[squid-users] Memory usage

2004-02-20 Thread Dave Raven
Top:
43236 nobody 2   0   368M   347M poll13:38  0.00%  0.00% squid

Ps -ax |grep squid:
43234  ??  Is 0:00.02 /usr/local/sbin/squid
43236  ??  D 13:37.96 (squid) (squid)
87951  ??  Ss 0:01.61 (squidGuard) (squidGuard)
87952  ??  Ss 0:00.24 (squidGuard) (squidGuard)
87953  ??  Is 0:00.10 (squidGuard) (squidGuard)
There are also 2x ldap_auth's running:
[EMAIL PROTECTED] /home/opteq # ps -ax|grep ldap
87955  ??  Is 0:00.48 (ldap_auth) -b OU=Users,
87956  ??  Is 0:00.18 (ldap_auth) -b OU=Users,

Squid.conf:
cache_mem 128 MB

Any suggestions as to why it's using so much memory ?
It seems to have only started post ldap auth a few days 
ago... But that's not definite


Thanks
Dave Raven



RE: [squid-users] Memory usage

2004-02-20 Thread Elsen Marc

 
> 
> Top:
> 43236 nobody 2   0   368M   347M poll13:38  0.00%  0.00% squid
> 
> Ps -ax |grep squid:
> 43234  ??  Is 0:00.02 /usr/local/sbin/squid
> 43236  ??  D 13:37.96 (squid) (squid)
> 87951  ??  Ss 0:01.61 (squidGuard) (squidGuard)
> 87952  ??  Ss 0:00.24 (squidGuard) (squidGuard)
> 87953  ??  Is 0:00.10 (squidGuard) (squidGuard)
> There are also 2x ldap_auth's running:
> [EMAIL PROTECTED] /home/opteq # ps -ax|grep ldap
> 87955  ??  Is 0:00.48 (ldap_auth) -b OU=Users,
> 87956  ??  Is 0:00.18 (ldap_auth) -b OU=Users,
> 
> Squid.conf:
> cache_mem 128 MB
> 
> Any suggestions as to why its using so much memory ?
> It seems to have only started post ldap auth a few days 
> ago... But that's not definate

  Define 'so much' : note that cache_mem does not pose
  an upper bound on squid's mem. usage. See comment in 
  squid.conf.default for 'cache_mem'.

  Also : squid's mem. usage is related to the size of the
  cache dir(s), see FAQ for relational info.

  If you are restricted by phys mem. available then reduce
  'cache_mem' to its default setting.

  Ps: my squid's currently on 460Meg with cache mem
  setting of 64Mb.

  M.

  

> 
> 
> Thanks
> Dave Raven
> 
> 


Re: [squid-users] Squid, transparent proxy, and logs

2004-02-20 Thread Henrik Nordstrom
On Thu, 19 Feb 2004 [EMAIL PROTECTED] wrote:

> Thanks again for being patient with me.  Hopefully we can get to the
> bottom of this.

Which exact Squid and kernel versions? (including patches).

Squid configure flags used? (Output of "squid -v")

Regards
Henrik



RE: [squid-users] Number of threads in AUFS

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Ko Jong Hyun wrote:

> Do you mean that i can see the squid threads using 'ps -m' ?

Yes.

Regards
Henrik



Re: [squid-users] Deny yahoo messager

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Winanjaya wrote:

> but yahoomessenger is smarter, it will check the opened port and then use it

Find what it is using and then block that.

Regards
Henrik



Re: [squid-users] Number of threads in AUFS

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Ko Jong Hyun wrote:

> But, when i execute Squid with aufs mode, i cannot found Squid threads like 
> below:
> (I compile squid with '--with-aufs-threads=16 --with-pthreads 
> --enable-storeio=aufs' options)

Has your Squid had any activity?

The threads are only started when there is activity.

Regards
Henrik



Re: [squid-users] Number of threads in AUFS

2004-02-20 Thread Ko Jong Hyun
Yes, I execute httperf to request http object to the machine in which Squid 
is operating.

But, it's still a problem.

From: Henrik Nordstrom <[EMAIL PROTECTED]>
To: Ko Jong Hyun <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], <[EMAIL PROTECTED]>, 
<[EMAIL PROTECTED]>
Subject: Re: [squid-users] Number of threads in AUFS
Date: Fri, 20 Feb 2004 09:49:24 +0100 (CET)
On Fri, 20 Feb 2004, Ko Jong Hyun wrote:

> But, when i execute Squid with aufs mode, i cannot found Squid threads like
> below:
> (I compile squid with '--with-aufs-threads=16 --with-pthreads
> --enable-storeio=aufs' options)
Have your Squid had any activity?

The threads is only started when there is activity.

Regards
Henrik



RE: [squid-users] .cgi webmail password caching problem

2004-02-20 Thread Henrik Nordstrom
On Thu, 19 Feb 2004, Dan Didier wrote:

> Why does it work in transparent mode?

The server is running on a non-standard port (8383). Because of this it is
not intercepted by the transparent redirection to the proxy and the client 
goes direct to the server not using the proxy.

Regards
Henrik




Re: [squid-users] Some basic Squid questions: mrtg, performance tuning ?

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, aiggno wrote:

> Hi all,
> 
> When monitoring the Squid with mrtg, with cacheServerInKb&cacheServerOutKb
> variables, I got these output:
> 
> Server traffic volume (In/Out):
> Max Traffic In  73.7 M b/min   Average Traffic In  32.6 M b/min   Current
> Traffic In  53.4 M b/min
> Max Traffic Out  4706.0 k b/min   Average Traffic Out  1615.0 k b/min
> Current Traffic Out  2574.0 k b/min
> 
> What does it mean ? How can the traffic to the cache in 73 Mb/minute while
> the traffic out is only about 5 Mb/minute ?

These two variables monitor the amount of traffic between Squid and the 
origin (and peer) servers.

Your Squid is sending 5 Mb/minute of data out to origin servers (request 
headers etc), and receiving 73 Mb/minute of data back.



If you want to monitor the amount of data sent by Squid to clients then 
this is cacheHttpOutKb.

I usually plot these combinations:


   cacheServerInKb & cacheHttpOutKb

   cacheHttpInKb & cacheServerOutKb

This gives nice graphs of the traffic in both directions and the impact of 
the cache.

Regards
Henrik



Re: [squid-users] value of cacheServerRequests variables

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, aiggno wrote:

> Hi all,
> 
> Could you please help me about the value of these variables:
> cacheServerRequests
> cacheHttpHits
> cacheServerInKb
> cacheServerOutKb
> 
> Are the value of these variables: request per minute or request per second ?
> kilobit or kilobyte per minute or sec ?

These are counters, not gauges.

Requests since startup. Kb since startup.

Regards
Henrik
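
An added example, not part of Henrik's replies or of Squid itself: because the variables in the two replies above are counters that only grow from startup, a rate needs two polls. The code below derives per-minute rates and the cache impact from the cacheServerInKb & cacheHttpOutKb pairing. It assumes 32-bit counters and an uptime reading taken with each poll; the sample readings are constructed.

```python
# Added example: turning Squid's SNMP counters into per-minute rates.
# The sample readings at the bottom are constructed for illustration.

COUNTER_MODULUS = 2 ** 32  # assumption: the agent reports 32-bit counters

COUNTERS = ("cacheServerInKb", "cacheServerOutKb",
            "cacheHttpInKb", "cacheHttpOutKb",
            "cacheServerRequests", "cacheHttpHits")


def counter_delta(old, new, modulus=COUNTER_MODULUS):
    """Increase between two readings, allowing for one wrap past the modulus."""
    if new >= old:
        return new - old
    return new + modulus - old


def rates_per_minute(prev, curr):
    """Per-minute rate of every counter between two polls.

    Each sample is a dict with 'time' (epoch seconds of the poll), 'uptime'
    (seconds since Squid started) and the counter values. The counters start
    again from zero when Squid restarts, so a shrinking uptime means the new
    reading only covers the time since that restart.
    """
    restarted = curr["uptime"] < prev["uptime"]
    interval = curr["uptime"] if restarted else curr["time"] - prev["time"]
    if interval <= 0:
        raise ValueError("samples must cover a positive time interval")
    rates = {}
    for name in COUNTERS:
        if restarted:
            delta = curr[name]  # everything counted since the restart
        else:
            delta = counter_delta(prev[name], curr[name])
        rates[name] = delta * 60.0 / interval
    return rates


def cache_impact(rates):
    """Share of the traffic sent to clients that was not fetched from servers."""
    sent = rates["cacheHttpOutKb"]
    if sent == 0:
        return 0.0
    return (sent - rates["cacheServerInKb"]) / sent


# Constructed samples, taken five minutes apart.
PREV = {"time": 1077270000, "uptime": 3600,
        "cacheServerInKb": 500000, "cacheServerOutKb": 15000,
        "cacheHttpInKb": 20000, "cacheHttpOutKb": 800000,
        "cacheServerRequests": 40000, "cacheHttpHits": 10000}
CURR = {"time": 1077270300, "uptime": 3900,
        "cacheServerInKb": 530000, "cacheServerOutKb": 16500,
        "cacheHttpInKb": 22500, "cacheHttpOutKb": 850000,
        "cacheServerRequests": 43000, "cacheHttpHits": 11500}

if __name__ == "__main__":
    rates = rates_per_minute(PREV, CURR)
    for name in COUNTERS:
        print("%-20s %10.1f per minute" % (name, rates[name]))
    print("cache impact: %.0f%% of client traffic" % (100 * cache_impact(rates)))
```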



[squid-users] FW: isee and squid

2004-02-20 Thread Emiel van Kalken

hi there,

I was wondering whether more people have configured ISEE to access the
internet through a proxy server. I do get the install of ISEE to work
(the three default messages in ISEE), but I do get these errors in the
mad.log :

190204 12:18:55.711 ERROR,[Comm] comm.cpp:989 NetworkException (10): Socket::read(): recv() timeout [[128.1.50.250]]

190204 12:18:55.711 ERROR,[Comm] sendReceive FAILED
190204 12:18:55.712 ERROR,[Comm] NetworkException (10): Socket::read(): recv() timeout [[128.1.50.250]]

HP support told me it was a problem in my proxy or firewall
configuration.
Our firewall is managed by a third party supplier, so I want to be sure
whether my squid config needs special changes for ISEE to work before I
contact our firewall maintainer.

I'm using squid version 2.4 STABLE 6 with authentication module
smb_auth. I already disabled the authentication module to make sure it
wasn't the problem. That didn't solve the problem.

thanks for your suggestions

Emiel 




Re: [squid-users] Deny yahoo messager

2004-02-20 Thread Serban Teodorescu
Another idea:

Read from messenger.yahoo.com which ports have to be opened to what hostnames.

Block the entire IP classes of those hosts for the respective ports (be aware, 
a hostname usually points to several IPs).

This is how I managed to allow yahoo messenger (by allowing that traffic).

Don't forget to check from time to time if any of the hosts has a new IP.
They usually do that relatively often :|

Good luck.

> On Fri, 20 Feb 2004, Winanjaya wrote:
> > but yahoomessenger is smarter, it will check the opened port and then use
> > it
>
> Find what it is using and then block that.
>
> Regards
> Henrik

-- 

Serban Teodorescu.



[squid-users] Squid extremely slow in transparent mode

2004-02-20 Thread Andriy Korud
Hi,
I've noticed that in transp mode (usual Linux netfilter) Squid is very-y-y slow
however in proxy mode - lightning fast. Slowness is both in delays and transfer
speed.

Can you suggest anything?

Andriy Korud




RE: [squid-users] Squid extremely slow in transparent mode

2004-02-20 Thread Elsen Marc

 
> 
> Hi,
> I'vi noticed that in transp mode (usual Linux netfilter) 
> Squid is very-y-y slow
> however in proxy mode - ligting fast. Slowness is both in 
> delays and transfer
> speed.
> 
> Can you suggest anything?
 
   Squid version ?
   Os/platform/version ?
 
   M.


Re: [squid-users] Memory usage

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Dave Raven wrote:

> Any suggestions as to why its using so much memory ?

Have you read the Squid FAQ chapter on memory usage?

Regards
Henrik



Re: [squid-users] FW: isee and squid

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Emiel van Kalken wrote:

> 
> 190204 12:18:55.711 ERROR,[Comm] comm.cpp:989 NetworkException (10):
> Socket::rea
> d(): recv() timeout [[128.1.50.250]]

What is 128.1.50.250?

Anything in your Squid logs?

Regards
Henrik



[squid-users] Re: Malformed Urls

2004-02-20 Thread Deepa D
Hi All,
   Using strace I have noticed the following problem :-
For the mentioned url, I get the HTTP/1.0 204
response at one time. But when the same request is
given again, the request is serviced and the page
displays properly. 
read(16, "GET http://www.google.com/url?sa"..., 4095) = 674
write(6, "http://www.google.com/url?sa=T&s"..., 121) = 121
read(6, "\n\n", 8192)   = 2
write(17, "GET /url?sa=T&start=5&url=http%3"..., 751) = 751
read(17, "HTTP/1.0 204 No Content\r\nCache-c"..., 87380) = 173
write(16, "HTTP/1.0 204 No Content\r\nCache-C"..., 206) = 206
write(5, "1077176973.319   1100 10.10.10.1"..., 116) = 116
write(12, "1077176973.319 RELEASE -1 FF"..., 149) = 149
read(16, 0x82937e0, 4095)   = -1 EAGAIN (Resource temporarily unavailable)
read(16, 0xbffe7fc0, 87380) = -1 ECONNRESET (Connection reset by peer)

   Plz let me know as to why this happens.
   
  Regards and TIA,
Deepa


 --- Deepa D <[EMAIL PROTECTED]> wrote:
> Hi,
>   Thanks for the info.
>   I am trying to do an strace. In the meanwhile, I am
> sending the log function for ur perusal :-
> void log(char *filename, char *msg , char * msg1) {
>   FILE *log;
>   char *date_str = NULL;
>   log = fopen(filename, "at");
>   if(log == NULL){
>   return;
>   }
>   date_str = getDate();
>   fprintf(log, "%s: %s %s\n", date_str, msg, msg1);
>   fflush(log);
>   free(date_str);
>   fclose(log);
> } 
> 
> char *getDate(void) {
>   time_t tp;
>   char *ascitime;
>   char *s;
>   tp = (time_t)time(NULL);
>   ascitime = (char *)ctime(&tp);
>   s = (char *)malloc(sizeof(char) * (strlen(ascitime)+1));
>   /* no use writing an error message, because this function
>   will keep getting called! */
>   if(s == NULL) {
> exit(3);
>   }
>   strcpy(s, ascitime);
>   s[strlen(ascitime) - 1] = '\0';
>   return s;
> }
> 
>Another problem that I am now facing is that
> eventhough the redirector program is writing a new
> line to the stdout(I figure this out from the log
> message), the squid is redirecting the page to the
> redirect url.
>Plz tell me if u know the solution to this
> problem.
> 
>Regards and TIA,
>   Deepa
> 
>  --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > On Wed, 18 Feb 2004, Deepa D wrote:
> > 
> > > Hi,
> > >   Thanks for the response. 
> > >   access.log is listing the urls correctly. Sample :-
> > > http://in.yimg.com/i/in/adv/hp/pbhp_84x28_blu_yahoo.gif
> > > 
> > >   The redirector code is as follows :-
> > > 
> > > char buff[MAX_BUFF] = "";
> > > setbuf(stdout, NULL);
> > >   memset(buff,'\0',MAX_BUFF);
> > > 
> > >   while(fgets(buff, MAX_BUFF, stdin) != NULL) {
> > > 
> > >  log(LOG_INFO," Client - read from stdin = ", buff);
> > > }
> > > 
> > 
> > What does the log function look like?
> > 
> > Also try strace/truss of the redirector process to
> > verify that what it 
> > logs matches what it reads from Squid.
> > 
> > Regards
> > Henrik





RE: [squid-users] Squid + MSAD.

2004-02-20 Thread Ampugnani, Fernando
Hi Henrik,
In squid_ldap_auth the filter as I configure looks like...

-f "(&(sAMAccountName=%u)(object-Class=user))"

is ok?

How many way of configure it there are? In man page I didn't find many
variants of this.

Thanks & Regards,
Fernando.


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 11:49
To: Ampugnani, Fernando
Cc: Henrik Nordstrom
Subject: RE: [squid-users] Squid + MSAD.


On Thu, 19 Feb 2004, Ampugnani, Fernando wrote:

> OK Henrik, thanks now I understand how work squid_ldap_auth +
> squid_ldap_group, so I don't test it from cmd line isn't it?

There is no problem testing squid_ldap_group from the command line. It 
expects username  groupname as input.


It then uses the optional user search filter (-F) to locate the user's DN
like the -f flag for squid_ldap_auth, and finally looks via the 
group search filter (-f) if there is a group where this user is a 
member.

Regards
Henrik


[squid-users] one website denies access

2004-02-20 Thread Mrvka Andreas
hi,

i have a standard config of squid.conf
and surfing to every public website on the world works good
except one!

http://www.gmp-navigator.com


normally, i surf with ntlm authentication (challenge and response)
so that in access.log there is first access denied because of
no username information and on the next step squid gets a username
and finally the user has access to the sites.

BUT, at the link above i only get a log entry for the first access
without a username. nothing more!

and so the site is forever denied.

can anybody explain & help me?

regards
Andrew


Squid Cache: Version 2.5.STABLE1
configure options:
  --prefix=/usr/local/squid2
  --bindir=/usr/local/squid2/bin
  --enable-icmp
  --enable-kill-parent-hack
  --enable-default-err-language=German '
  --enable-err-languages=German English' '
  --enable-auth=basic ntlm' '
  --enable-basic-auth-helpers=SMB multi-domain-NTLM winbind MSNT' '
  --enable-ntlm-auth-helpers=SMB winbind no_check'
  --enable-ntlm-fail-open '
  --enable-external-acl-helpers=wbinfo_group winbind_group'




[squid-users] Password after a onnection idle time

2004-02-20 Thread Leo

Hi all,

I'm using squid with password authentication.
Can somebody explain to me how I can disconnect an idle session after a certain
time?
Or better, I want the user to have to put in the password again after that certain
idle time.

X-LINK TELECOM LTDA
Leo van Bussel
Departamento Técnico de T.I.
End : R: Camoes ,1684 Curitiba - Parana
Tel/Fax : (041) 352-0707 ramal:205
E-mail : [EMAIL PROTECTED]


RE: [squid-users] Squid extremely slow in transparent mode

2004-02-20 Thread Andriy Korud
Quoting Elsen Marc <[EMAIL PROTECTED]>:

> 
>  
> > 
> > Hi,
> > I'vi noticed that in transp mode (usual Linux netfilter) 
> > Squid is very-y-y slow
> > however in proxy mode - ligting fast. Slowness is both in 
> > delays and transfer
> > speed.
> > 
> > Can you suggest anything?
>  
>Squid version ?
>Os/platform/version ?
>  
2.5STABLE4, OS Linux (both 2.4.24 and 2.6.3 were tested). 
Was tested on a single client - so proxy load was 0.

Andriy.





[squid-users] Re: Malformed Urls

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Deepa D wrote:

> Hi All,
>Using strace I have noticed the following problem
> :-
> For the mentioned url, I get the HTTP/1.0 204
> response at one time. But when the sam request is
> given again, the request is serviced and the page
> displays properly. 
>  read(16, "GET http://www.google.com/url?sa";...,
> 4095) = 674
> write(6, "http://www.google.com/url?sa=T&s";..., 121) =
> 121
> read(6, "\n\n", 8192)   = 2

I asked you to strace the redirector, not Squid.

as for the 204 question, see output of ngrep or other network sniffer to 
see if the traffic between Squid and the server differs in any way between 
the two requests.

But what can be said is that in the above the URL is sent correctly to the 
redirector (the write 6, ...) and if this got logged as a malformed URL by 
your redirector then the redirector is broken.

Regards
Henrik



RE: [squid-users] Squid + MSAD.

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Ampugnani, Fernando wrote:

> Hi Henrik,
>   In squid_ldap_auth the filter as I configure looks like...
> 
> -f "(&(sAMAccountName=%u)(object-Class=user))"
> 
> is ok?

Almost. You need to use %s for the username in user filters and there is
no - in objectClass.

It is only in group filters to squid_ldap_group that %u is
used for the username.

Other than this it looks ok even if I would use the more general 
objectClass=Person.

> How many way of configure it there are? In man page I didn't find many
> variants of this.

There are as many ways as there are LDAP directories and tastes in how to 
organise the LDAP structure.

The main problem is that there is no globally accepted standard on which
LDAP attribute the login name should be stored into.

Microsoft uses sAMAccountName (Pre-2000 login name alone) and
userPrincipalName (ADS login name including ADS domain name).

Most of the rest of the world uses uid.

Some use other attributes.

Some have the login attribute in the DN of the user object to uniquely
identify user objects by their login name. This is quite commonly the case
when uid is used for the login name, but not always the case.

Some (such as ADS) have the common name in the DN instead of using the 
login name.

Personally I prefer having the login name in the DN as this is less likely 
to change over time than the human name of the person. Changing the DN of 
an existing object is a very complex operation as all references to this 
object in all related LDAP directories need to be updated.

Regards
Henrik
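
An added example, not code from squid_ldap_auth or from this thread's authors: a small checker for the user filter template discussed above, which flags a missing %s or a stray %u and then expands the template with the login name escaped per RFC 4515 so it is matched literally. The function names and the login names are made up for illustration.

```python
# Added example: checking and expanding a squid_ldap_auth style user filter.
# Function names and sample login names are constructed for illustration.

# RFC 4515: characters that must be written as \XX inside a filter value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

AS_POSTED = "(&(sAMAccountName=%u)(object-Class=user))"  # filter from the question
CORRECTED = "(&(sAMAccountName=%s)(objectClass=user))"   # with both fixes applied


def escape_filter_value(value):
    """Escape a login name so the directory matches it literally."""
    # One pass over the characters, so an escaped backslash is never re-escaped.
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def check_user_filter(template):
    """Return the problems found in a user filter template (empty if none).

    A misspelt attribute such as object-Class cannot be caught here: the
    hyphen is legal in an attribute name, so only the directory knows that
    no such attribute exists.
    """
    problems = []
    if "%s" not in template:
        problems.append("no %s placeholder for the login name")
    if "%u" in template:
        problems.append("%u is only used in squid_ldap_group group filters")
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def expand_user_filter(template, login):
    """Substitute the escaped login name for %s, refusing a faulty template."""
    problems = check_user_filter(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("%s", escape_filter_value(login))


if __name__ == "__main__":
    print(AS_POSTED, "->", check_user_filter(AS_POSTED))
    for login in ("jdoe", "j*doe(test)"):  # constructed login names
        print(login, "->", expand_user_filter(CORRECTED, login))
```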



RE: [squid-users] Squid extremely slow in transparent mode

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Andriy Korud wrote:

> 2.5STABLE4, OS Linux (both 2.4.24 and 2.6.3 were tested). 
> Was tested on a single client - so proxy load was 0.

Ok, some more data required

* Does it work fine if no interception rules are installed and the client 
is configured to use the proxy?

* Does it work fine if interception rules are installed but the client is
still configured to use the proxy?

* How are you redirecting the traffic to the proxy?

* What is the MTU to your client? If any part of the path to the client 
uses a smaller MTU then MTU discovery will most likely work unless the 
interception is done very carefully.  Transparently intercepting traffic 
IS violating a number of Internet standards.

Regards
Henrik



Re: [squid-users] Password after a onnection idle time

2004-02-20 Thread Henrik Nordstrom
On Fri, 20 Feb 2004, Leo wrote:

> Can somebody me explain how I can disconnect a idle session after a certain
> time.

There are no sessions in HTTP. What you see as a login session is purely a 
session between the browser and its user. To the proxy the login is 
performed on each and every request.

> Or better I want the user needs to put the password again after that certain
> idle time

Only by having the browser configured to automatically log out the user on 
inactivity.

Regards
Henrik



[squid-users] Squid blocking the site..

2004-02-20 Thread Khan
Hi,

I am using Squid2.5 stable 1  , Squid is not allowing the below mentioned
site.

http://olivercom.com:85

Pls help ..


Thanks In Advance
Khan.



Re: [squid-users] Squid, transparent proxy, and logs

2004-02-20 Thread jwebb

>
> Which exact Squid and kernel versions? (including patches).
>
> Squid configure flags used? (Output of "squid -v")
>
> Regards
> Henrik

It's squid 2.5.STABLE4.  Configure options are just --enable-linux-netfilter.

I'm running a vanilla version of Linux 2.4.22 with the bare essentials to
make Netfilter/sysctl/network work.




[squid-users] ZSR - Stable 4

2004-02-20 Thread Dan Brita
I am running Squid 2.5 stable 4 behind a Cisco PIX 525 running firewall IOS 6.3(1). I 
am still getting Zero Sized Reply errors when navigating to AOL webmail, Gateway's 
support site and others. I thought that the problem that the PIX causes had been fixed 
in stable 4 but maybe not. The new patch has fixed the problems with Yahoo and 
Hotmail. Does anyone have any suggestions on what to try? We are not interested in 
access control to the internet, just the caching of web pages. Is it possible to turn 
off the proxy feature, thus leaving the original header in place? I doubt it, but I 
figured I would ask.
Any help is greatly appreciated. 
Dan



RE: [squid-users] Squid blocking the site..

2004-02-20 Thread Elsen Marc

  
> Hi,
> 
> I am using Squid2.5 stable 1  , Squid is not allowing the 
> below mentioned
> site.
> 
> http://olivercom.com:85
> 
> Pls help ..
 
  You will probably need to add port 85 to your
'Safe ports' acl in squid.conf

  M.


[squid-users] Fw: Please help

2004-02-20 Thread Milind
Damm Why this bounced.

I'm forwarding again

- Original Message -
From: Milind
To: [EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 16:13
Subject: Please help


I had squid running on default port(3128), If I configure the browser for
3128 port then it works fine but Whenever I configure the iptables for
transparent proxying, for all the address it gives the error as...

 ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: /

The following error was encountered:

* Invalid URL

Some aspect of the requested URL is incorrect. Possible problems:

* Missing or incorrect access protocol (should be `http://'' or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed

Your cache administrator is root.


Pls can you help about it...

Miles



RE: [squid-users] Fw: Please help

2004-02-20 Thread Elsen Marc

 
> I had squid running on default port(3128), If I configure the 
> browser for
> 3128 port then it works fine but Whenever I configure the iptables for
> transparent proxying, for all the address it gives the error as...
> 
>  ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL: /
> 
> The following error was encountered:
> 
> * Invalid URL
> 
> Some aspect of the requested URL is incorrect. Possible problems:
> 
> * Missing or incorrect access protocol (should be 
> `http://'' or similar)
> * Missing hostname
> * Illegal double-escape in the URL-Path
> * Illegal character in hostname; underscores are not allowed
> 
> Your cache administrator is root.
> 
> 
> Pls can you help about it...
> 
> Miles
> 
   http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

   Checkout item 2.

   M.
 


Re: [squid-users] Deny yahoo messager

2004-02-20 Thread Muthukumar


> 
> Block the entire IP classes of those hosts for the respective ports (be aware, 
> a hostname usually point to several IPs).
> 

Yes. Do it with the acl ident or acl ident_regex

acl block url_regex "Location of messenger.txt"
acl yahoo ident hostname (or in a file)

http_access deny yahoo block 

or use the acl ident_regex  to recognize the particular pattern as hostname.

Or else

You can use the ident_lookup_access to look-up the identity of the client's ip-address 
and block them
to use the yahoo messenger!

> This is how i managed to allow yahoo messenger (by allowing that traffic).
> 
> Don't forget to check from time to time is any of the host has a new IP.

Refer to this for more:
To know more about giving access denial in transparent proxy
http://www.maynidea.com/squidguard/ident.html

Regards,
Muthukumar.


[squid-users] Cannot block https sites

2004-02-20 Thread h35 . office
I want to block adminsites with ssl on my local webserver.
But when i try this
http_access allow admins adminsites
http_access deny adminsites

The acls for admin and adminsites are correct

No admins cannot go to non https sites on my local webserver. (thats ok)
But non admins can still go to https sites.

Why? Any suggestions
mfg

Paul



Re: [squid-users] Cannot block https sites

2004-02-20 Thread Muthukumar

> http_access allow admins adminsites
> http_access deny adminsites
> 
http_access deny non-admins adminsites
..

http_access deny all


Regards,
Muthukumar.



[squid-users] Problems with POST using squid V2.5 Stable

2004-02-20 Thread bob . walker
Hi,

I'm having trouble with a site when we need to enter data into a form.

Reading the site is OK. See extract from access log below

1077279754.746  2 128.1.45.113 TCP_HIT/200 4863 GET http://ws1info.companieshouse.gov.uk/images/chhome.gif - NONE/- image/gif
1077279754.762  2 128.1.45.113 TCP_HIT/200 2307 GET http://ws1info.companieshouse.gov.uk/images/info_but.gif - NONE/- image/gif
1077279754.878  3 128.1.45.113 TCP_HIT/200 2416 GET http://ws1info.companieshouse.gov.uk/images/search_but.gif - NONE/- image/gif
1077279754.896  2 128.1.45.113 TCP_HIT/200 2343 GET http://ws1info.companieshouse.gov.uk/images/clear_but.gif - NONE/- image/gif

As soon as I try to post I get a "URL cannot be retrieved"

While trying to retrieve the URL:
 
The following error was encountered: 
Unable to determine IP address from host name for
ws1info.companieshouse.gov.uk 
The dnsserver returned: 
No DNS records 


1077279768.870  4 128.1.45.113 TCP_MISS/503 1530 POST http://ws1info.companieshouse.gov.uk/info/do_search.cgi - NONE/- text/html
1077284719.735 13 128.1.45.113 TCP_MISS/503 1530 POST http://ws1info.companieshouse.gov.uk/info/do_search.cgi - NONE/- text/html

I've stuck the following in squid.conf

acl broken_post url_regex http://ws1info.companieshouse.gov.uk
broken_posts allow broken_post

But still no joy !!!

I've heard squid can be a bit fussy with POST requests. Can anyone help 



Bob Walker
UNIX Infrastructure Specialist
Web Access Services
ISS Cross Platform Services
Floor 2C
Barclays House
Poole

Tel: 01202 648760
INT: 7-4100-8760
Fax 01202 648793





Re: [squid-users] Cannot block https sites

2004-02-20 Thread h35 . office
Thanks, but it doesn't work.
I want to block https://servername.domain.d/log

I see in access.log if i connect to the https site this:
https://servername.domain.d:443

So in my adminsites.txt are following
.domain.d/log
1.1.1.1/log
.domain.d:443/log


mfg

Paul




Re: [squid-users] Problems with POST using squid V2.5 Stable

2004-02-20 Thread Muthukumar

> 
>> http://ws1info.companieshouse.gov.uk/images/clear_but.gif - NONE/- image/gif
> 
> As soon as I try to post I get a "URL cannot be retrieved"
> 
> While trying to retrieve the URL:
>  
> The following error was encountered: 
> Unable to determine IP address from host name for
> ws1info.companieshouse.gov.uk 
> The dnsserver returned: 
> No DNS records 
> 
>>>

The problem is because of the IP address logging on the access.log. See the field 
NONE/-.
Here "-" is the problem. So no ident information is available.

Refer to the ident_lookup_access TAG in squid.conf file.




RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Scott Phalen
Ok, I have been all over the memory FAQs and still can't figure out why my
server is consuming all its RAM.  I have 2GIG of DDR RAM and the only
service running on this server is Squid.  My cache_mem is set to 64MB and
cache_dir is 1 16 256.  During peak hours my RAM is consumed very fast.
Is there something else I should be configuring besides cache_mem and
cache_dir to minimize memory use?

Any help would be greatly appreciated!

Scott Phalen

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 1:11 PM
To: Mouque, Eric
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] FW: Squid memory utilization

On Wed, 18 Feb 2004, Mouque, Eric wrote:
>
>   1/ What can I do to reduce Squid's memory usage ?

First step is to figure out what part of Squid is using a lot of memory.
The Memory Utilization page in cachemgr is a good start.

>   2/ How do you collect Squid statistics ? Should I use cache manager
> for doing so ?

I prefer collecting runtime statistics with SNMP and plot them using MRTG
or RRDTOOL.

For usage statistics use one of the log analysis packages for Squid. Which
one to use depends a little on what kind of statistics you are interested
in.

>   3/ How to you tune Squid to avoid such memory utilization issue ? The
> memory chapter in the Squid FAQ is pretty old. Is it still valid for
> Squid Version 2.5 ?

The FAQ chapter is still valid for the most part.

>   4/  Squid.conf file contains the following parameters, do you have any
> recommendation with regards to those parameters ?
>   cache_mem 16 MB cache_dir null  /mnt/aplocaldisk/var/null

There is not much to do about these parameters. Already set for very
restrictive memory usage.

Regards
Henrik



RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Duane Wessels



On Fri, 20 Feb 2004, Scott Phalen wrote:

> Ok, I have been all over the memory FAQs and still can't figure out why my
> server is consuming all it's RAM.  I have 2GIG of DDR RAM and the only
> service running on this server is Squid.  My cache_mem is set to 64MB and
> cache_dir is 1 16 256.  During peak hours my RAM is consumed very fast.
> Is there something else I should be configuring besides cache_mem and
> cache_dir to minimize memory use?
>
> Any help would be greatly appreciated!

how much memory is Squid using?  Show us the output from:

squidclient mgr:info

that looks like this:

Resource usage for squid:
...
Process Data Segment Size via sbrk(): 141206 KB
Maximum Resident Size: 150620 KB
Page faults with physical i/o: 5
Memory accounted for:
Total accounted:89475 KB
memPoolAlloc calls: 337571214
memPoolFree calls: 334378229

Duane W.


RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Scott Phalen
Thanks for showing me that command.  Here is the info you asked for.
Anything I should be concerned about in here?

Resource usage for squid:
UP Time:13526.773 seconds
CPU Time:   1184.000 seconds
CPU Usage:  8.75%
CPU Usage, 5 minute avg:14.68%
CPU Usage, 60 minute avg:   12.46%
Process Data Segment Size via sbrk(): 153436 KB
Maximum Resident Size: 0 KB
Page faults with physical i/o: 473

Memory accounted for:
Total accounted:   114009 KB
memPoolAlloc calls: 36193911
memPoolFree calls: 34404245

Connection information for squid:
Number of clients accessing cache:  607
Number of HTTP requests received:   273414
Number of ICP messages received:0
Number of ICP messages sent:0
Number of queued ICP replies:   0
Request failure ratio:   0.00
Average HTTP requests per minute since start:   1212.8
Average ICP messages per minute since start:0.0
Select loop called: 2145209 times, 6.306 ms avg

-Original Message-
From: Duane Wessels [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 12:21 PM
To: Scott Phalen
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] FW: Squid memory utilization



On Fri, 20 Feb 2004, Scott Phalen wrote:

> Ok, I have been all over the memory FAQs and still can't figure out why my
> server is consuming all it's RAM.  I have 2GIG of DDR RAM and the only
> service running on this server is Squid.  My cache_mem is set to 64MB and
> cache_dir is 1 16 256.  During peak hours my RAM is consumed very fast.
> Is there something else I should be configuring besides cache_mem and
> cache_dir to minimize memory use?
>
> Any help would be greatly appreciated!

how much memory is Squid using?  Show us the output from:

squidclient mgr:info

that looks like this:

Resource usage for squid:
...
Process Data Segment Size via sbrk(): 141206 KB
Maximum Resident Size: 150620 KB
Page faults with physical i/o: 5
Memory accounted for:
Total accounted:       89475 KB
memPoolAlloc calls: 337571214
memPoolFree calls: 334378229

Duane W.



RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Duane Wessels



On Fri, 20 Feb 2004, Scott Phalen wrote:

> Thanks for showing me that command.  Here is the info you asked for.
> Anything I should be concerned about in here?
>
> Resource usage for squid:
> UP Time:    13526.773 seconds
> CPU Time:   1184.000 seconds
> CPU Usage:  8.75%
> CPU Usage, 5 minute avg:    14.68%
> CPU Usage, 60 minute avg:   12.46%
> Process Data Segment Size via sbrk(): 153436 KB
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 473

According to this, the Squid process size is 153MB.

Now, why do you say that your "server is consuming all it's RAM"?
If you are looking at top and the value for "Free" then you need
to understand that your system's RAM is being used for other things,
such as disk I/O buffers.

Duane W.


RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Scott Phalen
I understand that there are other processes that will run just from turning
on the server.  I am using "TOP" to verify RAM utilization.  When squid
isn't running there is not more than 200MB of RAM used.  I turn on squid and
within 6 hours I am at the point you see in "TOP" below:

12:47pm  up  6:06,  4 users,  load average: 0.21, 0.23, 0.18
49 processes: 46 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  5.6% user, 11.4% system,  0.0% nice, 83.0% idle
Mem:  2059416K av, 1798476K used,  260940K free,     292K shrd,  136604K buff
Swap: 2096400K av,       0K used, 2096400K free                 1392716K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
 2886 nobody    15   0  153M 153M  1684 R    14.9  7.6  22:11 squid


Keep in mind I am a novice linux guy.  If I am reading top wrong then my
bad.  I don't know what the "buff" and "cached" mean to the far right.
Maybe that is where my issue is.  Or maybe I have a memory leak.  I have no
clue how to check for that.  I am using the latest stable version of squid,
I read there were memory leak issues in previous posts, do I need to patch
this version of squid?

Scott

-Original Message-
From: Duane Wessels [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 12:46 PM
To: Scott Phalen
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] FW: Squid memory utilization



On Fri, 20 Feb 2004, Scott Phalen wrote:

> Thanks for showing me that command.  Here is the info you asked for.
> Anything I should be concerned about in here?
>
> Resource usage for squid:
> UP Time:    13526.773 seconds
> CPU Time:   1184.000 seconds
> CPU Usage:  8.75%
> CPU Usage, 5 minute avg:    14.68%
> CPU Usage, 60 minute avg:   12.46%
> Process Data Segment Size via sbrk(): 153436 KB
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 473

According to this, the Squid process size is 153MB.

Now, why do you say that your "server is consuming all it's RAM"?
If you are looking at top and the value for "Free" then you need
to understand that your system's RAM is being used for other things,
such as disk I/O buffers.

Duane W.



[squid-users] Master Cache Server Feeding Client Cache Servers

2004-02-20 Thread OTR Comm
Hello,

Is it possible to have a master cache server that updates client cache
servers based upon queries sent from the clients to the master?

That is, if a query to a client cache server has a MISS, then the client
will query the master server for data.

Along similar lines, is it possible to have a master cache server update
client servers on a scheduled basis (say nightly)?

Thanks,

Murrah Boswell


[squid-users] ACL question

2004-02-20 Thread Ballou, Matthew
Hello,
Could someone give me an example of the syntax in setting up squid
to prevent downloads of certain files (Zip, Exe for example).
I checked out the Archive posts but I don't seem to have it right.

acl Downloads urlpath_regex .\exe$  


http_access deny Downloads





Thanks,
Matt



[squid-users] Reverse Proxy of OWA/Exchange 2000

2004-02-20 Thread Eric Kahklen
I've read through the past posts and haven't been able to pull together 
enough to get my config working.  I am borrowing a config sent to me 
and trying to get it to work.  Please keep in mind that I haven't set 
the acl's or http_access yet to help eliminate those as problems.  This 
is also in a testing environment so it is not affecting a production 
mail system.  At this point, I get the confirmation of the SSL cert, 
Windows username/password box and enter the test account and password.  
It appears to authenticate to Windows but the screen only shows the 
frames and tries to bring up the OWA page but errors out with Action 
canceled - Internet Explorer was unable to link to the Web page you 
requested.  I am very new to Squid, but was told that Squid is the 
ONLY way to use a reverse proxy with OWA/SSL.

I know my squid.conf file is not pretty, but I need to know if I have 
something completely wrong or not.  Some of what is in the original conf 
file I couldn't find documentation on.  I have put all my comments in 
uppercase.  I am only looking for help on the OWA issue at this point so 
the ACL stuff doesn't need input at this point unless you have time.  
Any help would be appreciated.

Thanks a lot,

Eric

#SQUID 3.0
# I HAD TO PUT THESE IN PLACE DUE TO ERRORS I GOT WHEN TRYING TO START SQUID.
# I DIDN'T COMPILE IT MYSELF, I USED THE PACKAGE
# THAT CAME WITH SuSE 9.0 PROFESSIONAL
cache_replacement_policy heap
memory_replacement_policy heap

# THIS IS A TEST TO SEE IF I COULD GET TO A SIMPLE HTML PAGE IN A DIFFERENT IIS DIRECTORY
http_port 80 defaultsite=owaserver/squid

# AS I UNDERSTAND IT, THIS IS WHAT REPLACED THE HTTPD_ACCEL* REFERENCES
https_port 443 cert=/etc/squid/key-cert.pem defaultsite=owaserver/exchange
cache_peer owaserver parent 80 0 proxy-only front-end-https=on login=pass
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
log_fqdn off
check_hostnames off
redirect_rewrites_host_header off
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 10 minutes
refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440  0%   1440
refresh_pattern .         0     20%  4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow all
http_access allow localhost
http_reply_access allow all
icp_access deny all
#NOT SURE IF I NEED THESE, FROM THE DOCS I DON'T THINK I DO
#visible_hostname webaccess.mydomain.com
#hostname_aliases squid.mydomain.com


RE: [squid-users] FW: Squid memory utilization

2004-02-20 Thread Duane Wessels



On Fri, 20 Feb 2004, Scott Phalen wrote:

> I understand that there are other processes that will run just from turning
> on the server.  I am using "TOP" to verify RAM utilization.  When squid
> isn't running there is not more than 200MB of RAM used.  I turn on squid and
> within 6 hours I am at the point you see in "TOP" below:
>
> 12:47pm  up  6:06,  4 users,  load average: 0.21, 0.23, 0.18
> 49 processes: 46 sleeping, 3 running, 0 zombie, 0 stopped
> CPU states:  5.6% user, 11.4% system,  0.0% nice, 83.0% idle
> Mem:  2059416K av, 1798476K used,  260940K free,     292K shrd,  136604K buff
> Swap: 2096400K av,       0K used, 2096400K free                 1392716K cached
>
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
>  2886 nobody    15   0  153M 153M  1684 R    14.9  7.6  22:11 squid
>
>
> Keep in mind I am a novice linux guy.  If I am reading top wrong then my
> bad.  I don't know what the "buff" and "cached" mean to the far right.
> Maybe that is where my issue is.  Or maybe I have a memory leak.  I have no
> clue how to check for that.  I am using the latest stable version of squid,
> I read there were memory leak issues in previous posts, do I need to patch
> this version of squid?

You do not have a memory leak.  Squid's process size is only 153M, as shown
in the SIZE and RSS columns.  The other memory is being used by your operating
system and/or other processes.

Duane W.
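
The reading of the numbers given in this reply, worked through as an added example (not part of the thread and not Squid code). It parses the old-style top header and the mgr:info lines posted earlier, re-joined and embedded here as constructed samples, and separates kernel buffers and page cache from memory actually held by processes. All function names are hypothetical.

```python
import re

# Constructed sample: the top header from the thread, wrapped lines re-joined.
TOP_HEADER = """\
Mem:  2059416K av, 1798476K used,  260940K free, 292K shrd,  136604K buff
Swap: 2096400K av,   0K used, 2096400K free 1392716K cached
"""

# Constructed sample: the mgr:info lines quoted in the thread.
MGR_INFO = """\
Process Data Segment Size via sbrk(): 153436 KB
Maximum Resident Size: 0 KB
Total accounted:   114009 KB
"""

def parse_top_header(text):
    """Return {'Mem': {'av': ...}, 'Swap': {...}} with every value in KB."""
    out = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        if sep and label in ("Mem", "Swap"):
            pairs = re.findall(r"(\d+)K\s+(\w+)", rest)
            out[label] = {name: int(value) for value, name in pairs}
    return out

def parse_mgr_info(text):
    """Return {'field name': KB} for every 'name: N KB' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(\d+) KB\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def memory_breakdown(top_text, info_text):
    top = parse_top_header(top_text)
    info = parse_mgr_info(info_text)
    # In this top layout "cached" is printed on the Swap line but counts RAM.
    cache_kb = top["Mem"]["buff"] + top["Swap"]["cached"]
    squid_kb = info["Process Data Segment Size via sbrk()"]
    return {
        "kernel_cache_kb": cache_kb,
        "held_by_processes_kb": top["Mem"]["used"] - cache_kb,
        "squid_kb": squid_kb,
        "squid_unaccounted_kb": squid_kb - info["Total accounted"],
    }

if __name__ == "__main__":
    for key, value in memory_breakdown(TOP_HEADER, MGR_INFO).items():
        print(f"{key:24} {value:>9} KB")
```

Of the 1798476K shown as used, buffers and page cache account for 1529320K; processes hold the remaining 269156K, of which Squid's data segment is 153436K.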


Re: [squid-users] ACL question

2004-02-20 Thread Duane Wessels



On Fri, 20 Feb 2004, Ballou, Matthew wrote:

> Hello,
>   Could someone give me an example of the syntax in setting up squid
> to prevent downloads of certain files (Zip, Exe for example).
> I checked out the Archive posts but I don't seem to have it right.
>
> acl Downloads urlpath_regex .\exe$
>
>
> http_access deny Downloads

That's pretty close.  You probably want \.exe instead.
Other than that it should work, although it does depend on
where you put the "deny Downloads" line in relation to all
of the other http_access lines.

Duane W.
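
The two points in this reply (the escaped dot and the position of the deny line), modelled as an added example; it is not code from the thread or from Squid. It assumes Squid's first-match evaluation of http_access and that urlpath_regex is case-sensitive and sees the path plus query string. The ACL names AnyCharExe and DownloadsWide and all sample paths are hypothetical, and DownloadsWide goes beyond the thread by adding case-insensitivity, zip and an optional query string.

```python
import re

def regex_acl(pattern, ignore_case=False):
    """Model a urlpath_regex ACL: unanchored search over path plus query string."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda urlpath: rx.search(urlpath) is not None

ACLS = {
    "all": lambda urlpath: True,            # stands in for "acl all src 0.0.0.0/0.0.0.0"
    "Downloads": regex_acl(r"\.exe$"),      # pattern suggested in the reply
    "AnyCharExe": regex_acl(r".exe$"),      # dot left unescaped: matches any character
    # Assumption: equivalent of "urlpath_regex -i" with an optional query string.
    "DownloadsWide": regex_acl(r"\.(exe|zip)(\?.*)?$", ignore_case=True),
}

def http_access(rules, urlpath, acls=ACLS):
    """Return 'allow' or 'deny' the way Squid walks http_access lines.

    Rules are checked top to bottom and the first one whose ACL matches decides.
    If nothing matches, Squid applies the opposite of the last rule.
    """
    for action, acl_name in rules:
        if acls[acl_name](urlpath):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

DENY_FIRST = [("deny", "Downloads"), ("allow", "all")]
DENY_LAST = [("allow", "all"), ("deny", "Downloads")]   # deny line is never reached
DENY_ANYCHAR = [("deny", "AnyCharExe"), ("allow", "all")]
DENY_WIDE = [("deny", "DownloadsWide"), ("allow", "all")]

# Constructed URL paths, as urlpath_regex would see them.
SAMPLES = ["/files/setup.exe", "/files/SETUP.EXE", "/files/setup.exe?mirror=2",
           "/files/tools.zip", "/docs/annexe", "/index.html"]

if __name__ == "__main__":
    print(f"{'urlpath':28} first last  anychar wide")
    for path in SAMPLES:
        print(f"{path:28} {http_access(DENY_FIRST, path):5} "
              f"{http_access(DENY_LAST, path):5} "
              f"{http_access(DENY_ANYCHAR, path):7} "
              f"{http_access(DENY_WIDE, path)}")
```

With the deny line placed after `allow all` every request is allowed, and the plain `\.exe$` pattern still lets through an upper-case extension or a path followed by a query string.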


[squid-users] Problem with authfixes patch

2004-02-20 Thread Jim Richey
After installing the squid-2.5.STABLE4-authfixes.patch I'm having a 
problem with NTLM authentication. When not logged into the domain the 
pop-up authentication window keeps coming up for every requested object.






[squid-users] ACL/restriction of OS-version/-type

2004-02-20 Thread Frank Fegert
Hi folks,

I'm using squid_ldap_auth to authenticate users against an ADS at one
site, which works fine. By security policy I'm required to process only
requests by Win2k or WinXP clients. Win9x clients should be denied. I
had two ideas how this could be accomplished:

1.) Assuming that the browser submits browsertype and OS-version at
each request, I could use this information. The question is how
I would access the information and pass it to an ACL?

2.) Taken from the squid logs the client submits its IP upon each
request. I would resolve the IP to a hostname, and look up if a
workstation object of the same name exists in the ADS by using
ldapsearch. Regarding the use of ldapsearch I would add the code
to squid_ldap_auth.

Could anyone comment on this, give me some pointers how this can be solved
more easily or has even come up with a solution in the past?

Regards,

Frank




[squid-users] Another Try with OWA

2004-02-20 Thread Eric Kahklen
Okay, hopefully this is less of a nightmare for people to read.  I am 
trying to get Squid to "reverse proxy" for my Exchange 2000 OWA 
interface.  I understand there are many configuration options, but these 
seem to be the most relevant to the Accelerator mode I am looking for.

https_port 443 cert=/etc/squid/key-cert.pem defaultsite=exchange.mail.org/exchange
cache_peer 10.0.0.5 parent 80 0 proxy-only no-query no-digest front-end-https=on

Regardless of what I try, I keep getting the error: Action canceled - 
Internet Explorer was unable to link to the Web page you requested.

I ran into this when I tried using Apache as a reverse proxy. The reason 
to move to Squid was that I was told that this is fixed in Squid 3.0. 
Can someone please help me??? I am new to squid so any kind points in 
the right direction would be much appreciated.

Thanks again,

Eric


[squid-users] auth of IE clients: autoauth with domain login?

2004-02-20 Thread fire-eyes
I'm using smb_auth to a win2k domain controller. I've got it to the 
point where when clients try to use the proxy they are asked their 
username and password, they enter their domain login info and it works fine.

However we'd like to carry over the same values as domain logon time 
over to IE, so users do not have to enter their username and password a 
second time. Not even a first time, so simply having IE remember 
passwords doesn't work here.

Any ideas?

Thanks gang.


[squid-users] Squid: The Definitive Guide

2004-02-20 Thread OTR Comm
Hello,

For anyone who is interested, amazon.com just shipped my copy of 'Squid:
The Definitive Guide,' Duane Wessels a month earlier than they
originally expected.

Murrah Boswell


Re: [squid-users] Squid: The Definitive Guide

2004-02-20 Thread Eric Kahklen
I got my copy the other day!! So far I am quite happy with the book!! 
Great purchase.

Eric

OTR Comm wrote:

> Hello,
>
> For anyone who is interested, amazon.com just shipped my copy of 'Squid:
> The Definitive Guide,' Duane Wessels a month earlier than they
> originally expected.
>
> Murrah Boswell

 



[squid-users] Lack of a BSD lib at SLack : squid compilation

2004-02-20 Thread Thomas TS
Greetings all,

   I am trying to compile the last stable squid in a Slackware box
system but this is preventing the building:

... 
gcc  -g -O2 -Wall  -g -o cf_gen  cf_gen.o -L../lib -lmiscutil -lm
-lresolv -lbsd -lnsl 
/usr/lib/gcc-lib/i486-slackware-linux/3.2.3/../../../../i486-slackware-linux/bin/ld: 
cannot find -lbsd < 
collect2: ld returned 1 exit status 
make[1]: *** [cf_gen] Error 1 
make[1]: Leaving directory `/home/squid/squid-2.5.STABLE4/src' 

I believe that it is about the lack of /usr/lib/libbsd.a which, in a Red
Hat system, is provided by glibc-devel-2.3.2-27.9.7, for instance... 

My Slack has installed all glibc stuff I could find (CDs and Inet) ! 

Any tip about it ?

PS: please, I am not in the squid mailing list, if anyone would reply, do
it privately.




[squid-users] acl for parent cache

2004-02-20 Thread Shahriar Mokhtari
Hi there,

My squid is using a parent cache including the option prefer_direct. 
However I do not want squid to send requests in the form http://n.n.n.n/ 
to the parent where 'n' is a number. I am setting up an acl in the form of

acl by_ip url_regex http://[\d,.]\{8,15\}/
cache_peer my_parent_cache parent 3128 3130  prefer_direct
cache_peer_access my_parent_cache deny by_ip
cache_peer_access my_parent_cache allow all

Before I change the squid configuration I need to make sure about two 
things. First does the regex look OK? I have read the meta character 
\{i,j\} may not be supported by all applications. Is it supported by 
squid-2.4 in linux platform?

The other question I have is that the above block of acl can be placed 
anywhere in squid.conf?

S. Mokhtari



Re: [squid-users] Deny yahoo messager

2004-02-20 Thread trainier
Doesn't yahoo use the same machine (ip address) for login requests?  If 
you don't know it, run a sniffer on a machine and identify it.
Then, simply block the machine(s) using the dst acl directive.

Tim Rainier





"Winanjaya" <[EMAIL PROTECTED]>
02/19/2004 09:34 PM
Please respond to "Winanjaya"
 
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject:Re: [squid-users] Deny yahoo messager


below is my /etc/iptables

iptables -A INPUT -s 172.16.1.88 --dport 80 -j ACCEPT
iptables -A INPUT -s 172.16.1.88 --dport 25 -j ACCEPT
iptables -A INPUT -s 172.16.1.88 --dport 110 -j ACCEPT
iptables -A INPUT -s 172.16.1.88 -j DROP
iptables -A FORWARD -s 172.16.1.88 --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.1.88 --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.16.1.88 --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.1.88 -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT

but yahoomessenger is smarter, it will check the opened port and then use 
it
..

I need advice .. thanks






Re: [squid-users] Deny yahoo messager

2004-02-20 Thread Davinder Sachdeva
what bat a deco envy ?

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 21, 2004 12:38 PM
Subject: Re: [squid-users] Deny yahoo messager


> Doesn't yahoo use the same machine (ip address) for login requests?  If
> you don't know it, run a sniffer on a machine and identify it.
> Then, simply block the machine(s) using the dst acl directive.
>
> Tim Rainier
>
>
>
>
>
> "Winanjaya" <[EMAIL PROTECTED]>
> 02/19/2004 09:34 PM
> Please respond to "Winanjaya"
>
> To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
> cc: <[EMAIL PROTECTED]>
> Subject:Re: [squid-users] Deny yahoo messager
>
>
> below is my /etc/iptables
>
> iptables -A INPUT -s 172.16.1.88 --dport 80 -j ACCEPT
> iptables -A INPUT -s 172.16.1.88 --dport 25 -j ACCEPT
> iptables -A INPUT -s 172.16.1.88 --dport 110 -j ACCEPT
> iptables -A INPUT -s 172.16.1.88 -j DROP
> iptables -A FORWARD -s 172.16.1.88 --dport 80 -j ACCEPT
> iptables -A FORWARD -s 172.16.1.88 --dport 25 -j ACCEPT
> iptables -A FORWARD -s 172.16.1.88 --dport 110 -j ACCEPT
> iptables -A FORWARD -s 172.16.1.88 -j DROP
> iptables -A FORWARD -i eth1 -j ACCEPT
>
> but yahoomessenger is smarter, it will check the opened port and then use
> it
> ..
>
> I need advice .. thanks
>
>
>
>
>
>
>