[squid-users] RE: Squid Accelerator and SSL

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Kent, Mr. John (Contractor) wrote:

> The problem I now have is that the accelerator works perfectly and hides
> the fact that the client is connecting to an https server.  

You should set up Squid as an https reverse proxy. See the https_port 
directive.

Regards
Henrik



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Henrik Nordstrom
On Sat, 7 Feb 2004, Evren Yurtesen wrote:

> This is a bit of a lame question I guess, but how can I get the stack
> trace because squid process doesn't exit? I checked from the FAQ, it
> says

The easiest way is to attach gdb to the running process.

gdb /path/to/squid pid_of_running_squid
backtrace

Many OSes also have tools for printing a stack trace of a running
process.

Regards
Henrik



RE: [squid-users] RE: Squid Accelerator and SSL

2004-02-06 Thread Brian Peterson
What I think you want is Squid as an SSL Accelerator, and the Webserver on
the back end running unsecure.

Load the Cert and Key in the squid.conf, squid -k reconfigure, and run from
there.

See also FAQ Section 19.

Brian Peterson
If it's there and you can see it   -  it's REAL 
If it's there and you can't see it -  it's TRANSPARENT 
If it's not there and you can see it   -  it's VIRTUAL 
If it's not there and you can't see it -  it's GONE 

> -Original Message-
> From: Kent, Mr. John (Contractor) [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 06, 2004 5:32 PM
> To: Henrik Nordstrom
> Cc: Squid_Users (E-mail)
> Subject: [squid-users] RE: Squid Accelerator and SSL
> 
> 
> Greetings,
> 
> I downloaded and installed Squid3.0 and it works!
> 
> I can redirect to a backend server running https and the
> web pages come up fine.
> 
> The problem I now have is that the accelerator works 
> perfectly and hides
> the fact that the client is connecting to an https server.  
> 
> Somehow I don't think that's what I want.
> 
> Is there a way to hide all redirections from the client's browsers
> except those going to an https server?
> 
> Doesn't the Client need to "see" https in the URL in order to 
> securely transmit a 
> password for instance?
> 
> I guess the only way to handle this is to have a hyperlink on 
> a page directly to 
> the https server and bypass Squid altogether.
> 
> If this shows a gross ignorance of the process, I confess.
> Perhaps someone can set me straight.
> 
> Thank you,
> John Kent
> 
> 
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 06, 2004 9:44 AM
> To: Kent, Mr. John (Contractor)
> Cc: Squid_Users (E-mail); Henrik Nordstrom (E-mail)
> Subject: Re: Squid Accelerator and SSL
> 
> 
> Squid-2.5.STABLE can not initiate SSL connections, only accept SSL 
> connections.
> 
> To initiate SSL connections you need the SSL update patch from
> devel.squid-cache.org, or Squid-3.
> 
> Regards
> Henrik
> 
> On Fri, 6 Feb 2004, Kent, Mr. John (Contractor) wrote:
> 
> > 
> > Greetings,
> > 
> > I am using Squid as a front-end accelerator on top of a server farm.
> > Wanted to re-direct to an https enabled Apache Server.
> > Squid is in a "DMZ" and talks to the server farm through a firewall.
> > The Apache server was set up independently of Squid, by which I mean
> > I created the keys and certificates for it only.
> > 
> > It works fine when accessed directly.
> > 
> > Per the FAQ, I rebuilt my Squid enabling ssl
> > 
> > ./squid -v  now gives =
> > >Squid Cache: Version 2.5.STABLE4
> > configure options:  --prefix=/users/webuser/www_squid
> > --enable-storeio=diskd,ufs --enable-ssl --with-openssl=/usr/lib
> > 
> > When the redirection occurs get the following error page from Squid:
> > 
> > ERROR
> > The requested URL could not be retrieved
> > 
> > While trying to retrieve the URL:
> > The following error was encountered:
> > *   Unsupported Request Method and Protocol
> > Squid does not support all request methods for all access protocols. For
> > example, you can not POST a Gopher request.
> > 
> > Clicking on the "trying to retrieve" URL above works fine.
> > 
> > Any suggestions?
> > 
> > Obviously I'm missing a great deal here.
> > If there is more information that I have failed to read, I accept all
> > criticism, but would appreciate the link to
> > the applicable reference.
> > 
> > Thank you,
> > 
> > John Kent
> > Webmaster
> > Naval Research Laboratory
> > Monterey, CA
> > http://www.nrlmry.navy.mil
> > 
> > 
> > 
> 

[squid-users] RE: Squid Accelerator and SSL

2004-02-06 Thread Kent, Mr. John (Contractor)
Greetings,

I downloaded and installed Squid3.0 and it works!

I can redirect to a backend server running https and the
web pages come up fine.

The problem I now have is that the accelerator works perfectly and hides
the fact that the client is connecting to an https server.  

Somehow I don't think that's what I want.

Is there a way to hide all redirections from the client's browsers except those
going to an https server?

Doesn't the Client need to "see" https in the URL in order to securely transmit a 
password for instance?

I guess the only way to handle this is to have a hyperlink on a page directly to 
the https server and bypass Squid altogether.

If this shows a gross ignorance of the process, I confess.
Perhaps someone can set me straight.

Thank you,
John Kent


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 9:44 AM
To: Kent, Mr. John (Contractor)
Cc: Squid_Users (E-mail); Henrik Nordstrom (E-mail)
Subject: Re: Squid Accelerator and SSL


Squid-2.5.STABLE can not initiate SSL connections, only accept SSL 
connections.

To initiate SSL connections you need the SSL update patch from
devel.squid-cache.org, or Squid-3.

Regards
Henrik

On Fri, 6 Feb 2004, Kent, Mr. John (Contractor) wrote:

> 
> Greetings,
> 
> I am using Squid as a front-end accelerator on top of a server farm.
> Wanted to re-direct to an https enabled Apache Server.
> Squid is in a "DMZ" and talks to the server farm through a firewall.
> The Apache server was set up independently of Squid, by which I mean
> I created the keys and certificates for it only.
> 
> It works fine when accessed directly.
> 
> Per the FAQ, I rebuilt my Squid enabling ssl
> 
> ./squid -v  now gives =
> >Squid Cache: Version 2.5.STABLE4
> configure options:  --prefix=/users/webuser/www_squid
> --enable-storeio=diskd,ufs --enable-ssl --with-openssl=/usr/lib
> 
> When the redirection occurs get the following error page from Squid:
> 
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL:
> The following error was encountered:
> * Unsupported Request Method and Protocol
> Squid does not support all request methods for all access protocols. For
> example, you can not POST a Gopher request.
> 
> Clicking on the "trying to retrieve" URL above works fine.
> 
> Any suggestions?
> 
> Obviously I'm missing a great deal here.
> If there is more information that I have failed to read, I accept all 
> criticism, but would appreciate the link to
> the applicable reference.
> 
> Thank you,
> 
> John Kent
> Webmaster
> Naval Research Laboratory
> Monterey, CA
> http://www.nrlmry.navy.mil
> 
> 
> 



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
On Fri, 6 Feb 2004, Henrik Nordstrom wrote:

> If it happens again then please get a stack trace of the running squid to 
> see if it is possible to see what it is doing.
> 
> Another important question: Does "kill -9" work? If not there is a kernel 
> problem.
> 
> Regards
> Henrik
> 
> 

kill -9 works.

I have realized this line in logs today
pid 546 (squid), uid 65534: exited on signal 6
I also realized that squid couldn't write to my coredump directory because
of permissions (fixed now). I will get a stack trace when I find a core
file.

This is a bit of a lame question I guess, but how can I get the stack
trace because squid process doesn't exit? I checked from the FAQ, it
says

"There are two conditions under which squid will exit abnormally and 
generate a coredump. First, a SIGSEGV or SIGBUS signal will cause Squid to 
exit and dump core. Second, many functions include consistency checks. If 
one of those checks fail, Squid calls abort() to generate a core dump."

So, my squid process doesn't exit with those signals. May I just give the
signal with kill command to the process when it's in this loop?



The rest with the gdb etc. I can handle I guess...



Thanks,
Evren



RE: [squid-users] Squid 3.0 + squidguard + sarg

2004-02-06 Thread Harry Crowder
thank you

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 5:03 PM
To: Harry Crowder
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Squid 3.0 + squidguard + sarg


On Fri, 6 Feb 2004, Harry Crowder wrote:

> When squidguard blocks a site it redirects squid to an error page.  The
> access.log for squid reports the page as a TCP_MISS/403.  Is there a setting
> in squid.conf, squidguard.conf, or sarg.conf that I can change the
> TCP_MISS/403 to TCP_DENIED for reporting purposes?

By using squid access controls instead.

Or you could filter TCP_MISS/403 with no hierarchy code and replace them
with TCP_DENIED.

Regards
Henrik




Re: [squid-users] Segment Violation...dying.

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, squid wrote:

> 2004/02/06 09:19:37| WARNING: Closing client 137.198.232.157 connection due
> to lifetime timeout
> 2004/02/06 09:19:37|
> http://64.12.163.130/monitor?sid=400ca38289c6027e014c078014c3f858
> FATAL: Received Segment Violation...dying.
> 2004/02/06 09:19:39| ctx: enter level  0:
> 'http://www.statblaster.com/updatestats/update2.xml'
> 2004/02/06 09:19:39| storeDirWriteCleanLogs: Starting...
> 2004/02/06 09:19:39| WARNING: Closing open FD   36
> 
> 
> Received a FATAL ERROR (FATAL: Received Segment Violation...dying.) and then
> the squid service stopped responding to requests.


Please file a bug report on this issue per the instructions in the  Squid 
FAQ.

Regards
Henrik



Re: [squid-users] Squid 3.0 + squidguard + sarg

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Harry Crowder wrote:

> When squidguard blocks a site it redirects squid to an error page.  The
> access.log for squid reports the page as a TCP_MISS/403.  Is there a setting
> in squid.conf, squidguard.conf, or sarg.conf that I can change the
> TCP_MISS/403 to TCP_DENIED for reporting purposes?

By using squid access controls instead.

Or you could filter TCP_MISS/403 with no hierarchy code and replace them 
with TCP_DENIED.

Regards
Henrik
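
An added example (not part of Henrik's message, and not code from Squid or sarg): one way to do the relabelling he describes on a copy of access.log before it is handed to a report generator. It assumes Squid's native log layout, where "no hierarchy code" appears as NONE/- in the ninth field; the sample lines are constructed.

```python
import re
import sys

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1076083200.123     45 192.0.2.10 TCP_MISS/403 1432 GET http://blocked.example/ alice NONE/- text/html
1076083201.456    310 192.0.2.11 TCP_MISS/403 512 GET http://origin.example/private bob DIRECT/198.51.100.7 text/html
1076083202.789    120 192.0.2.12 TCP_MISS/200 20480 GET http://ok.example/ carol DIRECT/198.51.100.8 text/html
1076083203.000      2 192.0.2.13 TCP_DENIED/403 1400 GET http://acl.example/ - NONE/- text/html
"""

RESULT_FIELD = 3      # action/status, e.g. TCP_MISS/403
HIERARCHY_FIELD = 8   # hierarchy/peer, e.g. DIRECT/198.51.100.7 or NONE/-


def relabel_line(line):
    """Return (line, changed); only a 403 that never went upstream is relabelled."""
    body = line.rstrip("\n")
    # Split on whitespace but keep the separators so column alignment survives.
    parts = re.split(r"(\s+)", body)
    fields = parts[0::2]
    if not parts[0] or len(fields) <= HIERARCHY_FIELD:
        return line, False            # malformed or truncated line: leave untouched
    hierarchy = fields[HIERARCHY_FIELD].split("/", 1)[0]
    if fields[RESULT_FIELD] != "TCP_MISS/403" or hierarchy != "NONE":
        return line, False            # a 403 fetched from an origin or peer stays a miss
    parts[2 * RESULT_FIELD] = "TCP_DENIED/403"
    return "".join(parts) + line[len(body):], True


def relabel(lines):
    """Relabel an iterable of log lines; return (new_lines, number_changed)."""
    out, changed = [], 0
    for line in lines:
        new_line, hit = relabel_line(line)
        out.append(new_line)
        changed += hit
    return out, changed


if __name__ == "__main__":
    # Filter mode: python relabel.py < access.log > access.relabelled.log
    # Run from a terminal with no redirect, it processes the constructed sample.
    source = SAMPLE_LOG.splitlines(keepends=True) if sys.stdin.isatty() else sys.stdin
    rewritten, count = relabel(source)
    sys.stdout.writelines(rewritten)
    print(f"relabelled {count} line(s)", file=sys.stderr)
```

The second sample line shows why the hierarchy check matters: a 403 that an origin server returned is left as TCP_MISS/403, so the report does not count it as a proxy-side denial.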



Re: [squid-users] Massive problems with https connections to Domino Server (long)

2004-02-06 Thread vda
On Friday 06 February 2004 10:44, Rainer Traut wrote:
> >>The default number of resumable sessions that will be cached on the
> >>server is 50. To modify the number of sessions
> >>cached, set the SSL_RESUMABLE_SESSIONS notes.ini variable to the desired
> >>number. Setting
> >>SSL_RESUMABLE_SESSIONS=1 will disable SSL session resumption on the
> >> server.
> >
> > Did you try to disable this SSL resumables?
>
> Yes, I have disabled this. Effect is then nearly the same or worse.
> If I higher this to eg. 1000 the effect is triggered later.
>
> > Also, tcpdump might help other on the list know what exactly is going on.
>
> Can you give me any hint how to do this?
> A 'tcpdump host w.x.y.z port 443' gives huge output...

Pick ip addr  of only one client host, not ip of the server.

# tcpdump -nl -s0 host w.x.y.z port 443 2>&1 | tee 443.log

# bzip2 -9 443.log
--
vda



[squid-users] Segment Violation...dying.

2004-02-06 Thread squid
2004/02/06 09:19:37| WARNING: Closing client 137.198.232.157 connection due
to lifetime timeout
2004/02/06 09:19:37|
http://64.12.163.130/monitor?sid=400ca38289c6027e014c078014c3f858
FATAL: Received Segment Violation...dying.
2004/02/06 09:19:39| ctx: enter level  0:
'http://www.statblaster.com/updatestats/update2.xml'
2004/02/06 09:19:39| storeDirWriteCleanLogs: Starting...
2004/02/06 09:19:39| WARNING: Closing open FD   36


Received a FATAL ERROR (FATAL: Received Segment Violation...dying.) and then
the squid service stopped responding to requests.


Once I restarted the service everything returned to normal, any ideas?


[EMAIL PROTECTED] root]# squid -v
Squid Cache: Version 2.5.STABLE4-20040204
configure options:  --host=i386-redhat-linux --build=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
--sysconfdir=/etc/squid --disable-hostname-check --enable-underscores
--enable-cache_digests --enable-poll --enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,ufs --enable-ssl
--with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter
--with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
--enable-ntlm-auth-helpers=SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group



Is there a bug in Version 2.5.STABLE4-20040204? This has happened 2x today.
Need help.

David Johnson | Network Administrator |
Hampton University | Hampton, VA | 23669 |
office 757.728.6528 | fax 757.727.5438
mailto:[EMAIL PROTECTED]



Re: [squid-users] proxy_auth repetition problems

2004-02-06 Thread Sylvester Manx
Well... I thought I did... but, as it turns out (and
it shouldn't come as a shock to you), I was being an
idiot.  

Thanks for your help.  It is working now. 


--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> Have you even tried what I suggested? The change
> does not modify your 
> access controls a bit, it just stops Squid from
> requesting the user to log 
> in again when blocked.
> 
> Regards
> Henrik
> 
> On Wed, 4 Feb 2004, Sylvester Manx wrote:
> 
> > Ok.  I see what you are saying... but all of the
> > proxy_auth users are from the same (Windows) domain
> > group.  How do I then allow limited access to the
> > Retail group and unlimited (but filtered) access to
> > the InternetUsers group?
> > 
> > Thank you so much for your time.
> > 
> > --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > > On Wed, 4 Feb 2004, Sylvester Manx wrote:
> > > 
> > > > http_access deny FtpAccess
> > > 
> > > This will require the user to authenticate again. If
> > > you do not want this
> > > then use another acl type as last acl on the
> > > http_access deny line which
> > > the user is blocked by, for example
> > > 
> > > http_access deny FtpAccess all
> > > 
> > > Regards
> > > Henrik
> > > 
> > 
> > 
> > 
> 




[squid-users] Squid 3.0 + squidguard + sarg

2004-02-06 Thread Harry Crowder
When squidguard blocks a site it redirects squid to an error page.  The
access.log for squid reports the page as a TCP_MISS/403.  Is there a setting
in squid.conf, squidguard.conf, or sarg.conf that I can change the
TCP_MISS/403 to TCP_DENIED for reporting purposes?



Re: [squid-users] Passing parameters to auth_param basic program

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, David Rippel wrote:

> Is it possible to pass parameters to the auth_param basic program similar to how 
> external_acl_type works, for instance:
> 
> external_acl_type ident_cmd %SRC /usr/libexec/check_ident
> 
> I'd like to pass the client IP to my basic auth program.

This you can't do.

But there is nothing which stops you from combining authentication and IP
based checks in sequence. See for example the user_ip helper.

Regards
Henrik
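
An added example (not from the original thread, and not the helper shipped with Squid): a small external ACL helper that checks the authenticated login against the client address, so the basic auth program itself never needs the IP. The ACL names, helper path and policy table are hypothetical, and the code assumes Squid sends the two tokens whitespace-separated with URL-style escaping, which should be checked against the helper protocol of the version in use.

```python
import ipaddress
import sys
from urllib.parse import unquote

# squid.conf wiring (acl names and helper path are hypothetical):
#   external_acl_type login_ip %SRC %LOGIN /usr/local/libexec/login_ip_check.py
#   acl login_from_known_ip external login_ip
#   http_access allow login_from_known_ip
#   http_access deny all
# %LOGIN makes Squid authenticate the user first (auth_param basic ...),
# then hand "<client ip> <login>" to this helper, one request per line.

# Constructed policy: source networks each authenticated user may come from.
POLICY = {
    "alice": ["192.0.2.0/28"],
    "bob": ["198.51.100.17/32", "2001:db8:10::/64"],
}


def compile_policy(policy):
    """Parse the network strings once, at start-up."""
    return {user: [ipaddress.ip_network(net) for net in nets]
            for user, nets in policy.items()}


def decide(request_line, networks_by_user):
    """Answer one helper request with OK or ERR; anything unexpected fails closed."""
    tokens = request_line.split()
    if len(tokens) != 2:
        return "ERR"
    src, login = (unquote(token) for token in tokens)
    try:
        address = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"
    allowed = networks_by_user.get(login, [])
    # An IPv4 address is never "in" an IPv6 network (and vice versa): result is False.
    if any(address in net for net in allowed):
        return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one answer line per request line."""
    table = compile_policy(POLICY)
    for line in stdin:
        stdout.write(decide(line, table) + "\n")
        stdout.flush()   # Squid waits for each answer, so never buffer replies


if __name__ == "__main__":
    serve()
```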



Re: [squid-users] squid & SFTP protocol

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Petr Linke wrote:

> has anyone experience with proxying SFTP protocol through squid ?

Probably won't work unless you remove all security limitations from the 
CONNECT method which will leave your proxy vulnerable to multiple 
different abuses by your users.

If you want proxying of protocols like this you SHOULD look into using a 
SOCKS proxy in addition to Squid for web caching.

Regards
Henrik
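
An added example (not from the original thread, and not part of Squid): a configuration check that flags the kind of widening Petr describes, where CONNECT is opened to ports 1024-65535. It assumes the stock guard pattern `http_access deny CONNECT !SSL_ports` with ports 443 and 563 as the baseline, and it does not evaluate http_access rule order; the three configurations are constructed.

```python
import re

# Baseline assumed here: the ports in the stock SSL_ports acl.
SAFE_CONNECT_PORTS = {443, 563}

# Constructed configurations.
STOCK = """
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""
WIDENED = """
acl SSL_ports port 443 563
# added so the client's data connections get through
acl SSL_ports port 1024-65535
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""
NO_GUARD = """
acl CONNECT method CONNECT
http_access allow all
"""


def parse(conf):
    """Collect port acls, acls matching the CONNECT method, and deny rules."""
    port_acls, connect_acls, denies = {}, set(), []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "port":
            ranges = port_acls.setdefault(words[1], [])   # repeated acl lines accumulate
            for token in words[3:]:
                if re.fullmatch(r"\d+(-\d+)?", token):
                    low, _, high = token.partition("-")
                    ranges.append((int(low), int(high or low)))
        elif len(words) >= 4 and words[0] == "acl" and words[2] == "method":
            if "CONNECT" in (word.upper() for word in words[3:]):
                connect_acls.add(words[1])
        elif len(words) >= 4 and words[:2] == ["http_access", "deny"]:
            denies.append(words[2:])
    return port_acls, connect_acls, denies


def audit_connect(conf):
    """Return a list of findings about which ports CONNECT may reach."""
    port_acls, connect_acls, denies = parse(conf)
    guard = None
    for acls in denies:
        # Stock pattern: deny <CONNECT acl> !<port acl>
        if (len(acls) == 2 and acls[0] in connect_acls
                and acls[1].startswith("!") and acls[1][1:] in port_acls):
            guard = port_acls[acls[1][1:]]
            break
    if guard is None:
        return ["no 'http_access deny <CONNECT acl> !<port acl>' rule: "
                "CONNECT is not limited by port"]
    findings = []
    for low, high in guard:
        safe_inside = sum(1 for port in SAFE_CONNECT_PORTS if low <= port <= high)
        extra = (high - low + 1) - safe_inside
        if extra:
            span = str(low) if low == high else f"{low}-{high}"
            findings.append(f"CONNECT allowed to {span} "
                            f"({extra} port(s) outside the baseline)")
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("widened", WIDENED), ("no guard", NO_GUARD)):
        print(name, "->", audit_connect(conf) or "ok")
```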



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Evren Yurtesen wrote:

> But wouldn't it only delay the result? and the problem is that all of a
> sudden squid starts using a lot of cpu and does nothing. It looks like it
> enters to a loop of some kind.

Correct.

> I will let you know later when I try that. I now try a newly built freebsd 
> and new snapshot again.


Ok.

If it happens again then please get a stack trace of the running squid to 
see if it is possible to see what it is doing.

Another important question: Does "kill -9" work? If not there is a kernel 
problem.

Regards
Henrik



[squid-users] Re: Squid Accelerator and SSL

2004-02-06 Thread Henrik Nordstrom
Squid-2.5.STABLE can not initiate SSL connections, only accept SSL 
connections.

To initiate SSL connections you need the SSL update patch from
devel.squid-cache.org, or Squid-3.

Regards
Henrik

On Fri, 6 Feb 2004, Kent, Mr. John (Contractor) wrote:

> 
> Greetings,
> 
> I am using Squid as a front-end accelerator on top of a server farm.
> Wanted to re-direct to an https enabled Apache Server.
> Squid is in a "DMZ" and talks to the server farm through a firewall.
> The Apache server was set up independently of Squid, by which I mean
> I created the keys and certificates for it only.
> 
> It works fine when accessed directly.
> 
> Per the FAQ, I rebuilt my Squid enabling ssl
> 
> ./squid -v  now gives =
> >Squid Cache: Version 2.5.STABLE4
> configure options:  --prefix=/users/webuser/www_squid
> --enable-storeio=diskd,ufs --enable-ssl --with-openssl=/usr/lib
> 
> When the redirection occurs get the following error page from Squid:
> 
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL:
> The following error was encountered:
> * Unsupported Request Method and Protocol
> Squid does not support all request methods for all access protocols. For
> example, you can not POST a Gopher request.
> 
> Clicking on the "trying to retrieve" URL above works fine.
> 
> Any suggestions?
> 
> Obviously I'm missing a great deal here.
> If there is more information that I have failed to read, I accept all 
> criticism, but would appreciate the link to
> the applicable reference.
> 
> Thank you,
> 
> John Kent
> Webmaster
> Naval Research Laboratory
> Monterey, CA
> http://www.nrlmry.navy.mil
> 
> 
> 



Re: [squid-users] squid_ldap_auth

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Dave Raven wrote:

> This would be the user:
> CN=Test User,OU=Users,OU=Branch1,DC=test,DC=co,DC=za

Are all users below OU=Users,OU=Branch1,... or do you have users in other
OUs as well?

Also, what should be used as the login name?

The man page for squid_ldap_auth has a couple of good examples to start 
from. I would recommend using the search mode as this is most flexible on 
both questions above.

> And this is the group he is a member of, that means 
> He has internet access:
> CN=iNet,OU=Groups,OU=Branch1,DC=test,DC=co,DC=za

Group lookups are done by the squid_ldap_group helper.

Start with authentication. When authentication is running fine then move
into authorization using groups. The path to group based authorization
when authentication is correctly configured is pretty simple, but
attempting both before you know authentication is running correctly may be
somewhat confusing.

Regards
Henrik



[squid-users] Squid Accelerator and SSL

2004-02-06 Thread Kent, Mr. John (Contractor)

Greetings,

I am using Squid as a front-end accelerator on top of a server farm.
Wanted to re-direct to an https enabled Apache Server.
Squid is in a "DMZ" and talks to the server farm through a firewall.
The Apache server was set up independently of Squid, by which I mean
I created the keys and certificates for it only.

It works fine when accessed directly.

Per the FAQ, I rebuilt my Squid enabling ssl

./squid -v  now gives =
>Squid Cache: Version 2.5.STABLE4
configure options:  --prefix=/users/webuser/www_squid
--enable-storeio=diskd,ufs --enable-ssl --with-openssl=/usr/lib

When the redirection occurs get the following error page from Squid:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL:
The following error was encountered:
*   Unsupported Request Method and Protocol
Squid does not support all request methods for all access protocols. For
example, you can not POST a Gopher request.

Clicking on the "trying to retrieve" URL above works fine.

Any suggestions?

Obviously I'm missing a great deal here.
If there is more information that I have failed to read, I accept all 
criticism, but would appreciate the link to
the applicable reference.

Thank you,

John Kent
Webmaster
Naval Research Laboratory
Monterey, CA
http://www.nrlmry.navy.mil





[squid-users] Passing parameters to auth_param basic program

2004-02-06 Thread David Rippel
Is it possible to pass parameters to the auth_param basic program similar to how 
external_acl_type works, for instance:

external_acl_type ident_cmd %SRC /usr/libexec/check_ident

I'd like to pass the client IP to my basic auth program.

Thanks,
David



[squid-users] Yahoo Games Problem

2004-02-06 Thread Shan Ch.
HI!

Can anyone help me out with yahoo games. I am using red hat 8 and my
problem is that java applications won't run through squid. Can anyone give me
a hint on how to do this? I have already tried http_access on 11999.
Thanks

Shan




RE: [squid-users] squid & SFTP protocol

2004-02-06 Thread Elsen Marc

  
> 
> Hello,
> has anyone experience with proxying SFTP protocol through squid ?
> 
> Client (filezilla) is set to passive mode, ftp control channel works, but
> I cannot receive any data.
> Squid has configured ports 1024-65535 to allow CONNECT (one from these
> ports is randomly used for data transfer over sftp protocol).
 
 Won't work at all, since squid deals with http proxying only.

 M. 


[squid-users] squid & SFTP protocol

2004-02-06 Thread Petr Linke
Hello,
has anyone experience with proxying SFTP protocol through squid ?

Client (filezilla) is set to passive mode, ftp control channel works, but
I cannot receive any data.
Squid has configured ports 1024-65535 to allow CONNECT (one from these
ports is randomly used for data transfer over sftp protocol).

Thanks for any idea, Petr Linke

__
Petr Linke   tel.: +420-2-71777231
Novicom s.r.o.   FAX.: +420-2-71777233
Konevova 67, Praha 3   [EMAIL PROTECTED]


Re: [squid-users] Re: Some NTLM info which may explain failures

2004-02-06 Thread Dave Augustus
Henrik,

Thank you so much!

We have been fighting this problem for at least six weeks. I look
forward to migrating this into production.

Once again,
Thanks,
Dave



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
On Fri, 6 Feb 2004, Elsen Marc wrote:

>  
> > 
> > 
> > Never tried, it occurs when its 32mbytes
> > What is your reasoning? It was working fine with FreeBSD 4.9 with 32mbytes
> > cache_mem
> > 
> 
>   It's a 'long shot' ; possible malloc bugs e.d.
>   I would try it as an 'easy-thing-to-do-and-check'
> 
>   M.
> 

But wouldn't it only delay the result? and the problem is that all of a
sudden squid starts using a lot of cpu and does nothing. It looks like it
enters to a loop of some kind.

I will let you know later when I try that. I now try a newly built freebsd 
and new snapshot again.

Evren



Re: [squid-users] Blocking external access only

2004-02-06 Thread Stephen J. McCracken

> I have a set of rules in Squid that will allow no one to access the
> outside world but i still need users to access the local http daemon
> (webserver) does anyone know what rules i need to put to allow this.

Why use squid at all if you're not giving anyone access the outside? 
Wouldn't firewall rules be better and then let everyone connect directly 
with the webserver?



Re: [squid-users] IP and MAC and login/password

2004-02-06 Thread Szemerédy Gábor
Thank you for your answer!
I would like to ask you an other question.
My system is Red Hat 9 with Squid -2.5.STABLE1-2.
Squid is installed during the standard operating system installation
without any manual intervention.
How can I know which options are installed?
Does it support all three ACL criteria? ( by IP , by MAC and by
proxy_auth )
Have I to recompile squid and choose additional options , or they are
already built in ?
Thanks in advance!
Gabor



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Elsen Marc
 
> 
> 
> Never tried, it occurs when its 32mbytes
> What is your reasoning? It was working fine with FreeBSD 4.9 with 32mbytes
> cache_mem
> 

  It's a 'long shot' ; possible malloc bugs e.d.
  I would try it as an 'easy-thing-to-do-and-check'

  M.


RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
Never tried, it occurs when its 32mbytes
What is your reasoning? It was working fine with FreeBSD 4.9 with 32mbytes 
cache_mem

On Fri, 6 Feb 2004, Elsen Marc wrote:

>  
> > 
> > On Fri, 6 Feb 2004, Elsen Marc wrote:
> >...
> >...
> > 
> > 
> > The size of squid process was about 200mbyte. I recently erased all my
> > cache dirs with rm -rf and rebuilt with -z option. I have 64mbyte
> > cache_mem set. The squid process is roughly downloading 4-5gbytes of data
> > in 24 hours. Normally use 5-8% of the CPU(p4-3.2ghz htt enabled, but I had
> > the same problem with amd xp2400+ so I think cpu is not related to this
> > problem)
> > 
> > I have 256 x 256 cache dir's on 120gbyte sata drives.
> > 
> > The system has 2gbyte ram. It wasn't swapping either. (well it had about
> > 1.5gbyte free so)
> > 
> > The kernel has been compiled with the options to increase maximum process
> > size to 2gbyte. But I guess this is irrelevant too. I just copied these
> > options from my 4.9 kernel file to 5.x. Also the shared memory settings
> > were copied directly. (the working settings in 4.9)
> > 
> > Anything else which might give any clue?
> 
>   Does your problem also happen when 'cache_mem' is reduced to 8mbyte ?
> 
>   M.
> 
> > 
> > 
> 



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Elsen Marc
 
> 
> On Fri, 6 Feb 2004, Elsen Marc wrote:
>...
>...
> 
> 
> The size of squid process was about 200mbyte. I recently erased all my
> cache dirs with rm -rf and rebuilt with -z option. I have 64mbyte
> cache_mem set. The squid process is roughly downloading 4-5gbytes of data
> in 24 hours. Normally use 5-8% of the CPU(p4-3.2ghz htt enabled, but I had
> the same problem with amd xp2400+ so I think cpu is not related to this
> problem)
> 
> I have 256 x 256 cache dir's on 120gbyte sata drives.
> 
> The system has 2gbyte ram. It wasn't swapping either. (well it had about
> 1.5gbyte free so)
> 
> The kernel has been compiled with the options to increase maximum process
> size to 2gbyte. But I guess this is irrelevant too. I just copied these
> options from my 4.9 kernel file to 5.x. Also the shared memory settings
> were copied directly. (the working settings in 4.9)
> 
> Anything else which might give any clue?

  Does your problem also happen when 'cache_mem' is reduced to 8mbyte ?

  M.

> 
> 


RE: [squid-users] Blocking external access only

2004-02-06 Thread Elsen Marc

 
> I have tried that but I can't see nothing, I've tried all sorts of combos
> and nothing seems to work
> 

  I am not that good on the acl front (not much experience); suggesting :

 acl mydomain dstdomain .mydomain.com
 http_access deny !mydomain

  Perhaps.


> >>> "Elsen Marc" <[EMAIL PROTECTED]> 02/06/04 01:16pm >>>
> 
>  
> > Hi
> > 
> > I have a set of rules in Squid that will allow no one to access the
> > outside world but i still need users to access the local http daemon
> > (webserver) does anyone know what rules i need to put to allow this.
>  
>Check the Squid FAQ  ('Access controls').
> 
>M.
 
> 


RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
On Fri, 6 Feb 2004, Elsen Marc wrote:

> 
> >...
> > - Well, it is consuming a lot of cpu, and doesn't respond(crash?) at the
> > same time. It doesn't answer to its port, it doesn't respond to the -k
> > shutdown or kill -TERM [pid] commands.
> > 
> > - I have checked the cache log every time this happened. It just has
> > something else as the last entry. Usually it's something about illegal
> > domain names, some people always enter some domain names which are totally
> > wrong. I doubt the problem is something about that. I also check the
> > operating system's logs like messages file etc. There is absolutely
> > nothing. I check the memory status and shared memory status. I didn't see
> > anything weird.
> > 
> > - I have tried rebuilding the OS and the squid. I think FreeBSD was about
> > version 5.1 when I started using the 5.x versions and now it's almost 5.3
> > version. Every time I recompiled the operating system from sources. I also
> > downloaded the latest snapshot of squid and compiled it too. Here are my
> > configure arguments
> > 
> > --enable-err-language=Turkish --enable-removal-policies=heap 
> > --disable-hostname-checks --enable-storeio=diskd --enable-icmp
> > 
> > Evren
> > 
> 
>   What's the size of squid process  when this occurs ?
>   Is the system sized according to squid's mem. needs ?
> 
>   M.
> 

The size of squid process was about 200mbyte. I recently erased all my 
cache dirs with rm -rf and rebuilt with -z option. I have 64mbyte 
cache_mem set. The squid process is roughly downloading 4-5gbytes of data 
in 24 hours. Normally use 5-8% of the CPU(p4-3.2ghz htt enabled, but I had 
the same problem with amd xp2400+ so I think cpu is not related to this 
problem)

I have 256 x 256 cache dir's on 120gbyte sata drives.

The system has 2gbyte ram. It wasn't swapping either. (well it had about
1.5gbyte free so)

The kernel has been compiled with the options to increase maximum process 
size to 2gbyte. But I guess this is irrelevant too. I just copied these 
options from my 4.9 kernel file to 5.x. Also the shared memory settings 
were copied directly. (the working settings in 4.9)

Anything else which might give any clue?



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Elsen Marc

>...
> - Well, it is consuming a lot of cpu, and doesn't respond(crash?) at the
> same time. It doesn't answer to its port, it doesn't respond to the -k
> shutdown or kill -TERM [pid] commands.
> 
> - I have checked the cache log every time this happened. It just has
> something else as the last entry. Usually it's something about illegal
> domain names, some people always enter some domain names which are totally
> wrong. I doubt the problem is something about that. I also check the
> operating system's logs like messages file etc. There is absolutely
> nothing. I check the memory status and shared memory status. I didn't see
> anything weird.
> 
> - I have tried rebuilding the OS and the squid. I think FreeBSD was about
> version 5.1 when I started using the 5.x versions and now it's almost 5.3
> version. Every time I recompiled the operating system from sources. I also
> downloaded the latest snapshot of squid and compiled it too. Here are my
> configure arguments
> 
> --enable-err-language=Turkish --enable-removal-policies=heap 
> --disable-hostname-checks --enable-storeio=diskd --enable-icmp
> 
> Evren
> 

  What's the size of squid process  when this occurs ?
  Is the system sized according to squid's mem. needs ?

  M.


RE: [squid-users] Blocking external access only

2004-02-06 Thread Chris Burton
I have tried that but I can't see anything, I've tried all sorts of combos
and nothing seems to work

>>> "Elsen Marc" <[EMAIL PROTECTED]> 02/06/04 01:16pm >>>

 
> Hi
> 
> I have a set of rules in Squid that will allow no one to access the
> outside world but i still need users to access the local http deamon
> (webserver) does anyone know what rules i need to put to allow this.
 
   Check the Squid FAQ  ('Access controls').

   M.
  


**
This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.
**



RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
On Fri, 6 Feb 2004, Elsen Marc wrote:

> 
>   
> > Hello,
> > 
> > I have been using squid 2.5 stable for a while with 4.9 
> > version of FreeBSD 
> > and it was working fine for months. Now I had to upgrade to 
> > 5.x version to 
> > get better support for hyperthreading and sata drives.
> > When I am using squid with 5.x version of the freebsd. It 
> > crash after 1-3 
> > days of usage randomly.
> > 
> > The symptoms are that squid use 98% of the cpu and it doesnt respond.
> > It just stucks and I cant even send kill -TERM signal to it. 
> > I have tried 
> > using half closed clients option on and off in my conf file 
> > with the same 
> > result.
> > 
> > Is there anybody else who is having similar problem? I dont 
> > have any ACLs 
> > at all and the same conf file of squid was working with 4.9 
> > stable anyhow.
> > 
> > Any suggestions?
> 
>- which 2.5 stable release are you using ?
>- Does squid crash or just consumes lot's of CPU ?
>- Anyway whatever, anything in cache.log which could provide
>  more info ?
>  Or error related info in cache.log, prior to the real problem
>  situation you are encountering at a certain point ?
>- Possibly weird incompat. issues related to os 'offered' shared libs
>  may be a culprit. Did you try re-building squid ?
> 

- I have been using multiple 2.5 stable releases from latest nightly 
snapshots for few months. I got newest versions and compiled 4-5 times. 
All with the same result.

- Well, it is consuming a lot of cpu, and doesn't respond(crash?) at the 
same time. It doesn't answer to its port, it doesn't respond to the -k 
shutdown or kill -TERM [pid] commands.

- I have checked the cache log every time this happened. It just has 
something else as the last entry. Usually it's something about illegal 
domain names, some people always enter some domain names which are totally 
wrong. I doubt the problem is something about that. I also check the 
operating system's logs like messages file etc. There is absolutely 
nothing. I check the memory status and shared memory status. I didn't see 
anything weird.

- I have tried rebuilding the OS and the squid. I think FreeBSD was about 
version 5.1 when I started using the 5.x versions and now it's almost 5.3 
version. Every time I recompiled the operating system from sources. I also 
downloaded the latest snapshot of squid and compiled it too. Here are my 
configure arguments

--enable-err-language=Turkish --enable-removal-policies=heap 
--disable-hostname-checks --enable-storeio=diskd --enable-icmp

Evren




RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Dave Raven
Agreed - info from cache.log and try recompile your squid now with bsd5

-Original Message-
From: Elsen Marc [mailto:[EMAIL PROTECTED] 
Sent: 06 February 2004 03:08 PM
To: Evren Yurtesen; [EMAIL PROTECTED]
Subject: RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a
while...



  
> Hello,
> 
> I have been using squid 2.5 stable for a while with 4.9 
> version of FreeBSD 
> and it was working fine for months. Now I had to upgrade to 
> 5.x version to 
> get better support for hyperthreading and sata drives.
> When I am using squid with 5.x version of the freebsd. It 
> crash after 1-3 
> days of usage randomly.
> 
> The symptoms are that squid use 98% of the cpu and it doesnt respond.
> It just stucks and I cant even send kill -TERM signal to it. 
> I have tried 
> using half closed clients option on and off in my conf file 
> with the same 
> result.
> 
> Is there anybody else who is having similar problem? I dont 
> have any ACLs 
> at all and the same conf file of squid was working with 4.9 
> stable anyhow.
> 
> Any suggestions?

   - which 2.5 stable release are you using ?
   - Does squid crash or just consumes lot's of CPU ?
   - Anyway whatever, anything in cache.log which could provide
 more info ?
 Or error related info in cache.log, prior to the real problem
 situation you are encountering at a certain point ?
   - Possibly weird incompat. issues related to os 'offered' shared libs
 may be a culprit. Did you try re-building squid ?

  M.

   
> 
> Thanks,
> Evren 
> 
> 



RE: [squid-users] Blocking external access only

2004-02-06 Thread Elsen Marc

 
> Hi
> 
> I have a set of rules in Squid that will allow no one to access the
> outside world but i still need users to access the local http deamon
> (webserver) does anyone know what rules i need to put to allow this.
 
   Check the Squid FAQ  ('Access controls').

   M.
  


RE: [squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Elsen Marc

  
> Hello,
> 
> I have been using squid 2.5 stable for a while with 4.9 
> version of FreeBSD 
> and it was working fine for months. Now I had to upgrade to 
> 5.x version to 
> get better support for hyperthreading and sata drives.
> When I am using squid with 5.x version of the freebsd. It 
> crash after 1-3 
> days of usage randomly.
> 
> The symptoms are that squid use 98% of the cpu and it doesnt respond.
> It just stucks and I cant even send kill -TERM signal to it. 
> I have tried 
> using half closed clients option on and off in my conf file 
> with the same 
> result.
> 
> Is there anybody else who is having similar problem? I dont 
> have any ACLs 
> at all and the same conf file of squid was working with 4.9 
> stable anyhow.
> 
> Any suggestions?

   - which 2.5 stable release are you using ?
   - Does squid crash or just consume lots of CPU ?
   - Anyway whatever, anything in cache.log which could provide
     more info ?
     Or error related info in cache.log, prior to the real problem
     situation you are encountering at a certain point ?
   - Possibly weird incompat. issues related to os 'offered' shared libs
     may be a culprit. Did you try re-building squid ?

  M.

   
> 
> Thanks,
> Evren 
> 
> 


[squid-users] squid 2.5.STABLE4 + FreeBSD 5.x = crash after a while...

2004-02-06 Thread Evren Yurtesen
Hello,

I have been using squid 2.5 stable for a while with 4.9 version of FreeBSD 
and it was working fine for months. Now I had to upgrade to 5.x version to 
get better support for hyperthreading and sata drives.
When I am using squid with 5.x version of the freebsd. It crashes after 1-3 
days of usage randomly.

The symptoms are that squid uses 98% of the cpu and it doesn't respond.
It just gets stuck and I can't even send kill -TERM signal to it. I have tried 
using half closed clients option on and off in my conf file with the same 
result.

Is there anybody else who is having similar problem? I don't have any ACLs 
at all and the same conf file of squid was working with 4.9 stable anyhow.

Any suggestions?

Thanks,
Evren 



[squid-users] Blocking external access only

2004-02-06 Thread Chris Burton
Hi

I have a set of rules in Squid that will allow no one to access the
outside world but I still need users to access the local http daemon
(webserver). Does anyone know what rules I need to put to allow this?

many regards

Chris





Re: [squid-users] Group based ACLs

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Babs wrote:

> Wanted to know if group based acl is possible in Squid

Yes.

> as I have two group of users in Windows ADS and
> users are getting authenticated from ADS. I wanted to
> restrict users based on the group, is that possible
> using squid and winbind? Ur comments pls

See the wbinfo_group helper.

Regards
Henrik



Re: [squid-users] Partial Authentication

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Eberhard Pietzsch wrote:

>Proxy A should test if a requested hostname is contained in our
>list mentioned above. If not contained, proxy A should forward
>the request directly to the host in question.

See cache_peer_access and never_direct. You need both.

Note that you can not use external acls in cache_peer_access at this time, 
not reliably anyway. You may get an acceptable level if the acl is first 
evaluated in http_access, but it is not 100% safe.

http_access deny restrictedacl !all

somewhere before where requests are allowed.

The use of the ACL in never_direct may work as well, but I have not 
verified.

Regards
Henrik



Re: [squid-users] Fw: Zero Sized Reply

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, Rohit Peyyeti wrote:

> When I try to access a web application, certain pages gives me "zero sized
> reply".

Most likely the web application is malfunctioning and does not always 
respond and closes the connection before sending a reply.

When not using a proxy these kinds of problems sometimes go unnoticed as 
not all browsers indicate when the server fails to respond.

Regards
Henrik



Re: [squid-users] Massive problems with https connections to Domino Server (long)

2004-02-06 Thread Henrik Nordstrom
On Fri, 6 Feb 2004, vda wrote:

> > SSL Session Resumption
> > SSL now performs session resumption. This will greatly improve
> > performance when the Notes HTTP Client or server is
> > using SSL, and may have a minor (positive) effect on other "Internet"
> > protocols as well.
> 
> Is it a standard thing or Domino's own hack?

It is a standard feature of SSLv3 and later, to speed up reconnections to 
the same server.

It is most likely not at all related to the issues discussed, and the only 
effect of disabling it should be slightly higher CPU usage on the client 
and server (mostly on the client).

For SSL there will be as many connections to the requested server as the 
browser has made connections to Squid. Normally a browser should not
open more than 2 connections and if it does there is a browser problem.

Regards
Henrik



RE: [squid-users] squid_ldap_auth

2004-02-06 Thread Dave Raven
BSD - ldap directory is an AD server running 2000

-Original Message-
From: Lewars, Mitchell (EM, PTL) [mailto:[EMAIL PROTECTED] 
Sent: 06 February 2004 01:55 PM
To: 'Dave Raven'
Subject: RE: [squid-users] squid_ldap_auth


Are you running on Linux ?

-Original Message-
From: Dave Raven [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 6:12 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] squid_ldap_auth


Hi all, 
I have a need with squid_ldap_auth, 
and am entirely unsure how to get it 
working..

I need to authenticate users in one OU, 
but only if they are a member of a 
group in another OU -->

This would be the user:
CN=Test User,OU=Users,OU=Branch1,DC=test,DC=co,DC=za

And this is the group he is a member of, that means 
He has internet access:
CN=iNet,OU=Groups,OU=Branch1,DC=test,DC=co,DC=za

How might I accomplish this?
Any ideas will be helpful

Thanks
Dave



Re: [squid-users] Cache consuming more space than set to consume - Getting Critical

2004-02-06 Thread Henrik Nordstrom
On Thu, 5 Feb 2004 [EMAIL PROTECTED] wrote:

> From /etc/squid/conf
> cache_dir ufs /var/spool/squid 5000 60 256

I think you may have some leftover crap in your cache. Maybe due to 
earlier crashes or uncontrolled shutdowns.

Try decreasing L1 to 10 and let Squid run for 24 hours without restart.

You can also try deleting swap.state.

Regards
Henrik




Re: [squid-users] Group based ACLs

2004-02-06 Thread Durai
Hi,

  You can use group based ACLs.

Eg:

acl unrestricted_users_group proxy_auth "/opt/iexpress/squid/unrestricted.grp"
http_access allow unrestricted_users_group

Regards,
Durai.

- Original Message - 
From: "Babs" <[EMAIL PROTECTED]>
To: "Squid Users" <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 2:36 PM
Subject: [squid-users] Group based ACLs


> Hi Everyone!
> Wanted to know if group based acl is possible in
> Squid, as I have two group of users in Windows ADS and
> users are getting authenticated from ADS. I wanted to
> restrict users based on the group, is that possible
> using squid and winbind? Ur comments pls
>
> Thanx in advance
> Babs
>
>





[squid-users] RE: Squid-3 Release Date\Questions

2004-02-06 Thread Henrik Nordstrom
On Thu, 5 Feb 2004, Arbelaez, Jim wrote:

> The helper redirects as it should to https.  But for some reason it does not work 
> from the client session.

Exactly what does the helper return?

Regards
Henrik



[squid-users] squid_ldap_auth

2004-02-06 Thread Dave Raven
Hi all, 
I have a need with squid_ldap_auth, 
and am entirely unsure how to get it 
working..

I need to authenticate users in one OU, 
but only if they are a member of a 
group in another OU -->

This would be the user:
CN=Test User,OU=Users,OU=Branch1,DC=test,DC=co,DC=za

And this is the group he is a member of, that means 
He has internet access:
CN=iNet,OU=Groups,OU=Branch1,DC=test,DC=co,DC=za

How might I accomplish this?
Any ideas will be helpful

Thanks
Dave



[squid-users] Group based ACLs

2004-02-06 Thread Babs
Hi Everyone!
Wanted to know if group based acl is possible in
Squid, as I have two group of users in Windows ADS and
users are getting authenticated from ADS. I wanted to
restrict users based on the group, is that possible
using squid and winbind? Ur comments pls

Thanx in advance
Babs




RE: [squid-users] Fw: Zero Sized Reply

2004-02-06 Thread Elsen Marc

 
> 
> Hello:
> 
> My environment details:
> OS: RH 7.3
> Kernel: 2.4.20-28.7
> Squid: squid-2.5.STABLE3-1rh_7x
> 
> My problem:
> When I try to access a web application, certain pages gives 
> me "zero sized
> reply".


  http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.51

  M.

> 
 
> Description:
> I login to a web based application written in jsp. Most of 
> the application
> seems to be okay i.e jsp pages display okay. But at certain 
> places in the
> application [where a jsp page is called within a iframe, 
> squid throws zero
> sized reply]. If I call that page directly [by getting the 
> URL from souce],
> it works fine. I'm not sure what is this error about.
> 
> I tried setting direct_access option in squid for that particular web
> application domain and also client_persistent_connections,
> server_presistent_connections to off. This also does not 
> solve the problem.
> 
> Any help?
> 
> Thanks!
> Rohit
> 
> PS: Will upgrading squid to latest version help?
> 
> 


[squid-users] Fw: Zero Sized Reply

2004-02-06 Thread Rohit Peyyeti
Hello:

My environment details:
OS: RH 7.3
Kernel: 2.4.20-28.7
Squid: squid-2.5.STABLE3-1rh_7x

My problem:
When I try to access a web application, certain pages give me "zero sized
reply".

Description:
I login to a web based application written in jsp. Most of the application
seems to be okay i.e jsp pages display okay. But at certain places in the
application [where a jsp page is called within a iframe, squid throws zero
sized reply]. If I call that page directly [by getting the URL from source],
it works fine. I'm not sure what is this error about.

I tried setting direct_access option in squid for that particular web
application domain and also client_persistent_connections,
server_presistent_connections to off. This also does not solve the problem.

Any help?

Thanks!
Rohit

PS: Will upgrading squid to latest version help?



[squid-users] Partial Authentication

2004-02-06 Thread Eberhard Pietzsch
Hi,

I would be very pleased about a hint that solves our following
problem. It seems simple but I could not yet find a squid
configuration that works.
We have a list of about 12,000 Hostnames. Users should be forced
to authenticate if they request an URL from one of these Hosts.
Any other host in the internet not contained in the list should
be accessible without authentication.
We have tried the following configuration using two squid proxies:

- Proxy A (located in the computing center) should be the proxy
  which is publicly available to our user community. Users
  should configure their browsers to use this proxy.
  Proxy A should test if a requested hostname is contained in our
  list mentioned above. If not contained, proxy A should forward
  the request directly to the host in question.
  If contained in the list proxy A should forward the request to
  proxy B as a peer.
- Proxy B (located in the library) has an authentication scheme
  using squidguard. I should mention that, from the performance point
  of view, proxy B is unable to route all the traffic of our community.
  It can only handle requests to hosts contained in our list.
Proxy B works very fine. Proxy A does make problems.

Up to now we have tested two different configurations of proxy A.
None of these works. Our first try was:

external_acl_type restricted-area %DST \
  /usr/local/squid/bin/check-if-restricted
acl our-community src xxx.yyy.0.0/255.255.0.0
acl restrictedacl external restricted-area
http_access allow our-community
http_access deny all
cache_peer_access proxy-b.our-domain.de allow restrictedacl

The problem with this is that the program check-if-restricted
which checks if the host is contained in our list, is never
called, neither for hosts in our list nor for other
hosts.

Our second try was to use squidguard also for proxy A. Here,
the acl control rules from squidguard cannot be reused within
squid (as far as I know).

Can someone of you give me a hint?

Thanks from Frankfurt,
Eberhard
--
Dr. Eberhard Pietzsch
Stadt- und Universitätsbibliothek Frankfurt a.M.
Elektronische Dienste
Bockenheimer Landstr. 134-138
D - 60325 Frankfurt am Main
Tel.: (+49) 69 212 44 505
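
The post above passes %DST to a program called check-if-restricted but does not show it. As an added example (not the poster's program), here is a minimal helper of that kind; the sample host names, the list format and the fail-closed handling of malformed lines are assumptions.

```python
#!/usr/bin/env python3
"""Stand-in for an external ACL helper such as check-if-restricted.

Added example. Squid starts the helper once and writes one line per
lookup holding the fields named in external_acl_type (here only %DST,
the destination host). The helper answers each line with OK (the acl
matches) or ERR (it does not).
"""
import sys

# Constructed sample list. The real list of about 12,000 hosts would be
# read from a site-specific file instead.
SAMPLE_HOSTS = """
# one hostname per line
journals.example.org
Database.Example.COM.
"""


def normalize(host):
    """Lower-case a host name, drop surrounding space and a trailing dot."""
    return host.strip().lower().rstrip(".")


def load_hosts(text):
    """Parse a host list, ignoring blank lines and # comments."""
    hosts = set()
    for line in text.splitlines():
        name = normalize(line.split("#", 1)[0])
        if name:
            hosts.add(name)
    return hosts


def answer(request_line, restricted):
    """Return the helper reply for one request line from Squid."""
    fields = request_line.split()
    if len(fields) != 1:
        # Assumption: fail closed. A line we cannot parse is treated as
        # restricted, so the request goes to the authenticating proxy
        # instead of slipping past it.
        return "OK"
    return "OK" if normalize(fields[0]) in restricted else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, restricted=None):
    """Answer lookups until Squid closes the pipe."""
    if restricted is None:
        restricted = load_hosts(SAMPLE_HOSTS)
    for line in stdin:
        stdout.write(answer(line, restricted) + "\n")
        # Squid waits for every reply, so it must not sit in a buffer.
        stdout.flush()


if __name__ == "__main__":
    serve()
```

As Henrik Nordstrom's reply in this thread points out, the helper is only consulted reliably when restrictedacl is evaluated in http_access, so a correct helper alone does not fix the routing to proxy B.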


Re: [squid-users] Massive problems with https connections to Domino Server (long)

2004-02-06 Thread vda
On Thursday 05 February 2004 10:18, Rainer Traut wrote:
> We are using squid 2.5 S4 and also tried v3, OS is Redhat EL ES3,
> clients are always IE6 and IE5.5.
> Squid is the gateway to a small transfer net to firewall and then to DMZ
> and internet.
> Firewall has changed from Checkpoint FW1 to an iptables firewall, but no
> change in behaviour.
>
> I can login to Domino server fine but after some views and clicking too
> fast in our web application IE comes to a standstill, the domino server
> is blocked, there is no http or https traffic to the domino server.
> Nobody can work anymore!
>
> Exactly if I close my IE all works normal, http and https runs fine.
> This happens *only* if I use squid, when I go directly this never
> happens, all is fine.
>
> Here is my observation:
>
> There are many tcp connections from my client to squid in state
> 'connected' (around 20 to 30)
> and there are many connections from squid to domino server in state
> 'connected' (again around 20 to 30)
>
> Output of the domino http task:
> 05.02.2004 08:45:14   Http Worker Thread ID [44012]: Working session
> [4014]: Session State [SSL Handshake] :
> 05.02.2004 08:45:14   Http Worker Thread ID [48013]: Working session
> [3fed]: Session State [SSL Handshake] :
> 05.02.2004 08:45:14   Http Worker Thread ID [4c014]: Working session
> [3fee]: Session State [SSL Handshake] :
> 05.02.2004 08:45:14   Http Worker Thread ID [50015]: Working session
> [3fef]: Session State [SSL Handshake] :
> 05.02.2004 08:45:14   Http Worker Thread ID [54016]: Working session
> ... cut here
> as many http worker threads I configure (around 20 to 30...).
>
> The question is: why goes SSL Handshake wrong and connection is not
> getting terminated?
> And why don't I see this behaviour without squid?
>
> Here is an excerpt from domino release notes that might go into this
> direction:
>
> SSL Session Resumption
> SSL now performs session resumption. This will greatly improve
> performance when the Notes HTTP Client or server is
> using SSL, and may have a minor (positive) effect on other "Internet"
> protocols as well.

Is it a standard thing or Domino's own hack?

> The default number of resumable sessions that will be cached on the
> server is 50. To modify the number of sessions
> cached, set the SSL_RESUMABLE_SESSIONS notes.ini variable to the desired
> number. Setting
> SSL_RESUMABLE_SESSIONS=1 will disable SSL session resumption on the server.

Did you try to disable this SSL resumables?

Also, tcpdump might help others on the list know what exactly is going on.
--
vda


Re: [squid-users] yahoo messenger and squid

2004-02-06 Thread vda
On Friday 06 February 2004 06:41, Matt wrote:
> While we are on the subject is there a way to completely block yahoo
> messenger with squid?

watch the logs
construct acl
deny access
feel yourself like BOFH ;)

-- 
vda


[squid-users] IP blocking again

2004-02-06 Thread Chris Burton
Right, I have got squid to block by IP ranges via a web app I have
created. Is there a way to enable access to the server through the proxy
when in the banned list? Is there a localhost directive or something?

Many many thanks

Chris





Re: [squid-users] Massive problems with https connections to Domino Server (long)

2004-02-06 Thread Rainer Traut
Hi,

vda wrote:

>> The default number of resumable sessions that will be cached on the
>> server is 50. To modify the number of sessions
>> cached, set the SSL_RESUMABLE_SESSIONS notes.ini variable to the desired
>> number. Setting
>> SSL_RESUMABLE_SESSIONS=1 will disable SSL session resumption on the server.
>
> Did you try to disable this SSL resumables?

Yes, I have disabled this. Effect is then nearly the same or worse.
If I raise this to e.g. 1000 the effect is triggered later.

> Also, tcpdump might help other on the list know what exactly is going on.

Can you give me any hint how to do this?
A 'tcpdump host w.x.y.z port 443' gives huge output...

Rainer