Re: [squid-users] authentication problem and "Server redirected too many times (20)" error message

2003-12-02 Thread Rami Jaamour
I ran this test again as 'rjaamour' the cache effective user (as you can 
notice from my conf file) and it still succeeds on correct 
username/password pairs.

Thank you for your help.
Rami

Henrik Nordstrom wrote:

> Did you run this test as the cache_effective_user or as root?
>
> If as root, make sure to run the test as your cache_effective_user.
>
> Regards
> Henrik
>
> On Tue, 2 Dec 2003, Rami Jaamour wrote:
>
>> I did that already.  It gives "ERR" on wrong username/password pairs and
>> "OK" on the correct one.
>>
>> Henrik Nordstrom wrote:
>>
>>> On Mon, 1 Dec 2003, Rami Jaamour wrote:
>>>
>>>> I do configure Mozilla to use the proxy, giving it the host name and
>>>> port and it worked in the past before I did the authentication, but when
>>>> Squid is configured to require authentication, then the browser (both
>>>> mozilla and IE) keep prompting for username and password.  Is my
>>>> squid.conf correct to do the proxy authentication?
>>>
>>> Then most likely there is a configuration error.
>>>
>>> First test is if the password file is correctly created.  Start the
>>> "auth_param basic program" command manually and then type a username password
>>> pair as input.
>>>
>>> Regards
>>> Henrik




 

   



 

--
Rami Jaamour
SOAPtest  
Development
ParaSoft Corporation 





[squid-users] test

2003-12-02 Thread Nelson Rolando León Monserrate

Please delete this mail

---
things you heard, never believe...
...things you saw, believe the half.
-
network administrator
nelson rolando león monserrate

yahoo! [EMAIL PROTECTED]
icq  166497000
 
home (0680) 373518
work  835 8100 - 02




[squid-users] Windows Update Problem

2003-12-02 Thread Sturgis, Grant
Greetings All,

We have experienced an interesting problem with Windows Update.  Essentially, the 
service fails when the client (W2K / IE6) uses the proxy server and succeeds when it 
bypasses the proxy.  After you click "Scan for Updates" the web server replies with 
something like (sorry I don't have the exact error in front of me) "an unknown error 
has occurred".  The access.log and cache.log don't show anything out of the ordinary 
(access.log excerpt is below).

I have gotten around the problem temporarily by including:

acl windowsupdate dstdomain .windowsupdate.microsoft.com
no_cache deny windowsupdate

in squid.conf

The mailing list archives have some similar problems that point to cache_dir being too 
small (running out of cache space) but I don't believe that is my problem:

cache_dir aufs /usr/local/squid/cache0 48000 16 256
cache_dir aufs /usr/local/squid/cache1 48000 16 256

#df -h|grep cache
/dev/sdb1  67G   37G   27G  58% /usr/local/squid/cache0
/dev/sdc1  67G   37G   27G  58% /usr/local/squid/cache1

#./squid -v 

Squid Cache: Version 2.5.STABLE1-20030102
configure options:  --enable-storeio=ufs,aufs,diskd --enable-snmp

Any suggestions would be most welcome.

Thanks,

Grant 
-



access.log excerpt:

Tue Dec  2 15:30:36 2003 30 10.10.14.113 TCP_MEM_HIT/200 3592 GET 
http://windowsupdate.microsoft.com/ - NONE/- text/html
Tue Dec  2 15:30:36 2003 32 10.10.14.113 TCP_MEM_HIT/200 2391 GET 
http://windowsupdate.microsoft.com/redirect.js - NONE/- application/x-javascript
Tue Dec  2 15:30:36 2003102 10.10.14.113 TCP_MISS/302 428 GET 
http://v4.windowsupdate.microsoft.com/default.asp - DIRECT/207.46.244.222 text/html
Tue Dec  2 15:30:36 2003174 10.10.14.113 TCP_MISS/200 8383 GET 
http://v4.windowsupdate.microsoft.com/en/default.asp - DIRECT/65.54.249.61 text/html
Tue Dec  2 15:30:36 2003 35 10.10.14.113 TCP_MEM_HIT/200 3854 GET 
http://v4.windowsupdate.microsoft.com/shared/js/Redirect.js - NONE/- 
application/x-javascript
Tue Dec  2 15:30:36 2003129 10.10.14.113 TCP_HIT/200 22132 GET 
http://v4.windowsupdate.microsoft.com/shared/js/top.js - NONE/- 
application/x-javascript
Tue Dec  2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 520 GET 
http://v4.windowsupdate.microsoft.com/shared/js/top.vbs - NONE/- text/vbscript
Tue Dec  2 15:30:37 2003106 10.10.14.113 TCP_MISS/200 1173 GET 
http://v4.windowsupdate.microsoft.com/shared/js/survey.js? - DIRECT/65.54.249.61 
application/x-javascript
Tue Dec  2 15:30:37 2003136 10.10.14.113 TCP_MISS/200 1496 GET 
http://v4.windowsupdate.microsoft.com/en/footer.asp - DIRECT/65.54.249.61 text/html
Tue Dec  2 15:30:37 2003188 10.10.14.113 TCP_MISS/200 7109 GET 
http://v4.windowsupdate.microsoft.com/en/toc.asp? - DIRECT/65.54.249.61 text/html
Tue Dec  2 15:30:37 2003245 10.10.14.113 TCP_MISS/200 4351 GET 
http://v4.windowsupdate.microsoft.com/en/mstoolbar.asp? - DIRECT/207.46.244.222 
text/html
Tue Dec  2 15:30:37 2003178 10.10.14.113 TCP_MISS/200 1872 GET 
http://v4.windowsupdate.microsoft.com/en/splash.asp? - DIRECT/207.46.244.222 text/html
Tue Dec  2 15:30:37 2003 71 10.10.14.113 TCP_MEM_HIT/200 558 GET 
http://v4.windowsupdate.microsoft.com/shared/css/footer.css - NONE/- text/css
Tue Dec  2 15:30:37 2003 70 10.10.14.113 TCP_HIT/200 2656 GET 
http://v4.windowsupdate.microsoft.com/shared/js/mstoolbar.js - NONE/- 
application/x-javascript
Tue Dec  2 15:30:37 2003105 10.10.14.113 TCP_HIT/200 9547 GET 
http://v4.windowsupdate.microsoft.com/shared/js/toc.js - NONE/- 
application/x-javascript
Tue Dec  2 15:30:37 2003113 10.10.14.113 TCP_HIT/200 12615 GET 
http://v4.windowsupdate.microsoft.com/shared/js/content.js - NONE/- 
application/x-javascript
Tue Dec  2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 448 GET 
http://v4.windowsupdate.microsoft.com/shared/images/toc_endnode.gif - NONE/- image/gif
Tue Dec  2 15:30:37 2003 98 10.10.14.113 TCP_HIT/200 1578 GET 
http://v4.windowsupdate.microsoft.com/shared/css/hcp.css - NONE/- text/css
Tue Dec  2 15:30:37 2003139 10.10.14.113 TCP_HIT/200 1573 GET 
http://v4.windowsupdate.microsoft.com/shared/css/toc.css - NONE/- text/css
Tue Dec  2 15:30:37 2003 51 10.10.14.113 TCP_HIT/200 5463 GET 
http://v4.windowsupdate.microsoft.com/shared/css/content.css - NONE/- text/css
Tue Dec  2 15:30:38 2003200 10.10.14.113 TCP_HIT/200 2054 GET 
http://v4.windowsupdate.microsoft.com/shared/css/mstoolbar.css - NONE/- text/css
Tue Dec  2 15:30:38 2003166 10.10.14.113 TCP_HIT/200 449 GET 
http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_curve.gif - NONE/- 
image/gif
Tue Dec  2 15:30:38 2003168 10.10.14.113 TCP_HIT/200 6059 GET 
http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_icp.gif - NONE/- 
image/gif
Tue Dec  2 15:30:38 2003 82 10.10.14.113 TCP_HIT/200 874 GET 
http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_ms.gif - NONE/- image/gif
Tue Dec  2 15:30:38 2003192 10.10.14.113 TCP_MISS/2

Re: [squid-users] How to make squid serve cached pages even if Internet connection is unavailable?

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Chris Wilcox wrote:

> I've done some google trawling on this and it appears that the current Squid 
> 2.x release doesn't seem to support 'offline' browsing via the cache as well 
> as older versions did.  Many sites mention a patch which allows a value to 
> be set in the squid.conf file which determines how Squid behaves if a 
> monitored network connection is unavailable.

There is the offline_mode directive, and this can be toggled on/off via 
cachemgr.

> If at all possible I'd really rather stick to the official squid release.  
> If I do this, can I achieve the ability to let users browse cached content 
> even if the origin server for this content is down?

Yes, but the chances are very high that the content the users are looking
for is not cached as most index pages these days are dynamically generated
and not cachable. Caching still works great for images, "attachments" and 
other static content.

Regards
Henrik



Re: [squid-users] Parent-sibling structure with squidGuard in the parent

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, José Gerez Morata wrote:

> Now we have implemented 3 Windows box in regional offices and have setup 
> squid in this boxes like siblings of central squid. This three machines 
> haven't access to Internet, so it requests all cache fails to the central 
> one.

See the Squid FAQ on how to use Squid within a firewall when doing this..

> We want to make content filtering only in the central squid because there 
> aren't a squidGuard port to Windows.
> 
> It's possible to do that?

It is how it works in the setup you have described.

Regards
Henrik



Re: [squid-users] authentication issues using winbind and ntlm

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Jim Crippen wrote:

> I don't know if this has already been answered but I was unable to find
> anything about it.  I've setup squid-2.5.STABLE4 with Samba 3.0.0 using
> winbind for authentication.  Everything works fine, except, every page
> accessed first enters 2 TCP_DENIED entries in the access log.

This is due to how NTLM authentication works.

On each new client connection there is first two denied requests while 
NTLM tries to negotiate the authentication.

We could add filters to squid not logging these, but then we risk both 
logging interesting details in case of problems and to allow hackers to 
probe the proxy without getting noticed.

> I wanted to know if there is a way around this as when I add back in
> the following acl "acl test url_regex "/etc/blacklist" " and deny access
> to it, I can not get the username recorded in the access log.

You can if you blacklist after requiring authentication..

The two questions are not related.

Regards
Henrik
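
The reply above treats the paired 407 entries as normal NTLM negotiation and, at the same time, as the place where unauthenticated probing would show up. One way to keep the entries and still separate the two cases during log review is sketched below. It is an added example, not part of the original thread or of Squid; the sample lines are constructed in the native access.log layout, and the function names, the 5-second window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# Constructed sample: one client completing the NTLM handshake, and one client
# that collects challenges on several URLs and never authenticates.
SAMPLE_LOG = r"""
1070384877.123      9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.example.com/ - NONE/- text/html
1070384877.152      9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.example.com/ - NONE/- text/html
1070384877.456    303 192.168.12.50 TCP_MISS/200 13360 GET http://www.example.com/ EXAMPLEDOM\alice DIRECT/192.0.2.10 text/html
1070384880.010      4 192.168.12.77 TCP_DENIED/407 1741 GET http://a.example.net/ - NONE/- text/html
1070384880.530      5 192.168.12.77 TCP_DENIED/407 1741 GET http://b.example.net/ - NONE/- text/html
1070384881.020      4 192.168.12.77 TCP_DENIED/407 1741 GET http://c.example.net/ - NONE/- text/html
1070384881.640      6 192.168.12.77 TCP_DENIED/407 1741 GET http://d.example.net/ - NONE/- text/html
"""


def parse(text):
    """Return one dict per well-formed access.log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = float(entry["ts"])
            entries.append(entry)
    return entries


def triage_407(entries, window=5.0):
    """Split 407 denials into handshake noise and unresolved challenges.

    A 407 counts as handshake noise when the same client requests the same URL
    again within `window` seconds and that request carries a username.
    access.log has no connection identifier, so client + URL is the closest
    available key (an approximation).
    """
    handshake, unresolved = [], defaultdict(list)
    for i, entry in enumerate(entries):
        if entry["status"] != "407":
            continue
        completed = any(
            later["client"] == entry["client"]
            and later["url"] == entry["url"]
            and later["status"] != "407"
            and later["user"] != "-"
            and 0 <= later["ts"] - entry["ts"] <= window
            for later in entries[i + 1:]
        )
        if completed:
            handshake.append(entry)
        else:
            unresolved[entry["client"]].append(entry)
    return handshake, dict(unresolved)


def suspicious_clients(unresolved, threshold=3):
    """Clients with at least `threshold` challenges that never led to a login."""
    return sorted(c for c, denied in unresolved.items() if len(denied) >= threshold)


if __name__ == "__main__":
    noise, pending = triage_407(parse(SAMPLE_LOG))
    print("handshake 407s:", len(noise))
    for client in suspicious_clients(pending):
        print("review:", client, len(pending[client]), "unanswered challenges")
```
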



RE: [squid-users] Wb_group error message in cache.log

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> Nothing in the smbd.log file.

winbind is logging to the log.winbindd log file, not smbd.log.

> This message shows up randomly giving no notice to any particular user.
> Just curious if this is any issue or not.

If you do not have any complaints from users it most likely is not an 
issue..

Regards
Henrik



Re: [squid-users] authentication problem and "Server redirected too many times (20)" error message

2003-12-02 Thread Henrik Nordstrom
Did you run this test as the cache_effective_user or as root?

If as root, make sure to run the test as your cache_effective_user.

Regards
Henrik

On Tue, 2 Dec 2003, Rami Jaamour wrote:

> I did that already.  It gives "ERR" on wrong username/password pairs and 
> "OK" on the correct one.
> 
> Henrik Nordstrom wrote:
> 
> >On Mon, 1 Dec 2003, Rami Jaamour wrote:
> >
> >  
> >
> >>I do configure Mozilla to use the proxy, giving it the host name and 
> >>port and it worked in the past before I did the authentication, but when 
> >>Squid is configured to require authentication, then the browser (both 
> >>mozilla and IE) keep prompting for username and password.  Is my 
> >>squid.conf correct to do the proxy authentication?
> >>
> >>
> >
> >Then most likely there is a configuration error.
> >
> >First test is if the password file is correctly created.  Start the 
> >"auth_param basic program" command manually and then type a username password 
> >pair as input.
> >
> >Regards
> >Henrik
> >
> >
> >
> >  
> >
> 
> 



[squid-users] Parent-sibling structure with squidGuard in the parent

2003-12-02 Thread José Gerez Morata
Hi,

we had a squid cache running on a RedHat box, for our entire organization 
in a central location with squidGuard filtering contents in this box.

Now we have implemented 3 Windows box in regional offices and have setup 
squid in this boxes like siblings of central squid. This three machines 
haven't access to Internet, so it requests all cache fails to the central 
one.

The cache_peer line in squid.conf is:

cache_peer parentSquid   parent80  3130 no-query no-digest 
no-netdb-exchange

We want to make content filtering only in the central squid because there 
aren't a squidGuard port to Windows.

It's possible to do that?
 
Regards,
José Gerez 
Departamento de Sistemas de TRAGSATEC
e-mail: [EMAIL PROTECTED]
Tlf.: +34 1 3963507
Fax: + 34 1 3963410


RE: [squid-users] Wb_group error message in cache.log

2003-12-02 Thread Mark Pelkoski
Nothing in the smbd.log file. This message shows up randomly giving no
notice to any particular user. Just curious if this is any issue or not.

-Mark

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 02, 2003 9:22 AM
To: Mark Pelkoski
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Wb_group error message in cache.log


Not really.. 

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
> 
> -Original Message-
> From: Mark Pelkoski
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
> 
> 
> List,
> I keep seeing this error in my cache.log a couple of times a day. Is 
> this normal or do I have a problem? I require my users to belong to a 
> certain NT group in order to use Squid. I wasn't seeing it when I 
> tested it with 70 users. Now I have 800+ users.
> 
> (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user 
> groups.
> 
> TIA.
> 
> -Mark
> 
> 
> 




[squid-users] How to make squid serve cached pages even if Internet connection is unavailable?

2003-12-02 Thread Chris Wilcox
Hi all,

I've done some google trawling on this and it appears that the current Squid 
2.x release doesn't seem to support 'offline' browsing via the cache as well 
as older versions did.  Many sites mention a patch which allows a value to 
be set in the squid.conf file which determines how Squid behaves if a 
monitored network connection is unavailable.

If at all possible I'd really rather stick to the official squid release.  
If I do this, can I achieve the ability to let users browse cached content 
even if the origin server for this content is down?  If so can anyone point 
me in the right direction of where to look?

Thanks for any advice,

Regards,

nry




RE: [squid-users] authentication issues using winbind and ntlm

2003-12-02 Thread Anthony Boynes
I see the same thing in my logs after getting ntlm to work about a month
ago.  I think is more of an issue with how squid processes its acls.  I wish
squid would handle its acls in the same manner as Cisco routers, which is
that a packet is accepted or denied based on the first matching rule that it
encounters.

-Original Message-
From: Jim Crippen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 02, 2003 10:18 AM
To: '[EMAIL PROTECTED]'
Subject: [squid-users] authentication issues using winbind and ntlm


Hi all,

I don't know if this has already been answered but I was unable to find
anything about it.  I've setup squid-2.5.STABLE4 with Samba 3.0.0 using
winbind for authentication.  Everything works fine, except, every page
accessed first enters 2 TCP_DENIED entries in the access log.  I wanted to
know if there is a way around this as when I add back in the following acl
"acl test url_regex "/etc/blacklist" " and deny access to it, I can not get
the username recorded in the access log.  Below is an entry from the
access.log from opening yahoo.com.

1070384877.123  9 192.168.12.50 TCP_DENIED/407 1741 GET
http://www.yahoo.com/ - NONE/- text/html
1070384877.152  9 192.168.12.50 TCP_DENIED/407 1741 GET
http://www.yahoo.com/ - NONE/- text/html
1070384877.456303 192.168.12.50 TCP_MISS/200 13360 GET
http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
1070384878.276  7 192.168.12.50 TCP_DENIED/407 2094 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/-
text/html
1070384878.288  8 192.168.12.50 TCP_DENIED/407 2098 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/-
text/html
1070384878.312187 192.168.12.50 TCP_MISS/304 391 GET
http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC
DIRECT/216.39.69.71 -
1070384878.446154 192.168.12.50 TCP_MISS/200 261 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1
ELITEHOU\JIMC DIRECT/66.218.71.101 image/gif
1070384879.032587 192.168.12.50 TCP_MISS/200 515 GET
http://kd.barcfg.myway.com/speedbar/mySpeedbarCfg2.jsp? ELITEHOU\JIMC
DIRECT/63.236.66.5 text/html

Here is the relevant section of the squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10 -l
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

I appreciate any help anyone can give me.

Thanks.

Jim Crippen
Sr LAN Administrator
Elite Transportation
[EMAIL PROTECTED]





[squid-users] authentication issues using winbind and ntlm

2003-12-02 Thread Jim Crippen
Hi all,

I don't know if this has already been answered but I was unable to find
anything about it.  I've setup squid-2.5.STABLE4 with Samba 3.0.0 using
winbind for authentication.  Everything works fine, except, every page
accessed first enters 2 TCP_DENIED entries in the access log.  I wanted to
know if there is a way around this as when I add back in the following acl
"acl test url_regex "/etc/blacklist" " and deny access to it, I can not get
the username recorded in the access log.  Below is an entry from the
access.log from opening yahoo.com.

1070384877.123  9 192.168.12.50 TCP_DENIED/407 1741 GET
http://www.yahoo.com/ - NONE/- text/html
1070384877.152  9 192.168.12.50 TCP_DENIED/407 1741 GET
http://www.yahoo.com/ - NONE/- text/html
1070384877.456303 192.168.12.50 TCP_MISS/200 13360 GET
http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
1070384878.276  7 192.168.12.50 TCP_DENIED/407 2094 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/-
text/html
1070384878.288  8 192.168.12.50 TCP_DENIED/407 2098 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/-
text/html
1070384878.312187 192.168.12.50 TCP_MISS/304 391 GET
http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC
DIRECT/216.39.69.71 -
1070384878.446154 192.168.12.50 TCP_MISS/200 261 GET
http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:
JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1
ELITEHOU\JIMC DIRECT/66.218.71.101 image/gif
1070384879.032587 192.168.12.50 TCP_MISS/200 515 GET
http://kd.barcfg.myway.com/speedbar/mySpeedbarCfg2.jsp? ELITEHOU\JIMC
DIRECT/63.236.66.5 text/html

Here is the relevant section of the squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10 -l
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

I appreciate any help anyone can give me.

Thanks.

Jim Crippen
Sr LAN Administrator
Elite Transportation
[EMAIL PROTECTED]




Re: [squid-users] authentication problem and "Server redirected too many times (20)" error message

2003-12-02 Thread Rami Jaamour
I did that already.  It gives "ERR" on wrong username/password pairs and 
"OK" on the correct one.

Henrik Nordstrom wrote:

> On Mon, 1 Dec 2003, Rami Jaamour wrote:
>
>> I do configure Mozilla to use the proxy, giving it the host name and
>> port and it worked in the past before I did the authentication, but when
>> Squid is configured to require authentication, then the browser (both
>> mozilla and IE) keep prompting for username and password.  Is my
>> squid.conf correct to do the proxy authentication?
>
> Then most likely there is a configuration error.
>
> First test is if the password file is correctly created.  Start the
> "auth_param basic program" command manually and then type a username password
> pair as input.
>
> Regards
> Henrik


 

--
Rami Jaamour
SOAPtest  
Development
ParaSoft Corporation 
(626) 256-3680 ext. 1217




Re: [squid-users] Disk hit ratio question

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, unixware wrote:

> i am getting very low Request Disk Hit Ratios: 5 min
> 0.3% as compare to other proxies in cache farm which
> are getting around 34 % disk ratio. cache manager.
> 
> is this normal ?

It is not normal that one proxy in a farm has significantly different hit 
ratios if all members of the farm have approximately similar traffic.

> is this recommended feature when used cache farm . ??

Depends on the setup and how requests are distributed among the farm 
members.

Regards
Henrik



RE: [squid-users] Wb_group error message in cache.log

2003-12-02 Thread Henrik Nordstrom
Not really.. 

Does it happen for all users or just some?

Is there any log messages from Samba in the Samba or messages log files?

Regards
Henrik

On Tue, 2 Dec 2003, Mark Pelkoski wrote:

> DOES ANYBODY HAVE AN IDEA ABOUT THIS???
> 
> -Original Message-
> From: Mark Pelkoski 
> Sent: Wednesday, November 26, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Wb_group error message in cache.log
> 
> 
> List,
> I keep seeing this error in my cache.log a couple of times a day. Is
> this normal or do I have a problem? I require my users to belong to a
> certain NT group in order to use Squid. I wasn't seeing it when I tested
> it with 70 users. Now I have 800+ users.
> 
> (wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.
> 
> TIA.
> 
> -Mark
> 
> 
> 



Re: [squid-users] Redirect_program not working

2003-12-02 Thread Henrik Nordstrom
No other ideas. For redirectors it is only the redirect_program and 
redirect_access directives which are relevant.

Well, there is the obvious question of course: Did the traffic reach the 
proxy at all? I.e. is the requests logged in access.log?

Regards
Henrik

On Tue, 2 Dec 2003, Cyril COUPEL wrote:

> Thanks,
> I am using the default RedHat Squid config file.
> 
> The redirector_access directive is not set. I tried to set it to
> redirector_access allow all, with all is acl all src 0.0.0.0/0.0.0.0
> 
> This does not solve my problem.
> 
> An other idea?
> 
> 
> On Tue 02/12/2003 at 15:51, Henrik Nordstrom wrote:
> > Maybe you have denied the use of the redirect_program via the 
> > redirector_access directive?
> > 
> > On Tue, 2 Dec 2003, Cyril COUPEL wrote:
> > 
> > > All seems to work like squid don't redirect queries to redirect_program.
> 



[squid-users] Squid Authetication via Samba

2003-12-02 Thread Nobody
hello everybody,

I would like if you help me:

does anyone know if there is a way to get squid to authenticate through PAM and
using the samba file password?


thanks





RE: [squid-users] proxy authentication/system access

2003-12-02 Thread John Hally
Excellent.  I got it to work pretty easily, just wasn't too sure whether the
auth program would send back the user id to use in another ACL.

Thanks!

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2003 6:27 PM
To: John Hally
Cc: '[EMAIL PROTECTED]'
Subject: Re: [squid-users] proxy authentication/system access


On Mon, 1 Dec 2003, John Hally wrote:

> I have Squid acting as a proxy and using webmin to control access via
> login/pwd.  What I'd like to do is to further limit the user so that they
> can only use the proxy to access certain web servers.  I'm guessing that
> I'll have to use something else to authenticate against other than the
> webmin authentication scheme.  Has anyone done something similar?

authentication and authorization is different concepts..

I am not a webmin user but you do this by

a) Defining the authentication scheme an helper, allowing Squid to verify
the users authentication credentials (login+password for basic 
authentication). This is done with the auth_param directive.

b) Defining access controls telling what users are allowed to request what
when. This is done by the auth_param directive by combining acl
definitions defined by the acl directive.

See the Squid FAQ on access control.

Regards
Henrik
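
The split between authentication and authorization described above, and the advice in the NTLM thread to blacklist only after requiring authentication, both come down to the order of `http_access` lines. The following is an added example, not code from the thread or from Squid: a simplified model of first-match `http_access` evaluation (ACLs on one line are ANDed, evaluated left to right) that reports the decision and whether a username is known when it is made. The ACL names, domains, inline blacklist pattern and the `decide` helper are assumptions; `user` stands for credentials the helper has accepted, `None` for no credentials.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration. The thread's blacklist is a file (/etc/blacklist);
# an inline pattern is used here so the example runs offline.
ACLS = r"""
acl all src 0.0.0.0/0.0.0.0
acl authed proxy_auth REQUIRED
acl blacklist url_regex badsite\.example
acl allowed_servers dstdomain .intranet.example
"""
RULES = """
http_access deny blacklist
http_access allow authed allowed_servers
http_access deny all
"""
WEAK = ACLS + RULES                                # blacklist hit before any login
FIXED = ACLS + "http_access deny !authed\n" + RULES  # login required first


class AuthChallenge(Exception):
    """A proxy_auth ACL was reached without credentials: Squid answers 407."""


def parse_conf(text):
    acls, rules = {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "acl":
            acls[tokens[1]] = (tokens[2], tokens[3:])
        elif tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules


def acl_matches(acl, request, state):
    kind, values = acl
    if kind == "proxy_auth":
        if request["user"] is None:
            raise AuthChallenge
        state["user_known"] = True   # from here on the username can be logged
        return values == ["REQUIRED"] or request["user"] in values
    if kind == "url_regex":
        return any(re.search(p, request["url"]) for p in values)
    if kind == "dstdomain":
        host = urlsplit(request["url"]).hostname or ""
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in values)
    if kind == "src":                # only the match-everything form is modelled
        return values == ["0.0.0.0/0.0.0.0"]
    raise ValueError("ACL type not modelled: " + kind)


def decide(conf, request):
    """Return (decision, username available for the log) for one request."""
    acls, rules = parse_conf(conf)
    if not rules:
        raise ValueError("no http_access lines")
    state = {"user_known": False}
    for action, names in rules:
        try:
            matched = all(
                acl_matches(acls[n.lstrip("!")], request, state) != n.startswith("!")
                for n in names
            )
        except AuthChallenge:
            return ("challenge-407", "-")
        if matched:
            return (action, request["user"] if state["user_known"] else "-")
    # No line matched: the default is the opposite of the last line.
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return (fallback, request["user"] if state["user_known"] else "-")


if __name__ == "__main__":
    req = {"url": "http://badsite.example/x", "user": "alice"}
    print("weak :", decide(WEAK, req))
    print("fixed:", decide(FIXED, req))
```
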



[squid-users] Disk hit ratio question

2003-12-02 Thread unixware


i am getting very low Request Disk Hit Ratios: 5 min
0.3% as compare to other proxies in cache farm which
are getting around 34 % disk ratio. cache manager.

is this normal ?

we are not using cache peer relationship between cache
farm .

is this recommended feature when used cache farm . ??

Thanks and Regards

uw


Connection information for squid:
Number of clients accessing cache:  3188
Number of HTTP requests received:   1536134
Number of ICP messages received:0
Number of ICP messages sent:0
Number of queued ICP replies:   0
Request failure ratio:   0.00
Average HTTP requests per minute since start:   3948.7
Average ICP messages per minute since start:0.0
Select loop called: 5003017 times, 4.665 ms avg
Cache information for squid:
Request Hit Ratios: 5min: 56.1%, 60min: 58.8%
Byte Hit Ratios:5min: 27.9%, 60min: 29.0%
Request Memory Hit Ratios:  5min: 17.0%, 60min: 20.4%
Request Disk Hit Ratios:5min: 0.2%, 60min: 0.2%
Storage Swap size:  13210884 KB
Storage Mem size:   32644 KB
Mean Object Size:   13.80 KB
Requests given to unlinkd:  0






RE: [squid-users] Oracle Portal

2003-12-02 Thread Manfred Milhofer
Thanks Henrik I will have a look

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 02 December 2003 14:01
To: Manfred Milhofer
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Oracle Portal


On Tue, 2 Dec 2003, Manfred Milhofer wrote:

> Hi
> 
> We have a client who is using Oracle Portal behind a Squid proxy. They 
> are having a problem whereby documents published via the portal appear 
> to be cached by the proxy, that is, if an existing document is updated 
> then the new version is often not seen by users who access the portal 
> via the proxy - they continue to see the old version. Users who bypass 
> the proxy always see the updated document.
> 
> The steps taken to try and sort the problem are:
> 
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal
> - configure the proxy so that it "proxies but no longer caches any 
> data" (the clients words - I know little about proxies)
> 
> Has anyone any experiences similar to this which they could share with 
> me?

I would recommend you to read the "Caching Tutorial for web masters"  
document <http://www.mnot.net/cache_docs/>. This document explains in detail how 
the whole picture pulls together and what should be done to applications/servers to 
work properly in presence of caches.

It also explains many of the common errors which is often done, allowing 
you to not repeat the same stupid mistakes.

This document should be mandatory reading for anyone who designs a web 
system for publishing content.

Regards
Henrik




Re: [squid-users] Redirect_program not working

2003-12-02 Thread Cyril COUPEL
Thanks,
I am using the default RedHat Squid config file.

The redirector_access directive is not set. I tried to set it to
redirector_access allow all, with all is acl all src 0.0.0.0/0.0.0.0

This does not solve my problem.

An other idea?


On Tue 02/12/2003 at 15:51, Henrik Nordstrom wrote:
> Maybe you have denied the use of the redirect_program via the 
> redirector_access directive?
> 
> On Tue, 2 Dec 2003, Cyril COUPEL wrote:
> 
> > All seems to work like squid don't redirect queries to redirect_program.
-- 
Cyril COUPEL <[EMAIL PROTECTED]>



[squid-users] Réf. : Re: [squid-users] squid_ldap_group with 2 levels of group

2003-12-02 Thread sdavy

Henrik,

thanks for the reply. Yes, I wanted to make some recursive membership in
groups, but I think I'll work in a different way and use some groups
containing only users according to your answer.

Best regards,

Stéphane



   
   
Henrik Nordstrom <[EMAIL PROTECTED]>
02/12/2003 15:50
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] squid_ldap_group with 2 levels of group
   
   
   
   




On Tue, 2 Dec 2003 [EMAIL PROTECTED] wrote:

> I'd like to create group in a LDAP directory, and these groups would
> contain some other groups would should contain users. And of course, I'd
> like to match this ugly thing using squid_ldap_group.

Now you make me slightly confused.. is these groups member of the bigger
group, or is the bigger group a OU the other groups are located under?

The OU case is trivial.

The recursive group membership case of groups being members of groups is
not, and such group design will be very slow and complex to look up via
LDAP.

I would seriously recommend making the users direct members of the group.

Regards
Henrik








RE: [squid-users] Wb_group error message in cache.log

2003-12-02 Thread Mark Pelkoski
DOES ANYBODY HAVE AN IDEA ABOUT THIS???

-Original Message-
From: Mark Pelkoski 
Sent: Wednesday, November 26, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Wb_group error message in cache.log


List,
I keep seeing this error in my cache.log a couple of times a day. Is
this normal or do I have a problem? I require my users to belong to a
certain NT group in order to use Squid. I wasn't seeing it when I tested
it with 70 users. Now I have 800+ users.

(wb_group)[9464](wb_check_group.c:231): Warning: Can't enum user groups.

TIA.

-Mark





Re: [squid-users] Redirect_program not working

2003-12-02 Thread Henrik Nordstrom
Maybe you have denied the use of the redirect_program via the 
redirector_access directive?

On Tue, 2 Dec 2003, Cyril COUPEL wrote:

> All seems to work like squid don't redirect queries to redirect_program.



Re: [squid-users] squid_ldap_group with 2 levels of group

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003 [EMAIL PROTECTED] wrote:

> I'd like to create group in a LDAP directory, and these groups would
> contain some other groups would should contain users. And of course, I'd
> like to match this ugly thing using squid_ldap_group.

Now you make me slightly confused.. is these groups member of the bigger 
group, or is the bigger group a OU the other groups are located under?

The OU case is trivial.

The recursive group membership case of groups being members of groups is
not, and such group design will be very slow and complex to look up via
LDAP.

I would seriously recommend making the users direct members of the group.

Regards
Henrik



[squid-users] Redirect_program not working

2003-12-02 Thread Cyril COUPEL
Hi all,
I am using Squid-2.5.STABLE3-1.i686 on redhat 9.

The Goal:
I want to use squidGuard (1.2.0).

Squid is working fine.
SquidGuard is working fine, in test mode (run as squid user on the
command line)

The Problem :
I added the line redirect_program /usr/local/bin/squigGuard at the end
of my squid.conf.
I modified the squidGuard code to display in the log all the lines
received from stdin.

When I run squidGuard from the command line I have in the logs:
2003-12-02 09:11:31 [15829] init domainlist
/etc/squidGuard/db/blacklist/domains
2003-12-02 09:11:31 [15829] init urllist
/etc/squidGuard/db/blacklist/urls
2003-12-02 09:11:31 [15829] squidGuard 1.2.0 started (1070374291.687)
2003-12-02 09:11:31 [15829] squidGuard ready for requests
(1070374291.746)
2003-12-02 09:12:01 [15829] Received squid line: http://toto.fr/
10.1.1.1/- - GET
2003-12-02 09:12:01 [15829] Parsed squid line:
http;toto.fr;http://toto.fr/

so SquidGuard is working well in stand alone.

But when I start squid and try to access an URL, I have in the log:
2003-12-02 08:39:03 [27432] init domainlist
/etc/squidGuard/db/blacklist/domains
2003-12-02 08:39:03 [27432] init urllist
/etc/squidGuard/db/blacklist/urls
2003-12-02 08:39:03 [27432] squidGuard 1.2.0 started (1070372343.133)
2003-12-02 08:39:03 [27432] squidGuard ready for requests
(1070372343.342)

and nothing else.

I replaced squidGuard with a simple script that prints to the log file
all lines coming from stdin:

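#!/bin/bash
# Log every line received on stdin; the loop ends when stdin is closed
# (EOF) instead of spinning forever on a failed read.
while read -r toto
do
    logger -t test received: "$toto"
done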

and chowned squid:squid and chmod 777

Nothing is received.

All seems to work like squid doesn't redirect queries to redirect_program.

If anyone can help me???
I have to install it on Thursday.
-- 
Cyril COUPEL <[EMAIL PROTECTED]>
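
Added example (not part of the original thread and not squidGuard's code): a minimal redirector in Python for the request line format visible in the squidGuard log above ("URL ip/fqdn ident method"), useful for checking whether Squid feeds the helper at all. It assumes the Squid 2.5 redirector convention of one reply line per request, where an empty line leaves the URL unchanged; the blacklist entry and the block-page URL are constructed placeholders.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"toto.fr"}  # constructed sample blacklist
BLOCK_PAGE = "http://proxy.example.invalid/blocked.html"  # hypothetical URL


def parse_request(line):
    """Split one redirector request line: 'URL ip/fqdn ident method'."""
    fields = line.split()
    if len(fields) < 4:
        return None
    url, client, ident, method = fields[:4]
    ip, _, fqdn = client.partition("/")
    return {"url": url, "ip": ip, "fqdn": fqdn, "ident": ident, "method": method}


def host_of(url):
    """Return the lower-cased host; CONNECT requests arrive as 'host:port'."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the domain itself and any subdomain, but not look-alike names."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def reply_for(line):
    """Return the reply line: a replacement URL, or '' to leave the URL alone."""
    req = parse_request(line)
    if req is None:
        return ""  # malformed input: answer anyway so the proxy is not left waiting
    return BLOCK_PAGE if is_blocked(host_of(req["url"])) else ""


def main():
    for line in sys.stdin:  # the loop ends when the proxy closes the pipe
        # Log to stderr so stdout carries replies only.
        print(f"received: {line.rstrip()}", file=sys.stderr)
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()  # a buffered reply stalls the request that waits for it


if __name__ == "__main__":
    main()
```

If such a helper logs nothing while Squid is serving requests, the helper is not being handed requests, which points at the Squid configuration rather than at the helper.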



[squid-users] squid_ldap_group with 2 levels of group

2003-12-02 Thread sdavy
Hello dear Squid users,

I'd like to make the following thing with the external_acl feature:

I'd like to create groups in an LDAP directory, and these groups would
contain some other groups which should contain users. And of course, I'd
like to match this ugly thing using squid_ldap_group.
An example:
I create a group called "www-users", and I put in this group a group called
"Support". The Support group contains all the users of the "Support"
service. So, I'd like to know how to check that a user from the Support
group fits in the www-users group, but without any hard-coded stuff related
to "Support" group in my squid config.

Do you have any idea?

Another question: is there a good place where I can find some examples of
squid_ldap_group usage?

Thanks a lot for your help




Re: [squid-users] squid Version in ERROR Page

2003-12-02 Thread Henrik Nordstrom

> I want to remove the default signature from squid completely from the
> ERROR pages.

You can't remove it completely. What you can do is to hide the Squid 
version in a comment.

See the Squid FAQ on writing custom error messages.

Regards
Henrik



Re: [squid-users] Oracle Portal

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Manfred Milhofer wrote:

> Hi
> 
> We have a client who is using Oracle Portal behind a Squid proxy. They are having a 
> problem whereby documents published via the portal appear to be cached by the proxy, 
> that is, if an existing document is updated then the new version is often not seen 
> by users who access the portal via the proxy - they continue to see the old version. 
> Users who bypass the proxy always see the updated document.
> 
> The steps taken to try and sort the problem are:
> 
> - disable caching on the PC ('always refresh' in the browser)
> - disable caching in the portal
> - configure the proxy so that it "proxies but no longer caches any data" (the 
> clients words - I know little about proxies)
> 
> Has anyone any experiences similar to this which they could share with me?

I would recommend you to read the "Caching Tutorial for web masters"  
document <http://www.mnot.net/cache_docs/>. This document explains in
detail how the whole picture pulls together and what should be done to
applications/servers to work properly in presence of caches.

It also explains many of the common errors which are often made, allowing 
you to not repeat the same stupid mistakes.

This document should be mandatory reading for anyone who designs a web 
system for publishing content.

Regards
Henrik



[squid-users] squid Version in ERROR Page

2003-12-02 Thread Heiko Wuest
Hi,

I want to remove the default signature from squid completely from the
ERROR pages.

I always get at the End:

Generated Tue, 02 Dec 2003
13:21:20 GMT by gate (squid/2.5.STABLE4)


I don't understand why this is implemented so stupid:

If I use %s or %S in my custom error pages I can customize them, if I
don't use %s or %S I get the default signature, but how can I completely
remove it ! :-(

Help  :-)


Heiko Wüst
Technical Consultant


ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72/48 61-118
Fax: +49(0) 61 72/48 61-718
Web: http://www.adiva.de  eMail: [EMAIL PROTECTED]




RE: [squid-users] Oracle Portal

2003-12-02 Thread Manfred Milhofer
Thanks for the info. I am setting up a test environment here and will look at the 
link you sent.
Manfred

-Original Message-
From: Elsen Marc [mailto:[EMAIL PROTECTED] 
Sent: 02 December 2003 12:45
To: Manfred Milhofer; [EMAIL PROTECTED]
Subject: RE: [squid-users] Oracle Portal




 
>I think the client has just disabled caching for the relevant server.

>I would agree that in an ideal setup, the webserver should be 
>responsible for maintaining >'freshness'. I suspect that there is a 
>configuration gotcha with Portal and Squid which is >causing this 
>problem, I am hoping someone else has hit this.

 Ok, but basically squid doesn't know anything about or even knows what a Portal is : 
it only looks at http headers for each acquired object for making relevant caching 
decisions. These can also be verified with , for instance :

   http://www.ircache.net/cgi-bin/cacheability.py

M.

 


 


Re: [squid-users] ldap on freeBSD

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Tomas Palfi wrote:

> No matter what I do I can't install ldap helpers on FreeBSD5.0.  It
> always bombs out on the lber.h and ldap.h

So what exact error do you receive?

And are the files really in /usr/include? As yourself run "cat
/usr/include/ldap.h" and "cat /usr/include/lber.h" and the same for the
other OpenLDAP include files.. but if a file is missing the error should 
tell which..

Regards
Henrik



Re: [squid-users] diskd - option

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, shadha nker wrote:

> Thanks for your response. So one solution is "I can
> change samba version >= 2.2.6 to run this itself and
> no need to rebuild for newer samba"

Yes.

Or you can rebuild the Squid helpers to your older version of Samba as per
the Squid release notes, your choice.

Regards
Henrik



RE: [squid-users] Oracle Portal

2003-12-02 Thread Elsen Marc


 
>I think the client has just disabled caching for the relevant server.

>I would agree that in an ideal setup, the webserver should be responsible for 
>maintaining >'freshness'. I suspect that there is a configuration gotcha with Portal 
>and Squid which is >causing this problem, I am hoping someone else has hit this.

 Ok, but basically squid doesn't know anything about or even knows what a Portal
is : it only looks at http headers for each acquired object for making relevant
caching decisions. These can also be verified with , for instance :

   http://www.ircache.net/cgi-bin/cacheability.py

M.
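
Added example (not from the thread and not Squid's own algorithm): a simplified reading of the RFC 2616 response headers that a shared cache looks at when deciding freshness, applied to constructed sample headers. A response that lands in the "heuristic" class carries no explicit freshness information, so the cache applies its own rules, which is where stale copies of updated documents can come from.

```python
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Turn 'private, max-age=60' into {'private': '', 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


def freshness(headers):
    """Classify a response as seen by a shared cache.

    Returns (kind, lifetime_seconds) where kind is one of:
      'not-stored'  the response must not be kept by a shared cache
      'revalidate'  it may be kept but must be checked with the origin first
      'explicit'    the origin stated a lifetime (s-maxage, max-age or Expires)
      'heuristic'   no explicit information; the cache falls back to its own rules
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    if "no-store" in cc or "private" in cc:
        return ("not-stored", None)
    if "no-cache" in cc:
        return ("revalidate", 0)

    # s-maxage applies to shared caches and overrides max-age and Expires.
    for key in ("s-maxage", "max-age"):
        if key in cc:
            try:
                return ("explicit", max(0, int(cc[key])))
            except ValueError:
                return ("explicit", 0)  # unparsable value: treat as stale

    # This sketch only evaluates Expires when a Date header is also present.
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return ("explicit", max(0, int(delta.total_seconds())))
        except (TypeError, ValueError):
            return ("explicit", 0)  # invalid date such as "0" means already expired

    return ("heuristic", None)
```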

 



RE: [squid-users] Oracle Portal

2003-12-02 Thread Manfred Milhofer
Thanks for that.

I think the client has just disabled caching for the relevant server.

I would agree that in an ideal setup, the webserver should be responsible for 
maintaining 'freshness'. I suspect that there is a configuration gotcha with Portal 
and Squid which is causing this problem, I am hoping someone else has hit this.

Manfred

-Original Message-
From: Elsen Marc [mailto:[EMAIL PROTECTED] 
Sent: 02 December 2003 12:37
To: Manfred Milhofer; [EMAIL PROTECTED]
Subject: RE: [squid-users] Oracle Portal



 

>Hi

>We have a client who is using Oracle Portal behind a Squid proxy. They 
>are having a problem >whereby documents published via the portal appear 
>to be cached by the proxy, that is, if an >existing document is updated 
>then the new version is often not seen by users who access the >portal 
>via the proxy - they continue to see the old version. Users who bypass 
>the proxy >always see the updated document.

>The steps taken to try and sort the problem are:

>- disable caching on the PC ('always refresh' in the browser)
>- disable caching in the portal
 (?)
>- configure the proxy so that it "proxies but no longer caches any 
>data" (the clients words >- I know little about proxies)

>Has anyone any experiences similar to this which they could share with 
>me?

 
 It is the responsibility of the remote webserver(+portal) to provide correct 
freshness info , for the discussed items (docs). If it doesn't when docs are updated 
then one could state that the remote webserver and portal architecture  is defunct.

Anyway you also have the possibility of limiting a no cache setting in squid.conf for 
a particular site/server(see squid.conf). You don't need to disable complete caching 
in squid.

M.


 


RE: [squid-users] Oracle Portal

2003-12-02 Thread Elsen Marc

 

>Hi

>We have a client who is using Oracle Portal behind a Squid proxy. They are having a 
>problem >whereby documents published via the portal appear to be cached by the proxy, 
>that is, if an >existing document is updated then the new version is often not seen 
>by users who access the >portal via the proxy - they continue to see the old version. 
>Users who bypass the proxy >always see the updated document.

>The steps taken to try and sort the problem are:

>- disable caching on the PC ('always refresh' in the browser)
>- disable caching in the portal
 (?)
>- configure the proxy so that it "proxies but no longer caches any data" (the clients 
>words >- I know little about proxies)

>Has anyone any experiences similar to this which they could share with me?

 
 It is the responsibility of the remote webserver(+portal) to provide
correct freshness info , for the discussed items (docs). If it doesn't when
docs are updated then one could state that the remote webserver and
portal architecture  is defunct.

Anyway you also have the possibility of limiting a no cache setting in squid.conf
for a particular site/server(see squid.conf). You don't need to disable complete 
caching
in squid.

M.



[squid-users] Oracle Portal

2003-12-02 Thread Manfred Milhofer
Hi

We have a client who is using Oracle Portal behind a Squid proxy. They are having a 
problem whereby documents published via the portal appear to be cached by the proxy, 
that is, if an existing document is updated then the new version is often not seen by 
users who access the portal via the proxy - they continue to see the old version. 
Users who bypass the proxy always see the updated document.

The steps taken to try and sort the problem are:

- disable caching on the PC ('always refresh' in the browser)
- disable caching in the portal
- configure the proxy so that it "proxies but no longer caches any data" (the clients 
words - I know little about proxies)

Has anyone any experiences similar to this which they could share with me?

Thanks very much

Manfred

 


[squid-users] ldap on freeBSD

2003-12-02 Thread Tomas Palfi
Henrik,

No matter what I do I can't install ldap helpers on FreeBSD5.0.  It
always bombs out on the lber.h and ldap.h

I have 2 installations running already on solaris 5.9, however, I
haven't succeeded on FreeBSD.  I have installed openldap-2.0.27 (the
same as on solaris) with ldap v2.0 and the lber.h and ldap.h installed
in /usr/include

You have mentioned in one of mails that running make from the squid root
directory to build support functions. That bombed out with the same
error.

On the solaris boxes I have the lber.h and ldap.h in /usr/include as
well as /usr/local/include, however, the /usr/include are being used.
When I tried to install the openldap headers in /usr/include it still
did not work.

Don't get me wrong, I'm well chuffed with the authentication, however,
it's still bugging me why I can't run it on FreeBSD. I even tried to
edit the Makefile in the helpers, no success.

Thanks

tomas



--
tp 






Re: [squid-users] diskd - option

2003-12-02 Thread shadha nker
Hello Henrik,

Thanks for your response. So one solution is "I can
change samba version >= 2.2.6 to run this itself and
no need to rebuild for newer samba"

Thanks. If anything is wrong in my above statement, plz
reply.

Regs,
-Sadha

--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Tue, 2 Dec 2003, shadha nker wrote:
> 
> > Thanks for the reply. I've seen Releasenotes.
> > As i said in prev mail, samba version is < 2.2.6
> > But i came to know that winbind helpers updated to
> > match Samba-2.2.7a and should work with Samba-2.2.6 or
> > later (required).
> > So my pbl is runtime pbl or build pbl? 
> 
> A build problem.
> 
> > i mean will it(wb_auth or wb_group) run by changing
> > samba version (it is build where the machine has
> > samba-2.2.3a.) or i need to rebuild squid after having
> > samba > 2.2.6 version.
> 
> You either need to change Samba version or rebuild
> the helpers to use your
> older Samba version according to the instructions in
> the release notes.
> 
> Regards
> Henrik
> 




Re: [squid-users] diskd - option

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, shadha nker wrote:

> Thanks for the reply. I've seen Releasenotes.
> As i said in prev mail, samba version is < 2.2.6
> But i came to know that winbind helpers updated to
> match Samba-2.2.7a and should work with Samba-2.2.6 or
> later (required).
> So my pbl is runtime pbl or build pbl? 

A build problem.

> i mean will it(wb_auth or wb_group) run by changing
> samba version (it is build where the machine has
> samba-2.2.3a.) or i need to rebuild squid after having
> samba > 2.2.6 version.

You either need to change Samba version or rebuild the helpers to use your
older Samba version according to the instructions in the release notes.

Regards
Henrik



Re: [squid-users] diskd - option

2003-12-02 Thread shadha nker
Hello Henrik,

Thanks for the reply. I've seen Releasenotes.
As i said in prev mail, samba version is < 2.2.6
But i came to know that winbind helpers updated to
match Samba-2.2.7a and should work with Samba-2.2.6 or
later (required).
So my pbl is runtime pbl or build pbl? 
i mean will it(wb_auth or wb_group) run by changing
samba version (it is build where the machine has
samba-2.2.3a.) or i need to rebuild squid after having
samba > 2.2.6 version.

plz help me.

Regs,
-Sadha
--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Mon, 1 Dec 2003, shadha nker wrote:
> 
> > ***my samba version is  2.2.3a and 2.2.5.
> > I've one dbt then how with this version ,
> > squid2.5STABLE1, wb_auth and wb_group works, but in
> > squid2.5STABLE4 WON't.
> 
> See the Squid release notes.
> 
> Regards
> Henrik
> 




Re: [squid-users] Best conf for dial-up

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Fajar Priyanto wrote:

> Henrik, looks like half_closed_clients off option gives a positive result, 
> squid hasn't hung all day today. There was moment when I thought it hung, but 
> it resumed all by itself in about 20 seconds later.
> 
> Any idea why half_closed_clients affect dial-up connection?

It doesn't actually, but it considerably speeds up error recovery by
allowing Squid to terminate the request if it looks like the client
aborted the session.

In dial-up conditions there are many more error causes than in a fixed 
connection so the likelihood that there is connectivity problems to the 
Internet is much higher, and without disabling half_closed_clients there 
is a high likelihood for a lot of stuck connections to build up.

Regards
Henrik



Re: [squid-users] Best conf for dial-up

2003-12-02 Thread Fajar Priyanto

On Monday 01 December 2003 05:18 pm, Fajar Priyanto wrote:
> On Monday 01 December 2003 04:50 pm, Henrik Nordstrom wrote:
> > Try "half_closed_clients off".
>
> Thanks Henrik, I've done that and let's see the result tomorrow when the
> users are back online.

Henrik, looks like half_closed_clients off option gives a positive result, 
squid hasn't hung all day today. There was moment when I thought it hung, but 
it resumed all by itself in about 20 seconds later.

Any idea why half_closed_clients affect dial-up connection?
Thanks, you've been very kind.
-- 
Fajar http://linux.arinet.org
Linux mdk91.sistek.kom 2.4.21-0.13mdk GNU/Linux
15:38:01 up 7:54, 10 users, load average: 0.70, 0.30, 0.16
Quote of the day:
Welcome to Hell! Here's your copy of Windows 98!



Re: [squid-users] "anonymize_headers" headers description

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Mueller Tomas wrote:

> > I'm unsuccessfully trying to search a description of specific headers in
> > the tag anonymize_headers, for example "Allow", "Location", "Host" or
> > "Connection". Pls, does anybody know some URL with a complete list of these
> > headers and mainly with their description?

The HTTP specification RFC 2616 is a good source. See http://www.w3.org/

Regards
Henrik



Re: [squid-users] squid is not functioning properly

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Firas Mubarak wrote:

> start msn messenger or yahoo messenger or having any voice or video
> chats.

Last time I looked these are not HTTP applications and can not use a HTTP 
proxy.

> some of web sites are not opening such as www.hotmail.com.

for this problem have you tried what is said in the Squid FAQ about 
running Squid on Linux?

Regards
Henrik



Re: [squid-users] only allow HTTP and HTTPS protocol using pattern matching???

2003-12-02 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, Siew Wing Loon wrote:

> How can I only allow HTTP and HTTPS protocol using
> pattern matching in squid?

acl HTTP protocol HTTP
http_access deny !HTTP !CONNECT

but from the rest of your question this is most likely not what you want.

> This is because if users point the proxy setting to
> the squid server and they able to connect to MSN.

What do you get in access.log when they do?

Most likely the traffic is tunneled over HTTP.

Regards
Henrik



Re: [squid-users] cache performance

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, Nelson Serrao wrote:

> I spoke to my ISP and found that option b) is the only one that's going to
> work in my case. I need help on how to use proxy-arp on the proxy server to
> divide your internal network in
>  two parts without renumbering.

See your OS documentation. Each OS does it slightly differently.

How to set up proxy-arp is a routing question, not a Squid question.


In Linux you assign the same IP on both interfaces and then set up routing
so the server knows which IP addresses of the local network segment are on
which side and then enable proxy_arp on the affected interfaces. If you
like you can cheat by using a 255.255.255.255 netmask on the "smallest"
interface, only requiring the routes for that interface.

Regards
Henrik



Re: [squid-users] what's the meaning of this?

2003-12-02 Thread Henrik Nordstrom
On Tue, 2 Dec 2003, sword wrote:

> Median Service Times (seconds)  5 min    60 min:
>   HTTP Requests (All):   0.58309  0.89858
>   Cache Misses:          0.61549  1.81376
>   Cache Hits:            0.0      0.00179
>   Near Hits:             0.0      1.17732
>   Not-Modified Replies:  0.00179  0.00179
>   DNS Lookups:           0.00704  0.01686
>   ICP Queries:           0.0      0.0

This gives the median service times for different aspects of the proxy 
operation.

For example the first line says that the median service time for requests
was 0.58309 seconds in the last 5 minutes or 0.89858 in the last 60
minutes.

Regards
Henrik



Re: [squid-users] Re: Re: Re: Hardware filewall + squid: blocking kazaa/kazaa lite

2003-12-02 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, Siew Wing Loon wrote:

> If there is a ed2k server running on port 80, will it
> able to access it via squid?

Most likely not.

Regards
Henrik



Re: [squid-users] diskd - option

2003-12-02 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, shadha nker wrote:

> ***my samba version is  2.2.3a and 2.2.5.
> I've one dbt then how with this version ,
> squid2.5STABLE1, wb_auth and wb_group works, but in
> squid2.5STABLE4 WON't.

See the Squid release notes.

Regards
Henrik



Re: [squid-users] authentication problem and "Server redirected too many times (20)" error message

2003-12-02 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, Rami Jaamour wrote:

> I do configure Mozilla to use the proxy, giving it the host name and 
> port and it worked in the past before I did the authentication, but when 
> Squid is configured to require authentication, then the browser (both 
> mozilla and IE) keep prompting for username and password.  Is my 
> squid.conf correct to do the proxy authentication?

Then most likely there is a configuration error.

First test is if the password file is correctly created.  Start the 
"auth_param basic program" command manually and then type a username password 
pair as input.

Regards
Henrik




[squid-users] "anonymize_headers" headers description

2003-12-02 Thread Mueller Tomas
> I'm unsuccessfully trying to search a description of specific headers in
> the tag anonymize_headers, for example "Allow", "Location", "Host" or
> "Connection". Pls, does anybody know some URL with a complete list of these
> headers and mainly with their description?
>