[squid-users] private networks

2003-10-31 Thread Emilio Casbas
We have one rule that filters traffic toward private addresses, but 
sometimes it fails with a gateway timeout.

1067588792.006 239048 x.x.x.x TCP_MISS/504 7219 GET 
http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588792.009  2 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588792.011  1 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588793.001 239980 x.x.x.x TCP_MISS/504 7219 GET 
http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.004  2 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.009  1 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.775  2 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.789  1 x.x.x.x TCP_DENIED/403 6796 GET 
http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588924.005 239998 x.x.x.x TCP_MISS/504 7219 GET 
http://192.168.0.1/noticias/mail/imgs/logo.gif - NONE/- text/html

How can that happen?



Thanks.

Emilio
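The log lines above can be checked mechanically. Added example, not code from the original post: a parser for Squid's native access.log layout that keeps only requests whose destination is an RFC 1918 address and groups them by result, so the 504 misses (forwarded and waited on for about 240 s) stand apart from the 403 denials (rejected within milliseconds). The private-destination lines are copied from the post; the single public-destination line is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Native Squid access.log layout: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# RFC 1918 ranges; the rule in the post is meant to stop requests to these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lines from the post (wrapped lines rejoined) plus one constructed public request.
SAMPLE_LOG = """\
1067588792.006 239048 x.x.x.x TCP_MISS/504 7219 GET http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588792.009      2 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588792.011      1 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blue.gif - NONE/- text/html
1067588793.001 239980 x.x.x.x TCP_MISS/504 7219 GET http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.004      2 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.009      1 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.775      2 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588793.789      1 x.x.x.x TCP_DENIED/403 6796 GET http://192.168.0.1/noticias/mail/imgs/blanco.gif - NONE/- text/html
1067588924.005 239998 x.x.x.x TCP_MISS/504 7219 GET http://192.168.0.1/noticias/mail/imgs/logo.gif - NONE/- text/html
1067588930.100    120 x.x.x.x TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.10 text/html
"""


def parse_line(line):
    """Split one access.log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    return rec


def is_private_destination(url):
    """True when the URL host is a literal RFC 1918 address (hostnames are not resolved)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address literal
    return any(addr in net for net in PRIVATE_NETS)


def private_destination_report(log_text):
    """Group private-destination requests by result, keeping count and worst elapsed time.

    Returns e.g. {"TCP_DENIED/403": {"count": 6, "max_elapsed_ms": 2}, ...}
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_private_destination(rec["url"]):
            continue
        key = f"{rec['code']}/{rec['status']}"
        entry = report.setdefault(key, {"count": 0, "max_elapsed_ms": 0})
        entry["count"] += 1
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed"])
    return report


if __name__ == "__main__":
    for result, stats in sorted(private_destination_report(SAMPLE_LOG).items()):
        print(f"{result}: {stats['count']} requests, slowest {stats['max_elapsed_ms']} ms")
```

A 504 on a private destination means the request was forwarded rather than denied, so the deny rule did not match it; that is the mismatch to look for.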

	






Re: [squid-users] Routing to multiple Parent proxies

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Brett Lymn wrote:

 Because it can be seen as an interruption to service - squid actually
 appears to refuse requests for a short period when it is reconfiguring;
 some users find that disturbing.

True. Squid briefly (usually 1ms or less) refuses new connections while
reading the new configuration, but it does not stop already accepted 
connections.

If you see larger disruptions of service than this then something is
wrong.

Regards
Henrik



Re: [squid-users] grc scan

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Fritz Mesedilla wrote:

 X-Forwarded-For: 192.168.247.21

 It got my private ip address. How do I hide this including the line about squid?

Look for forwarded_for in squid.conf.

Regards
Henrik



[squid-users] Squid

2003-10-31 Thread Stephen Bailey (Backbone Team)
 Hi there,
 
 I am looking for an alternative solution to the Network Appliance Web Caches C760 
 platform.
 
 Will Squid be a sufficient product for use in an ISP environment?
 
 We currently have over 120 million HTTP requests per day with a full set of 
 access-control filters.
 
 I need to give some feedback on this so as much info as possible would be great.
 
 Thanks a lot
 
 Stephen Bailey
 


[squid-users] slow Internet access using squid [Was: time based Instant Message blocking]

2003-10-31 Thread [EMAIL PROTECTED]
Hi,

How much RAM is in the machine? How fast is the disk (rotational speed
and data rate)?

The machine hardware configuration is:
RAM: 128 MB
Hard disk: 20 GB
P3 1.2 processor
How do I find out the rotational speed and data rate?

Looking at your past emails, I see that you are using UFS for the
cache_dir type. That is only recommended for a few concurrent users;
anything beyond that should be using one of the async I/O modes (aufs
or diskd - aufs being preferred on Linux). Support for aufs must be
compiled into Squid - see 'configure --help' for details.

You might also want to remove the cache_store_log setting - store.log
is generally only used for debugging, and the logging it creates puts

Adam, I've done both of your suggestions, but the access speed is
still noticeably slow. For instance,
to access google.com
with squid: 11 seconds
without squid: 3 seconds
to access msn-messenger:
with squid: 31 seconds
without squid: 6 seconds

I know that's not very concrete evidence, but it was just to
give an idea that access is very slow with squid and I'm getting
a lot of complaints from the students.

Do you require any more data?
I don't know if this is because I have misconfigured my proxy
or it's something to do with hardware/memory/cpu resources.
(This is rather urgent since college re-opens in 4 days
and I'll have more students and more complaints to deal with!)

Regards,
Manu




[squid-users] -- Squid with no cache...

2003-10-31 Thread Alex Carlos Braga Antão
Hello,
  I'm trying to configure my squid to not do cache, just proxy, but it 
seems to have a minimum size...
  I know this has already been discussed here, but I couldn't find the messages.
  So, how can I configure squid to not cache the pages, just proxy ???
Thanks...



[squid-users] wb_group and samba 3

2003-10-31 Thread Lombardo Federico
I need wb_group to work under samba 3.

Compiling it with the Samba 3 libraries gives this error:

[EMAIL PROTECTED] winbind_group]# make
source='wb_common.c' object='wb_common.o' libtool=no \
depfile='.deps/wb_common.Po' tmpdepfile='.deps/wb_common.TPo' \
depmode=gcc3 /bin/sh ../../../cfgaux/depcomp \
gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I. -I../../../include -I../.
./../include -I../../../src
-I../../../include/samba-g -O2 -Wall -c `test -f wb_common.c || echo
'./'`wb_common.c
wb_common.c: In function `init_request':
wb_common.c:68: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:78: structure has no member named `domain'
wb_common.c:78: structure has no member named `domain'
wb_common.c: In function `winbindd_send_request':
wb_common.c:334: structure has no member named `domain'
make: *** [wb_common.o] Error 1


And compiling without the Samba 3 libraries makes wb_group unable to find winbind
even if it is already started and working.


How to solve this problem ?

I need to authenticate groups of users and I don't want to use
wbinfo_group.pl


Thanks in Advance

Best Regards.


Federico


Re: [squid-users] Squid

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Stephen Bailey (Backbone Team) wrote:

 I am looking for an alternative solution to the Network Appliance Web
 Caches C760 platform.
 
 Will Squid be a sufficient product for use in an ISP environment?

Depends on the bandwidth requirements and how many proxy servers you are
prepared to have running.

 We currently have over 120 million HTTP requests per day with a full set
 of access-control filters.

This will require quite a number of Squid servers.  A realistic figure is
that one correctly set up Squid server (in terms of both hardware and
software) is capable of 300 req/s sustained peak load. It is possible to
build slightly faster boxes but only at a substantially increased hardware
cost if you want to have caching. But it can probably be built with about 
the same rack density as a solution based on netapp C760 servers.

If you are only interested in access controls and no caching then higher
rates can be achieved per box, probably as high as 1500 req/s or more with
today's hardware.

Regards
Henrik



Re: [squid-users] wb_group and samba 3

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Lombardo Federico wrote:

 I need wb_group to work under samba 3.

Won't work. wb_group is a Samba-2.X helper.

For Samba-3 you can use the wbinfo_group helper which is Samba version 
neutral.

Regards
Henrik



[squid-users] Having a freak problem

2003-10-31 Thread nikonlinux

Hi, everybody...

I'm having this freak problem...

I've set up a Linux box as Squid cache and gateway
for my network. The problem is:

 LAN: 129.12.7.0/24

 Gateway/Proxy: -- eth0: 129.12.7.1/24
   -- eth1: 129.12.7.2/24

 ADSL-Router: 129.12.7.254/24

(see: it's all in the same class C)

I'm using this Linux box as gateway just to make sure
that my clients will not change the gateway manually and
start to have access to the Internet.
In my Linux box, when I can ping my LAN I can't ping my
ADSL router, or when I can ping both of them I can't
ping or have access to www. I'd already configured 
my /etc/resolv.conf.

What's going on? Do I really need to set up a gateway
to set up a Squid cache? Don't we have another way to do
this safely?

I'm using:
   -- 2 Realtek NICs
   -- Red Hat Linux 7.1
   -- ipchains  (I've tried IPTABLES too.)


Thanks a lot!!!

Marcos Azevedo




 




[squid-users] -- Is it possible ???

2003-10-31 Thread Alex Carlos Braga Antão
Hello all,

   I'm trying to set up SQUID to work with DansGuardian here. But I have 
a little problem: my auth scheme must be NTLM, and DansGuardian does 
not support it. So I made the following scheme:

Network - SQUID1 (NTLM+BASIC) - DansGuardian - SQUID2 - Internet

  The problem with it is that on DG I cannot see who it is blocking, 
because all requests come from SQUID1. So I configured SQUID2 to do 
BASIC auth (which Dans supports), and my idea is to make SQUID1 PASS 
authentication to DansGuardian, through the tag:

cache_peer SQUID2 port 1 no-cache login=PASS

  Since I still have a problem with winbind that I'm trying to resolve, I'd 
like to know if it is possible to configure them like this, so SQUID1 
authenticates my clients and passes the authentication to Dans/SQUID2, which 
logs everything with the correct user.

Thanks...



Re: [squid-users] -- Squid with no cache...

2003-10-31 Thread Marc Elsen


Alex Carlos Braga Antão wrote:
 
 Hello,
 I'm trying to configure my squid to not do cache, just proxy, but it
 seems to have a minimum size...
 I know this has already been discussed here, but I couldn't find the messages.
 So, how can I configure squid to not cache the pages, just proxy ???
 Thanks...

 You have to configure (build) squid with the null storage device option:

   % ./configure   --enable-storeio=null,ufs ...

 After that use the following directive in squid.conf :

   cache_dir null  /null


 M.





 
-- 

 'Love is truth without any future.
 (M.E. 1997)


RE: [squid-users] time based Instant Message blocking

2003-10-31 Thread Adam Aube
 Insert a rule allowing IM access before you require authentication
in
 http_access.

 What would that look like in a squid.conf file?
 Right now, I have the following order of acl operator lines:

Your http_access list looks fine. The only reason you should be seeing
a login prompt for IM is if your restrict-im acl isn't matching right.

Try putting this in your /etc/squid/im file instead of what's there:

.msg.yahoo.com
messenger.hotmail.com

Then change restrict-im to a dstdomain acl type (and remove the -i
option). See if that helps.

Adam



Re: [squid-users] Having a freak problem

2003-10-31 Thread Marc Elsen


nikonlinux wrote:
 
 Hi, everybody...
 
 I'm having this freak problem...
 
 I've set up a Linux box as Squid cache and gateway
 for my network. The problem is:
 
  LAN: 129.12.7.0/24
 
  Gateway/Proxy: -- eth0: 129.12.7.1/24
    -- eth1: 129.12.7.2/24
 
  ADSL-Router: 129.12.7.254/24
 
 (see: it's all in the same class C)
 
 I'm using this Linux box as gateway just to make sure
 that my clients will not change the gateway manually and
 start to have access to the Internet.
 In my Linux box, when I can ping my LAN I can't ping my
 ADSL router, or when I can ping both of them I can't
 ping or have access to www. I'd already configured
 
 my /etc/resolv.conf.
 
 What's going on? Do I really need to set up a gateway
 to set up a Squid cache? Don't we have another way to do
 this safely?
 
 I'm using:
    -- 2 Realtek NICs
    -- Red Hat Linux 7.1
    -- ipchains  (I've tried IPTABLES too.)
 
 Thanks a lot!!!
 
 
 Note that squid and IP issues are unrelated.

 A squid box can be anywhere on your perimeter or Intranet network,
 provided it has adequate Internet access or alternatively uses
 parents who have it (see FAQ).

 But for your Linux box, your to-ADSL net and your Intranet LAN
 can't be on the same IP net. You must define different networks
 and use adequate routing statements.

 M.


Re: [squid-users] -- Squid with no cache...

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Alex Carlos Braga Antão wrote:

 I'm trying to configure my squid to not do cache, just proxy, but it 
 seems to have a minimum size...

Squid FAQ 4.20 Can I make Squid proxy only, without caching anything?
url:http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.20

Regards
Henrik



Re: [squid-users] Having a freak problem

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, nikonlinux wrote:

 
 Hi, everybody...
 
 I'm having this freak problem...
 
 I've set up a Linux box as Squid cache and gateway 
 for my network. The problem is:
 
  LAN: 129.12.7.0/24
 
  Gateway/Proxy: -- eth0: 129.12.7.1/24
    -- eth1: 129.12.7.2/24
 
  ADSL-Router: 129.12.7.254/24
 
 (see: it's all in the same class C)

This won't work unless you know very well what you are doing.. 
multi-homing with the same network on both sides is tricky.

I would strongly advise you to move at least one of the sides to another 
IP segment. The easiest would probably be to move the ADSL router to a 
private IP range such as 192.168.0.254/24.

If you absolutely need to have the same IP segment on both sides then see 
information on how to set up a proxy-arp gateway. This contains 
information on how to tell the server in the middle how the network is 
divided between the two LAN interfaces.

Regards
Henrik



Re: [squid-users] -- Is it possible ???

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Alex Carlos Braga Antão wrote:

 I'm trying to set up SQUID to work with DansGuardian here. But I have 
 a little problem: my auth scheme must be NTLM, and DansGuardian does 
 not support it. So I made the following scheme:
 
  cache_peer SQUID2 port 1 no-cache login=PASS

In this kind of setup you need to use the fake password method of 
forwarding the login to dansguardian.

login=*:secretpassword

then configure dansguardian with a password file having the
secretpassword as password for all users. This way the users 
authenticate to Squid, and Squid then authenticates using the same login 
name to dansguardian, but a different password.

Note: NTLM users will use the login names domainname/loginname, so you 
need to remember to create faked accounts for both loginname and 
domainname/loginname in your dansguardian password file.

Regards
Henrik
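Added example, not Squid or DansGuardian code: a small model of the fake-password forwarding Henrik describes. SQUID1 keeps the client's login name, substitutes the password from login=*:secretpassword in a Basic Proxy-Authorization header, and the downstream side accepts it only if that name is in its password file, in both the bare and the domain/login form for NTLM users. The user list is constructed, and the password file is modelled as a dict rather than DansGuardian's actual file format.

```python
import base64

# Password from the cache_peer line in the reply: login=*:secretpassword
SHARED_SECRET = "secretpassword"


def peer_proxy_authorization(login_name, secret=SHARED_SECRET):
    """Header SQUID1 sends to the parent for a client it has already authenticated.

    login=*:secret keeps the client's login name and substitutes the fixed password,
    so the downstream proxy logs the real user without ever seeing the real password.
    """
    token = base64.b64encode(f"{login_name}:{secret}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def downstream_password_entries(users, secret=SHARED_SECRET):
    """Entries the DansGuardian/SQUID2 side needs so every forwarded login succeeds.

    users: list of (domain, login). NTLM users arrive as domain/login, so both the
    bare login and the domain/login form are emitted for them, as Henrik notes.
    """
    entries = {}
    for domain, login in users:
        entries[login] = secret
        if domain:
            entries[f"{domain}/{login}"] = secret
    return entries


def downstream_authenticates(header, entries):
    """Return the login name the downstream proxy would log, or None if rejected."""
    prefix = "Proxy-Authorization: Basic "
    if not header.startswith(prefix):
        return None
    try:
        decoded = base64.b64decode(header[len(prefix):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: reject rather than guess
    login, sep, password = decoded.partition(":")
    if not sep or entries.get(login) != password:
        return None
    return login


# Constructed user list for the demo: one NTLM domain user and one Basic user.
DEMO_USERS = [("CORP", "alice"), ("", "bob")]

if __name__ == "__main__":
    entries = downstream_password_entries(DEMO_USERS)
    for name in ("CORP/alice", "alice", "bob", "mallory"):
        print(name, "->", downstream_authenticates(peer_proxy_authorization(name), entries))
```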



Re: [squid-users] wb_group and samba 3

2003-10-31 Thread Lombardo Federico
Henrik, I'm sorry to be pedantic,

but wbinfo_group is a Perl script and I have a lot of users... I'm afraid that
will slow down the authentication process, won't it?

wb_group is so far tested to be rock stable and fast; is it possible to
re-implement it to work on Samba 3?

Is there an ntlm_auth for ADS groups on the roadmap that fully implements NTLMv2
authentication with group support?

I think that the ntlm_auth that comes with Samba 3 is fast and useful, but I
must track 1000 users in an ACL regex... this is not a good thing... Also
because I need to create policies for groups of users.

What do you think if I integrate winbind with ADS win2k with PAM, and use
squid PAM authentication for groups? Is it possible?


Best Regards,

Federico






Re: [squid-users] OWA on Exchange 2003 proxy

2003-10-31 Thread Jonathan Giles
Thanks again for the help Henrik.
Answers to your questions are below.
On Thursday, October 30, 2003, at 05:57  PM, Henrik Nordstrom wrote:

 On Thu, 30 Oct 2003, Jonathan Giles wrote:

  in squid.conf in ver. 3, these are the options I have made:

  https_port 443 cert=/etc/openssl/cacert.pem
  key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
  cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
  ---
  in /etc/hosts
  ---
  10.1.16.67  owa.clinedavis.com
  ---
  and when I go to the squid server I get this...
  Bad Request (Invalid URL)

 Hmm.. you should not be seeing this error.

I am confused as well.  What does it mean?


  in access.log I get this

  1067539553.232  1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET
  https://owa.clinedavis.com/ - NONE/- text/html

 What was the first entry? This is a cache hit for an error which occurred
 earlier.

You are probably right.  These are definitely associated with the 
session:

1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET 
https://owa.clinedavis.com/exchange - 
FIRST_UP_PARENT/owa.clinedavis.com text/html

TCP_MISS means that the page wasn't in the cache, so I should just 
ignore it right?


  1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET
  https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com
  text/html

 This looks better.

  when I change the ip in etc/hosts to some other  web server, it works.

 Does the OWA server listen on 10.1.16.67 port 80?

yes.

 Note: You do not need to specify the server by name in cache_peer. Using
 IP addresses is fine here.

but the name should work right?

  In squid2  this following config works, but still has that not loading
  folders problem.

 What URL is the client asking for? For this to work the client must be
 asking for https://owa.clinedavis.com/

yup what the client is asking for is  
https://owa.clinedavis.com/exchange

 Regards
 Henrik



---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann



Re: [squid-users] wb_group and samba 3

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Lombardo Federico wrote:

 but wbinfo_group is a Perl script and I have a lot of users... I'm afraid that
 will slow down the authentication process, won't it?

Not really. The speed difference is marginal, and in both cases the
results are aggressively cached by Squid.

 wb_group is so far tested to be rock stable and fast; is it possible to
 re-implement it to work on Samba 3?

Not unless the Samba team provides such a helper.

 Is there an ntlm_auth for ADS groups on the roadmap that fully implements NTLMv2
 authentication with group support?

Yes. In fact the Samba-3 helper does so already but there are issues in 
Squid preventing it from happening.

Group support is independent of NTLMv2.

 I think that the ntlm_auth that comes with Samba 3 is fast and useful, but I
 must track 1000 users in an ACL regex... this is not a good thing... Also
 because I need to create policies for groups of users.

Use the wbinfo_group helper.

 What do you think if I integrate winbind with ADS win2k with PAM, and use
 squid PAM authentication for groups? Is it possible?

For ADS you should be using the LDAP helpers for group membership lookups 
and basic authentication.

PAM is also possible (for Basic authentication only), but generally only 
makes the setup several orders of magnitude more complex, and is only 
interesting if you really want the OS to know about all the users.

Regards
Henrik



Re: [squid-users] OWA on Exchange 2003 proxy

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Jonathan Giles wrote:

 1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET 
 https://owa.clinedavis.com/exchange - 
 FIRST_UP_PARENT/owa.clinedavis.com text/html
 
 TCP_MISS means that the page wasn't in the cache, so I should just 
 ignore it right?

Right.. but the /400 code indicates a fatal error returned by the 
contacted server.

Try specifying the OWA Server by IP address in your cache_peer directive. 
I think that your Squid for some reason is talking to itself instead of 
the owa server in this configuration.

  Note: You do not need to specify the server by name in cache_peer. Using
  IP addresses is fine here.

 but the name should work right?

Yes.

Regards
Henrik



[squid-users] cachemgr.cgi just redirects me

2003-10-31 Thread Y Jones
I tried installing the cachemgr.cgi from a stable release,
but it still just redirects me.  I've carefully read and
followed the directions in the FAQ for configuring apache.
I don't think my httpd.conf file is the problem, though,
since I get the login page.  Any ideas on things
to try would be appreciated.
Thanks.

I am running squid on port 80 and apache on port 81
like this:  http_port 80 accel vport=81
When I visit http://localhost:81/cgi-bin/cachemgr.cgi
I get
Cache Host:
Cache Port:
Manager name:
Password:
I enter localhost and 80.

When I click Continue... I am redirected to http://localhost:81/
and I don't get logged in.
I've tried setting and unsetting
   cachemgr_passwd secret all
I've tried various usernames.
cachemgr.cgi/3.0-PRE3-20031002

Thanks for your help.



[squid-users] citrix access through a pair of squid proxy servers

2003-10-31 Thread Andrew Woodland
Hi all

I have an issue where a client cannot get access to a Citrix server from
behind a pair of squid servers over port 443; the solution is using
Citrix NFuse and Citrix Secure Gateway.

The users can get access over HTTPS to the NFuse web page; however, when
they attempt to connect to the CSG server the connection seems to be
rejected and the client request states that it cannot connect to the
proxy.


I have no real knowledge of Squid or Sun Solaris so any information
would be gratefully received.



Andrew Woodland
Senior Consultant
Citrix Solutions Architect


Re: [squid-users] citrix access through a pair of squid proxy servers

2003-10-31 Thread Tim Bernhardson
I had the same problem.  My determination was that whatever Citrix is doing to tunnel 
the ICA protocol over SSL does not meet the SSL protocol specs.  I had to change the 
configuration to have the Citrix SSL connections not use any type of proxy.

Tim Bernhardson
Senior Technical Engineer
Certified Citrix Metaframe Administrator
Certified CyberGuard Administrator
Certified AIX 4.3 System Administrator
Sun-Maid Growers of California
7273 Murray Drive, Ste 18
Stockton, CA 95210

tbernhar at sunmaid dot com




Re: [squid-users] citrix access through a pair of squid proxy servers

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Andrew Woodland wrote:

 The users can get access over HTTPS to the NFuse web page; however, when
 they attempt to connect to the CSG server the connection seems to be
 rejected and the client request states that it cannot connect to the
 proxy.

See access.log

Most likely the Citrix client is not using port 443, and is denied by the 
proxy.

Regards
Henrik



[squid-users] VPN traffic through Squid

2003-10-31 Thread Eric Geater 10/30/03
I'm running Squid 2.5 and RC.Firewall on a Mandrake 9.1 box.  The
firewall denies any unrequested outside traffic, but allows anything
that IS requested from the inside.

And this is the beginning of my problem.  I have a division that may
begin using VPN connections to a vendor, and I set up the (sorry)
Microsoft Network and Dialup Connections on a Win2k Pro machine to
create a VPN client connection.  All the choices are generic, so I'm
presuming it's making a PPTP connection.

And of course, it's not connecting.  After 30 seconds, I get a No
answer; error 678 box.  I tail -30 messages on the firewall log, but
it shows no denials from eth1 or eth0.  Going to squid.conf, I added an
acl that says ACL Safe_Ports port 50-51, and did the same for 500.
1701 and 1723 are already open because of an ACL that deems everything
from 1024 up to be a safe_ports.

I tried it again, but it's still not working.  When I went to
squid-cache.org to look at the FAQ (I did this time!), on the 450k HTML
doc (http://squid-docs.sourceforge.net/latest/book-full.html) I did a
search for vpn l2tp and pptp, but could find nothing.  I don't
know if that means the subject hasn't been handled or not.

The last detail I can give you is that my Win box is sitting behind a
router that passes to another router through frame relay.  Then out of
that router I go into the other division's network, to eth1 on the Squid
box, then on to the outside world.  And I'm presuming that my VPN client
simply follows the path of my default gateway, which then should route
any non-local-network traffic out its own gateway.

Any idears?  TIA.

Eric Geater
I.T. Representative
MSCO, Inc.
731-935-8538
731-431-3742
egeater at mscoinc dot com




RE: [squid-users] VPN traffic through Squid

2003-10-31 Thread Adam Aube
 I'm running Squid 2.5 and RC.Firewall on a Mandrake 9.1 box.  The
 firewall denies any unrequested outside traffic, but allows anything
 that IS requested from the inside.

 And this is the beginning of my problem.  I have a division that may
 begin using VPN connections to a vendor, and I set up the (sorry)
 Microsoft Network and Dialup Connections on a Win2k Pro machine to
 create a VPN client connection.

This is not a Squid problem; Microsoft's VPN client does not tunnel
over HTTP or HTTPS, which is the only way Squid would get involved in
the exchange.

Judging by your references to port 500 and port 50 and 51, I'm going
to guess the VPN clients are using IPSec. IPSec uses UDP (not TCP)
port 500 to negotiate a connection, then tunnels the traffic over
protocol (NOT port) 50 or 51, depending on the VPN settings.

Make sure your firewall forwards UDP port 500 and protocol 50 and 51
to the outside world.

For further help, ask a list for your firewall product or a list for
Mandrake, or contact Microsoft.

Adam
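Added example, not from the thread: a check on the firewall's kernel log for the pieces Adam lists, IKE on UDP 500 and ESP/AH as IP protocols 50/51 rather than TCP ports, which is what the poster's "tail -30 messages" would need to spot. The log lines are constructed in netfilter LOG format with an assumed "DROP" log prefix; the poster's RC.Firewall may use a different prefix, which is the drop_prefix parameter.

```python
import re

# KEY=VALUE pairs as written by netfilter's LOG target (IN=, OUT=, PROTO=, DPT=, ...)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# What an IPsec VPN needs through the firewall: IKE on UDP port 500, then ESP
# (IP protocol 50) or AH (IP protocol 51). netfilter logs these as PROTO=ESP
# and PROTO=AH; the numeric forms are accepted as well.
IPSEC_PARTS = {
    "IKE udp/500": lambda f: f.get("PROTO") == "UDP" and f.get("DPT") == "500",
    "ESP proto 50": lambda f: f.get("PROTO") in ("ESP", "50"),
    "AH proto 51": lambda f: f.get("PROTO") in ("AH", "51"),
}

# Constructed sample of /var/log/messages lines from a box that blocks IKE and ESP
# but lets ordinary HTTPS through (not taken from the poster's firewall).
SAMPLE_MESSAGES = [
    "Oct 31 08:31:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 "
    "LEN=380 TOS=0x00 TTL=127 ID=1234 PROTO=UDP SPT=500 DPT=500 LEN=360",
    "Oct 31 08:31:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 "
    "LEN=148 TOS=0x00 TTL=127 ID=1235 PROTO=ESP SPI=0x1a2b3c4d",
    "Oct 31 08:31:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 "
    "LEN=52 TOS=0x00 TTL=127 ID=1236 DF PROTO=TCP SPT=3021 DPT=443 WINDOW=16384",
    "Oct 31 08:31:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 "
    "LEN=64 TOS=0x00 TTL=127 ID=1237 PROTO=UDP SPT=1029 DPT=53",
]


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def dropped_ipsec_parts(lines, drop_prefix="DROP"):
    """Names of IPsec components seen in lines that carry the drop log prefix."""
    seen = set()
    for line in lines:
        if drop_prefix not in line:
            continue
        fields = parse_netfilter_line(line)
        for name, matches in IPSEC_PARTS.items():
            if matches(fields):
                seen.add(name)
    return seen


if __name__ == "__main__":
    blocked = dropped_ipsec_parts(SAMPLE_MESSAGES)
    for name in IPSEC_PARTS:
        print(f"{name}: {'DROPPED' if name in blocked else 'not seen in drops'}")
```

An empty result with a failing VPN points away from the firewall and the proxy, which is where Adam's reply leaves the poster.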



Re: [squid-users] squid pipe data to a program

2003-10-31 Thread Christoph Haas
On Fri, Oct 31, 2003 at 04:50:41PM -0200, Pedro Zorzenon Neto wrote:
   Is there any way to tell squid to pipe all it will answer to users to
 another program before answering?
 
   The intention is to sanitize html content on-the-fly and remove some
 unwanted tags like script.

No way with squid. Use privoxy or other content-scrambling proxies.
(I use it myself and am quite happy. Be careful with rulesets in
corporate environments.)

 Christoph



[squid-users] squid doesn't cache anything

2003-10-31 Thread Tom Lahti
I have been searching USENET archives, the mailing list archives, the FAQ, 
everything I can get my hands on for several hours.  I have read about 
refreshing, no_cache and cache_peer, refresh_pattern, and I cannot get 
squid to write a damn thing to disk.

Worse, it releases everything from memory before I even have a chance to 
hit refresh (even if I wanted to).  How do I know this?  I am tailing 
store.log in another window while a web page is a loading, and I can see 
the releases happening, even while the web page is still loading, and they 
have  RELEASE -1  as the first 3 entries.

The corresponding items in access.log are all TCP_MISS/200 (not 304).  This 
occurs even after clearing the browser cache and restarting the browser and 
loading the site for the first time.  I have checked site cacheability 
with a cacheability engine.  I have changed refresh_pattern to give a 
positive minimum age to everything, and even added reload-into-ims.

I started with a fresh RedHat 9 installation, applied all current errata 
RPMs, and then downloaded squid-2.5-STABLE4 sources and compiled it myself 
with the following options:

Squid Cache: Version 2.5.STABLE4
configure options:  --program-prefix= --prefix=/usr --exec-prefix=/usr 
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc 
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib 
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com 
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr 
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var 
--sysconfdir=/etc/squid --enable-poll --enable-snmp 
--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs 
--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools 
--enable-linux-netfilter --with-pthreads 
--enable-basic-auth-helpers=NCSA,PAM,SASL 
--enable-external-acl-helpers=ip_user,unix_group

which is a subset of what RedHat compiles with.  I have not added any 
RedHat patches from their source RPM.

My squid.conf (as briefly as possible):


cache_mem 64 MB
cache_swap_low 94
cache_swap_high 98
maximum_object_size 32768 MB
maximum_object_size_in_memory 32 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir aufs /var/spool/squid 23000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_user myuser@

refresh_pattern .   1440 20% 4320 reload-into-ims

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl my_network src X/XX
http_access allow my_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
error_directory /etc/squid/errors

coredump_dir /var/spool/squid



I think the last time I posted to a mailing list or USENET looking for 
technical help was probably 4 years ago; i.e. I don't often require help, 
and I'm willing to stick around and help others for awhile if I can get 
this solved (thereby reducing the load on the current list gurus).  Let me 
know what I should try or what other things you'd like to see.

TIA,

Tom



[squid-users] NTLM, Samba 3.0, PAM

2003-10-31 Thread Jim Richey
Does PAM have to be installed for NTLM authentication to work with the 
Samba 3.0 ntlm_auth helper?
I'm using Slackware Linux which of course does not have PAM. So far I 
have not been able to get NTLM authentication working although basic 
authentication does work with the helper. The only people I've heard 
from that have NTLM authentication working with Samba 3.0 are running Red 
Hat which does come with PAM.



[squid-users] cachemgr.cgi just redirects me

2003-10-31 Thread Y Jones
I upped the debugging level to 3 by editing the cachemgr.cc source code and 
recompiling
squid.  I also changed my httpd.conf a bit to allow directory indexing like 
so:
  Options Includes FollowSymLinks Indexes

Now I get this in my apache error log when I try to get in:

cmgr: encoding for pub...
cmgr: got req: host: 'localhost' port: 80 uname: '' passwd: '' auth: '' 
oper: ''
wrote request: 'GET cache_object://localhost/ HTTP/1.0
Accept: */*

'
...and I get to a page that says Cache Manager menu for localhost:
and lists all the directories in my root web folder. But I still
don't actually get the cache manager.  Telnetting to
localhost 80 and typing:
GET cache_object://localhost/ HTTP/1.0
gives me the same.
If anyone anywhere has any idea whatsoever pertaining to
a possible solution, however remotely possible, please, please
reply.
Thanks in advance.

I tried installing the cachemgr.cgi from a stable release,
but it still just redirects me.  I've carefully read and
followed the directions in the FAQ for configuring apache.
I don't think my httpd.conf file is the problem, though,
since I get the login page.  Any ideas on things
to try would be appreciated.
Thanks.

I am running squid on port 80 and apache on port 81
like this:  http_port 80 accel vport=81
When I visit http://localhost:81/cgi-bin/cachemgr.cgi
I get
Cache Host:
Cache Port:
Manager name:
Password:
I enter localhost and 80.

When I click Continue... I am redirected to http://localhost:81/
and I don't get logged in.
I've tried setting and unsetting
   cachemgr_passwd secret all
I've tried various usernames.
cachemgr.cgi/3.0-PRE3-20031002

Thanks for your help.



Re: [squid-users] VPN traffic through Squid

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Eric Geater 10/30/03 wrote:

> I tried it again, but it's still not working.  When I went to
> squid-cache.org to look at the FAQ (I did this time!), on the 450k HTML
> doc (http://squid-docs.sourceforge.net/latest/book-full.html) I did a
> search for vpn l2tp and pptp, but could find nothing.  I don't
> know if that means the subject hasn't been handled or not.

This is simply because Squid is a HTTP proxy. None of the protocols you 
mention are HTTP protocols.

What you are looking for needs to be solved in the firewall, not Squid.

Regards
Henrik



Re: [squid-users] squid pipe data to a program

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Pedro Zorzenon Neto wrote:

> Is there any way to tell squid to pipe all it will answer to users to
> another program before answering?

The easiest method is by using one of the ICAP patches, and write your own 
ICAP server.

Regards
Henrik



Re: [squid-users] NTLM, Samba 3.0, PAM

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Jim Richey wrote:

> Does PAM have to be installed for NTLM authentication to work with the 
> Samba 3.0 ntlm_auth helper?

No, and neither does NSS.

You just need winbindd and the ntlm_auth helper. It is safe to ignore 
anything which refers to PAM or NSS in the winbind installation 
instructions if your purpose of the winbind installation is to use it from 
Squid.

PAM and NSS integration is only needed if you want your OS to use winbind
for local accounts.

Regards
Henrik



Re: [squid-users] squid doesn't cache anything

2003-10-31 Thread Y Jones
It sounds like you're probably more advanced than I am with
squid, so I apologize if this is obvious, but I've learned some about
when things do and don't cache by lynxing pages through squid
and then lynxing them directly from the site, and then comparing the headers
like this:
lynx -mime_header -dump http://my.squid.com/home.htm | head -n 15
lynx -mime_header -dump http://my.site.com/home.htm | head -n 15
Often I'll see that a header like Last-Modified, or Cache-Control isn't 
being set the
way I need it to be.

From: Tom Lahti [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [squid-users] squid doesn't cache anything
Date: Fri, 31 Oct 2003 13:17:13 -0800
I have been searching USENET archives, the mailing list archives, the FAQ, 
everything I can get my hands on for several hours.  I have read about 
refreshing, no_cache and cache_peer, refresh_pattern, and I cannot get 
squid to write a damn thing to disk.

Worse, it releases everything from memory before I even have a chance to 
hit refresh (even if I wanted to).  How do I know this?  I am tailing 
store.log in another window while a web page is loading, and I can see 
the releases happening, even while the web page is still loading, and they 
have "RELEASE -1" as the first 3 entries.

The corresponding items in access.log are all TCP_MISS/200 (not 304).  This 
occurs even after clearing the browser cache and restarting the browser and 
loading the site for the first time.  I have checked site cacheability 
with a cacheability engine.  I have changed refresh_pattern to give a 
positive minimum age to everything, and even added reload-into-ims.

I started with a fresh RedHat 9 installation, applied all current errata 
RPMs, and then downloaded squid-2.5-STABLE4 sources and compiled it myself 
with the following options:

Squid Cache: Version 2.5.STABLE4
configure options:  --program-prefix= --prefix=/usr --exec-prefix=/usr 
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc 
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib 
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com 
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr 
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var 
--sysconfdir=/etc/squid --enable-poll --enable-snmp 
--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs 
--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools 
--enable-linux-netfilter --with-pthreads 
--enable-basic-auth-helpers=NCSA,PAM,SASL 
--enable-external-acl-helpers=ip_user,unix_group

which is a subset of what RedHat compiles with.  I have not added any 
RedHat patches from their source RPM.

My squid.conf (as briefly as possible):


cache_mem 64 MB
cache_swap_low 94
cache_swap_high 98
maximum_object_size 32768 MB
maximum_object_size_in_memory 32 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir aufs /var/spool/squid 23000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_user myuser@

refresh_pattern .       1440    20%     4320    reload-into-ims

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl my_network src X/XX
http_access allow my_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
error_directory /etc/squid/errors

coredump_dir /var/spool/squid



I think the last time I posted to a mailing list or USENET looking for 
technical help was probably 4 years ago; i.e. I don't often require help, 
and I'm willing to stick around and help others for awhile if I can get 
this solved (thereby reducing the load on the current list gurus).  Let me 
know what I should try or what other things you'd like to see.

TIA,

Tom




Re: [squid-users] cachemgr.cgi just redirects me

2003-10-31 Thread Henrik Nordstrom
On Fri, 31 Oct 2003, Y Jones wrote:

> cmgr: encoding for pub...
> cmgr: got req: host: 'localhost' port: 80 uname: '' passwd: '' auth: '' 
> oper: ''
> wrote request: 'GET cache_object://localhost/ HTTP/1.0
> Accept: */*
> 
> '
> ...and I get to a page that says Cache Manager menu for localhost:
> and lists all the directories in my root web folder. But I still
> don't actually get the cache manager.  Telnetting to
> localhost 80 and typing:
>  GET cache_object://localhost/ HTTP/1.0
> gives me the same.


Then localhost:80 is your web server, not Squid.

You need to give the address and port of your Squid proxy to cachemgr, not 
the address and port of your web server (the server where cachemgr runs is 
already known to cachemgr, what it does not know is which proxy you want 
to manage)

Regards
Henrik



Re: [squid-users] cachemgr.cgi just redirects me

2003-10-31 Thread Y Jones
I've verified that my httpd.conf says:
   Listen 81
..and my squid.conf says
  http_port 80 accel vport=81
squid and apache are running on the same machine.
At any rate trying port 80 or 81 produces the same result.

From: Henrik Nordstrom [EMAIL PROTECTED]
To: Y Jones [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [squid-users] cachemgr.cgi just redirects me
Date: Fri, 31 Oct 2003 23:16:17 +0100 (CET)
On Fri, 31 Oct 2003, Y Jones wrote:

> cmgr: encoding for pub...
> cmgr: got req: host: 'localhost' port: 80 uname: '' passwd: '' auth: ''
> oper: ''
> wrote request: 'GET cache_object://localhost/ HTTP/1.0
> Accept: */*
>
> '
> ...and I get to a page that says Cache Manager menu for localhost:
> and lists all the directories in my root web folder. But I still
> don't actually get the cache manager.  Telnetting to
> localhost 80 and typing:
>  GET cache_object://localhost/ HTTP/1.0
> gives me the same.
Then localhost:80 is your web server, not Squid.

You need to give the address and port of your Squid proxy to cachemgr, not
the address and port of your web server (the server where cachemgr runs is
already known to cachemgr, what it does not know is which proxy you want
to manage)
Regards
Henrik



Re: [squid-users] squid doesn't cache anything

2003-10-31 Thread Tom Lahti

> The corresponding items in access.log are all TCP_MISS/200 (not 304).  This
> occurs even after clearing the browser cache and restarting the browser and
> loading the site for the first time.  I have checked site cacheability
> with a cacheability engine.  I have changed refresh_pattern to give a
> positive minimum age to everything, and even added reload-into-ims.

> Do you perhaps have a no_cache directive in your squid.conf blocking the
> content from being cached?

There are no no_cache directives in squid.conf.

> Also verify the clock on your Squid server. If the clock is very much off
> then odd things will happen.

The clock is quite sane.  The only (possibly) weird thing is that I'm in 
the habit of having the hardware clock set in UTC rather than local 
time.  Hopefully squid doesn't query the hardware clock...

Any more ideas?

TIA,

Tom



[squid-users] squid doesn't cache anything - solved

2003-10-31 Thread Tom Lahti
Thanks for all the replies, I have solved the problem.
When making my initial configuration before running, I made the following typo:
maximum_object_size 32768 MB

Oops.  (I meant KB, not MB!) Apparently, this causes squid to not cache 
anything.  Not sure why.  Perhaps there should be some range checking or 
validation on this configuration field.

After changing it to KB, all is well.

TIA,

Tom
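A unit typo like the one above is the kind of thing a pre-flight check on squid.conf can catch before the daemon is started. The following Python lint is an added example, not part of the thread or of Squid itself: it converts the byte-size directives to bytes and flags a maximum_object_size larger than the combined cache_dir space, which is what "32768 MB" against a 23000 MB cache_dir amounts to, as well as an in-memory object limit above cache_mem. The unit table is a constructed approximation of Squid's suffixes, and the sample config reuses the size lines from the thread.

```python
import re

# Multipliers for the unit suffixes on Squid's byte-size directives
# (constructed table; Squid's own parser is not used here).
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_DIRECTIVES = ("cache_mem", "maximum_object_size",
                   "maximum_object_size_in_memory", "minimum_object_size")

def parse_size(value):
    """'32768 MB' -> 34359738368; raises on a missing or unknown unit."""
    m = re.fullmatch(r"(\d+)\s*(bytes|KB|MB|GB)", value.strip())
    if not m:
        raise ValueError("bad size value: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2)]

def lint_sizes(conf_text):
    """Return a list of warnings about inconsistent size settings."""
    sizes, cache_dir_bytes, warnings = {}, 0, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        directive, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive in SIZE_DIRECTIVES:
            sizes[directive] = parse_size(rest)
        elif directive == "cache_dir":
            # cache_dir <type> <path> <size in MB> <L1> <L2> [options]
            cache_dir_bytes += int(rest.split()[2]) * UNITS["MB"]
    max_obj = sizes.get("maximum_object_size")
    if max_obj is not None and cache_dir_bytes and max_obj > cache_dir_bytes:
        warnings.append("maximum_object_size (%d bytes) exceeds the total "
                        "cache_dir space (%d bytes); check the unit"
                        % (max_obj, cache_dir_bytes))
    mem_obj = sizes.get("maximum_object_size_in_memory")
    cache_mem = sizes.get("cache_mem")
    if mem_obj is not None and cache_mem is not None and mem_obj > cache_mem:
        warnings.append("maximum_object_size_in_memory exceeds cache_mem")
    return warnings

# The size-related lines from the thread's squid.conf, typo included.
SAMPLE_CONF = """\
cache_mem 64 MB
maximum_object_size 32768 MB
maximum_object_size_in_memory 32 KB
cache_dir aufs /var/spool/squid 23000 16 256
"""

if __name__ == "__main__":
    for w in lint_sizes(SAMPLE_CONF):
        print("warning:", w)
```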