
> > take advantage of another processor.
>
> I didn't know that.

It has to fetch & write data from and to the disk.

> That's not so far of what I'm doing: I'm currently in the test period.

Excellent!

> > At a real-world load (production use) of 200 connections/s it has a
> > load of 0.75.
>
> You mean 0.75% of CPU Load ??? Impressive !!!
> Is it 200 connection/s = 200 request/sec ??

Yes. We use 3 proxies here. 2 of the type I mentioned and one humble
old Sun box with two processors. We split the load by giving one box
all ".de" domains, the other box does all of ".com" while the old box
does the rest.

--
Ralf Hildebrandt (Im Auftrag des Referat V a)   [EMAIL PROTECTED]
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix



Re: [squid-users] Performance and stupid questions

2003-06-11 Thread Ralf Hildebrandt
I'll take Udo into this. When talking to him, he mentioned that our
choice of XFS for the cache was mainly caused by XFS better
performance when writing large amounts of data to disk. Also it seems
that after a lot of creating and deleting files (which happens a lot
in caches I would think), XFS keeps the speed.

> I tried squid on an other box : IBM Xseries 232, 1,13 GHz, 768 Mo Ram,
> 1 Hard drive (Raid0) for the system
> 3 Hard drive (Raid0) for the squid cache. Noatime, Reiserfs.
> Linux 9 out-of-the-box, no firewall, Kernel 2.4.20, squid build by me with
> this options:
> --enable-external-acl-helpers=winbind_group \
> --enable-cache-digests \
> --enable-async-io \
> --enable-storeio=diskd,ufs \
> --enable-auth=ntlm,basic \
> --enable-snmp \
> --enable-poll \
> --enable-linux-netfilter \
> --enable-ssl \
> --with-openssl=/usr/kerberos \
> --enable-basic-auth-helpers=winbind \
> --enable-ntlm-auth-helpers=winbind \
> --enable-ntlm-fail-open \
> --prefix=/usr \
> --exec-prefix=/usr \
> --bindir=/usr/sbin \
> --sbindir=/usr/sbin \
> --sysconfdir=/etc/squid \
> --datadir=/usr/share \
> --includedir=/usr/include \
> --libdir=/usr/lib \
> --libexecdir=/usr/lib/squid \
> --localstatedir=/var \
> --sharedstatedir=/usr/com \
> --mandir=/usr/share/man \
> --infodir=/usr/share/info
> 
> Same configuration as before (see my first post for it).
> 
> I still have the same level of performance: after 200 req/sec, same
> level of performance. I/O are not a problem (monitoring this with sar
> shows me that everything is normal). CPU is 100% busy during tests,
> mainly used by squid process. Should I consider this as the normal
> level of performance for this processor?

Interesting. I would have expected the disk to be the bottleneck.



Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 15.16, Brian Hechinger wrote:
> On Wed, Jun 11, 2003 at 12:06:43AM +0200, Henrik Nordstrom wrote:
> > 
> > You have to make your Squid not depend on any DNS lookups to forward 
> > the request to your parent.
> 
> and how do i do that?


1. never_direct allow all

2. do not use dst or srcdomain acl types (well, in theory you can use
these if your dns properly rejects Internet data..)

3. Make sure your Squid knows how to find the address of your parent.
Either if registered in your internal DNS, or in /etc/hosts. If not,
specify the parent by IP address instead of name.

Regards
Henrik


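
One way to check a squid.conf against the three points in the message above, as an added example that is not part of the original mail or of Squid itself. The function name check_forward_only and the sample values in the usage comment are assumptions; it only looks in the hosts file, so a parent that is registered in internal DNS is reported for manual confirmation.

```shell
#!/bin/sh
# Added example (not from the thread).
# check_forward_only CONF [HOSTS]
# Returns the number of problems found; 0 means the configuration
# matches all three points and should not need Internet DNS.
check_forward_only() {
    conf=$1
    hosts=${2:-/etc/hosts}
    problems=0

    # 1. Every request must be forced to a parent.
    if ! grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all[[:space:]]*$' "$conf"; then
        echo "missing 'never_direct allow all'"
        problems=$((problems + 1))
    fi

    # 2. acl types named in the message as depending on DNS lookups.
    bad_acls=$(awk '$1 == "acl" && ($3 == "dst" || $3 == "srcdomain") {
                        printf "%s(%s) ", $2, $3 }' "$conf")
    if [ -n "$bad_acls" ]; then
        echo "acl types needing DNS: $bad_acls"
        problems=$((problems + 1))
    fi

    # 3. Each parent must be an IP literal or a name in the hosts file.
    peers=$(awk '$1 == "cache_peer" && $3 == "parent" { print $2 }' "$conf")
    if [ -z "$peers" ]; then
        echo "no 'cache_peer ... parent' line found"
        problems=$((problems + 1))
    fi
    for peer in $peers; do
        case $peer in
            *[!0-9.]*)   # contains something other than digits and dots: a name
                if ! awk -v h="$peer" '
                        { sub(/#.*/, "")          # drop trailing comments
                          for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                        END { exit !found }' "$hosts"; then
                    echo "parent '$peer' is not in $hosts (must resolve via internal DNS)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done

    return "$problems"
}

# Usage (hypothetical paths):
#   check_forward_only /etc/squid/squid.conf /etc/hosts || echo "review the findings above"
```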



Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 04:22:07PM +0200, Henrik Nordstrom wrote:
> 
> 1. never_direct allow all

i use: never_direct allow my_networks, is that ok?  or should i use all?

> 2. do not use dst or srcdomain acl types (well, in theory you can use
> these if your dns properly rejects Internet data..)

i only use src type acls.

> 3. Make sure your Squid knows how to find the address of your parent.
> Either if registered in your internal DNS, or in /etc/hosts. If not,
> specify the parent by IP address instead of name.

yup, no problems there, it's in /etc/hosts.

thanks!

-brian


[squid-users] restrict downloads by time limit

2003-06-11 Thread RAHUL T. KARTHA

--- Begin Message ---
Hi list 

As you can see, with a lot of help from the mailing list I have been able to restrict
Windows Update downloads and restrict a segment of users to only 5 connects, but I
still face one problem: the download restriction is permanent for the entire day. I would
like to keep a small window of time after 23:00 hrs for all downloads. I tried a lot
of combinations on the lines of max connect but to no avail. Can anybody help pls ☺

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl naaoffice src 192.168.1.1-192.168.1.9 192.168.1.11-192.168.1.22 192.168.1.24-192.168.1.30
acl naadomainristrict dstdomain microsoft.windowsupdate.com windowsupdate.com windowsupdate.microsoft.com download.microsoft.com
acl snmp snmp_community public
acl movies urlpath_regex -i \.mp[e]g$ 
acl naaconectlimit maxconn 5
acl naaserver src 192.168.1.230-192.168.1.230 192.168.1.154-192.168.1.154
acl naaristrict src 192.168.1.10-192.168.1.10 192.168.1.23-192.168.1.23
acl naaspecial src 192.168.1.40-192.168.1.41
acl downloadtime1 time 05:00-23:59

http_access allow localhost
http_access deny movies
http_access deny naadomainristrict
http_access deny naaconectlimit !naaoffice !naaserver
http_access deny naaspecial
http_access allow naaristrict
http_access allow naaoffice
http_access allow naaserver
http_access deny all

Best Regards, Asante Sana, Med venlig hilsen
 
Rahul T. Kartha
IT Coordinator
NCC-Aarsleff Joint Venture TANZANIA
P.O.Box 252, Morogoro
Tanzania
 
Tel, reception: +255 (0)23 260 1196 / 1345
Mobil Phone direct: +255 (0)744 277266
email: [EMAIL PROTECTED]



--- End Message ---


Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Christoph Haas
> On Wed, Jun 11, 2003 at 12:06:43AM +0200, Henrik Nordstrom wrote:
> > You have to make your Squid not depend on any DNS lookups to forward 
> > the request to your parent.

On Wed, Jun 11, 2003 at 09:16:27AM -0400, Brian Hechinger wrote:
> and how do i do that?

I believe that you need to have the plain IP address of your parent
proxy set in the "cache_peer" directive. Or at least put it into
/etc/hosts. If you have a policy where you forward all requests to the
parent proxy you could as well disable DNS queries (/etc/host.conf and
/etc/nsswitch.conf).

 Christoph



Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 10:27:54AM -0400, Brian Hechinger wrote:
> > 
> > 1. never_direct allow all
> 
> i use: never_direct allow my_networks, is that ok?  or should i use all?

i changed my_networks to all with no effect.

it still insists on doing dns locally.

-brian


Re: [squid-users] simple SQUID config file

2003-06-11 Thread Christoph Haas
Hi, list...

After having a PM talk with Daniel he told me that after using Squid 2.3
stable 5 the problem was solved. He saw his IE crashed when trying to
authenticate users. However I'm sure that this is not a Squid problem.
:)

EOT

 Christoph



Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 04:37:34PM +0200, Christoph Haas wrote:
> 
> I believe that you need to have the plain IP address of your parent
> proxy set in the "cache_peer" directive. Or at least put it into
> /etc/hosts. If you have a policy where you forward all requests to the

yeah, it's in /etc/hosts, and i even tried the IP address right in the squid
config file, made no difference.

> parent proxy you could as well disable DNS queries (/etc/host.conf and
> /etc/nsswitch.conf).

except that the machine needs to be able to resolve internal names, so that's
not good at all.

-brian


[squid-users] Proxy Chaining

2003-06-11 Thread Matthieu BOUCHINET




Hi,

Does everybody know if I can treat proxy chaining from a Squid Server to a
Windows 2000 server without proxy server ?
I cannot change the Squid configuration and must receive the requests like
this.

Thank,
_
Matthieu BOUCHINET
CERIEL, l'Architecte de vos projets informatiques
7 rue Andrei Sakharov - 76130 MONT SAINT AIGNAN
Tel +33 (0)2 35 60 89 09 Fax +33 (0)2 35 60 86 80
email  [EMAIL PROTECTED]



Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 17.04, Brian Hechinger wrote:

> yeah, it's in /etc/hosts, and i even tried the IP address right in the squid
> config file, made no difference.

Triple check your always_direct/never_direct rules. If the request is
forced to not go direct (always_direct deny, never_direct allow) then
Squid will either send the request to a parent or reject the request.

> > parent proxy you could as well disable DNS queries (/etc/host.conf and
> > /etc/nsswitch.conf).
> 
> except that the machine needs to be able to resolve internal names, so that's
> not good at all.

Also, Squid insists on at least one DNS server being defined even if not
used, and does not use /etc/nsswitch.conf.

Regards
Henrik




Re: [squid-users] Proxy Chaining

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 18.01, Matthieu BOUCHINET wrote:

> Does everybody know if I can treat proxy chaining from a Squid Server to a
> Windows 2000 server without proxy server ?
> I cannot change the Squid configuration and must receive the requests like
> this.

What is the Windows 2000 server running, and how is it supposed to get
the requests?




Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 06:30:59PM +0200, Henrik Nordstrom wrote:
> 
> Triple check your always_direct/never_direct rules. If the request is
> forced to not go direct (always_direct deny, never_direct allow) then
> Squid will either send the request to a parent or reject the request.

there are no always_direct rules, and the only never_direct is 'never_direct
allow all'

-brian
-- 
"You know, evil comes in many forms, be it a man-eating cow or Joseph Stalin.
But you can't let the package hide the pudding. Evil is just plain bad! You
don't cotton to it! You gotta smack it on the nose with the rolled up newspaper
of goodness! Bad dog! Bad dog!" -- The Tick


[squid-users] Segmentation Fault

2003-06-11 Thread tadm
Hi,

I have just upgraded my squid to version 2.5.STABLE3 and now I'm receiving 
a "Segmentation Fault" message when parsing the squid.conf file.

This error is occurring in the second "DENY_INFO" line of my file.

deny_info ERRO_PORN porn
deny_info ERRO_PORNSITES pornsites
deny_info ERRO_CHAT chat
deny_info ERRO_VIRUS virus
deny_info ERRO_EXTENSOES extensoes
deny_info ERRO_MULTIMIDIA multimidia

If the "DENY_INFO" lines are commented out, squid runs without problem.

Files locations and squid user permissions are OK.

--

proxy:/usr/local/squid/sbin# squid -X
2003/06/10 19:11:10| Memory pools are 'off'; limit: 0.00 MB
2003/06/10 19:11:10| cachemgrRegister: registered mem
2003/06/10 19:11:10| cbdataInit
2003/06/10 19:11:10| cachemgrRegister: registered cbdata
2003/06/10 19:11:10| cachemgrRegister: registered events
2003/06/10 19:11:10| authSchemeAdd: adding basic
.
.
.
2003/06/10 19:11:10| Processing: 'deny_info ERRO_PORN porn'
2003/06/10 19:11:10| parse_line: deny_info ERRO_PORN porn
2003/06/10 19:11:10| Processing: 'deny_info ERRO_PORNSITES pornsites'
2003/06/10 19:11:10| parse_line: deny_info ERRO_PORNSITES pornsites
Falha de segmentação  << Segmentation Fault
--

Any help?

	Thanks.

	Teobaldo Medeiros. 



RE: [squid-users] Location rewrites and rproxy

2003-06-11 Thread Mike Kelson
Henrik,

I guess no response from my last email means that you are not
interested. Could you suggest someone that might be?

Regards

Mike

-----Original Message-----
From: Mike Kelson 
Sent: 10 June 2003 13:57
To: Henrik Nordstrom
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Location rewrites and rproxy

Henrik,

Again thank you for your unbelievably quick response. I am not a squid
hacker, unix programmer etc. Would you be interested in porting the
location rewrite portion to rproxy to version 3.0 for a fee? Would it be
sensible for me to use version 3.0 in a production environment,
considering the requirement for location rewrites?


Regards

Mike 

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 10 June 2003 13:14
To: Mike Kelson
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Location rewrites and rproxy

On Tuesday 10 June 2003 12.26, Mike Kelson wrote:

> Thank you very much for replying. Excuse me for asking what are
> probably dumb questions. How and where does one get the 2.6
> development version?

You don't... the development of Squid-2.6 has stopped and Squid-3.0 
will be the next release.

> The squid web site only seems to list 2.5 and
> 3.0. Is there a convenient tar of 2.6 and the rproxy branch?

You can always get the rproxy branch from the SourceForge CVS server. 
This will give you Squid-2.6+rproxy at the last point in time the 
rproxy branch was developed. Unfortunately I do not think this Squid 
version will be very stable...

> Finally are there any example scripts for rewriting http to https?

Not sure I understand the question, but if you refer to the location 
rewrite interface of rproxy then the location rewrites function very 
much like the forward url rewrites via the redirector interface.. The 
helper is sent one line per Location header seen, starting with the 
URL and followed by some additional information, and Squid expects 
the helper to return the new URL to use, or a blank line for no 
change..

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
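
The helper exchange described in the reply above (one line in per Location header, new URL or a blank line out), sketched for the http-to-https case. This is an added example, not code from the thread or from the rproxy branch; the host names are constructed and the fields after the URL are ignored because the thread does not specify them.

```python
#!/usr/bin/env python3
"""Location-rewrite helper sketch for a Squid reverse proxy (added example)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed host names: sites this reverse proxy publishes over HTTPS only.
HTTPS_ONLY_HOSTS = {"www.example.com", "shop.example.com"}


def rewrite_location(line, https_hosts=HTTPS_ONLY_HOSTS):
    """Return the reply for one request line: a new URL, or "" for no change.

    The first whitespace-separated field is the Location URL; whatever
    additional information follows it is ignored here.
    """
    fields = line.split()
    if not fields:
        return ""
    try:
        parts = urlsplit(fields[0])
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return ""                  # malformed URL: leave the header alone
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or host not in https_hosts:
        return ""                  # only upgrade hosts we know serve HTTPS
    if parts.username is not None or port not in (None, 80):
        return ""                  # no safe HTTPS equivalent to guess at
    # Rebuild without the explicit :80 so the client uses the default 443.
    return urlunsplit(("https", host, parts.path or "/",
                       parts.query, parts.fragment))


def main(stdin=sys.stdin, stdout=sys.stdout):
    """One reply line per request line, flushed immediately.

    Squid blocks waiting for each answer, so output must not sit in a buffer.
    """
    for line in stdin:
        stdout.write(rewrite_location(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    main()
```

Anything the helper does not recognise is answered with a blank line, so a backend redirect to an unknown host or an unusual port passes through untouched instead of being rewritten to a URL that may not exist.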




Re: [squid-users] windows update not working with squid squid-2.4.STABLE7-4

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 18.37, John Weez wrote:
> 
> Here is the output of squid's access.log when I try to connect to
> windowsupdate page

Nothing strange there...

Have you enabled any anonymization features in Squid?
(http_header_access/http_header_replace in Squid-2.5)

If you have then these can quite likely disturb Windows update..

Regards
Henrik




Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 18.34, Brian Hechinger wrote:
> On Wed, Jun 11, 2003 at 06:30:59PM +0200, Henrik Nordstrom wrote:
> > 
> > Triple check your always_direct/never_direct rules. If the request is
> > forced to not go direct (always_direct deny, never_direct allow) then
> > Squid will either send the request to a parent or reject the request.
> 
> there are no always_direct rules, and the only never_direct is 'never_direct
> allow all'

And the "all" acl is defined before this?

(see "squid -k parse")

Regards
Henrik




Re: [squid-users] Segmentation Fault

2003-06-11 Thread Henrik Nordstrom
Wed 2003-06-11 at 18.38, [EMAIL PROTECTED] wrote:

> I have just upgraded my squid to version 2.5.STABLE3 and now I'm receiving 
> a "Segmentation Fault" message when parsing the squid.conf file.
> 
> This error is occurring in the second "DENY_INFO" line of my file.

http://www.squid-cache.org/Versions/v2/2.5/bugs/

Regards
Henrik




[squid-users] Chaining squid to another vendor proxy....and FTP

2003-06-11 Thread Clint Davis
I'm using my squid to forward to BlueCoat proxy device.  HTTP works fine.
When my IE or Netscape issues an FTP request to squid, which gets forwarded
to BC proxy, the result is a read-only session.  I cannot do PUTs in
this scenario.  Squid is 2.5.  Is this an issue of chaining two proxies?
Is it a caching issue?  BlueCoat support staff was not helpful - they
don't support squid so what can I say.  Any hints or sympathies are
greatly appreciated.


Clint Davis


Re: [squid-users] still looking for help getting dns resolution done by the parent

2003-06-11 Thread Brian Hechinger
On Wed, Jun 11, 2003 at 07:19:53PM +0200, Henrik Nordstrom wrote:
> 
> And the "all" acl is defined before this?

yup.  the default: acl all src 0.0.0.0/0.0.0.0

> (see "squid -k parse")

complains not at all.

-brian
-- 
"You know, evil comes in many forms, be it a man-eating cow or Joseph Stalin.
But you can't let the package hide the pudding. Evil is just plain bad! You
don't cotton to it! You gotta smack it on the nose with the rolled up newspaper
of goodness! Bad dog! Bad dog!" -- The Tick


Re: [squid-users] Chaining squid to another vendor proxy....and FTP

2003-06-11 Thread Henrik Nordstrom
On Wednesday 11 June 2003 19.44, Clint Davis wrote:
> I'm using my squid to forward to BlueCoat proxy device.  HTTP works
> fine. When my IE or Netscape issues an FTP request to squid, which
> gets forwarded to BC proxy, the result is a read-only session.  I
> cannot do PUTs in this scenario.  Squid is 2.5.  Is this an issue
> of chaining two proxies? Is it a caching issue?  BlueCoat support
> staff was not helpful - they don't support squid so what can I say. 
> Any hints or sympathies are greatly appreciated.

IE and Netscape 6 do not support FTP PUT via HTTP proxies...

Regards
Henrik




Re: [squid-users] Chaining squid to another vendor proxy....and FTP

2003-06-11 Thread Henrik Nordstrom
On Wednesday 11 June 2003 21.41, Clint Davis wrote:
> microsoft KB article #199376 shows my error.  This article deals
> with FTP sessions "flipping" to read-only ( which implies that IE
> can do R/W).  At least that's what I glean from this article.

IE can do R/W FTP when it speaks FTP to a FTP server.

IE can not do FTP PUT via a HTTP proxy. When using a HTTP proxy IE 
(and any other browser) speaks HTTP to the proxy, not FTP, asking the 
proxy to fetch or store ftp:// URLs.

> My goal is blocking off commandline FTP ( security policy).

You cannot block protocols by the tool used unless you can run a local 
security policy on each computer mandating what your users may run on 
their computers.


> So my users have to use some GUI to R/W FTP.  Windozs users can
> use any number of clients that support proxy servers.  But what
> would unix users use?  IS there a CuteFTP or WS-FTP for unix?

Any UNIX FTP GUI, or command line FTP asking it to connect via the FTP 
proxy (provided you have one). You cannot tell the difference at the 
proxy.

Regards
Henrik




[squid-users] load balancing HTTP servers using Squid

2003-06-11 Thread Bernhard Erdmann
Hi,

I'm searching for a software load balancer for HTTP servers.

Scenario:
We have two web servers in Germany and two in the USA for German 
content. For US/English content there are two web servers in the USA and 
two in Germany. The setup is similar, so I'll concentrate on a single case.

Dream:
Requests should get dynamically balanced to the two German web servers. 
If one fails, the second gets each and every request. If both fail, 
users will be served by the US servers using HTTP redirects or reverse 
proxying.

                    Internet
                       |
                       |
   german load balancer  <--->  US load balancer
            |                          |
            |                          |
         firewall                   firewall
          /    \                     /    \
         /      \                   /      \
       www1    www2               www3    www4

(The load balancers never fail ;-))

Steps to a solution:
http://devel.squid-cache.org/rproxy/ seems to be a good starting point. 
What is its state? Can Squid-2.5-STABLE2 be used for this setup? Is 
Squid-3.0-DEV geared towards these requirements? 
http://www.squid-cache.org/mail-archive/squid-dev/200010/0321.html has a 
nice patch for 2.3-STABLE4, but how far has development gone?

Regards
Bernie


[squid-users] Problem restarting all redirectors

2003-06-11 Thread Lightfoot.Michael
I am sometimes getting the following in cache.log when either a log
rotation or a reconfigure takes place.  It is a symptom of not all my
redirectors  (Ad Zapper) being restarted:

2003/06/12 09:30:14| ipcCreate: fork: (12) Not enough space
2003/06/12 09:30:14| WARNING: Cannot run
'/usr/local/squid/sbin/squid_redirect' process.
2003/06/12 09:30:14| ipcCreate: fork: (12) Not enough space
2003/06/12 09:30:14| WARNING: Cannot run
'/usr/local/squid/sbin/squid_redirect' process.
2003/06/12 09:30:14| ipcCreate: fork: (12) Not enough space
2003/06/12 09:30:14| WARNING: Cannot run
'/usr/local/squid/sbin/squid_redirect' process.

This problem is not occurring every time, but it appears to be occurring
more frequently in the past week or two.  It is fixed by doing another
reconfigure restart of squid (sometimes requires more than one of
these.)

The relevant details of my config are:

Sun E220R with 2 450MHz CPUs, Solaris 9, 512 MB memory, 2 x 18 Gbyte
disks (one for cache.)
squid 2.5.STABLE2-20030318 with Smartfilter 3.1.1.02 patches

cache_mem 80 MB
cache_dir ufs /cache 4800 16 256
redirect_program /usr/local/squid/sbin/squid_redirect
redirect_children 12

The redirector is adzapper (http://adzapper.sourceforge.net).

There is other software running on the system, but inspection using top
and vmstat do not indicate a memory problem - squid is using 197MB with
163MB resident, each redirector uses just over 5MB with 4.7 resident
according to top; ipcs -a doesn't show any lingering shared memory or
semaphores (and no configured message queues.)




Michael Lightfoot
Unix Consultant
ISG Host Systems
Comcare
+61 2 62750680




[squid-users] RE: Squid/Applet/SSL

2003-06-11 Thread Glenn Reynolds (DSL AK)
> Hi
> 
> I'm having an interesting problem running a third party applet over SSL
> thru Squid.  The applet starts up ok and downloads a small amount of data
> fine.  It has 4 lines items that I can load more details about - 3 of the
> line items don't have much detail so load fine.  However, one of the line
> items has a fair amount of data to load and fails every time (state of a
> multi-part database query was lost is the error the applet spits up).
> 
> If I bypass Squid, it works ok (running across the same network/firewall).
> 
> Looking at the access log, it looks like it is getting 26637 bytes before
> failing.  I have turned full debug on for Squid but can't see anything
> obvious in the cache.log.  I have tried changing a number of config
> parameters but with no luck.
> 
> Could it be a problem with the applet trying to connect directly to a host
> to get some of it's data or some other funny with Squid and the volume of
> data it's getting?
> 
> My platform details are: Solaris 8, Squid 2.5.STABLE3.
> 
> Cheers
> Glenn


[squid-users] 2 different Proxy Authentication

2003-06-11 Thread Wildy Candra
Dear All,

My network consists of:
Checkpoint Firewall
NT4 Domain Controller
Proxy Server (using NAT with Checkpoint Firewall)-> 
Microsoft Proxy Server 2.0

Currently, the client is using IE to browse to internet 
through the Microsoft Proxy Server 2.0 with NT4 domain 
authentication(NTLM).

I have 20 users, 10 are eligible to access internet 
through Microsoft Proxy Server 2.0, and other 10 have no 
access to internet at all. All user are authenticated in 
our NT4 PDC.

I intend to create another proxy server based on Linux 
using Squid 2.5 Stable1 and Samba 2.25 running on Red Hat 
Linux 9 to serve the 10 users that have no internet access on 
Microsoft Proxy Server 2.0. I created a dummy user ID that 
is eligible for internet access in Microsoft Proxy Server 
2.0.

This Squid Server, on behalf of all 10 clients (clients that are 
not eligible in Microsoft Proxy Server), will forward the 
internet access requests using the authorized dummy ID to 
the existing Microsoft Proxy Server 2.0 and cache data in 
the squid server. 

So the squid server acts as a client to Microsoft Proxy 
Server 2.0, but it also serves as a proxy server for the remaining 
10 clients that have no access on Microsoft Proxy Server 
2.0.

Is the scenario possible to implement? What configuration 
should I change in the Squid.conf?

I tried using the cache_peer command but Squid terminated abnormally 
when I ran it. Does Winbind need to be installed, or 
is there another way to solve this issue?

FYI: I can't change any configuration in Microsoft Proxy 
Server, NT4 PDC and the Firewall.

TIA

Regards,

Wildy



[squid-users] External ACL with Ident

2003-06-11 Thread Nathan_LeNevez
Hi Guys,

I have a fairly unique squid setup that I still cannot get working 100%. I
am hoping someone on this list may have a similar setup, or be able to
shine some light on what it is I am doing wrong. Here goes:

Every workstation in the building runs the IDENTD service under windows.
This has been confirmed as working, and squid is able to lookup the
username without problems. Occasionally a workstation's IDENTD service will
die, and there are also a few users who are using Laptops that do not have
IDENTD installed.

We have a central Novell Netware system which is running LDAP (eDirectory)
and we place all our users into a group called 'InternetAccess'. I have
also written two programs in C for interfacing with the LDAP database
(external authenticators). The first attempts to bind to LDAP using the
username/password specified by the user, and then it checks to see if the
user is a member of 'InternetAccess'. The second program simply checks to
see if the username exists and is in the 'InternetAccess' group.

In the first instance, I need squid to perform an ident request for the
user. It must then pass this ident response (if any) to my C program to see
if the user is a real user and is in the correct group. If all is well,
accept the user, and record all site visits in the log file.

Failing that, squid should popup the proxy_auth box and request the
username and password for the user. Pass this info off to the C program and
attempt to bind to the LDAP tree with the given credentials.

This is what my ACL lines look like:

auth_param basic program /usr/local/squid/bin/ldap_acis
external_acl_type ausaid %IDENT /usr/local/squid/bin/ident_acis
acl all src 0.0.0.0/0.0.0.0
ident_lookup_access allow all
acl all ident REQUIRED
acl ident_auth external ausaid REQUIRED
acl ldap_auth proxy_auth REQUIRED
http_access allow ident_auth
http_access allow ldap_auth
http_access deny all

First of all, in this configuration squid does not seem to wait for the
ident reply and I am getting the username/password box. If I ignore it and
keep hitting refresh, eventually it gets a response and caches the info
(allowing me to the internet from then on).

Second of all, if I add any ACLs to check things like dst address (we would
like to allow ALL users access to a few sites), then squid behaves
erratically.

Any sort of help or push in the right direction would be great!

Thanks in advance,

Nathan

-
Nathan Le Nevez
Information Technology Section
Australian Agency for International Development
Phone: 61 2 6206 4332
Fax: 61 2 6282 4328
Email: [EMAIL PROTECTED]
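
An external ACL helper of the kind described in the post above, sketched in Python as an added example (it is not the poster's C program). It reads the %IDENT value Squid sends, answers OK or ERR, and shows the input handling an ident string needs before it reaches an LDAP filter; the member list, the group DN and the `uid`/`groupMembership` attribute names are assumptions standing in for the real directory lookup.

```python
#!/usr/bin/env python3
"""external_acl_type helper sketch: ident name -> OK/ERR (added example)."""
import re
import sys

# Constructed stand-in for the 'InternetAccess' group held in LDAP.
INTERNET_ACCESS = {"alice", "bob"}
# Hypothetical group DN, used only to show filter construction.
GROUP_DN = "cn=InternetAccess,o=example"

# Ident replies are supplied by the workstation, so accept only a
# conservative user-name alphabet before touching the directory.
_VALID_USER = re.compile(r"[A-Za-z0-9._-]{1,64}\Z")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)


def member_filter(user, group_dn=GROUP_DN):
    """Build the search filter a directory-backed helper would send.

    The attribute names are assumptions; adjust them to the real schema.
    """
    return "(&(uid=%s)(groupMembership=%s))" % (ldap_escape(user),
                                                ldap_escape(group_dn))


def check_ident(line, members=INTERNET_ACCESS):
    """Return "OK" or "ERR" for one request line from Squid."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"               # empty or unexpected extra fields
    user = fields[0]
    if user == "-":
        return "ERR"               # "-" means Squid had no ident value
    if not _VALID_USER.match(user):
        return "ERR"               # reject filter metacharacters outright
    # Case-insensitive match, as directory user names normally are.
    return "OK" if user.lower() in members else "ERR"


def main(stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:
        stdout.write(check_ident(line) + "\n")
        stdout.flush()             # Squid waits on every reply


if __name__ == "__main__":
    main()
```

Answering ERR when no ident value is available is what lets the request fall through to the next http_access rule, where the proxy_auth prompt takes over.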
