Re: [squid-users] Re: what library is libz.so ?
On Wednesday 09 July 2003 07.17, Li Wei wrote:

> Dear Henrik
>
> I did install zlib package into my server.
>
> However, when I run Webalizer, I always faced same error message.
>
> $./webalizer
> ld.so.1: ./webalizer: fatal: libz.so: open failed: No such file or
> directory
> Killed
>
> Actually, during making the package, that file seems not to be
> found.

Then you are most likely missing the zlib development files (usually distributed in a separate package unless you install from source).

Regards
Henrik
Re: [squid-users] Re: Unable to forward this request at this time
On Wednesday 09 July 2003 01.55, Norman Zhang wrote:

> I set miss_access allow all, but problem still persists. Do you
> have further suggestions. BTW, should I be prompted for the
> username and password as I had set
>
> acl password proxy_auth REQUIRED

You also need to use this in http_access.

> But I got the "Unable to forward this request at this time." as
> soon as I hit on any page.

The only two directives which can give this error are

miss_access
never_direct

The default of both are suitable for most setups. You should not set these directives in squid.conf at all unless you have a clear reason why to, as these are not about access control but how Squid may forward allowed requests to/from your peer caches.

So make sure you don't have any of these in your squid.conf anywhere and then restart squid.

If you still have problems, please post your squid.conf (without the comments).

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
[squid-users] Re: Squid is Overperforming ;)
On Wednesday 09 July 2003 05.39, Chijioke Kalu wrote:

> Hi Henrik,
>
> Previously when i use squid, it seems just fine, it caches and
> browsing seems to be ok, but recently I activated delay pools for
> the same network, and ever since then, my browsing is extremely
> fast, overthrottling I might add.

Probably because the delay pool throttles the most heavy bandwidth users, allowing for more bandwidth for surfing for all others.

Regards
Henrik
[squid-users] Squid Help
Hello All,

Can anyone help me out w.r.t Squid. My job what has to be done is to insert a Resize Module inside squid. This resize module will catch the data coming from internet & changes the values of all the html tags present in it & sends back the resized data back to the squid. Main objective is to display the browser in the PDA w.r.t its resolution.

Now, I have inserted my module & since I will not be knowing in prior abt the no. of bytes of data coming from net (i.e., it's a stream of bytes) I will be using very big amount of buffers, some are static & some are dynamic. After inserting this module into squid, I have a lot of memory problems.

My module is being inserted in "comm.c" file & inside the function

"void comm_write(int fd, const char *buf, int size, CWCB * handler, void *handler_data, FREE * free_func)".

Can anyone please let me know whether I can modify the squid code so that resizing can be done & also b'cos of the delay caused by my resizing module timeout in squid is occurring.

Thanks in advance. Please anyone help me out.

Regards,
Pooja Prakash
[squid-users] Re: what library is libz.so ?
Dear Henrik

I did install zlib package into my server.

However, when I run Webalizer, I always faced same error message.

$./webalizer
ld.so.1: ./webalizer: fatal: libz.so: open failed: No such file or directory
Killed

Actually, during making the package, that file seems not to be found. Why?

Anyway, do you know which analyse tool is the best for Squid?

**
Li Wei
^-^ HAVE A GOOD DAY ^-^
JFTT
E-mail: [EMAIL PROTECTED]
**
[squid-users] Squid is Overperforming ;)
Hi Henrik,

Previously when I use squid, it seems just fine, it caches and browsing seems to be ok, but recently I activated delay pools for the same network, and ever since then, my browsing is extremely fast, overthrottling I might add.

Am just curious, is this the work of delay pools, cause I intend to experiment with it more?

acl cafenet160kusers src blah.blah.blah.blah/255.255.255.0
delay_pools 1
delay_class 1 3
delay_access 1 allow cafenet160kusers
delay_access 1 deny all
delay_parameters 1 17920/17920 -1/-1 600/17920

and I know my network has not been upgraded in any other way, like bandwidth increase, etc.

Thanks
K
[squid-users] Re: Unable to forward this request at this time
Hi Henrik,

>>>> * Unable to forward this request at this time.
>>>
>>> This message is only seen if you are using never_direct.
>>
>> But default setting for squid.conf never_direct is none. I haven't
>> touched those fancy options yet 8)
>
> miss_access is also related to this option.

I set miss_access allow all, but problem still persists. Do you have further suggestions. BTW, should I be prompted for the username and password as I had set

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl password proxy_auth REQUIRED

But I got the "Unable to forward this request at this time." as soon as I hit on any page.

Regards,
Norman
Re: [squid-users] Issues with Windows Update (transparent proxy + squid guard + seperate squid box)
On Tuesday 08 July 2003 23.03, Nick Pappas wrote:

> So the goal at the moment is to find a way to transparently make
> https traffic go in and out of the squid box (from the NAT box).

See advanced routing.

Hint: You don't nat either of http or https on the "NAT" gateway, just route them.
[squid-users] Issues with Windows Update (transparent proxy + squid guard + seperate squid box)
Hello,

I've spent the past two weeks searching through the archives and the web for possible solutions to our issue with no solution yet. Here's a brief description and setup:

We have a 10.10.1.0/24 subnet. All internet traffic passes through a NAT box before going out to the Internet. On that NAT box, we have a mangle rule (iptables) to send tcp80 traffic to the squid box, which is setup correctly to act transparently. It is 2.5.STABLE3. In addition, SquidGuard-1.2.0 is used for content filtering using the squid redirector interface.

The strange part is that in purely transparent mode, Windows Update (and some other sites that use https with http) fails; though if we set the browser settings manually to use the proxy, it works like a charm! I have never seen this before. I have tried adding extension_methods (listed in numerous replies here), no cache directives, and I've even spent some time trying to see if I can get squid to at least just pass traffic for 443.

I could be entirely wrong, but I get the feeling the issue is from the requests coming out on two different boxes (the http and the https following that). Unfortunately, I have been largely unsuccessful in finding a way to just forward ssl traffic (I don't care to police or cache it) out the same way that the http traffic is handled (mangle to the squid box).

Right now we're using a hack-like solution, which is having the NAT box not send traffic to Windows Update IP's through squid, but this is far from ideal since those IP's are ever changing and caching updates would save a great amount of bandwidth.

So the goal at the moment is to find a way to transparently make https traffic go in and out of the squid box (from the NAT box).

Thanks for your time; I look forward to trying some new solutions.

Sincerely,
Nick Pappas
The Keyes Company
Re: [squid-users] getting dhcpd client-hostname (or other name) in access log
Yes, the external_acl_type appears to work nicely. I wrote a small C prog that gets the client hostname & mac address using the dhcpctl api provided with the isc dhcp server. I should have looked more closely at the squid.conf before posting.

Thanks!

> You can't query DHCP who an IP address belongs to using standard
> protocols, but real DHCP servers supports automatic DNS updates these
> days to keep DNS data in synch with DHCP updates..
>
> There is also the option (for Windows networks) to use Microsoft DNS
> with a WINS fallback which works to some level..
>
> However, if you find a way to query the user name (including looking
> directly into the dhcpd database of IP addresses) or equivalent based
> on the source IP address then you can easily plug this into Squid via
> an external acl returning the information as user name (see
> external_acl_type).
>
> Regards
> Henrik
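
An added example, not code from the post or from Squid: a minimal external_acl_type helper in Python that answers Squid's %SRC lookups from an ISC dhcpd.leases file rather than through the dhcpctl API the poster used. The lease sample, the helper name and its path are assumptions; because client-hostname is supplied by the DHCP client, the helper refuses names that could inject extra keywords into the reply line and falls back to the MAC address.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper: source IP -> DHCP client name.

Hypothetical squid.conf wiring (name and path are assumptions):
    external_acl_type dhcpname %SRC /usr/local/bin/dhcp_name.py /var/db/dhcpd.leases
"""
import re
import sys

# Constructed sample in dhcpd.leases layout. The file is an append-only log,
# so a later record for the same address supersedes an earlier one.
SAMPLE_LEASES = '''
lease 10.10.1.23 {
  starts 2 2003/07/08 10:00:00;
  binding state active;
  hardware ethernet 00:00:5e:00:53:01;
  client-hostname "old-laptop";
}
lease 10.10.1.23 {
  starts 2 2003/07/08 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:02;
  client-hostname "frontdesk-pc";
}
lease 10.10.1.40 {
  binding state active;
  hardware ethernet 00:00:5e:00:53:03;
  client-hostname "kiosk user=admin";
}
lease 10.10.1.50 {
  binding state active;
  hardware ethernet 00:00:5e:00:53:04;
}
'''

# Simplification: assumes lease bodies contain no nested { } blocks.
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')
MAC_RE = re.compile(r'hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;')
# Anchored at line start so "next binding state" is not picked up.
STATE_RE = re.compile(r'^\s*binding\s+state\s+(\w+)\s*;', re.M)
# Only plain host labels may be echoed back to Squid.
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]{0,62}')


def load_leases(text):
    """Return {ip: (hostname or None, mac or None)} for active leases."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        if state and state.group(1) != "active":
            leases.pop(ip, None)          # a newer record ended this lease
            continue
        host = HOST_RE.search(body)
        mac = MAC_RE.search(body)
        leases[ip] = (host.group(1) if host else None,
                      mac.group(1).lower() if mac else None)
    return leases


def answer(line, leases):
    """Build the one-line helper reply for one request line from Squid."""
    fields = line.split()
    if not fields:
        return "ERR"
    host, mac = leases.get(fields[0], (None, None))
    # The reply is whitespace-delimited key=value pairs, so a hostname such
    # as 'kiosk user=admin' must never be copied into it verbatim.
    if host and SAFE_NAME.fullmatch(host):
        return "OK user=" + host
    if mac:
        return "OK user=" + mac
    return "ERR"                          # unknown address: ACL does not match


def serve(stream_in, stream_out, leases):
    """Answer requests until Squid closes the pipe; flush after every reply."""
    for line in stream_in:
        stream_out.write(answer(line, leases) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            table = load_leases(fh.read())
    else:
        table = load_leases(SAMPLE_LEASES)  # demo data when no path is given
    serve(sys.stdin, sys.stdout, table)
```

The name returned this way is suitable for labelling access.log entries; it is not proof of identity, since any DHCP client can claim any hostname.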
RE: [squid-users] Page loading issues
Well I was able to resolve the problem it seems that the google toolbar was causing it to hang up, the access.log was showing multiple deny's to an address space owned by google even though I was on a completely different website. I uninstalled it this morning and I haven't had any page hangs happen since (usually I would have a few by now). Thanks for your help on letting me know that the behavior with the cache.log is normal.

Jeremy Broadway
Network Administrator
[EMAIL PROTECTED]
Office: 734-727-3151
Cell: 734-216-9359

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:56 PM
To: Jeremy Broadway; [EMAIL PROTECTED]
Subject: Re: [squid-users] Page loading issues

On Monday 07 July 2003 18.57, Jeremy Broadway wrote:

> 2003/07/07 12:46:33| The request GET
> http://www.google.com/webhp?hl=en&edition=usa&q= is DENIED, because
> it matched 'AuthorizedUsers'

This is normal and should correlate to a TCP_DENIED/407 entry in cache.log.

> 2003/07/07 12:46:33| The request GET
> http://www.google.com/webhp?hl=en&edition=usa&q= is ALLOWED, because
> it matched 'AuthorizedUsers'

The same request as above but after successful authentication.

Regards
Henrik
Re: [squid-users] Your opinions on setup
Tue 2003-07-08 at 18.33, glen hyland wrote:

> So far I have not been able to get it
> to work. Now I ask for your help, in deciding what
> would be the best way to get different access levels,
> and figuring out what would be the best
> authentication.

If your boss wants NTLM then give it a try. See the Squid FAQ entry on using Squid with winbind.

> Would LDAP be able to accomplish
> that.

Everything but NTLM.

> What would be the best way to handle this?
> running two squids and two DG's, using an ldap
> server??

As you only need one DG policy (restricted access) you in theory only need one Squid. DG works as a proxy IIRC, and you should be able to select via cache_peer_access/always_direct/never_direct who is sent to DG and who is allowed to bypass the filter.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions is only answered for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
RE: [squid-users] credentialsttl
Tue 2003-07-08 at 17.12, Adam Aube wrote:

> However, I have noticed there is a credentialsttl for basic auth, and
> there is also an authenticate_ttl that applies to all auth types.
> Perhaps Henrik can shed some light on the differences between the two.

authenticate_ttl does not provide any meaningful functionality outside the internal guts of Squid. All you need to remember is to make sure authenticate_ttl is bigger than any of the other user related ttl values (mainly authenticate_ip_ttl and basic credentialsttl).

Regards
Henrik
Re: [squid-users] credentialsttl
Tue 2003-07-08 at 14.07, Alejandro Javier Pomeraniec wrote:

> I am using squid_ldap_auth helper to authenticate.
>
> I need squid to query the helper again to any user that has been inactive for a
> period of time, let's say 20 minutes.

You can set Squid to query the helper let's say every 20 minutes via the credentialsttl parameter. However, note that this has nothing to do with the interaction between the user and Squid or how often the user needs to log in. All this controls is how long Squid may assume the password of the user has not changed.

If you want the user to have to login again after a certain period of inactivity then this has to be configured within the browser. The browser logs in to Squid on each and every request and the only reason why the user does not have to login all the time is because the browser remembers the login+password and automatically sends the same login+password on future requests to the proxy.

If you want the user to have to login again after 20 minutes of inactivity then you have to make the browser forget the user's login after 20 minutes of inactivity, there is nothing the proxy can do about this.

Regards
Henrik
[squid-users] Your opinions on setup
Hello,

I have been trying to figure out the best authentication to use with DG and squid. Here is the scenario. My boss wants NTLM authentication, with different policies for different users. Like one for teacher (for all access), and one for student (with limited access). So far I have not been able to get it to work.

Now I ask for your help, in deciding what would be the best way to get different access levels, and figuring out what would be the best authentication. Would LDAP be able to accomplish that. What would be the best way to handle this? running two squids and two DG's, using an ldap server??

Any comments or working solutions would be grateful!

Thanks
Glen
[squid-users] Performance and tuning on Sparc with Solaris
Hi folks,

I'm going to implement squid on a SUN E450 with Solaris 9. The machine has 4 x 450MHz processors and 4GB RAM. The expected load will be around 300 req/s at peak and will probably increase over time.

So the question is how to tune E450/Solaris/squid to achieve maximum performance. Obvious things like different disks on different controllers for different cache_dirs are clear.

As squid can't take advantage of multiple processors I'm thinking of running several instances of squid bound to different processor to share the load. Is there anybody out there running a similar setup who could give comments or recommendations?

Thanks,
Frank
RE: [squid-users] Many TCP_DENIED with NTLM auth
> I'm using the wb_ntlmauth helper, and I've noticed in my access.log there
> will often be two TCP_DENIED requests for an object with no user
> information, then a successful TCP request for the same object, this time
> with the user information.

Now I feel extremely foolish. Google hit a thread on the mailing list from Feb 7, 2003, and the site for the Squid NTLM authentication project. Both hits indicated this was a normal behavior.

That is odd, though - I searched for "ntlm TCP_DENIED" in the Squid archive search and got no hits, but searched for "squid ntlm TCP_DENIED" on Google and hit in the Squid archives. Are there problems with the Squid mailing list archive search tool?

Adam

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001
[squid-users] Many TCP_DENIED with NTLM auth
I'm using the wb_ntlmauth helper, and I've noticed in my access.log there will often be two TCP_DENIED requests for an object with no user information, then a successful TCP request for the same object, this time with the user information.

Example:

1057675581.034 19 192.168.127.100 TCP_DENIED/407 1454 GET http://www.google.com/ - NONE/- text/html
1057675581.044 2 192.168.127.100 TCP_DENIED/407 1470 GET http://www.google.com/ - NONE/- text/html
1057675581.181 136 192.168.127.100 TCP_MISS/200 1601 GET http://www.google.com/ [domain]\[user] DIRECT/216.239.37.99 text/html

Note that the user never sees any error message in the browser; the page loads perfectly.

Is this normal? Is there anything I can do to reduce the occurrence of this?

Adam
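
An added example (not part of the original thread, and not Squid code): a Python pass over native-format access.log lines that separates the TCP_DENIED/407 entries belonging to a completed NTLM challenge/response from 407s that are never followed by an authenticated request for the same object. The sample lines, the EXAMPLE\alice user name and the 5-second window are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in Squid's native access.log layout. The first three
# lines mirror the excerpt in the post; the last two are invented to show a
# client that is challenged but never completes authentication.
SAMPLE_LOG = """\
1057675581.034     19 192.168.127.100 TCP_DENIED/407 1454 GET http://www.google.com/ - NONE/- text/html
1057675581.044      2 192.168.127.100 TCP_DENIED/407 1470 GET http://www.google.com/ - NONE/- text/html
1057675581.181    136 192.168.127.100 TCP_MISS/200 1601 GET http://www.google.com/ EXAMPLE\\alice DIRECT/216.239.37.99 text/html
1057675590.500      3 192.168.127.101 TCP_DENIED/407 1454 GET http://www.example.com/ - NONE/- text/html
1057675590.900      2 192.168.127.101 TCP_DENIED/407 1470 GET http://www.example.com/ - NONE/- text/html
"""


class Entry(NamedTuple):
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str
    user: str


def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        code, status = fields[3].split("/", 1)
        return Entry(float(fields[0]), fields[2], code, int(status),
                     fields[5], fields[6], fields[7])
    except ValueError:
        return None


def classify_407s(lines, window=5.0):
    """Split TCP_DENIED/407 entries into (handshake, unresolved).

    A 407 counts as handshake traffic when the same client requests the same
    method and URL with a user name, and is not denied, within `window`
    seconds. Everything else is unresolved and worth a look: a client that
    cannot do proxy auth, wrong credentials, or unattended software.
    """
    pending = defaultdict(list)   # (client, method, url) -> waiting 407s
    handshake, unresolved = [], []
    for entry in filter(None, map(parse_line, lines)):
        key = (entry.client, entry.method, entry.url)
        fresh = []
        for old in pending[key]:  # age out challenges nobody answered
            (fresh if entry.ts - old.ts <= window else unresolved).append(old)
        pending[key] = fresh
        if entry.code == "TCP_DENIED" and entry.status == 407:
            pending[key].append(entry)
        elif entry.user != "-" and entry.code != "TCP_DENIED":
            handshake.extend(pending.pop(key))
    for leftovers in pending.values():
        unresolved.extend(leftovers)
    return handshake, unresolved


def unresolved_by_client(lines, window=5.0):
    """Count unanswered 407 challenges per client address."""
    counts = defaultdict(int)
    for entry in classify_407s(lines, window)[1]:
        counts[entry.client] += 1
    return dict(counts)


if __name__ == "__main__":
    done, open_ = classify_407s(SAMPLE_LOG.splitlines())
    print("handshake 407s:", len(done))
    print("unresolved 407s by client:",
          unresolved_by_client(SAMPLE_LOG.splitlines()))
```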
RE: [squid-users] credentialsttl
> I need squid to query the helper again to any user that has been
> inactive for a period of time, let's say 20 minutes.

As Henrik has already noted:

1) credentialsttl will make Squid re-verify the user's credentials with the auth helper at a given interval.

2) credentialsttl will NOT make the user have to re-authenticate in their browser.

However, I have noticed there is a credentialsttl for basic auth, and there is also an authenticate_ttl that applies to all auth types. Perhaps Henrik can shed some light on the differences between the two.

Adam
Re: [squid-users] credentialsttl
Hi!

I am using squid_ldap_auth helper to authenticate.

I need squid to query the helper again to any user that has been inactive for a period of time, let's say 20 minutes.

Thanks!!

On 08 Jul 2003 14:25:56 +0200 Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

> Tue 2003-07-08 at 14.07, Adam Aube wrote:
>
> > I notice that it's only listed for basic auth; does it also work with NTLM
> > auth?
>
> NTLM auth works very differently, and the helpers need to be queried a
> lot compared to basic. Basically there is two helper queries per client
> TCP connection.
>
> The closest similar parameter of NTLM auth is the max_challenge_reuses
> and max_challenge_lifetime parameters, but again, these are very
> different from the basic auth credentialsttl parameter. Also, these
> parameters are merely a bandaid to lessen the impact of a slight design
> problem in the current Squid NTLM implementation and may go away in a
> later Squid release.
>
> Regards
> Henrik
Re: Res: RE: [squid-users] --> Simple question about authentication
Tue 2003-07-08 at 14.43, Alex Carlos Braga Antão wrote:

> Thanks, Adam,
> The problem with external_acls is that I also use NTLM auth, and
> external_acl is good if I have just one auth scheme.

external_acl_type does not care how many auth schemes you have, and several of the helpers handle both domain\user and user as login name if asked to.

Regards
Henrik
Re: [squid-users] --> Daily Snapshot and Patches
Tue 2003-07-08 at 14.23, Alex Carlos Braga Antão wrote:

> Hello,
> Let me ask you something:
> Does the daily snapshots of squid has the patches already applied

Yes, and may also contain some other changes not yet published as a patch.

> If I download it and install the last version, do I have to apply that
> patches ???

No. But it is recommended you spend some time on reading the list of patches to determine if you really need any of these patches or if the latest STABLE release is sufficient for you. The latest snapshot is not always the best.

Notice: In the same document you can also find a short list of known issues for which there is not yet an official patch available.

Regards
Henrik
Res: RE: [squid-users] --> Simple question about authentication
Thanks, Adam,

The problem with external_acls is that I also use NTLM auth, and external_acl is good if I have just one auth scheme. My squid first authenticate by NTLM and if the browser does not accepts NTLM (everything else but IE), it authenticates with BASIC by LDAP.

For the group I can easily make a filter to ldap_auth to return just users for a specific group. I already have this filter here...

Thanks...

Alex C. B. Antão
Systems and Support Analyst
ICQ: 5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de

A "good" landing is one you walk away from. A "great" landing is one after which you can use the plane again.

---Original message---
From: Adam Aube
Date: Tuesday, July 08, 2003 09:31:05
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] --> Simple question about authentication

> If I change the FULANOS acl to
> acl FULANOS proxy_auth REQUIRED
> What will gonna happen ? Squid will allow access to anyone it can
> authenticate by LDAP ? regardless of my user list on SQUID?

Correct. REQUIRED will match any user Squid can successfully authenticate.

There is an external_acl LDAP group helper - you could use that to verify that your LDAP users are members of a specific group, and base authentication on that. I've never used the group helpers, so I can't give you any configuration info, but you should be able to find it easily on the list archive (search for "LDAP auth").

Adam
Re: [squid-users] --> Simple question about authentication
Tue 2003-07-08 at 13.33, Alex Carlos Braga Antão wrote:

> acl FULANOS proxy_auth REQUIRED
> What will gonna happen ? Squid will allow access to anyone it can
> authenticate by LDAP?

Yes. REQUIRED matches any user who can successfully authenticate himself.

Regards
Henrik
RE: [squid-users] credentialsttl
Tue 2003-07-08 at 14.07, Adam Aube wrote:

> I notice that it's only listed for basic auth; does it also work with NTLM
> auth?

NTLM auth works very differently, and the helpers need to be queried a lot compared to basic. Basically there is two helper queries per client TCP connection.

The closest similar parameter of NTLM auth is the max_challenge_reuses and max_challenge_lifetime parameters, but again, these are very different from the basic auth credentialsttl parameter. Also, these parameters are merely a bandaid to lessen the impact of a slight design problem in the current Squid NTLM implementation and may go away in a later Squid release.

Regards
Henrik
Re: [squid-users] --> Daily Snapshot and Patches
On Tuesday 08 July 2003 14:23, Alex Carlos Braga Antão wrote:

Hi Alex,

> Hello,
> Let me ask you something:
> Does the daily snapshots of squid has the patches already applied
> If I download it and install the last version, do I have to apply that
> patches ???

well, for sure they are already applied. If not, a daily-snapshot makes no sense ;)

ciao, Marc
RE: [squid-users] --> Simple question about authentication
> If I change the FULANOS acl to
> acl FULANOS proxy_auth REQUIRED
> What will gonna happen ? Squid will allow access to anyone it can
> authenticate by LDAP ? regardless of my user list on SQUID?

Correct. REQUIRED will match any user Squid can successfully authenticate.

There is an external_acl LDAP group helper - you could use that to verify that your LDAP users are members of a specific group, and base authentication on that. I've never used the group helpers, so I can't give you any configuration info, but you should be able to find it easily on the list archive (search for "LDAP auth").

Adam
[squid-users] --> Daily Snapshot and Patches
Hello,

Let me ask you something:

Does the daily snapshots of squid has the patches already applied

If I download it and install the last version, do I have to apply that patches ???

Thanks

Alex C. B. Antão
Re: [squid-users] more on FD errors
Tue 2003-07-08 at 13.37, J.D. Bronson wrote:

> 2003/07/08 05:31:53| comm_accept: FD 16: (130) Software caused connection abort
> 2003/07/08 05:31:53| httpAccept: FD 16: accept failure: (130) Software
> caused connection abort

It is not 100% clear to me when these errors are seen, but my theory is that these errors are seen if a client aborts the TCP connection before it has been accepted by Squid.

Regards
Henrik
RE: [squid-users] credentialsttl
>> Depends on what you mean by "expire". The credentialsttl setting
>> will make Squid force the user to reauthenticate after a set time
>> period.

> Sorry, but this is not at all what credentialsttl does.

> credentialsttl will make Squid requery the authentication helper after
> a set time period (default 2 hours).

I clearly misunderstood the description in the default config file.

I notice that it's only listed for basic auth; does it also work with NTLM auth?

Adam
[squid-users] more on FD errors
2003/07/08 05:31:53| comm_accept: FD 16: (130) Software caused connection abort
2003/07/08 05:31:53| httpAccept: FD 16: accept failure: (130) Software caused connection abort
2003/07/08 05:33:26| comm_accept: FD 16: (130) Software caused connection abort
2003/07/08 05:33:26| httpAccept: FD 16: accept failure: (130) Software caused connection abort

Ok..before all I ever had seen were the SSL "FD" errors...now I am seeing this!

I am sure that I have plenty of file descriptors and especially at this time in the morning..the squid box is virtually quiet.

Is there anyway to get further information on these errors and how to fix them once and for all?

--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.314.8282
[squid-users] --> Simple question about authentication
Hello,

I'd just like to answer a simple question.

My squid authenticates by LDAP on AD. I also have an user list of those who may access the proxy, like:

http_access allow FULANOS SITES

The FULANOS list is like the following:

DOMAIN\FULANO1
DOMAIN\FULANO2
DOMAIN\FULANO3

The FULANOS acl is like:

acl FULANOS proxy_auth FULANOS_FILE

Now the question: If I change the FULANOS acl to:

acl FULANOS proxy_auth REQUIRED

What will gonna happen ? Squid will allow access to anyone it can authenticate by LDAP ? regardless of my user list on SQUID (since it will not be using anymore)

So, if someone is added to my LDAP, he will have instant access to squid, isn't it ?

Thanks...

Alex C. B. Antão
Re: [squid-users] Trying to select appropiate outgoing interface depending on src ip
On Tuesday 08 July 2003 11:48 am, Yusuf Goolamabbas wrote:

> > Surely you should be using $ADSL_IP or $ETH_2 as the source address for
> > outbound website requests?
>
> I assume that SNAT will take care of this, In any case. I did change it
> to $ADSL_IP and $ETH_2 respectively and the same issue occurs

Can you put a sniffer such as ethereal on the external interface and see:

a) whether any packets are leaving the box at all
b) what source / destination addresses they have
c) whether you see any replies

?

Antony.

--
Having been asked to provide a reference for this man, I can confidently state that you will be very lucky indeed if you can get him to work for you.
Re: [squid-users] Trying to select appropriate outgoing interface depending on src ip
> Surely you should be using $ADSL_IP or $ETH_2 as the source address for > outbound website requests? I assume that SNAT will take care of this, In any case. I did change it to $ADSL_IP and $ETH_2 respectively and the same issue occurs -- Yusuf Goolamabbas [EMAIL PROTECTED]
[squid-users] Trying to select appropriate outgoing interface depending on src ip
Hi, I have the following configuration on my NAT box:
eth0 to an internal private network consisting of 2 subnets, 192.168.2.0/24 and 192.168.3.0/24. The NAT box has the .1 address in both subnets and is the gateway for everybody.
eth1 is connected to an ADSL modem, from which I obtain an $ADSL_IP via ppp.
eth2 is connected to a routable Ethernet interface, $ETH_2.
Using policy routing/netfilter I am able to SNAT 192.168.2.0/24 to ADSL_IP via eth1 and 192.168.3.0/24 to $ETH_2. I have squid set up to listen on 192.168.2.1 and 192.168.3.1 on the NAT box. I thought I could use tcp_outgoing_address to do this:
    acl net_1 src 192.168.2.0/255.255.255.0
    acl net_2 src 192.168.3.0/255.255.255.0
    tcp_outgoing_address 192.168.2.1 net_1
    tcp_outgoing_address 192.168.3.1 net_2
However, my clients on neither 192.168.2.0/24 nor 192.168.3.0/24 are able to reach any website with these lines in the config file. If I remove the tcp_outgoing_address lines, then I am able to reach websites via squid. Any insights would be appreciated. Thanks, Yusuf
Re: [squid-users] Client Socket Buffer leak?
On Tue 2003-07-08 at 10.56, Brian wrote: > Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer > each time it denies a request through reply_body_max_size ? Are these objects with a known object size (denied up front) or denials of objects with unknown size (denied when reaching the set size)? > The CSBs were growing out of control on one of our newer accelerators, > which was odd, since the binary was directly copied from a working > install. The major difference is the new one is blocking quite a few > large requests. I would recommend registering a bug report. If you see the memory allocated for buffers grow out of control then there almost certainly is a leak of these. Regards Henrik -- Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions are only answered for a fee or as part of a commercial Squid support contract. If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
Re: [squid-users] Client Socket Buffer leak?
Brian wrote: > > Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer > each time it denies a request through reply_body_max_size ? How do you observe this ? Which command/tool ? > > The CSBs were growing out of control on one of our newer accelerators, > which was odd, since the binary was directly copied from a working > install. The major difference is the new one is blocking quite a few > large requests. > Could the issue be os related ? Which platform/os/version are you using ? M. -- 'Love is truth without any future. (M.E. 1997)
RE: [squid-users] Improve performance in squid
Please be a little more specific. How much traffic through squid, what internet connection, how many req/sec, ... , what kind of hard drive(s)? In general, I would recommend more and faster disks (not more partitions), if useful smaller cacheable dirs ... Hermann > -Original Message- > From: Adaíl Oliveira [mailto:[EMAIL PROTECTED] > Sent: Monday, July 07, 2003 4:27 PM > To: 'Hermann Strassner' > Subject: RE: [squid-users] Improve performance in squid > > > The squid is a little slow. > > -Original Message- > From: Hermann Strassner [mailto:[EMAIL PROTECTED] > Sent: Monday, 7 July 2003 15:25 > To: Adaíl Oliveira > Cc: Squid Mailinglist > Subject: RE: [squid-users] Improve performance in squid > > > Where do you have performance problems? > > > -Original Message- > > From: Adaíl Oliveira [mailto:[EMAIL PROTECTED] > > Sent: Monday, July 07, 2003 4:20 PM > > To: [EMAIL PROTECTED] > > Subject: [squid-users] Improve performance in squid > > > > > > Hi, > > I have a Dell Server with 4 GB ram + intel III 1 > > GHz dual processor machine. I have a cache dir of 17 Gb for squid. Any > > suggestions how to improve performance in squid? > > > > Thanks > > > > A.O > > > > > >
[squid-users] Client Socket Buffer leak?
Can anyone confirm that squid-2.5STABLE3 leaks a Client Socket Buffer each time it denies a request through reply_body_max_size ? The CSBs were growing out of control on one of our newer accelerators, which was odd, since the binary was directly copied from a working install. The major difference is the new one is blocking quite a few large requests. -- Brian
Re: [squid-users] what library is libz.so ?
On Tuesday 08 July 2003 10.33, Li Wei wrote: > I intend to install Webalizer for analyzing its log file. > > But it warned me that libz.so was not found when installation. > I checked its requirements, and believe all of them was installed. > > What is it? Who know? libz is the library of zlib http://www.gzip.org/zlib/ Regards Henrik
Re: [squid-users] what library is libz.so ?
Li Wei wrote: > > I intend to install Webalizer for analyzing its log file. > > But it warned me that libz.so was not found when installation. > I checked its requirements, and believe all of them was installed. > > What is it? Who know? zlib compression and decompression library Which os/platform/version are you using ? Any way, you will apparently need this lib installed. M. > > ** > Li Wei ^-^ HAVE A GOOD DAY ^-^ > JFTT > E-mail: [EMAIL PROTECTED] > ** -- 'Love is truth without any future. (M.E. 1997)
Re: [squid-users] Squid proxying okay but not really cacheing?
On Tuesday 08 July 2003 10.20, Antony Stone wrote: > 1. Can I get any statistics out of squid to tell me what size cache > it's using, how full it is, and how quickly it's churning the > entries? Yes, via the cachemgr interface. > 2. Is there anything else I should be changing in the squid.conf > file to get good cacheing as well as proxying? Make sure that your cache size is sufficiently large to fit the content you want to cache. The default setting is just 100MB. Regards Henrik
Re: [squid-users] Squid proxying okay but not really cacheing?
Antony Stone wrote: > > Hi. > > I've just set up a squid system (2.5stable3) under Linux, and I've changed > only the access control setting in the squid.conf file, to allow me access. > It's working fine, and passing requests and pages through nicely. > > However, I can't really see that it's doing much cacheing, when I would > expect it to. So far I'm the only user, testing the system, and I'm using a > website mapping application which walks through every page on a website, > following all the local links, as a way of generating some traffic through > squid. > > I'm visiting a couple of sites which have nearly all static content, so it > should be cacheable okay. > > The first time I run the app, and I watch squid's access.log output, I see > lots of TCP_MISS entries, with the access going DIRECT to fetch the webpage > from the server. > > But it looks pretty much the same the second time I do the same thing - I get > very few TCP_HIT, TCP_IMS_HIT or TCP_MEM_HIT entries, and my inbound traffic > to the squid server is pretty much as high as it was the first time round. > > I have two questions, which I can't find in the FAQ: > > 1. Can I get any statistics out of squid to tell me what size cache it's > using, how full it is, and how quickly it's churning the entries? Use squid's cachemgr interface to obtain various stats/info about the cache. > > 2. Is there anything else I should be changing in the squid.conf file to get > good cacheing as well as proxying? > Not really, 'refresh_pattern' is related , though read the comment in squid.conf.default completely before tweaking this parameter. You can also use : http://www.ircache.net/cgi-bin/cacheability.py as a 'tool' to verify cacheability stats for objects returned by webservers. M.
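Alongside cachemgr, the TCP_MISS / TCP_HIT / TCP_IMS_HIT / TCP_MEM_HIT codes mentioned in this thread can be counted straight from access.log. The script below is an added example, not part of the original messages or of Squid itself; it assumes the native access.log format, and its sample lines and hostnames are constructed.

```python
"""Cache effectiveness summary from Squid native-format access.log lines."""
from collections import Counter

# Constructed sample: the same three URLs requested twice through the proxy.
SAMPLE_LOG = """\
1057652401.102    312 192.168.2.10 TCP_MISS/200 8421 GET http://static.example/index.html - DIRECT/192.0.2.80 text/html
1057652401.655    140 192.168.2.10 TCP_MISS/200 15320 GET http://static.example/logo.png - DIRECT/192.0.2.80 image/png
1057652402.010    205 192.168.2.10 TCP_MISS/200 2210 GET http://static.example/cgi-bin/search?q=a - DIRECT/192.0.2.80 text/html
1057652461.004      3 192.168.2.10 TCP_MEM_HIT/200 8430 GET http://static.example/index.html - NONE/- text/html
1057652461.120      5 192.168.2.10 TCP_HIT/200 15329 GET http://static.example/logo.png - NONE/- image/png
1057652461.480    198 192.168.2.10 TCP_MISS/200 2210 GET http://static.example/cgi-bin/search?q=a - DIRECT/192.0.2.80 text/html
"""


def parse_line(line):
    """Return (result_code, reply_bytes, url) or None for a malformed line."""
    fields = line.split()
    # Native format: time elapsed client code/status bytes method URL ident peer type
    if len(fields) < 10 or "/" not in fields[3] or not fields[4].isdigit():
        return None
    return fields[3].split("/", 1)[0], int(fields[4]), fields[6]


def summarise(lines):
    """Request and byte hit ratios, plus URLs that repeatedly miss."""
    total = hits = total_bytes = hit_bytes = 0
    misses, hit_urls = Counter(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        code, size, url = parsed
        total += 1
        total_bytes += size
        if "HIT" in code:      # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
            hit_bytes += size
            hit_urls.add(url)
        elif "MISS" in code:
            misses[url] += 1
    return {
        "requests": total,
        "hits": hits,
        "request_hit_ratio": hits / total if total else 0.0,
        "byte_hit_ratio": hit_bytes / total_bytes if total_bytes else 0.0,
        # Fetched more than once and never served from cache: check these
        # replies for cacheability before blaming the cache size.
        "never_cached": sorted(u for u, n in misses.items()
                               if n > 1 and u not in hit_urls),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The `never_cached` list gives the URLs to feed into a cacheability checker such as the one linked above.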
[squid-users] what library is libz.so ?
I intend to install Webalizer for analyzing its log file. But it warned me that libz.so was not found when installation. I checked its requirements, and believe all of them was installed. What is it? Who know? ** Li Wei ^-^ HAVE A GOOD DAY ^-^ JFTT E-mail: [EMAIL PROTECTED] **
[squid-users] Squid proxying okay but not really cacheing?
Hi. I've just set up a squid system (2.5stable3) under Linux, and I've changed only the access control setting in the squid.conf file, to allow me access. It's working fine, and passing requests and pages through nicely. However, I can't really see that it's doing much cacheing, when I would expect it to. So far I'm the only user, testing the system, and I'm using a website mapping application which walks through every page on a website, following all the local links, as a way of generating some traffic through squid. I'm visiting a couple of sites which have nearly all static content, so it should be cacheable okay. The first time I run the app, and I watch squid's access.log output, I see lots of TCP_MISS entries, with the access going DIRECT to fetch the webpage from the server. But it looks pretty much the same the second time I do the same thing - I get very few TCP_HIT, TCP_IMS_HIT or TCP_MEM_HIT entries, and my inbound traffic to the squid server is pretty much as high as it was the first time round. I have two questions, which I can't find in the FAQ: 1. Can I get any statistics out of squid to tell me what size cache it's using, how full it is, and how quickly it's churning the entries? 2. Is there anything else I should be changing in the squid.conf file to get good cacheing as well as proxying? Thanks, Antony. -- Programming is a Dark Art, and it will always be. The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity. They're not things you can always overcome with a "methodology" or on a schedule. - Damian Conway, Perl God
Re: [squid-users] Squid Proxy not caching DNS
On Tuesday 08 July 2003 09.25, chisholm 27 wrote: > Hi Henrik, > > Thanks. But shouldn't it be not the DNS round robin problem as it's > the nature of it ? Traversing to next page happens within seconds > once connection & authentication completed, but the Squid proxy > queried DNS again thus invoking round robin resolution. The cause is the broken web server. The DNS round robin is just what triggers the error in this broken server. The server plainly is not designed for a load balanced setup, or they have selected a load balancing method which is not suitable for their server. Pick one. > Shouldn't it be the Squid proxy not caching name long enough (not > at all here) after initial session established? There's a > restriction where I am not allowed to add host file here. Can > something be done on Squid caching ? You do not need to add it to the system's hosts file, just the hosts file used by Squid. See the hosts_file directive in squid.conf. The site owner can retune their DNS to work better with proxies by taking the following measures: 1. Make sure their DNS server only returns one IP address per DNS query 2. Set the TTL of this DNS reply very high, making it very unlikely the DNS data expires while a user actively browses the site. However, this will seriously limit the benefits of their selected load balancing method at the same time. What should be done is that the site owner either fixes their web server to share the session information between all servers in their load balanced setup, or selects another method of load balancing which keeps users on their assigned server. DNS is NOT such a method. Regards Henrik
Re: [squid-users] the problem of blocking URL
On Tuesday 08 July 2003 03.20, Li Wei wrote: > However, when my colleague was accessing > http://photo.cameraunion.net:81/phpchat/index.php3, he was rejected > by Squid. This is probably blocked by the Safe_Ports acl as the server is running on a non-standard port. Port 81 is not included in the default set of safe ports.
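The Safe_ports check described in this reply can be reproduced offline. The script below is an added example, not part of the original message or of Squid; the ACL lines are the Safe_ports entries of a stock squid.conf as assumed here (compare them with the file actually deployed), and `PATCHED_CONF` is a hypothetical variant that adds only port 81.

```python
"""Evaluate a URL's port against squid.conf 'acl Safe_ports port ...' lines."""
from urllib.parse import urlsplit

# Assumed stock Safe_ports entries; verify against the deployed squid.conf.
STOCK_CONF = """\
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
"""
# Hypothetical site-specific change: open the single port, not a whole range.
PATCHED_CONF = "acl Safe_ports port 81  # site-specific addition\n" + STOCK_CONF

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70, "wais": 210}


def conf_tokens(conf):
    """Yield the whitespace-separated tokens of each line, comments removed."""
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def parse_port_acl(conf, name="Safe_ports"):
    """Collect (low, high) port ranges from every 'acl <name> port' line."""
    ranges = []
    for tokens in conf_tokens(conf):
        if len(tokens) > 3 and tokens[:3] == ["acl", name, "port"]:
            for tok in tokens[3:]:
                low, _, high = tok.partition("-")
                ranges.append((int(low), int(high or low)))
    return ranges


def url_port(url):
    """Explicit port of the URL, else the scheme default, else None."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def denied_by_safe_ports(conf, url):
    """True when 'http_access deny !Safe_ports' would reject this URL."""
    rule = ["http_access", "deny", "!Safe_ports"]
    if rule not in list(conf_tokens(conf)):
        return False
    port = url_port(url)
    return port is None or not any(lo <= port <= hi
                                   for lo, hi in parse_port_acl(conf))


if __name__ == "__main__":
    url = "http://photo.cameraunion.net:81/phpchat/index.php3"
    print("stock  :", "DENIED" if denied_by_safe_ports(STOCK_CONF, url) else "ok")
    print("patched:", "DENIED" if denied_by_safe_ports(PATCHED_CONF, url) else "ok")
```

Adding the one port keeps the rest of the range below 1025 closed to proxied requests.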
[squid-users] Re: Squid server
On Tuesday 08 July 2003 09.22, Hussain Mohammad wrote: > Squid server version 3.0 where used to solve problem, it has been > used as proxy server. http worked fine but any https site does not > open and also an error occurred on squid server when https sites > were browsed. Squid-3.0 is still in development and not suitable for production use. Use Squid-2.5. > 2003/07/07 17:59:45| clientNegotiateSSL: Error negotiating SSL > connection on FD 25: error:1407609B:SSL > routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1) You are trying to use a https_port as proxy port. This will not work. Specify the http_port as the proxy port in your browser. Regards Henrik
Re: [squid-users] urgent squid with squidguard help
On Tuesday 08 July 2003 07.02, Vishal For You wrote: > I have tried to used squid acl for this. In fact I am currently > using acl's but for the new configuration somehow it is not working > that's why I am using squidguard to solve the problem. > > I have denied everyone in my squid.conf. If you deny everyone in squid.conf, then no one will be able to reach SquidGuard. Regards Henrik
Re: [squid-users] Squid Proxy not caching DNS
On Tuesday 08 July 2003 06.26, chisholm 27 wrote: > Hello, > > I have a problem when connecting to a destination site who are > running DNS round robin for its 3 web servers A, B & C. Upon > opening the main page for list of reports, which required user ID > & password for SSL, it prompts for login again when trying to > traverse to next page quoting credentials timed-out. Sounds like a broken web site trying to combine DNS load balancing with server side sessions without a shared session database between the servers. Such web server setups will fail in many configurations, proxies being one. As you said, this broken web server design can be worked around by adding a /etc/hosts entry for the server. Regards Henrik
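The failure described in this reply and in the later follow-up in the same thread (round-robin DNS in front of servers A, B and C that each keep their own sessions) can be modelled in a few lines. This simulation is an added example, not part of the original messages; the addresses, the cookie format and the assumption that every request lands on the next address in the rotation are constructed for illustration.

```python
"""Per-server sessions behind round-robin DNS: failure and two remedies."""
import itertools

# Constructed addresses for the three web servers named in the thread.
ADDRESSES = {"192.0.2.1": "A", "192.0.2.2": "B", "192.0.2.3": "C"}


class WebServer:
    def __init__(self, name, session_store=None):
        self.name = name
        # Own dict: sessions known to this server only. A dict passed in
        # is a session database shared by all servers.
        self.sessions = session_store if session_store is not None else {}

    def handle(self, cookie, login=None):
        """Return (status, cookie) for one request."""
        if cookie in self.sessions:
            return "200 page", cookie
        if login is not None:
            issued = f"sid-{len(self.sessions) + 1}"
            self.sessions[issued] = login[0]
            return "200 page", issued
        return "401 login again", None


def run(shared_sessions=False, pin_to=None, pages=4):
    """Log in on the first request, then fetch further pages.

    pin_to models a hosts-file entry (or a single long-TTL DNS answer);
    otherwise each request goes to the next address in the rotation.
    """
    store = {} if shared_sessions else None
    servers = {ip: WebServer(name, store) for ip, name in ADDRESSES.items()}
    rotation = itertools.cycle(ADDRESSES)
    trace, cookie = [], None
    for n in range(pages):
        ip = pin_to or next(rotation)
        login = ("alice", "constructed-password") if n == 0 else None
        status, issued = servers[ip].handle(cookie, login)
        cookie = issued or cookie
        trace.append((servers[ip].name, status))
    return trace


if __name__ == "__main__":
    print("round robin, per-server sessions:", run())
    print("pinned by hosts entry           :", run(pin_to="192.0.2.1"))
    print("round robin, shared sessions    :", run(shared_sessions=True))
```

Only the shared session store keeps both the load balancing and the logins working; pinning the name keeps logins working at the cost of the balancing.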
Re: [squid-users] Re: Unable to forward this request at this time
On Tuesday 08 July 2003 01.29, Norman Zhang wrote: > Hi, > > > On Tuesday 08 July 2003 00.47, Norman Zhang wrote: > >> * Unable to forward this request at this time. > > > > This message is only seen if you are using never_direct. > > But default setting for squid.conf never_direct is none. I haven't > touched those fancy options yet 8) miss_access is also related to this option. Regards Henrik
Re: [squid-users] Page loading issues
On Tuesday 08 July 2003 06.28, Schelstraete Bart wrote: > Henrik, > > Is this normal?? Yes, if you have enabled more detailed debug_options than the default or are using "squid -k debug". Regards Henrik