Re: [squid-users] squid 2.5 and wccp

2003-12-12 Thread Alexander Harkenthal
Hello Henrik,

  and that's why the kernel does NOT catch and decapsulate the incoming
  packets before passing them to Squid when I turned on the wccp version
  2 on the router.

 Do you see the decapsulated packets anywhere?

This hint helped a lot. Thanks to tcpdump, iptables logging and this hint I
found out that the problem was neither the squid nor the kernel. A route
was missing on the linux server (squid) to send the reply to the client
network. I placed the squid in the internet as well as the router but the
clients come with private IP addresses.

At the end it works perfectly.

Alexander




[squid-users] Questions about exploit blocking

2003-12-12 Thread Eric Geater 11/26/03
I noticed the post from DB earlier this week regarding the IE exploit,
and I became intrigued.

First off, which exploit are we talking about?  Microsoft enumerates
them for reference, so I am confused which one this stops (or blocks).

Second, I'm very interested to know that an ACL can be created to block
an exploit, but the line described was incredibly simple (\%01\ or
something like that).  What exactly is being blocked in such a small
line?

Thanks. I don't mind adding things to my ACLs, but I'd love to know what
I'm doing in the process.  And if I totally got the context wrong, you
guys can beat me up.

Eric Geater
Network Administrator
MSCO, Inc.
731-935-8538
731-431-3742
egeater at mscoinc dot com




Re: AW: [squid-users] [OT] Buy my book?

2003-12-12 Thread Henrik Nordstrom
On Thu, 11 Dec 2003 [EMAIL PROTECTED] wrote:

 - my company doesn't let us send money or donations to the squid
 project (I've asked - I'd like to donate a Sun since that is what we
 use, but we can't donate). 

Would a support contract work for you?

Squid support contracts via MARA Systems are one quite direct way of
supporting the Squid development, or at least my part of it.

 - It's nice to have a reference and I am sure it has bits that either
 weren't in the FAQ or on this list or are but will be more easily
 findable via the TOC or index/book format.

The FAQ is helplessly behind and poorly structured. We have long been
looking for someone who can help with maintaining the FAQ but so far no
success.. there have been a few people who have tried, but they never even
managed to make a single change (not even spelling corrections). I guess
it is simply too much and they quickly ran away when realising what a mess
it is..

 - I won't always be with this company and this will help me turn
 over our Squid proxies to whoever takes my place.

And so would a support contract ;-)

Regards
Henrik



Re: [squid-users] SNMP + Remote query problem

2003-12-12 Thread Berant Lemmenes
Yeah I noticed that and tried limiting it to v1, however it gets the
same error on the squid side.

with 49 debug set to 9 the cache.log has this:

2003/12/12 03:46:09| snmpDecodePacket: Called.
2003/12/12 03:46:09| Failed SNMP agent query from : 192.168.252.82.
2003/12/12 03:46:10| snmpHandleUdp: Called.
2003/12/12 03:46:10| snmpHandleUdp: FD 11: received 44 bytes from
192.168.252.82

however that still really doesn't shed too much light on things.

If it helps at all the squid box is a debian woody system with UCD-snmp
version: 4.2.3

The logging box is a gentoo system with MRTG and is running net-snmp
Version:  5.0.6

[pause in writing while I build ucd-snmp on the gentoo box]

hmmph using ucd-snmp on the gentoo box worked fine... I'll bet had I
tried MRTG instead of snmpwalk this whole time it would have worked.

Well thanks for the help everyone!

Berant

On Thu, 2003-12-11 at 17:19, Henrik Nordstrom wrote: 
 On Thu, 11 Dec 2003, Berant Lemmenes wrote:
 
  however that same statement from another box on the same network yields
  a time out and I get Failed SNMP agent query from : 192.168.252.82. on
  the squid box.
 
 Depending on the version of your SNMP tools you may need to specify which 
 version of SNMP to use. The Squid SNMP agent is a little dated and only 
 supports SNMPv1 or SNMPv2 queries. Using SNMPv1 is a safe bet.
 
 Regards
 Henrik
 
 
 



[squid-users] cache_dir doesn't grow to given size

2003-12-12 Thread babar haq
Hi all
this is my cache_dir line in squid.conf
cache_dir ufs /cache  3500 16 256

but df shows my /cache at max 3002100; it never grows beyond this

Googling gave me the idea that I have to increase the TTL (time to live), but I can't
get to the exact tag I am supposed to change in squid.conf.
Hope someone can help
Regards,
Babar Haq



Re: AW: [squid-users] [OT] Buy my book?

2003-12-12 Thread Robert Collins
On Fri, 2003-12-12 at 17:58, Henrik Nordstrom wrote:

 Would a support contract work for you?

Let me second this. 

If anyone here wants to contribute fiscally, but their company won't
allow a donation, buy something from one of the active developers - I
live in Sydney Australia, and support clients locally and worldwide.
MARA systems supports folk worldwide as far as I'm aware.

Rob


-- 
GPG key available at: http://www.robertcollins.net/keys.txt.




RE: [squid-users] cache_dir doesn't grow to given size

2003-12-12 Thread Elsen Marc

 
Hi all
this is my cache_dir line in squid.conf
cache_dir ufs /cache  3500 16 256

but df shows my /cache at max 3002100; it never grows beyond this

Googling gave me the idea that I have to increase the TTL (time to live), but I can't
get to the exact tag I am supposed to change in squid.conf.
Hope someone can help
Regards,
Babar Haq

  From squid.conf(.default) :
  ---

#  TAG: cache_swap_low  (percent, 0-100)
#  TAG: cache_swap_high (percent, 0-100)
#
#   The low- and high-water marks for cache object replacement.
#   Replacement begins when the swap (disk) usage is above the
#   low-water mark and attempts to maintain utilization near the
#   low-water mark.  As swap utilization gets close to high-water
#   mark object eviction becomes more aggressive.  If utilization is
#   close to the low-water mark less replacement is done each time.
#
#   Defaults are 90% and 95%. If you have a large cache, 5% could be
#   hundreds of MB. If this is the case you may wish to set these
#   numbers closer together.
#
#Default:
# cache_swap_low 90
 

 M.


[squid-users] forwarded_for

2003-12-12 Thread Emilio Casbas
Hi,
In a hierarchy of 3 levels of proxy-caches, we have configured it so that
the first level shows the IPs of the clients (forwarded_for on) and works well,
and in the third-level (exit) proxy-caches (forwarded_for off), but here is
where it does not work and shows the following:

X-Forwarded-For: x.x.x.x, x.x.x.x
X-Forwarded-For: x.x.x.x, x.x.x.x
X-Forwarded-For: x.x.x.x, x.x.x.x
X-Forwarded-For: x.x.x.x, x.x.x.x
X-Forwarded-For: x.x.x.x, x.x.x.x
X-Forwarded-For: x.x.x.x, x.x.x.x
where x.x.x.x are IPs of our clients.
instead of:

X-Forwarded-For: unknown

The squid version is squid-2.5Stable4

Thanks in advance.
Emilio






[squid-users] help me with authentication

2003-12-12 Thread Victor Souza Menezes
Henrik, I know that I am annoying you with all these e-mails, but I couldn't
solve my problems with squid_ldap_auth. I followed your advice and put the
following line in squid.conf:

auth_param basic program /usr/lib/squid/squid_ldap_auth -p -R -b dc=tre-pb,
dc=gov, dc=br -D cn=victor,cn=users,dc=tre-pb,dc=gov,dc=br -w XXX -f
(&(userPrincipalName=%s)(objectClass=Person)) -h ldapserver ip address

where victor and XXX are, respectively, a user DN and a password to
perform the searches.

the problem is that I can't authenticate at all. I've already tried everything
that is in the manual. I have no idea what I'm doing wrong. I just have some
users in the domain tre-pb.gov.br in the win2K/ActiveDirectory server and I
want to authenticate their access to the internet through squid_ldap_auth.

the following error message appears in /var/log/squid/access.log:

2003/12/12 09:53:39| 0 Swapfile clashes avoided.
2003/12/12 09:53:39|   Took 5.8 seconds (   0.0 objects/sec).
2003/12/12 09:53:39| Beginning Validation Procedure
2003/12/12 09:53:39|   Completed Validation Procedure
2003/12/12 09:53:39|   Validated 0 Entries
2003/12/12 09:53:39|   store_swap_size = 0k
2003/12/12 09:53:40| storeLateRelease: released 0 objects
squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'



please help me with this!!!

regards, Victor Souza Menezes  




[squid-users] Website for predefined links of servers

2003-12-12 Thread Paul Schäfers
Hi all!
Several months ago I found a website that has links to proxies,
webmailers etc.
I have forgotten the website. Can anybody help me?
Paul



Re: AW: [squid-users] [OT] Buy my book?

2003-12-12 Thread unixware

Yes indeed, that's very good news ...

and it feels good seeing both gurus, Wessels and
Henrik, reply; these are really helpful and
informative.

and I want to ask the author: will he share a sample
chapter from his book in electronic form if possible :)

Wish them GOOD luck in their future.


Thanks and Regards

UW


--- [EMAIL PROTECTED] wrote:
 On Thu, 11 Dec 2003 16:42:37 +0100, Werner wrote:
 This list and the whole world is waiting for this book since months and
 years;-) Announcing this book is good news for us.
 
 Indeed - many congratulations Duane.  I saw Duane's sig and like
 Henrik just assumed it was supposed to be a sig but like he said, if
 Duane wants to put it at the top, no problem for me; all his posts
 were/are helpful.  Although this mailing list is awesome I will be
 buying the book for three reasons:
 
 - my company doesn't let us send money or donations to the squid
 project (I've asked - I'd like to donate a Sun since that is what we
 use, but we can't donate).  But we *can* buy books so we'll be getting
 at least two.
 
 - It's nice to have a reference and I am sure it has bits that either
 weren't in the FAQ or on this list or are but will be more easily
 findable via the TOC or index/book format.
 
 - I won't always be with this company and this will help me turn
 over our Squid proxies to whoever takes my place.
 
 Again, I think this is a great achievement and I am looking forward to
 it.  And as Henrik mentions, it's a major step for Squid and should be
 noticed!  Thanks again Duane and the whole Squid Team!
 
 adam
 




[squid-users] squid_ldap_auth special character in password

2003-12-12 Thread Frank Fegert
Hello all,

our squid (2.5stable3) is authenticating users via squid_ldap_auth
(with OpenLDAP 2.0.25) against our NDS.
If a password contains special characters (e.g.: §, \, ', ä, ö, ü,
EURO-sign, a, o, u with accent) the authentication fails. According
to a Novell TID the NDS seems to expect the passwords to be
encoded in UTF8 and special characters escaped with a \
(as in RFC2253, Chap. 2.4). Since we're located in the German
area especially the German umlauts would be nice to have ;-)
Though I'm not a C wizard, I had a look at squid_ldap_auth.c,
but couldn't find any character escaping and/or UTF8 conversion.
Hence the question: is the character escaping and/or UTF8
conversion done in the OpenLDAP functions/libraries, or has
this to be provided by the squid_ldap_auth helper?
Has anyone experienced a similar problem and/or can give me
some pointers on how to solve the problem?

Regards,

Frank
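As an added illustration, not code from squid_ldap_auth or OpenLDAP, this is the RFC 2253 section 2.4 escaping of a UTF-8 encoded value that the post cites, with its inverse so a helper's or library's output can be compared against it; the function names and sample strings are mine. RFC 2253 covers DN string values; a user name substituted for %s in a search filter follows the separate filter-escaping rules of RFC 2254.

```python
# Added example (not from squid_ldap_auth or OpenLDAP): RFC 2253 section 2.4
# escaping of a UTF-8 encoded value, as cited in the post, plus the inverse so
# a round trip can be checked. Function names and sample strings are mine.

# Characters that must carry a backslash wherever they appear in the value.
SPECIAL = set(',+"\\<>;')
HEX = set("0123456789abcdefABCDEF")


def escape_rfc2253(value: str) -> str:
    """Return the RFC 2253 string representation of an attribute value.

    The value is first encoded as UTF-8. Then each of , + " \\ < > ; gets a
    backslash prefix, a leading space or '#' and a trailing space get one as
    well, and every byte outside printable ASCII (so every byte of an umlaut
    or the euro sign) is written as a backslash and two hex digits.
    """
    raw = value.encode("utf-8")
    last = len(raw) - 1
    out = []
    for i, byte in enumerate(raw):
        ch = chr(byte)
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif 0x20 <= byte < 0x7F:
            out.append(ch)
        else:
            out.append("\\%02X" % byte)
    return "".join(out)


def unescape_rfc2253(text: str) -> str:
    """Invert escape_rfc2253: \\XX becomes one byte, \\c becomes c."""
    raw = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            raw.extend(ch.encode("utf-8"))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash at end of value")
        pair = text[i + 1:i + 3]
        if len(pair) == 2 and all(c in HEX for c in pair):
            raw.append(int(pair, 16))  # hex-escaped byte
            i += 3
        else:
            raw.extend(text[i + 1].encode("utf-8"))  # backslash-escaped char
            i += 2
    return raw.decode("utf-8")


if __name__ == "__main__":
    # Constructed samples containing the kinds of characters the post lists.
    for sample in ("Müller, Jörg", "price 5€;#1", " leading", "trailing ", "a\\b"):
        esc = escape_rfc2253(sample)
        print(repr(sample), "->", esc)
        assert unescape_rfc2253(esc) == sample
```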



Re: [squid-users] redirecting transparently to few different ports based on URL or domain name

2003-12-12 Thread Henrik Nordstrom
On Thu, 11 Dec 2003, Rami Jaamour wrote:

 #!/usr/bin/perl
 $|=1;
 while () {
 
 [EMAIL PROTECTED]://soaptest.parasoft.com/[EMAIL 
 PROTECTED]://soaptest.parasoft.com/glue/calculator-01.wsdl@;
 
 [EMAIL PROTECTED]://soaptest.parasoft.com/glue/[EMAIL 
 PROTECTED]://soaptest.parasoft.com:8000/glue/calculator@;
 print;
 }
 
 The first one works fine, but when there are port changes like the
 second one it does not work, I just get a 404 from apache on 81!

I don't even see how the first can work. How does your Squid find its way to
port 81? The redirector is looking for a port 80 url and returning a port
80 url..

Regards
Henrik



Re: AW: [squid-users] [OT] Buy my book?

2003-12-12 Thread unixware
Dear All

squid is very popular software
You people should invite college and university
students to maintain the squid site for you.

and they also can sponsor squid development.

or something at Govt level.

also there is very little information about support
contracts at the MARA System site . It should be written
clearly, with their charges in $$$

so anyone interested will look at the services you are
offering.

Wish all developers Good Luck for what they do.

keep up the good work !


Thanks and Regards

UW


--- Henrik Nordstrom [EMAIL PROTECTED] wrote:
 On Thu, 11 Dec 2003 [EMAIL PROTECTED] wrote:
 
  - my company doesn't let us send money or donations to the squid
  project (I've asked - I'd like to donate a Sun since that is what we
  use, but we can't donate). 
 
 Would a support contract work for you?
 
 Squid support contracts via MARA Systems are one quite direct way of
 supporting the Squid development, or at least my part of it.
 
  - It's nice to have a reference and I am sure it has bits that either
  weren't in the FAQ or on this list or are but will be more easily
  findable via the TOC or index/book format.
 
 The FAQ is helplessly behind and poorly structured. We have long been
 looking for someone who can help with maintaining the FAQ but so far no
 success.. there have been a few people who have tried, but they never even
 managed to make a single change (not even spelling corrections). I guess
 it is simply too much and they quickly ran away when realising what a mess
 it is..
 
  - I won't always be with this company and this will help me turn
  over our Squid proxies to whoever takes my place.
 
 And so would a support contract ;-)
 
 Regards
 Henrik
 




[squid-users] FW: Squid, NT Domains and non logged in systems

2003-12-12 Thread wolfe


  -Original Message-
 From: Wolfe, Austin  
 Sent: Friday, December 12, 2003 11:10 AM
 To:   '[EMAIL PROTECTED]'
 Subject:  Squid, NT Domains and non logged in systems
 
 Hello,
   I am running Squid version 2.5.STABLE2 on a linux Slackware version
 9.1 server. It has been running fine but I am in the process of locking
 down all of my VLANS and forcing users to access web sites via the proxy
 servers. I have several NT domains and I have NTLM , winbindd and smb
 running with no problems. Today I have been working with several users who
 are having a problem. They do not have their workstations log into any
 domain on my network. They log in with a local account. When they open up
 the web browser, they get prompted for a user name and password / domain
 which they supply. They start accessing the web but then a strange thing
 occurs. If they hit a page that the proxy denies, they click on their back
 button, see the previous page and then when they click on another link or
 try to go to another site the browser seems to lock. I have watched the
 logs while this occurs and when it locks, their system does not seem to
 access the proxy. If they shut down IE and try again, it will function
 until the next deny. I have had them try to access the proxy without using
 wpad.dat and they still get the same issue. I have another proxy that does
 not require authentication and the problem does not occur. I then had them
 log their system into a domain, they get prompted for the username
 password / domain, which they enter and the problem does not occur. How do
 I resolve this?
 
 Network and system stats and versions:
 
 Squid Version 2.5.STABLE2
 Linux Slackware 9.1
 Workstations are running Win2k with IE 6.0
 I have smb, winbind and NTLM configured and running.
 I am using wpad.dat
 
 Thank You,
 Austin Wolfe
 


[squid-users] Question regarding squid and URLs

2003-12-12 Thread Jim Greene
Hello,
I am attempting to do the following:
Type in http://10.0.0.1:3128/www.yahoo.com in my browser. I need to be able
to access a site like that because of some software we will be using that
does not have a proxy setting.
That gives me an error about not being able to bring up /www.yahoo.com.
Is there a different way of using the cache in the same manner? Or is there
a way to filter out the initial / ? Thanks for your help.
Jim G




[squid-users] Squid dstdomain ACL

2003-12-12 Thread Mike McCall
All,

I have a fairly busy cache using native squid ACLs to block access to
certain sites using the dstdomain ACL type.  This is fine for denying access
to sites like www.playboy.com, but doesn't work when people use google's
cache of pages and google images, since the domain becomes www.google.com.

My question: is there an ACL that will deny both
http://www.playboy.com and
http://www.google.com/search?q=cache:www.playboy.com/?

I know regexes might be able to do this, but will there be a performance
hit?

Thanks.

Mike



Re: [squid-users] Squid dstdomain ACL

2003-12-12 Thread Duane Wessels



On Fri, 12 Dec 2003, Mike McCall wrote:

 All,

 I have a fairly busy cache using native squid ACLs to block access to
 certain sites using the dstdomain ACL type.  This is fine for denying access
 to sites like www.playboy.com, but doesn't work when people use google's
 cache of pages and google images, since the domain becomes www.google.com.

 My question: is there an ACL that will deny both
 http://www.playboy.com and
 http://www.google.com/search?q=cache:www.playboy.com/?

 I know regexes might be able to do this, but will there be a performance
 hit?

You have (at least) two options:

1) use the 'url_regex' type to block hostnames that appear anywhere in the URL, like:

 acl foo url_regex www.playboy.com

   The performance hit depends on the size of your regex list and the load on
   Squid.  If Squid is not currently running at, say, more than 50% of CPU usage,
   you'll probably be fine.


2) Use a similar ACL to block all google cache queries:

 acl foo url_regex google.com.*cache:

Duane W.


Re: [squid-users] Question regarding squid and URLs

2003-12-12 Thread Duane Wessels



On Fri, 12 Dec 2003, Jim Greene wrote:

 Hello,
 I am attempting to do the following:
 Type in http://10.0.0.1:3128/www.yahoo.com in my browser. I need to be able
 to access a site like that because of some software we will be using that
 does not have a proxy setting.
 That gives me an error about not being able to bring up /www.yahoo.com.
 Is there a different way of using the cache in the same manner? Or is there
 a way to filter out the initial / ? Thanks for your help.
 Jim G

Squid does not normally support this form of proxying.  However,
it might work if you:

1) write the URL like this:

 http://10.0.0.1:3128/http://www.yahoo.com

2) write a Squid redirector program that removes the leading slash from
   certain requests and changes "/http://" into "http://".

Duane W.


[squid-users] Proxy server restart without reason

2003-12-12 Thread Linuxero Tux
Hi everybody!

I have this problem with the office's proxy server:

Every 3 weeks, more or less, the server crashes and even the console doesn't
respond. I have no choice but to reboot it manually.

I set up the syslog service to log all the important system messages, at
least that is what I believe =), but when I consult the log files there is no
reason for the crash. You can see the syslog's config file below.

I'd appreciate it if you could tell me what's going on with the server or what
I should do with the server or with the syslog daemon to find the reason and
to solve it.

The server specifications are as follows:

- CPU: Pentium III 68A, 800 MHz, 256 Kb cache.
- RAM: 1 GB.
- HDD: SCSI Seagate, 33 GB.
- Squid Proxy Server 2.5 Stable 2.
Thanks for your help and time!



=

SYSLOG'S CONFIG FILE

# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see man syslog.conf.
#
#
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none/dev/tty10
kern.warn;*.err;authpriv.none   |/dev/xconsole
*.emerg  *
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root
#
# all email-messages in one file
#
mail.*  -/var/log/mail
#
# all news-messages
#
# these files are rotated and examined by news.daily
news.crit   -/var/log/news/news.crit
news.err-/var/log/news/news.err
news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all
#
# Warnings in one file
#
*.=warn;*.=err   /var/log/warn
*.crit   /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.*-/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
kern.*  /var/log/firewall

authpriv.*   /var/log/syslog
cron.*   /var/log/cronlog
daemon.warn  /var/log/warn
syslog.*-/var/log/syslog.log
user.*;user.!warn   -/var/log/userlog
user.warn/var/log/userlog.warn


=

LOG FILE /var/log/messages

Dec 11 13:43:12 proxy -- MARK --
dic 11 13:45:26 proxy PAM-unix2[608]: session started for user root, service 
xdm
Dec 11 13:59:00 proxy /USR/SBIN/CRON[29879]: (root) CMD ( rm -f 
/var/spool/cron/lastrun/cron.hourly)

--- The crash happened in between ---

Dec 11 14:24:38 proxy syslogd 1.3-3: restart.
Dec 11 14:24:41 proxy kernel: klogd 1.3-3, log source = /proc/kmsg started.
Dec 11 14:24:41 proxy kernel: Inspecting /boot/System.map-2.4.4-64GB-SMP
Dec 11 14:24:41 proxy kernel: Loaded 2 symbols from 
/boot/System.map-2.4.4-64GB-SMP.
Dec 11 14:24:41 proxy kernel: Symbols match kernel version 2.4.4.
Dec 11 14:24:41 proxy kernel: Loaded 326 symbols from 4 modules.
Dec 11 14:24:41 proxy kernel: ip_conntrack (8191 buckets, 65528 max)
Dec 11 14:24:41 proxy kernel: IPv6 v0.8 for NET4.0
Dec 11 14:24:41 proxy kernel: IPv6 over IPv4 tunneling driver
Dec 11 14:24:42 proxy in.identd[419]: started
Dec 11 14:24:53 proxy /usr/sbin/cron[617]: (CRON) STARTUP (fork ok)
Dec 11 14:24:54 proxy kernel: eth0: no IPv6 routers present
Dec 11 14:24:54 proxy kernel: eth0: no IPv6 routers present
Dec 11 14:25:19 proxy webmin[744]: Webmin starting
Dec 11 14:30:00 proxy /USR/SBIN/CRON[762]: (root) CMD 
(/sbin/reportarconexionesproxy 2 /dev/null)




Re: [squid-users] forwarded_for

2003-12-12 Thread Emilio Casbas
Duane Wessels wrote:

Here is how X-Forwarded-For works:

Each proxy  in the hierarchy is going to append something to the
X-Forwarded-For header.  If 'forwarded_for' is on, then Squid appends
the client's IP address.
Yes, it works in our first level of proxies.

 If it is off, then Squid appends the
string 'unknown'.
 

Here, in our third level of proxies, it fails: with forwarded_for off the
IPs of the clients appear instead of the string unknown

Thanks Duane and sorry if I am somewhat confused.
Emilio.




RE: [squid-users] Squid dstdomain ACL

2003-12-12 Thread Mike McCall
 On Fri, 12 Dec 2003, Mike McCall wrote:
 
  All,
 
  I have a fairly busy cache using native squid ACLs to block 
 access to 
  certain sites using the dstdomain ACL type.  This is fine 
 for denying 
  access to sites like www.playboy.com, but doesn't work when 
 people use 
  google's cache of pages and google images, since the domain becomes 
  www.google.com.
 
  My question: is there an ACL that will deny both 
  http://www.playboy.com and 
  http://www.google.com/search?q=cache:www.playboy.com/?
 
  I know regexes might be able to do this, but will there be a 
  performance hit?
 
 You have (at least) two options:
 
 1) use the 'url_regex' type to block hostnames that appear 
 anywhere in the URL, like:
 
  acl foo url_regex www.playboy.com
 
    The performance hit depends on the size of your regex 
  list and the load on
    Squid.  If Squid is not currently running at, say, more than 
  50% of CPU usage,
    you'll probably be fine.
 
 
 2) Use a similar ACL to block all google cache queries:
 
  acl foo url_regex google.com.*cache:
 
 Duane W.

Thanks Duane.  Unfortunately, my domains list is HUGE (~600,000 domains) and
the cache already runs at 50-95% CPU during the day, most of which I assume
is due to the huge domains list.  If I were to lose the dstdomain ACL and
only use url_regex, would performance stay where it is?  Sadly, I can't use
the second option you mention because google's cache is useful for other
non-offensive websites.

Mike






Re: [squid-users] forwarded_for

2003-12-12 Thread Duane Wessels



On Fri, 12 Dec 2003, Emilio Casbas wrote:


 Duane Wessels wrote:

 
 Here is how X-Forwarded-For works:
 
 Each proxy  in the hierarchy is going to append something to the
 X-Forwarded-For header.  If 'forwarded_for' is on, then Squid appends
 the client's IP address.
 
  Yes, it works in our first level of proxies.

   If it is off, then Squid appends the
 string 'unknown'.
 
 
  Here, in our third level of proxies, it fails: with forwarded_for off the
  IPs of the clients appear instead of the string unknown

I don't think there are any bugs with the 'forwarded_for' directive.
Perhaps you have the directive repeated in your config file and it
is really set to on when you think it is off?  You can request 'config'
from the cache manager and see what Squid has the value set to internally.

Duane W.
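The behaviour Duane describes, modelled as an added example that is not Squid's code: every hop appends either the address that connected to it or the string 'unknown', so a hop with forwarded_for off hides only its own entry and leaves in place whatever a first-level hop with forwarded_for on already wrote. The reader at the end trusts only the positions its own proxies appended; all addresses and function names are constructed for illustration.

```python
# Added example, not Squid code: a model of the X-Forwarded-For handling
# described in the thread (each hop appends its client's IP, or "unknown"
# when forwarded_for is off) and a reader that only trusts the entries our
# own proxies appended. All addresses below are constructed sample values.

UNKNOWN = "unknown"


def squid_hop(headers, client_ip, forwarded_for):
    """Return the headers one Squid hop sends upstream.

    headers: request headers as received (dict; may already carry an
    X-Forwarded-For from the client or a downstream proxy).
    client_ip: address of whoever connected to this hop.
    forwarded_for: this hop's forwarded_for setting (True = on).
    """
    entry = client_ip if forwarded_for else UNKNOWN
    out = dict(headers)
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {entry}" if prior else entry
    return out


def run_hierarchy(client_ip, hops, client_headers=None):
    """Push a request through hops = [(proxy_ip, forwarded_for), ...].

    Each proxy's "client" is the hop before it (the first sees the real
    client). Returns the X-Forwarded-For value arriving at the origin.
    """
    headers = dict(client_headers or {})
    prev_ip = client_ip
    for proxy_ip, on in hops:
        headers = squid_hop(headers, prev_ip, on)
        prev_ip = proxy_ip
    return headers["X-Forwarded-For"]


def client_ip_from_xff(xff_value, hop_count):
    """Recover what our edge proxy saw from an X-Forwarded-For chain.

    hop_count is the number of our own proxies the request traversed; each
    appended exactly one entry, so the entry hop_count positions from the
    right is the one our edge proxy wrote. Everything left of it arrived
    with the client's request and is not trusted. Returns None when the
    edge had forwarded_for off ("unknown") or the chain is too short.
    """
    entries = [e.strip() for e in xff_value.split(",")]
    if hop_count < 1 or len(entries) < hop_count:
        return None
    edge_entry = entries[-hop_count]
    return None if edge_entry == UNKNOWN else edge_entry


if __name__ == "__main__":
    # Three levels as in the thread: first level on, last level off.
    hops = [("192.0.2.1", True), ("192.0.2.2", True), ("192.0.2.3", False)]
    chain = run_hierarchy("10.1.2.3", hops)
    print(chain)                              # 10.1.2.3, 192.0.2.1, unknown
    print(client_ip_from_xff(chain, len(hops)))  # 10.1.2.3
    # A request that already carried an X-Forwarded-For header when it
    # reached the first level: the extra value sits left of our entries.
    spoofed = run_hierarchy("10.1.2.3", hops, {"X-Forwarded-For": "203.0.113.9"})
    print(spoofed, "->", client_ip_from_xff(spoofed, len(hops)))
```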


[squid-users] Re: help me with authentication

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Victor Souza Menezes wrote:

 squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

The -D either does not give a correct DN of the user you want Squid to log 
in as while performing the searches, or the -w password is wrong.

Regards
Henrik



RE: [squid-users] Squid dstdomain ACL

2003-12-12 Thread Duane Wessels
 Thanks Duane.  Unfortunately, my domains list is HUGE (~600,000 domains) and
 the cache already runs at 50-95% CPU during the day, most of which I assume
 is due to the huge domains list.  If I were to lose the dstdomain ACL and
 only use url_regex, would performance stay where it is?  Sadly, I can't use
 the second option you mention because google's cache is useful for other
 non-offensive websites.

Switching from dstdomain to url_regex will likely be much less
efficient.  dstdomain searching is probably O(log N), while url_regex
searching is O(N).

There are some redirectors (like Squirm, Jersed, and squidGuard) that claim
to be very fast and efficient.  You might be able to do regex searching with
them faster than with Squid's internal implementation.  A nice thing about
redirectors, too, is that you can test them separately before you configure
Squid to use them.

Duane W.
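An added model, not Squid's implementation, of the two ACL types compared in this thread, run over the URLs from Mike's question plus constructed ones: dstdomain consults only the host part of the URL, with one indexed lookup per label, while url_regex scans every pattern against the whole URL including the query string. The domain list, patterns and helper names are mine.

```python
# Added example, not Squid's implementation: a model of how dstdomain and
# url_regex see the URLs from the thread. Domain lists and patterns are
# constructed for illustration.
import re
from urllib.parse import urlsplit


def build_dstdomain_index(entries):
    """Split a dstdomain list into exact hosts and leading-dot domains.

    Squid's dstdomain matches 'www.playboy.com' only on that exact host,
    while '.playboy.com' matches the domain and every subdomain. Putting
    both kinds into sets gives one lookup per label of the requested host
    instead of a scan over the whole list.
    """
    exact, suffixes = set(), set()
    for entry in entries:
        entry = entry.strip().lower()
        if entry.startswith("."):
            suffixes.add(entry.lstrip("."))
        else:
            exact.add(entry)
    return exact, suffixes


def dstdomain_match(url, index):
    """True if the URL's host (and only the host) is covered by the index."""
    exact, suffixes = index
    host = (urlsplit(url).hostname or "").lower()
    if host in exact:
        return True
    labels = host.split(".")
    # For www.google.com try www.google.com, google.com, com in turn.
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def url_regex_match(url, patterns):
    """True if any compiled pattern matches anywhere in the full URL.

    Every pattern is tried until one hits, so cost grows with the length
    of the list, but the path and query string are searched too.
    """
    return any(pattern.search(url) for pattern in patterns)


# Constructed lists: the domain from the thread plus a leading-dot entry.
DOMAIN_LIST = ["www.playboy.com", ".example-blocked.test"]
# Dots are escaped so the pattern cannot match 'wwwXplayboyXcom'.
URL_REGEX_LIST = [re.compile(r"www\.playboy\.com")]
# The second option from the thread: refuse every Google cache query.
GOOGLE_CACHE_REGEX = [re.compile(r"google\.com.*cache:")]


def classify(url):
    """Return (dstdomain_hit, url_regex_hit) for one URL."""
    index = build_dstdomain_index(DOMAIN_LIST)
    return dstdomain_match(url, index), url_regex_match(url, URL_REGEX_LIST)


if __name__ == "__main__":
    for u in ("http://www.playboy.com/",
              "http://www.google.com/search?q=cache:www.playboy.com/",
              "http://sub.example-blocked.test/page",
              "http://www.google.com/search?q=cache:www.example.com/"):
        print(classify(u), url_regex_match(u, GOOGLE_CACHE_REGEX), u)
```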


Re: [squid-users] cache_dir doesn't grow to given size

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, babar haq wrote:

 this is my cache_dir line in squid.conf
 cache_dir ufs /cache  3500 16 256
 
 but df max shows my /cache to 3002100 it never grows beyond this

What have you set as cache_swap_low/high?

Regards
Henrik



Re: [squid-users] cache_dir doesn't grow to given size

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, babar haq wrote:

 but df max shows my /cache to 3002100 it never grows beyond this

And what filesystem are you using? If reiserfs or another filesystem
dealing well with small files then Squid may think it is using slightly
more than it actually is..

Regards
Henrik



Re: [squid-users] forwarded_for

2003-12-12 Thread Henrik Nordstrom
See squid.conf or the FAQ.

Regards
Henrik

On Fri, 12 Dec 2003, Emilio Casbas wrote:

 Hi,
 In a hierarchy of 3 levels of proxy-caches, we have configured it so that
 the first level shows the IPs of the clients (forwarded_for on) and works well,
 and in the third-level (exit) proxy-caches (forwarded_for off), but here is
 where it does not work and shows the following:
 
 X-Forwarded-For: x.x.x.x, x.x.x.x
 X-Forwarded-For: x.x.x.x, x.x.x.x
 X-Forwarded-For: x.x.x.x, x.x.x.x
 X-Forwarded-For: x.x.x.x, x.x.x.x
 X-Forwarded-For: x.x.x.x, x.x.x.x
 X-Forwarded-For: x.x.x.x, x.x.x.x
 where x.x.x.x are IPs of our clients.
 
 instead of:
 
 X-Forwarded-For: unknown
 
 
 The squid version is squid-2.5Stable4
 
 Thanks in advance.
 Emilio
 
 
 
 



Re: [squid-users] forwarded_for

2003-12-12 Thread Emilio Casbas
Duane Wessels wrote:

On Fri, 12 Dec 2003, Emilio Casbas wrote:

 

Duane Wessels wrote:

   

Here is how X-Forwarded-For works:

Each proxy  in the hierarchy is going to append something to the
X-Forwarded-For header.  If 'forwarded_for' is on, then Squid appends
the client's IP address.
 

Yes, it works in our first level of proxies.

   

If it is off, then Squid appends the
string 'unknown'.
 

Here, in our third level of proxies, it fails: with forwarded_for off the
IPs of the clients appear instead of the string unknown
   

I don't think there are any bugs with the 'forwarded_for' directive.
Perhaps you have the directive repeated in your config file and it
is really set to on when you think it is off?  You can request 'config'
from the cache manager and see what Squid has the value set to internally.
 

This is from cache manager:

tcp_recv_bufsize 0 bytes
err_html_text 
memory_pools on
memory_pools_limit 0 bytes
forwarded_for off   ---
log_icp_queries on
icp_hit_stale off
minimum_direct_hops 4

I don't know what can be happening.

Duane W.

 

Thanks.
Emilio.




RE: [squid-users] Proxy server restart without reason

2003-12-12 Thread Linuxero Tux
Hi Austin!

I checked my access.log files like you recommended and I found that the
largest is 350 MB in size. Hopefully squid rotates the logs daily and they don't
become bigger.

When my system crashes, the screen turns black, the keyboard doesn't respond 
and the HDD led is off. I can't login or use the server, both via console 
and network. Only the power fan is on =)))

Thanks anyway for your comments!


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] Proxy server restart without reason
Date: Fri, 12 Dec 2003 12:15:12 -0500
I had a similar problem except I could get to the console. It turned out
that my access.log was getting past 2 gig in size and Linux had a hard time
dealing with this. Squid would stop responding. Once I moved the log and
restarted the process, I had no problems. Take a look at your log file size.
Hope this helps.
Austin Wolfe
-Original Message-
From: Linuxero Tux [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Proxy server restart without reason
Hi everybody!

I have this problem with the office's proxy server:

Every 3 weeks, more or less, the server crashes and even the console doesn't
respond. I have no choice but to reboot it manually.

I set up the syslog service to log all the important system messages, at
least that is what I believe =), but when I consult the log files there is no
reason for the crash. You can see the syslog's config file below.
I'd appreciate it if you could tell me what's going on with the server or what
I should do with the server or with the syslog daemon to find the reason and
to solve it.

The server specifications are next:

- CPU: Pentium III 68A, 800 MHz, 256 Kb caché.
- RAM: 1 GB.
- HDD: SCSI Seagate, 33 GB.
- Squid Proxy Server 2.5 Stable 2.
Thanks for your help and time!



=

SYSLOG'S CONFIG FILE

# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see man syslog.conf.
#
#
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none       /dev/tty10
kern.warn;*.err;authpriv.none       |/dev/xconsole
*.emerg                             *
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                            root
#
# all email-messages in one file
#
mail.*                              -/var/log/mail
#
# all news-messages
#
# these files are rotated and examined by news.daily
news.crit                           -/var/log/news/news.crit
news.err                            -/var/log/news/news.err
news.notice                         -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                             -/var/log/news.all
#
# Warnings in one file
#
*.=warn;*.=err                      /var/log/warn
*.crit                              /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none             -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.*                                -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.*                     -/var/log/localmessages
local2,local3.*                     -/var/log/localmessages
local4,local5.*                     -/var/log/localmessages
local6,local7.*                     -/var/log/localmessages
kern.*                              /var/log/firewall

authpriv.*                          /var/log/syslog
cron.*                              /var/log/cronlog
daemon.warn                         /var/log/warn
syslog.*                            -/var/log/syslog.log
user.*;user.!warn                   -/var/log/userlog
user.warn                           /var/log/userlog.warn


=

LOG FILE /var/log/messages

Dec 11 13:43:12 proxy -- MARK --
dic 11 13:45:26 proxy PAM-unix2[608]: session started for user root, service xdm
Dec 11 13:59:00 proxy /USR/SBIN/CRON[29879]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
--- Between this happen the crash ---

Dec 11 14:24:38 proxy syslogd 1.3-3: restart.
Dec 11 14:24:41 proxy kernel: klogd 1.3-3, log source = /proc/kmsg started.
Dec 11 14:24:41 proxy kernel: Inspecting /boot/System.map-2.4.4-64GB-SMP
Dec 11 14:24:41 proxy kernel: Loaded 2 symbols from
/boot/System.map-2.4.4-64GB-SMP.
Dec 11 14:24:41 proxy kernel: Symbols match kernel version 2.4.4.
Dec 11 14:24:41 proxy kernel: Loaded 326 symbols from 4 modules.
Dec 11 14:24:41 proxy kernel: ip_conntrack (8191 buckets, 65528 max)
Dec 11 14:24:41 proxy kernel: IPv6 v0.8 for NET4.0
Dec 11 14:24:41 proxy kernel: IPv6 over IPv4 tunneling driver
Dec 11 14:24:42 proxy in.identd[419]: started
Dec 11 14:24:53 proxy /usr/sbin/cron[617]: (CRON) STARTUP (fork ok)
Dec 11 14:24:54 proxy kernel: eth0: no IPv6 routers present
Dec 11 14:24:54 proxy kernel: eth0: no IPv6 routers present
Dec 11 14:25:19 proxy webmin[744]: Webmin starting
Dec 11 14:30:00 proxy /USR/SBIN/CRON[762]: (root) CMD
(/sbin/reportarconexionesproxy 2 

Re: [squid-users] forwarded_for

2003-12-12 Thread Stephen J. McCracken
On Fri, 2003-12-12 at 12:47, Emilio Casbas wrote:
 Duane Wessels wrote:
 On Fri, 12 Dec 2003, Emilio Casbas wrote:
 Duane Wessels wrote:

 Here is how X-Forwarded-For works:
 
 Each proxy  in the hierarchy is going to append something to the
 X-Forwarded-For header.  If 'forwarded_for' is on, then Squid appends
 the client's IP address.
[snip]
 
 Here, our third level of proxies fails: with forwarded_for off, the
 IPs of clients appear instead of the string unknown
[snip]

Are you expecting it to OVERWRITE (sobre-escribir) instead of APPEND
(agregar)?  

As Duane said, Squid does not remove or replace X-Forwarded-For
entries, it only adds to them.  If you want to remove the header
completely, use the 'header_access' and 'header_replace' directives.
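The append-only behaviour described above is easy to get wrong when reading a chain of proxies, so here is a small model of it, as an added example that is not Squid's code and not part of the original thread. Each hop appends either the address of the client it sees (forwarded_for on) or the literal "unknown" (forwarded_for off), never touching earlier entries; the only way to keep the end-user address from reaching the origin is to drop the header at the exit proxy, which the squid.conf line `header_access X-Forwarded-For deny all` does and `strip=True` models here. All addresses are constructed.

```python
"""How X-Forwarded-For accumulates across a chain of Squid proxies.

Added example for this thread; a model, not Squid's code.  Each hop
appends one entry: the address of the client it sees when forwarded_for
is on, the literal "unknown" when it is off.  No hop rewrites what earlier
hops appended, so turning forwarded_for off only at the exit proxy still
leaks the end-user address added by the first hop.  Dropping the header at
the exit (squid.conf: header_access X-Forwarded-For deny all) is modelled
by strip=True.  All addresses below are constructed.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
XFF = "X-Forwarded-For"


def forward_through(headers: Headers, client_ip: str, forwarded_for: bool,
                    strip: bool = False) -> Headers:
    """One proxy hop: returns the request headers sent to the next hop."""
    out = dict(headers)
    if strip:
        out.pop(XFF, None)          # header_access ... deny: never forwarded
        return out
    entry = client_ip if forwarded_for else "unknown"
    prior = out.get(XFF)
    out[XFF] = f"{prior}, {entry}" if prior else entry
    return out


def run_chain(hops: List[Tuple[str, bool, bool]], end_user: str) -> Headers:
    """hops: (proxy_ip, forwarded_for, strip), first proxy to last.

    The first hop's client is the end user; every later hop sees the
    previous proxy as its client, which is why proxy addresses show up
    in the header as well.
    """
    headers: Headers = {"Host": "www.example.com"}
    client = end_user
    for proxy_ip, forwarded_for, strip in hops:
        headers = forward_through(headers, client, forwarded_for, strip)
        client = proxy_ip
    return headers


def exposed_addresses(headers: Headers) -> List[str]:
    """What the origin server learns from the header, ignoring 'unknown'."""
    value: Optional[str] = headers.get(XFF)
    if not value:
        return []
    return [v.strip() for v in value.split(",") if v.strip() != "unknown"]


if __name__ == "__main__":
    # Constructed three-level hierarchy: forwarded_for on, on, off.
    chain = [("10.0.0.1", True, False), ("10.0.0.2", True, False),
             ("10.0.0.3", False, False)]
    print(run_chain(chain, "192.168.1.50")[XFF])
    # Same chain, but the exit proxy drops the header entirely.
    chain[-1] = ("10.0.0.3", False, True)
    print(exposed_addresses(run_chain(chain, "192.168.1.50")))
```

Running it prints the exit proxy's "unknown" appended after the two real addresses the earlier hops added, then an empty list once the exit proxy strips the header instead.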



Re: [squid-users] squid_ldap_auth special character in password

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Frank Fegert wrote:

 Though I'm not a C wizard, I had a look at squid_ldap_auth.c, 
 but couldn't find any character escaping and/or UTF8 conversion.
 Hence the question, is the character escaping and/or UTF8 
 conversion done in the OpenLDAP functions/libraries, or has
 this to be provided by the squid_ldap_auth helper?

It is the responsibility of the helper to translate whatever format was 
sent by the browser to whatever format is expected by the backend used by 
the helper.

Unfortunately the specifications on all parts are very vague on what
happens on non-ascii characters so it is a bit of a mess currently. For 
example some browsers send you the data encoded in their local code page, 
some send it in UTF8.

If you find a reasonable way to deal with this then I would be very glad 
to know. Even better if you patch up squid_ldap_auth to do it correctly.

Regards
Henrik
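One way a helper can do the translation Henrik describes, as an added example that is not squid_ldap_auth's code: accept the raw credential bytes the browser sent, decode them as UTF-8 when they are valid UTF-8 and fall back to a local code page otherwise, then escape the username per RFC 4515 before it is placed into an LDAP search filter, so that a "username" such as `*)(uid=*` cannot widen the search. The cp1252 fallback is an assumption for Western Windows clients; pick your clients' real locale. The filter attribute `uid` mirrors the `-f '(uid=%s)'` style of search squid_ldap_auth is commonly run with.

```python
"""Normalising browser-supplied Basic credentials before LDAP sees them.

Added example, not squid_ldap_auth's code.  The helper receives whatever
bytes the browser base64-encoded into the Authorization header; some
browsers use the local code page, some UTF-8.  Decode defensively, then
escape the username for an RFC 4515 search filter.  The bind password is
passed to LDAP as-is (it is never part of a filter).  The cp1252 fallback
is an assumption for Western Windows clients.
"""
import base64
from typing import Tuple

FALLBACK_CODEPAGE = "cp1252"   # assumption: match your clients' locale
_FILTER_SPECIALS = b"*()\\\x00"  # RFC 4515 characters that must be escaped


def decode_credential(raw: bytes, fallback: str = FALLBACK_CODEPAGE) -> str:
    """UTF-8 when the bytes are valid UTF-8, otherwise the fallback page."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode(fallback)


def split_basic(authorization: str) -> Tuple[bytes, bytes]:
    """Split an 'Authorization: Basic ...' value into raw user and password.

    Only the first colon separates the two, so passwords may contain colons.
    """
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userpass = base64.b64decode(b64, validate=True)
    user, sep, password = userpass.partition(b":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: specials and non-ASCII become \\XX of their UTF-8
    bytes, which is the form the LDAP server expects on the wire."""
    out = []
    for b in value.encode("utf-8"):
        if b in _FILTER_SPECIALS or b >= 0x80:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def search_filter(user_bytes: bytes, attr: str = "uid") -> str:
    """The filter a helper run with -f '(uid=%s)' would issue, built safely."""
    return f"({attr}={escape_filter_value(decode_credential(user_bytes))})"


if __name__ == "__main__":
    # Constructed header: user "Müller" sent in cp1252, password "s3cr:et".
    hdr = "Basic " + base64.b64encode(b"M\xfcller:s3cr:et").decode("ascii")
    user, password = split_basic(hdr)
    print(search_filter(user), password)
    print(search_filter(b"*)(uid=*"))   # injection attempt, neutralised
```

Because the decoded username is re-encoded as UTF-8 before escaping, the same user gets the same filter whether the browser sent cp1252 or UTF-8 bytes, which is the consistency the thread is after.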



Re: [squid-users] FW: Squid, NT Domains and non logged in systems

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003 [EMAIL PROTECTED] wrote:

  access the proxy. If they shut down IE and try again, it will function
  until the next deny. I have had them try to access the proxy without using
  wpad.dat and they still get the same issue. I have another proxy that does
  not require authentication and the problem does not occur. I then had them
  log their system into a domain, they get prompted for the username
  password / domain, which they enter and the problem does not occur. How do
  I resolve this?

First try applying the latest security update for MSIE if you have not
already. This includes several bugfixes in how MSIE maintains
authentication to proxies.

Regards
Henrik



Re: [squid-users] Question regarding squid and url's

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Jim Greene wrote:

 Type in http://10.0.0.1:3128/www.yahoo.com in my browser. I need to be able
 to access a site like that because of some software we will be using that
 does not have a proxy setting.
 That gives me an error about not being able to bring up /www.yahoo.com.

You need to enable the http accelerator features of Squid for this to 
work, then you need a redirector to rewrite the URL into what was intended 
to be requested.

Regards
Henrik 
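A redirector of the kind Henrik describes, as an added example that is not part of Squid: with the accelerator directives enabled in squid.conf (`httpd_accel_host`, `httpd_accel_port`, `httpd_accel_with_proxy on`) a request for `http://10.0.0.1:3128/www.yahoo.com` reaches the `redirect_program` as a URL whose first path segment is the intended host. Squid 2.5 writes one line per request, `URL client_ip/fqdn ident method`, and reads back the rewritten URL, or an empty line to leave the request unchanged. The allowlist is an assumption and the point a practitioner should not skip: rewriting to whatever host appears in the path turns the proxy into an open relay to anything it can reach, including internal addresses.

```python
"""Squid redirector: http://PROXY/www.yahoo.com/path -> http://www.yahoo.com/path

Added example for this thread; not part of Squid.  Squid 2.5 feeds a
redirector one line per request:
    URL client_ip/fqdn ident method
and reads one line back: the rewritten URL, or an empty line for "leave
it unchanged".  ALLOWED_HOSTS is an assumption; without it the proxy
forwards to any host named in the path, including internal ones.
"""
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumed policy: the only hosts the proxy-unaware software may reach.
ALLOWED_HOSTS = {"www.yahoo.com", "www.example.com"}

# A syntactically plausible DNS name with at least two labels.
_HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def rewrite(url: str) -> str:
    """Return the rewritten URL, or "" to tell Squid to leave it alone."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return ""
    segments = parts.path.lstrip("/").split("/", 1)
    target = segments[0].lower()
    rest = "/" + segments[1] if len(segments) > 1 else "/"
    if not _HOST_RE.match(target) or target not in ALLOWED_HOSTS:
        return ""          # not a host we forward for; Squid serves the original
    return urlunsplit(("http", target, rest, parts.query, ""))


def handle_line(line: str) -> str:
    """One redirector exchange: request line in, answer line out."""
    fields = line.rstrip("\n").split(" ")
    if not fields or not fields[0]:
        return ""
    return rewrite(fields[0])


def main() -> None:
    # Squid keeps the helper running and sends requests over stdin; the
    # flush matters, or Squid waits forever for an answer still buffered.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it up with `redirect_program /usr/local/bin/hostpath_redirect.py` (path assumed) and test from a shell by piping a request line in the format above into the script; a URL whose first segment is not on the allowlist comes back as an empty line and is served unchanged.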



Re: [squid-users] Proxy server restart without reason

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Linuxero Tux wrote:

 Every 3 weeks, more or less, the server crashes and even the console doesn't 
 respond. I have no choice but to reboot it manually.

This is either a hardware or kernel problem, almost certainly not a Squid
problem.

I would recommend testing the server hardware using memtest86 and other 
similar hardware test tools, and make sure the system kernel is up to 
date with the latest bug fixes from your OS vendor.

Regards
Henrik




RE: [squid-users] Squid dstdomain ACL

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Mike McCall wrote:

 Thanks Duane.  Unfortunately, my domains list is HUGE (~600,000 domains) and
 the cache already runs at 50-95% CPU during the day, most of which I assume
 is due to the huge domains list.  If I were to lose the dstdomain ACL and
 only use url_regex, would performance stay where it is?  Sadly, I can't use
 the second option you mention because google's cache is useful for other
 non-offensive websites.

Ouch.. such a large regex list will give a significant performance hit.

You could extend Squid with a special acl type for dstdomain matches to 
google cache lookups. This should allow to keep the speed the same as 
using dstdomain.

Regards
Henrik
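Without patching Squid, the "special acl type" Henrik suggests can be approximated with an external ACL helper, shown here as an added example that is not Squid's code. The helper pulls the target host out of a Google cache URL and checks it against the block list with dstdomain semantics using set lookups, so the 600,000 entries never go near a regex. The squid.conf wiring below is assumed (the format token that hands the helper the full URL has varied between 2.5 releases, so check your squid.conf.default), and it consults the helper only for requests that already match a cheap dstdomain ACL for Google; the cache URL layout `search?q=cache:HOST/PATH+terms` is also an assumption. The block list is constructed.

```python
"""External ACL helper: dstdomain-style matching on the host inside a
Google cache URL.  Added example for this thread; not Squid's own code.

Squid 2.5's external_acl_type runs a helper that reads one request per
line and answers OK (the ACL matches) or ERR.  Assumed squid.conf wiring,
so the helper is consulted only for requests to Google and the big list
stays a hash set instead of a regex list:

    acl google dstdomain .google.com
    external_acl_type gcache ttl=3600 %URI /usr/local/bin/gcache_acl.py /etc/squid/blocked.domains
    acl gcache_blocked external gcache
    http_access deny google gcache_blocked
"""
import re
import sys
from typing import Iterable, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed list in dstdomain syntax: a leading dot matches the domain
# and all its subdomains; no leading dot means that exact host only.
BLOCKED: Set[str] = {".badsite.example", "exact.example"}

_HOST_PREFIX = re.compile(r"[A-Za-z0-9.-]+")


def load_domains(lines: Iterable[str]) -> Set[str]:
    """Read a dstdomain file: one entry per line, '#' starts a comment."""
    out: Set[str] = set()
    for ln in lines:
        ln = ln.split("#", 1)[0].strip().lower()
        if ln:
            out.add(ln)
    return out


def domain_matches(host: str, blocked: Set[str]) -> bool:
    """dstdomain semantics using at most len(labels)+1 set lookups."""
    host = host.lower().rstrip(".")
    if host in blocked:
        return True
    labels = host.split(".")
    return any("." + ".".join(labels[i:]) in blocked for i in range(len(labels)))


def cached_host(url: str) -> Optional[str]:
    """HOST from a q=cache:HOST/... query, or None if not a cache lookup."""
    for value in parse_qs(urlsplit(url).query).get("q", []):
        if not value.lower().startswith("cache:"):
            continue
        target = value[len("cache:"):]
        for scheme in ("http://", "https://"):
            if target.lower().startswith(scheme):
                target = target[len(scheme):]
        m = _HOST_PREFIX.match(target)      # stops at '/', ' ', ':' ...
        return m.group(0).lower() if m else None
    return None


def handle_line(line: str, blocked: Set[str] = BLOCKED) -> str:
    """One helper exchange.  If your release %-encodes helper fields,
    decode the URL once here before parsing it."""
    url = line.strip().split(" ", 1)[0]
    host = cached_host(url) if url else None
    return "OK" if host and domain_matches(host, blocked) else "ERR"


def main(argv) -> None:
    blocked = BLOCKED
    if len(argv) > 1:                       # real deployment: list file
        with open(argv[1]) as fh:
            blocked = load_domains(fh)
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, blocked) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(sys.argv)
```

Each lookup costs one set probe per label of the cached host, independent of list size, which is the same order of work Squid's own dstdomain ACL does; the `ttl=` option keeps Squid from re-asking the helper for the same URL for an hour.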



RE: [squid-users] FW: Squid, NT Domains and non logged in systems

2003-12-12 Thread wolfe
I checked the systems that were affected and they were already up to date
with the latest, according to Windows Update. Any other ideas?

Austin Wolfe

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 1:34 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] FW: Squid, NT Domains and non logged in
systems


On Fri, 12 Dec 2003 [EMAIL PROTECTED] wrote:

  access the proxy. If they shut down IE and try again, it will function
  until the next deny. I have had them try to access the proxy without using
  wpad.dat and they still get the same issue. I have another proxy that does
  not require authentication and the problem does not occur. I then had them
  log their system into a domain, they get prompted for the username
  password / domain, which they enter and the problem does not occur. How do
  I resolve this?

First try applying the latest security update for MSIE if you have not
already. This includes several bugfixes in how MSIE maintains
authentication to proxies.

Regards
Henrik


Re: [squid-users] forwarded_for

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Emilio Casbas wrote:

 Here, our third level of proxies fails: with forwarded_for off, the IPs 
 of clients appear instead of the string unknown

Then forwarded_for is enabled.

One thing you can do if making sure forwarded_for is off on all child
caches is to use http_header_access on the main proxy to deny the header
from being forwarded.

Regards
Henrik



Re: [squid-users] Proxy server restart without reason

2003-12-12 Thread Linuxero Tux
 Every 3 weeks, more or less, the server crashes and even the console 
doesn't
 respond. I have no choice but to reboot it manually.

This is either a hardware or kernel problem, almost certainly not a Squid
problem.
I hadn't thought of it. Maybe you're right, because I never did hardware tests.

I would recommend testing the server hardware using memtest86 and other
similar hardware test tools, and make sure the system kernel is up to
date with the latest bug fixes from your OS vendor.
Besides memtest86, what other hardware test tools do you recommend for CPU, 
hard disks, network interfaces, etc.?

I'm using Suse Linux 7.2. Do I need to update it, or is there any patch for 
the kernel?

Regards
Henrik
Thanks a lot Henrik!




Re: [squid-users] Proxy server restart without reason

2003-12-12 Thread Henrik Nordstrom
On Fri, 12 Dec 2003, Linuxero Tux wrote:

 Besides memtest86, what other hardware test tools do you recommend for CPU, 
 hard disks, network interfaces, etc.?

Stressing the disks with bonnie++ and other benchmark tools etc.

 I'm using Suse Linux 7.2. Do I need to update it or there are any patch for 
 the kernel?

Maybe. Not very familiar with SuSe Linux. Have you applied the recommended
updates from SuSe? Hmm.. is the 7.2 even maintained by SuSe any longer?  
Does not look so from the FTP archives.. the oldest release for which
I can find updates available on the public FTP servers is 7.3.

Regards
Henrik



[squid-users] ncsa_auth

2003-12-12 Thread Simon Walters
I am very new to squid, and I was following the instructions in a manual to make squid 
ask for a username/password. It said squid came with a programme called ncsa_auth, but 
when I looked for it, I couldn't find it anywhere. I did a locate, but it could only 
find two files in the source folder. Where do I get ncsa_auth from?

Thanks,
Simon


Re: [squid-users] ncsa_auth

2003-12-12 Thread Duane Wessels



On Sat, 13 Dec 2003, Simon Walters wrote:

 I am very new to squid, and I was following the instructions in
a manual to make squid ask for a username/password. It said squid
came with a programme called ncsa_auth, but when I looked for it,
I couldn't find it anywhere. I did a locate, but it could only find
two files in the source folder. Where do I get ncsa_auth from?

When you compile Squid, you must add this option when you run configure:

   ./configure --enable-basic-auth-helpers=NCSA ...


If you didn't compile Squid (i.e., you used an RPM or something)
then you should probably get the source code and compile it from
the start.

Duane W.


Re: [squid-users] ncsa_auth

2003-12-12 Thread Henrik Nordstrom
On Sat, 13 Dec 2003, Simon Walters wrote:

 I am very new to squid, and I was following the instructions in a manual
 to make squid ask for a username/password. It said squid came with a
 programme called ncsa_auth, but when I looked for it, I couldn't find it
 anywhere. I did a locate, but it could only find two files in the source
 folder. Where do I get ncsa_auth from?

Squid is distributed 100% source code.. to get anything from source code 
you need to compile it..

If you have already compiled Squid then you can compile ncsa_auth by

  cd helpers/basic_auth/NCSA
  make install

Regards
Henrik



Re: [squid-users] ncsa_auth

2003-12-12 Thread Renato Kalugdan
OK, I've done make install in the /helpers/basic_auth/NCSA.

do i go to squid.conf and edit some of the parameters?

thanks.


 On Sat, 13 Dec 2003, Simon Walters wrote:

 I am very new to squid, and I was following the instructions in a
 manual to make squid ask for a username/password. It said squid came
 with a programme called ncsa_auth, but when I looked for it, I
 couldn't find it anywhere. I did a locate, but it could only find two
 files in the source folder. Where do I get ncsa_auth from?

 Squid is distributed 100% source code.. to get anything from source code
  you need to compile it..

 If you have already compiled Squid then you can compile ncsa_auth by

   cd helpers/basic_auth/NCSA
   make install

 Regards
 Henrik


Renato Kalugdan
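The thread stops short of the squid.conf side of the question, so here is the whole picture as an added example: a helper in the shape of ncsa_auth (this is not ncsa_auth, which checks passwords with crypt(3) against a classic htpasswd file) together with the directives Squid 2.5 needs to use it. It speaks the same protocol: Squid writes `username password` on one line, the helper answers `OK` or `ERR`. To stay portable the password file here uses the `{SHA}` entries Apache's `htpasswd -s` writes, which is an assumption; unsalted SHA-1 is weak against offline guessing, so prefer a salted scheme if your helper supports one. The sample user and password are constructed.

```python
"""A Squid basic-auth helper in the shape of ncsa_auth.

Added example, not ncsa_auth itself (ncsa_auth uses crypt(3)).  Protocol:
Squid writes "username password\n", the helper answers "OK" or "ERR".
The password file uses {SHA} entries as written by `htpasswd -s`, an
assumption made for portability.  Whichever helper you use, squid.conf
needs lines like (paths assumed):

    auth_param basic program /usr/local/squid/libexec/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy
    auth_param basic credentialsttl 2 hours
    acl password proxy_auth REQUIRED
    http_access allow password
    http_access deny all
"""
import base64
import hashlib
import hmac
import sys
from typing import Dict, Iterable

SHA_PREFIX = "{SHA}"


def _sha_b64(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """Produce one password-file line, as `htpasswd -s` would."""
    return f"{user}:{SHA_PREFIX}{_sha_b64(password)}"


def load_passwd(lines: Iterable[str]) -> Dict[str, str]:
    """user -> stored hash; blank lines and # comments are skipped."""
    users: Dict[str, str] = {}
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#") or ":" not in ln:
            continue
        user, _, stored = ln.partition(":")
        users[user] = stored
    return users


def check(users: Dict[str, str], user: str, password: str) -> bool:
    """True only for a known user whose {SHA} hash matches the password."""
    stored = users.get(user)
    if stored is None or not stored.startswith(SHA_PREFIX):
        return False                     # unknown user or unsupported hash
    # Constant-time compare so a wrong password does not leak which bytes matched.
    return hmac.compare_digest(_sha_b64(password), stored[len(SHA_PREFIX):])


def handle_line(users: Dict[str, str], line: str) -> str:
    """One protocol exchange.  The password may contain spaces, so split
    on the first space only."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return "OK" if check(users, parts[0], parts[1]) else "ERR"


def main(argv) -> None:
    with open(argv[1]) as fh:
        users = load_passwd(fh)
    for line in sys.stdin:                # Squid keeps the helper running
        sys.stdout.write(handle_line(users, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv)
    else:
        # Constructed demo: user "bob", password "hunter2".
        demo = load_passwd([make_entry("bob", "hunter2")])
        print(handle_line(demo, "bob hunter2"), handle_line(demo, "bob wrong"))
```

Test any basic helper the same way before pointing Squid at it: run it from a shell with the password file as its argument, type `bob hunter2` and `bob wrong` on stdin, and expect `OK` then `ERR`; if the helper blocks without answering, Squid will hang every authenticated request in the same way.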




RE: [squid-users] forwarded_for

2003-12-12 Thread David
Hi Emilio,

This is my outbound squid config located on my firewall - which is the last
squid in the chain configured as follows utilizing header_access filtering,

#
# header filtering
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Set-Cookie allow all
header_access Cookie allow all
header_access Accept allow all
header_access User-Agent allow all
header_access Referer allow all
header_access All deny all
#

Which removes all the ugly stuff!

;-)

-david

 -Original Message-
 From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
 Sent: Saturday, 13 December 2003 04:47
 To: Emilio Casbas
 Cc: [EMAIL PROTECTED]
 Subject: Re: [squid-users] forwarded_for
 
 
 See squid.conf or the FAQ.
 
 Regards
 Henrik
 
 On Fri, 12 Dec 2003, Emilio Casbas wrote:
 
  Hi,
  In a hierarchy of 3 levels of proxy-cache, we have configured it so that 
  the first level shows the IPs of the clients (forwarded on) and 
  works well, and in the proxy-caches of the third level, at the exit 
  (forwarded off), is where it does not work and shows the following thing:
  
  X-Forwarded-For: x.x.x.x, x.x.x.x
  X-Forwarded-For: x.x.x.x, x.x.x.x
  X-Forwarded-For: x.x.x.x, x.x.x.x
  X-Forwarded-For: x.x.x.x, x.x.x.x
  X-Forwarded-For: x.x.x.x, x.x.x.x
  X-Forwarded-For: x.x.x.x, x.x.x.x
  where x.x.x.x  is ips of our clients.
  
  instead of:
  
  X-Forwarded-For: unknown
  
  
  The squid version is squid-2.5Stable4
  
  Thanks in advance.
  Emilio