[squid-users] maxconn
Just tell me how it must work?

acl localnet src 172.16.0.0/19
acl conn_15 maxconn 15
http_access deny localnet conn_15

It looks like it limits connections to 15 from all 172.16.0.0/19. It's not possible to limit connection numbers from one IP?

--
Sem.
RE: [squid-users] maxconn
Will

acl localnet src 172.16.0.0/19
acl ahost src 172.16.1.1
acl conn_15 maxconn 15
http_access deny ahost conn_15
http_access allow localnet

or similar not work for you?

-Original Message-
From: Sergey Matveychuk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 July 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] maxconn

Just tell me how it must work?

acl localnet src 172.16.0.0/19
acl conn_15 maxconn 15
http_access deny localnet conn_15

It looks like it limits connections to 15 from all 172.16.0.0/19. It's not possible to limit connection numbers from one IP?

--
Sem.
Re: [squid-users] maxconn
Jay Turner wrote:
> Will
>
> acl localnet src 172.16.0.0/19
> acl ahost src 172.16.1.1
> acl conn_15 maxconn 15
> http_access deny ahost conn_15
> http_access allow localnet
>
> or similar not work for you?

It works, but I have about five hundred hosts in 172.16.0.0/19. No other way except add every host in squid.conf?

--
Sem.
[squid-users] Action Canceled
Hello,

We have been using Squid 2.4 STABLE6 since beginning of the year without any problem. Since sometimes now, we have problem with some HTML pages built by our ERP PeopleSoft. We get error messages like ACTION CANCELED from IE 6SP1, and 5.0 too. I tried with some parameters like request_header_maww_size with no luck. The problem began to appear when the number of lines on the page reached a limit (?). Say, with 140 lines, was ok. With 141, problem is present.

Has anyone seen problems like this? Thanks.

==
Pierre Yves Miroux
IT Manager, SIN et STES
01 49 38 32 32 fax: 01 49 38 46 23
==
RE: [squid-users] RE: User with Chinese LDAP CN does not work
Hello,

For users with Chinese LDAP CN name in the windows 2000 AD, I tried squid_ldap_auth in the command line, but it does not work, I guess this is not a problem with IE setting,

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=mtuzhuhai,dc=com -D cn=zpc9998t,ou=it,dc=mtuzhuhai,dc=com -w abcdefg -f (&(sAMAccountName=%s)(objectclass=user)) -h 53.12.2.13 -p 389 -s sub -P
yke0155 secretpassword
ERR

Notes: user name yke0155 has a Chinese LDAP CN name.

Thanks
David

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 2004726 14:49
To: Huang, David
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] RE: User with Chinese LDAP CN does not work

On Mon, 26 Jul 2004, Huang, David wrote:

> 1) user has to enter username (UPN) and password I tried to use sAMAccountName, instead of userPrincipalName, it works fine in the command line for squid_ldap_auth, but NOT for using it in the configuration file. I don't know why!

If it works from the command line then it must work from squid.conf as well. Make sure you use the exact same line in both.

> It is possible for the user do not need to enter the username and password, I mean it take the user name from system (IE?)

Not automatically in Basic authentication. The closest you have here is the ability to have MSIE (and most other browsers) save the entered password. If you want fully transparent authentication then look into NTLM authentication via Samba-3. This is the Microsoft Integrated Login mechanism also supported by MS ISA and IIS.

> 2) users with Chinese CN does not work. For users with Chinese CN and displayName in the windows 2000 AD, squid_ldap_auth will not work even in the command line. It is a bug or I need more configuration.

Probably LDAP and your browser does not agree on what encoding to use for the user name. If I am not mistaken LDAP uses UTF-8. Please use log_mime_hdrs to inspect what your browser is sending. What you are looking for is the Proxy-Authorization header which carries the login and password in base64 encoding.

Regards
Henrik
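The header inspection suggested in the message above can be done offline once the Proxy-Authorization value has been copied out of the log. The following is an added example, not code from the thread or from Squid: it decodes a Basic credential and reports whether the user-name bytes are ASCII, UTF-8, or something else. The function names, the constructed sample user name and the list of legacy code pages are assumptions.

```python
import base64
import binascii

# Assumption: legacy code pages a Chinese-locale browser might fall back to.
LEGACY_CODECS = ("gbk", "big5")


def make_basic_header(user, password, encoding):
    """Build a constructed sample header value, encoding the text as given."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def inspect_proxy_authorization(value):
    """Describe the user-name encoding in a Basic Proxy-Authorization value.

    The password is never returned, only its length in bytes, so the report
    can be pasted into a ticket or a mailing-list post.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("credential is not valid base64") from exc
    # Basic credentials are "user:password"; only the first ':' separates.
    user, sep, password = raw.partition(b":")
    if not sep:
        raise ValueError("decoded credential has no ':' separator")

    report = {"user_hex": user.hex(), "password_bytes": len(password),
              "encoding": None, "username": None, "candidates": {}}
    if user.isascii():
        report["encoding"] = "ascii"
        report["username"] = user.decode("ascii")
        return report
    try:
        report["username"] = user.decode("utf-8")
        report["encoding"] = "utf-8"
        return report
    except UnicodeDecodeError:
        # Bytes an LDAP server expecting UTF-8 will not match.
        report["encoding"] = "non-utf-8"
    # Heuristic only: show what the bytes would mean in each legacy code page.
    for codec in LEGACY_CODECS:
        try:
            report["candidates"][codec] = user.decode(codec)
        except UnicodeDecodeError:
            pass
    return report


if __name__ == "__main__":
    # Constructed samples: the same user name sent in two encodings.
    for enc in ("utf-8", "gbk"):
        header = make_basic_header("中文", "secretpassword", enc)
        print(enc, inspect_proxy_authorization(header))
```

A "non-utf-8" result means the browser and the directory disagree on the encoding, which is the mismatch described in the reply.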
RE: [squid-users] Action Canceled
> Hello, We have been using Squid 2.4 STABLE6 since beginning of the year without any problem. Since sometimes now, we have problem with some HTML pages built by our ERP PeopleSoft. We get error messages like ACTION CANCELED from IE 6SP1, and 5.0 too. I tried with some parameters like request_header_maww_size with no luck. The problem began to appear when the number of lines on the page reached a limit (?). Say, with 140 lines, was ok. With 141, problem is present.

Seems more like a browser problem, versus an issue with squid :

- Check squid's access log for those particular url's IE has problems with.
- Check squid's cache.log for further error(s) if any.

M.
RE: [squid-users] Action Canceled
Hi,

The problem is that, when i do not go through Squid, i have no problem. The page is displayed correctly through the browser (oops: forgot that crucial point).

==
Pierre Yves Miroux
IT Manager, SIN et STES
01 49 38 32 32 fax: 01 49 38 46 23
==

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On behalf of Elsen Marc
Sent: Tuesday, 27 July 2004 10:54
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [squid-users] Action Canceled

> Hello, We have been using Squid 2.4 STABLE6 since beginning of the year without any problem. Since sometimes now, we have problem with some HTML pages built by our ERP PeopleSoft. We get error messages like ACTION CANCELED from IE 6SP1, and 5.0 too. I tried with some parameters like request_header_maww_size with no luck. The problem began to appear when the number of lines on the page reached a limit (?). Say, with 140 lines, was ok. With 141, problem is present.

Seems more like a browser problem, versus an issue with squid :

- Check squid's access log for those particular url's IE has problems with.
- Check squid's cache.log for further error(s) if any.

M.
[squid-users] acl based on NT groups
Hello, I have researched the documentation and have not quite been able to come up with a definitive answer to this question. I am trying to create various levels of access to users based on the NT group that they are in. I am successfully using NTLM auth and am on 2.5STABLE4. Is there a way? Thanks.
RE: [squid-users] Action Canceled
> Hi, The problem is that, when i do not go through Squid, i have no problem. The page is displayed correctly through the browser (oops: forgot that crucial point).

Ok, that does not mean that the indicative action(s) which I suggested are not meaningful to execute and or verify.

Also could you in IE - Tools - Internet Options - Advanced :

* Uncheck : Show friendly HTTP error messages

Does this lead to more extended error info in those particular cases which you encounter ?

Last but not least : verify your problem against the latest STABLE Squid release. 2.4 is very old and virtually unsupported, even on the list.

M.
Re: [squid-users] Re: Re: Re: More NTLM Problems
Yeah I have the perms on that dir to 0750 with squid as the group owner. Also have the user squid in the squid group.

--- [EMAIL PROTECTED] wrote:

Quoting Adam Aube [EMAIL PROTECTED]:

Johnny Doe wrote:

--- Adam Aube [EMAIL PROTECTED] wrote:

Johnny Doe wrote:

--- Adam Aube [EMAIL PROTECTED] wrote:

To clarify: as the user Squid runs as, have you used wbinfo -a to perform an authentication test, and did you see success for both plaintext and challenge response authentication?

Yes the wbinfo -a run as user squid gives me back

plaintext password authentication succeeded
challenge/response password authentication succeeded

If I put squid-2.5-basic i get prompted for username/password and everything works fine, it's just squid-2.5-ntlmssp that I'm having problems with. Not sure if this help but in my winbindd.log I keep getting this:

[2004/07/26 11:49:39, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'squid' does not exist

Odd. Can you post the exact command(s) you used to run the wbinfo -a test as the squid user? If the password is on the command line, you can munge that.

-bash-2.05b$ wbinfo -a 465732%##
plaintext password authentication succeeded
challenge/response password authentication succeeded

465732 being the username and ## being the password

Since you didn't explicitly show it, I'm going to guess that you did a su squid before running wbinfo. Have you added any winbind lines to nsswitch.conf or PAM? If all you are using winbind for is Squid integration with a Windows domain, you don't need those lines and can take them out. That might be the source of the odd lines in winbindd.log, but that still won't explain why NTLM auth isn't working.

Just to be thorough, can you post your smb.conf file and the output of squid -v?

Adam

One thing that Adam pointed out to me when I was having similar problems was that the permissions on the winbind_privileged pipe need to be accessible by the user Squid runs as - I thought I had read and checked everything like yourself, but I had overlooked this important step. If I overlooked this, then I guess it is possible that others like yourself may do also :)

It is mentioned in the FAQ http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5 - just do a search on the page for winbind privileged pipe permissions

Regards,
Rob Hadfield
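The permission question raised in the message above (a directory set to 0750 with squid as the group owner) can be checked mechanically. The following is an added example, not code from the thread or from the Squid or Samba projects: it evaluates the classic Unix permission bits for a given user against a directory. The function names are hypothetical, and the directory path is a parameter because the thread does not give the location of the winbind privileged pipe; ACLs and mount options are not considered.

```python
import os
import pwd
import stat


def dir_access_for(st_mode, st_uid, st_gid, uid, gids):
    """Evaluate classic Unix permission bits for one user on a directory.

    Only ONE permission class applies: owner if the uid matches, otherwise
    group if any of the user's gids matches, otherwise other. A user who
    owns the directory does not fall through to the group bits.
    """
    if not stat.S_ISDIR(st_mode):
        raise ValueError("not a directory")
    if uid == st_uid:
        cls, r_bit, x_bit = "owner", stat.S_IRUSR, stat.S_IXUSR
    elif st_gid in gids:
        cls, r_bit, x_bit = "group", stat.S_IRGRP, stat.S_IXGRP
    else:
        cls, r_bit, x_bit = "other", stat.S_IROTH, stat.S_IXOTH
    return {
        "class": cls,
        # Search (x) permission is what is needed to reach a socket inside.
        "can_enter": uid == 0 or bool(st_mode & x_bit),
        "can_list": uid == 0 or bool(st_mode & r_bit),
        # Added least-privilege observation: any bit granted to "other".
        "world_accessible": bool(st_mode & stat.S_IRWXO),
    }


def check_directory(path, username):
    """Look up the user and the directory on this host and evaluate access.

    `path` is whatever directory holds the privileged pipe on your system;
    `username` is the account Squid runs as (both supplied by the caller).
    """
    pw = pwd.getpwnam(username)
    # Includes supplementary groups, e.g. membership added in /etc/group.
    gids = set(os.getgrouplist(username, pw.pw_gid))
    st = os.stat(path)
    return dir_access_for(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed values: root-owned directory, mode 0750, group id 23,
    # checked for a user with uid 23 who is a member of group 23.
    print(dir_access_for(stat.S_IFDIR | 0o750, 0, 23, 23, {23}))
```

Run `check_directory` as any user able to stat the directory; it only reads metadata and changes nothing.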
[squid-users] Using RAID 0 for cache
Hi there,

I am setting up Squid 2.5Stable5 at the moment, using four hard drives (2 mirrored for OS, 2 striped for squid cache). But I am not sure though for I have read that striping is not recommended for use with the cache squid generates. Is that true? And if it is, why is that? For I see only positive aspects in using striped hard drives within a cache... hope anyone is willing to explain that to me.

Regards,
Jens
RE: [squid-users] Using RAID 0 for cache
> Hi there, I am setting up Squid 2.5Stable5 at the moment, using four hard drives (2 mirrored for OS, 2 striped for squid cache). But I am not sure though for I have read that striping is not recommended for use with the cache squid generates. Is that true? And if it is, why is that? For I see only positive aspects in using striped hard drives within a cache... hope anyone is willing to explain that to me.

http://www.squid-cache.org/Doc/FAQ/FAQ-3.html#ss3.11

M.
RE: [squid-users] ldap auth testing
I restarted squid with the command options listed, but I don't get any ldap info. I don't get any info at all. Here is what the access.log file lists:

1090917920.55722 10.5.200.201 TCP_DENIED/407 1765 GET http://www.mozilla.org/products/firefox/start/ ctdlaptop NONE/- text/html

The login dialog box returns pretty quick. Is there a way to determine if I am even talking to the ldap server?

rick... Rom.5:8

Chris Perreault [EMAIL PROTECTED] 7/26/2004 10:53:25 AM

I usually start squid with a

./squid -N -d1

While testing stuff out. It makes for a simple ctrl-c to stop it and change the config file around. Your squid/var/log or wherever you specified you wanted log files to go will have info too.

Chris

-Original Message-
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] ldap auth testing

I am running squid2.5.stable5 on suse 9.0. I am trying to test my ldap connection. Is there a log file somewhere that I can see what is going on with the connection? I read a post the other day where they had re-compiled squid with debug markers (probably not the right term). Do I need to do that for ldap? The ldap source has messages, are they being written somewhere?

rick... Rom.5:8
RE: [squid-users] ldap auth testing
Go to the source code's helper/basic_auth/LDAP directory and check out the README there. Run the ldap auth helper outside of squid, and see if you are reaching the ldap server or do a ldapsearch to make sure you can reach the ldap directory. (man ldapsearch)

From my experience, and from what I've read in this list, it makes sense to make sure the helper works outside of the squid process. If it doesn't work there, it sure won't work within squid:)

Chris

-Original Message-
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 10:52 AM
To: [EMAIL PROTECTED]; Chris Perreault
Subject: RE: [squid-users] ldap auth testing

I restarted squid with the command options listed, but I don't get any ldap info. I don't get any info at all. Here is what the access.log file lists:

1090917920.55722 10.5.200.201 TCP_DENIED/407 1765 GET http://www.mozilla.org/products/firefox/start/ ctdlaptop NONE/- text/html

The login dialog box returns pretty quick. Is there a way to determine if I am even talking to the ldap server?

rick... Rom.5:8
RE: [squid-users] ldap auth testing
Thanks for the info. When I run ldapsearch I get the following message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: unknown authentication method (86)
additional info: SASL(-4): no mechanism available:

Any thoughts?

rick... Rom.5:8

Chris Perreault [EMAIL PROTECTED] 7/27/2004 10:00:01 AM

Go to the source code's helper/basic_auth/LDAP directory and check out the README there. Run the ldap auth helper outside of squid, and see if you are reaching the ldap server or do a ldapsearch to make sure you can reach the ldap directory. (man ldapsearch)

From my experience, and from what I've read in this list, it makes sense to make sure the helper works outside of the squid process. If it doesn't work there, it sure won't work within squid:)

Chris
RE: [squid-users] ldap auth testing
What did you type at the prompt? It seems like a parameter is missing. (perhaps the authentication method)

ldapsearch --help gives a list of options.

Chris

-Original Message-
From: Rick Whitley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 11:42 AM
To: [EMAIL PROTECTED]; Chris Perreault
Subject: RE: [squid-users] ldap auth testing

Thanks for the info. When I run ldapsearch I get the following message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: unknown authentication method (86)
additional info: SASL(-4): no mechanism available:

Any thoughts?

rick... Rom.5:8
[squid-users] IWSS + squid-icap
Hello all,

Saw some mention on the lists of a patch needed to use IWSS, is it possible to just change an option on the Trend server to fix it? Or do we definitely need the patch? If so, please can someone tell me how to get the patch - on the list it says email protected for the contact Hendrik posted..

Thanks
Dave

P.s. please copy me on replies (not on the list)
[squid-users] slackware question
What is the preferred cache_dir option for an ext2 filesystem on a slackware machine?
Re: [squid-users] slackware question
On Tue, Jul 27, 2004 at 07:05:38PM +0300, Costas Zacharopoulos wrote:
> What is the preferred cache_dir option for an ext2 filesystem on a slackware machine?

Depends on your number of users, the disk size, the RAID system, the disk controller, your expected traffic...

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.14

Christoph

--
~ ~ .signature [Modified] 3 lines --100%--3,41 All
[squid-users] Hardware spec.
I have a network with 8,000 users. I look to purchase two boxes to put on the for high availability. But I wanted to know how to determine what type a box to get, dual p4?, 1gig mem, 80gig, etc. I read on squid site that squid does not benefit from a dual box. What have you guys noticed in the field.
[squid-users] Fw: Re: Re: Re: More NTLM Problems
Please reply to the list and not to me personally.

Johnny Doe wrote:

--- Adam Aube [EMAIL PROTECTED] wrote:

> Since you didn't explicitly show it, I'm going to guess that you did a su squid before running wbinfo. Have you added any winbind lines to nsswitch.conf or PAM? If all you are using winbind for is Squid integration with a Windows domain, you don't need those lines and can take them out. Just to be thorough, can you post your smb.conf file and the output of squid -v?

Yes I did su over to squid before running that command. I'm not sure you meant by the if I changed pam but here is the squid file from the /etc/pam.d

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth

Here is a copy of my nsswitch.conf

passwd: files nisplus
shadow: files nisplus
group: files nisplus
hosts: files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind nisplus
rpc: files
services: files winbind nisplus
netgroup: files winbind nisplus
publickey: nisplus
automount: files winbind nisplus
aliases: files nisplus

smb.conf

[global]
workgroup = SMC
server string = SMCSquid Samba Server
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = domain
password server = smcnt3
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 33
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
password server = smcnt3

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

squid -v

Squid Cache: Version 2.5.STABLE5
configure options: --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group, winbind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge --enable-useragent-log --enable-referer-log --disable-dependency-tracking --enable-cachemgr-hostname=localhost --disable-ident-lookups --enable-truncate --enable-underscores --datadir=/usr/share --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam, multi-domain-NTLM,SASL,winbind
[squid-users] Re: Hardware spec.
spivkid wrote:
> I have a network with 8,000 users. I look to purchase two boxes to put on the for high availability. But I wanted to know how to determine what type a box to get, dual p4?, 1gig mem, 80gig, etc.

The two biggest considerations for Squid boxes are RAM and disks, because Squid will generally bottleneck there first.

1) Size your RAM based on the guidelines in this FAQ http://www.squid-cache.org/Doc/FAQ/FAQ-8.html#ss8.11

2) Get the fastest disks you can afford - SCSI preferred over IDE. Ideally, dedicate a physical disk to just the Squid cache. Squid's cache does not benefit from RAID, and some types (RAID 5 in particular) will kill disk performance.

> I read on squid site that squid does not benefit from a dual box. What have you guys noticed in the field.

Squid itself does not benefit from a dual-CPU setup. However, one CPU can be running Squid while the other CPU runs the async-IO programs, Squid helpers, and processes from other parts of the system, so there is some benefit to a multi-CPU system. However, RAM and fast SCSI disks will give you the most benefit for cost.

Adam
[squid-users] Re: maxconn
Sergey Matveychuk wrote:
> Just tell me how it must work?
>
> acl localnet src 172.16.0.0/19
> acl conn_15 maxconn 15
> http_access deny localnet conn_15
>
> It looks like it limits connections to 15 from all 172.16.0.0/19. It's not possible to limit connection numbers from one IP?

With those acls, each address in the 172.16.0.0/19 range will have its own limit of 15 connections to the proxy. If you want to give different addresses different connection limits, or give connection limits to only a few IP addresses, you will need multiple acl sets, as has already been pointed out.

Adam
Re: [squid-users] acl based on NT groups
Hi,

At 13.34 27/07/2004, Jeff Heckart wrote:
> Hello, I have researched the documentation and have not quite been able to come up with a definitive answer to this question. I am trying to create various levels of access to users based on the NT group that they are in. I am successfully using NTLM auth and am on 2.5STABLE4. Is there a way?

Yes, what you need is to add an external ACL helper to your configuration. If you are using a Samba 2 back-end, you can use wbinfo_group or winbind_group. If you are using a Samba 3 back-end, you can use wbinfo_group only.

See Squid FAQs for more details: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
[squid-users] Re: acl based on NT groups
Jeff Heckart wrote:
> I am trying to create various levels of access to users based on the NT group that they are in. I am successfully using NTLM auth and am on 2.5STABLE4.

Use the appropriate external_acl group helper - wb_group for Samba 2.2.x and wbinfo_group for Samba 3. This is (somewhat) in the Winbind FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

Adam
Re: [squid-users] Fw: Re: Re: Re: More NTLM Problems
I'm not sure what's going on. I just put a clean fedora 2 install on the box and I am getting the same exact problem. I have no idea what I'm doing wrong but there is def something wrong. The only thing I find weird is that I am trying to use this with dansguardian and if I stop dansguardian and comment out the

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

it still doesn't let me out. I keep getting denied in the access log.

--- Adam Aube [EMAIL PROTECTED] wrote:

> Please reply to the list and not to me personally.
Re: [squid-users] How to increase TCP-HIT ratio
maes wrote:
... My worst problem is about images. I really don't have any idea, why some images are not loaded :-( Do You think that cache size a memory usage can be a reason ?

What logged for those images in your access.log ? Can you show us some entries ?

Hello, I'm back. I made some tests and here is the result. I can simulate the problem. I ran these commands on another machine to simulate huge traffic on the proxy server:

export http_proxy=http://10.0.0.226:3128
for i in www.seznam.cz www.yahoo.com www.centrum.cz www.lupa.cz www.bbc.cz www.cnn.com www.msn.com www.amazon.com www.root.cz www.linux.cz
do
    wget -r -q "$i"
done

On the proxy server I changed the debugging settings to ALL,3. Then on a different machine I tried to get www.centrum.cz pages and ... bingo ! On the second hit two pictures were not loaded. When I tried to grep the URL of those unloaded images ( http://img.centrum.cz/2/vrtad/pl21_1090824345.jpg ) I got this ( time is right ! )

Tue Jul 27 14:54:17 2004 10 10.0.0.220 TCP_HIT/200 1347 GET http://img.centrum.cz/2/vrtad/pl21_1090824345.jpg - NONE/- image/jpeg

Then I tried to find this URL in cache.log, found this:

2004/07/27 14:54:17| The request GET http://img.centrum.cz/2/vrtad/pl21_1090824345.jpg is ALLOWED, because it matched 'localnet'
2004/07/27 14:54:17| cbdataAdd: 0x852f190
2004/07/27 14:54:17| cbdataLock: 0x822e9b0
2004/07/27 14:54:17| cbdataLock: 0x88580c0
2004/07/27 14:54:17| cbdataLock: 0x882d320
2004/07/27 14:54:17| cbdataValid: 0x822e9b0
2004/07/27 14:54:17| aclCheck: checking 'no_cache deny QUERY'
2004/07/27 14:54:17| aclMatchAclList: checking QUERY
2004/07/27 14:54:17| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2004/07/27 14:54:17| aclMatchRegex: checking '/2/vrtad/pl21_1090824345.jpg'
2004/07/27 14:54:17| aclMatchRegex: looking for 'cgi-bin'
2004/07/27 14:54:17| aclMatchRegex: looking for '\?'
2004/07/27 14:54:17| aclMatchAclList: returning 0
2004/07/27 14:54:17| cbdataUnlock: 0x822e9b0
2004/07/27 14:54:17| aclCheck: NO match found, returning 1
2004/07/27 14:54:17| aclCheckCallback: answer=1
2004/07/27 14:54:17| cbdataValid: 0x882d320
2004/07/27 14:54:17| storeGet: looking up 942A79FACE6DD2216C5C6728E42E4459
2004/07/27 14:54:17| clientProcessRequest2: default HIT
2004/07/27 14:54:17| storeLockObject: key '942A79FACE6DD2216C5C6728E42E4459' count=1
2004/07/27 14:54:17| storeDiskdDirRefObj: referencing 0x879e930 0/32056
2004/07/27 14:54:17| new_MemObject: returning 0x8a28698
2004/07/27 14:54:17| cbdataAdd: 0x8859a90
2004/07/27 14:54:17| cbdataLock: 0x882d320
2004/07/27 14:54:17| storeClientCopy: 942A79FACE6DD2216C5C6728E42E4459, seen 0, want 0, size 4096, cb 0x805c2b0, cbdata 0x882d320
2004/07/27 14:54:17| cbdataLock: 0x8859a90
2004/07/27 14:54:17| storeClientCopy2: 942A79FACE6DD2216C5C6728E42E4459
2004/07/27 14:54:17| storeClientCopy3: Need to open swap in file
2004/07/27 14:54:17| storeSwapInStart: called for 0 7D38 942A79FACE6DD2216C5C6728E42E4459
2004/07/27 14:54:17| storeSwapInStart: Opening fileno 7D38
2004/07/27 14:54:17| storeDiskdOpen: fileno 7D38
2004/07/27 14:54:17| cbdataAdd: 0x845d720
2004/07/27 14:54:17| cbdataLock: 0x8859a90
2004/07/27 14:54:17| cbdataLock: 0x845d720
2004/07/27 14:54:17| cbdataLock: 0x845d720
2004/07/27 14:54:17| storeClientCopy3: reading from STORE
2004/07/27 14:54:17| storeDiskdRead: dirno 0, fileno 7D38
2004/07/27 14:54:17| cbdataValid: 0x845d720
2004/07/27 14:54:17| cbdataLock: 0x8859a90
2004/07/27 14:54:17| cbdataLock: 0x845d720
2004/07/27 14:54:17| cbdataUnlock: 0x8859a90
2004/07/27 14:54:17| cbdataUnlock: 0x882d320
2004/07/27 14:54:17| cbdataUnlock: 0x88580c0
2004/07/27 14:54:17| cbdataFree: 0x852f190
2004/07/27 14:54:17| cbdataReallyFree: Freeing 0x852f190
2004/07/27 14:54:17| cbdataUnlock: 0x882d320
2004/07/27 14:54:17| cbdataUnlock: 0x88580c0
2004/07/27 14:54:17| cbdataFree: 0x852f0b0
2004/07/27 14:54:17| cbdataReallyFree: Freeing 0x852f0b0
2004/07/27 14:54:17| cbdataValid: 0x845d720
2004/07/27 14:54:17| cbdataUnlock: 0x845d720
2004/07/27 14:54:17| storeDiskdOpenDone: dirno 0, fileno 7d38 status 4
2004/07/27 14:54:17| commSetTimeout: FD 13 timeout 900
2004/07/27 14:54:17| InvokeHandlers: CB307558C66FA4E5E5185938A618DF25
2004/07/27 14:54:17| InvokeHandlers: checking client #0
2004/07/27 14:54:17| cbdataLock: 0x882d670
2004/07/27 14:54:17| storeClientCopy2: CB307558C66FA4E5E5185938A618DF25
2004/07/27 14:54:17| storeClientCopy3: Copying from memory
2004/07/27 14:54:17| cbdataValid: 0x8859508
2004/07/27 14:54:17| cbdataLock: 0x8859508
2004/07/27 14:54:17| cbdataUnlock: 0x882d670
2004/07/27 14:54:17| httpPconnTransferDone: FD 13
2004/07/27 14:54:17| commSetTimeout: FD 13 timeout -1
2004/07/27 14:54:17| cbdataUnlock: 0x8860710
2004/07/27 14:54:17| fwdUnregister: http://i.ck.cz/f/107/36p.jpg
2004/07/27 14:54:17| cbdataUnlock: 0x8857018
2004/07/27 14:54:17| pconnNew: adding i.ck.cz.80
2004/07/27 14:54:17| commSetTimeout: FD 13 timeout 120
2004/07/27 14:54:17| pconnPush: pushed FD 13 for
Re: [squid-users] squid_ldap_auth
Right. The LDAP Helpers update patch to 2.5.STABLE6 was quite broken. Should be fixed now (Bug #1018).

Regards
Henrik

On Mon, 26 Jul 2004, Neil Wilson wrote:
I have tried using a non daily autogenerated release, but a stable 2.5 version and now I don't get the same problem. Thanks!
Neil Wilson
DcData/LinuxBox S.A.

- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Neil Wilson [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; David Wilson [EMAIL PROTECTED]
Sent: Monday, July 26, 2004 3:48 PM
Subject: Re: [squid-users] squid_ldap_auth

On Mon, 26 Jul 2004, Neil Wilson wrote:
Error: squid_ldap_auth: sasl.c:83: ldap_sasl_bind: Assertion `ld != ((void *)0)' failed.

Wtf... squid_ldap_auth asks for a simple bind, not a sasl bind. Looks like the OpenLDAP version you are using is broken or they have changed the API in manners seriously incompatible with earlier versions or other LDAP libraries (which I doubt).

Regards
Henrik
Re: [squid-users] Fedora Core 2 and Wccp 1 support
On Mon, 26 Jul 2004, unixware wrote:
4) then in /root directory modprobe ip_wccp i get following error
modprobe ip_wccp
FATAL: Module ip_wccp not found.
module is automatically copied to /lib/modules/2.6.5-1.358custom/extra/ip_wccp.ko

and what kernel are you currently running? You MUST compile and run your own kernel to build third-party modules in a sane manner.

Regards
Henrik
Re: [squid-users] IWSS + squid-icap
On Tue, 27 Jul 2004, Dave Raven wrote:
Saw some mention on the lists of a patch needed to use IWSS, is it possible to just change an option on the Trend server to fix it?

IWSS has additional demands on the ICAP implementation which can not be fulfilled by the ICAP patch published by HP Labs in a sane manner. Because of this MARA wrote a new ICAP patch to fulfill the needs of IWSS. Unfortunately due to some events outside the scope of this list the original customer never paid for this patch and hence the patch has not yet been published until there is a customer willing to pay for the development of this patch.

Or do we definitely need the patch? If so, please can someone tell me how to get the patch

If you want seamless integration of IWSS ICAP you need the patch. Access to the patch including support can be bought from MARA Systems by contacting [EMAIL PROTECTED]

Regards
Henrik
RE: [squid-users] ldap auth testing
On Tue, 27 Jul 2004, Rick Whitley wrote:
Thanks for the info. When I run ldapsearch I get the following message:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: unknown authentication method (86)
additional info: SASL(-4): no mechanism available:

man ldapsearch, look for sasl. (-x option)

Regards
Henrik
Re: [squid-users] maxconn
On Tue, 27 Jul 2004, Sergey Matveychuk wrote:
It works, but I have about five hundred hosts in 172.16.0.0/19. No other way except add every host in squid.conf?

Your first attempt makes a limit of 15 connections PER IP, and is what you want.

Regards
Henrik
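The per-address behaviour described in the reply above, as an added example that is not part of the thread and not Squid's own code: a small Python model of how the two http_access lines are evaluated. The helper names and the sample traffic are constructed, and the `allow localnet` line is assumed from Jay Turner's earlier suggestion.

```python
# Added example: a toy model of Squid's http_access evaluation, not Squid code.
from collections import Counter
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("172.16.0.0/19")   # acl localnet src 172.16.0.0/19
MAXCONN = 15                             # acl conn_15 maxconn 15

def acl_localnet(client, conns):
    return ip_address(client) in LOCALNET

def acl_conn_15(client, conns):
    # maxconn looks only at the requesting client's own address and matches
    # once that address has MORE than MAXCONN connections established.
    return conns[client] > MAXCONN

# http_access lines are checked top-down; every ACL on a line must match.
HTTP_ACCESS = [
    ("deny", [acl_localnet, acl_conn_15]),   # http_access deny localnet conn_15
    ("allow", [acl_localnet]),               # http_access allow localnet (assumed)
]

def http_access(client, conns):
    for action, acls in HTTP_ACCESS:
        if all(acl(client, conns) for acl in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

def simulate(opens):
    """Replay connection opens (one client IP per event); return verdicts per IP."""
    conns, verdicts = Counter(), {}
    for client in opens:
        conns[client] += 1          # the new connection is counted before the check
        verdicts.setdefault(client, []).append(http_access(client, conns))
    return verdicts

def constructed_traffic():
    """Constructed sample: 500 hosts with 10 connections each, one host with 20."""
    hosts = [str(h) for h in list(LOCALNET.hosts())[:500]]
    return [h for h in hosts for _ in range(10)] + ["172.16.31.200"] * 20 + ["192.0.2.7"]

if __name__ == "__main__":
    result = simulate(constructed_traffic())
    for ip in ("172.16.0.1", "172.16.31.200", "192.0.2.7"):
        print(ip, dict(Counter(result[ip])))
```

The 500 hosts hold 5000 connections between them and none is denied; only the single address that goes past 15 is refused. In Squid itself the maxconn ACL depends on `client_db` being on, which is the default.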
RE: [squid-users] RE: User with Chinese LDAP CN does not work
On Tue, 27 Jul 2004, Huang, David wrote:
For users with Chinese LDAP CN name in the windows 2000 AD, I tried squid_ldap_auth in the command line, but it does not work, I guess this is not a problem with IE setting,
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=mtuzhuhai,dc=com -D cn=zpc9998t,ou=it,dc=mtuzhuhai,dc=com -w abcdefg -f ((sAMAccountName=%s)(objectclass=user)) -h 53.12.2.13 -p 389 -s sub -P
yke0155 secretpassword
ERR

This indeed rules out any browser dependencies. How long is the user's DN in UTF-8? There is an upper limit of 256 octets in squid_ldap_auth, maybe this is the problem? Try using the '-d' option to make squid_ldap_auth a bit more verbose about what it is doing.

Regards
Henrik
Re: [squid-users] Linux 2.6 Kernel. Any benefits?
I'm running smoothly a RH 9 server with kernel 2.6.6 and squid 2.5 stable 4, with great improvements on VM handling, before kernel 2.6 it used to swap even though I don't have a memory shortage.
[]'s

On Wed, 23 Jun 2004 06:11:25 +, Lizzy Dizzy [EMAIL PROTECTED] wrote:
Hi All, I am keen to switch my kernel to 2.6.7, due to reports that it is much more efficient than the current 2.4 kernel. I am currently using Squid 2.5-S4. Has anybody switched from a 2.4 kernel to a 2.6 kernel? Do you really see a performance boost in squid?
Thanks
Liz

-- If you really want something in this life, you have to work for it. Now, quiet! They're about to announce the lottery numbers... - Homer Simpson
RE: [squid-users] RE: User with Chinese LDAP CN does not work
Hello, the feedback after using -d

[EMAIL PROTECTED] libexec]# ./squid_ldap_auth -d -R -b dc=mtuzhuhai,dc=com -D cn=zpc9998t,ou=it,dc=mtuzhuhai,dc=com -w abcdefg -h 53.12.2.13 -p 389 -f ((sAMAccountName=%s)(objectclass=user))
zpc9996t secretpassword
user filter '((sAMAccountName=zpc9996t)(objectclass=user))', searchbase 'dc=mtuzhuhai,dc=com'
attempting to bind to user 'CN=ZPC9996T,OU=IT,DC=mtuzhuhai,DC=com'
OK
yke0155 secretpassword
user filter '((sAMAccountName=yke0155)(objectclass=user))', searchbase 'dc=mtuzhuhai,dc=com'
attempting to bind to user 'CN=???,OU=IT,DC=mtuzhuhai,DC=com'
ERR

1) User CN is all 6 octets, then mean user DN will not be short than 256 octets.
2) ??? should be chinese

Thanks
David

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 2004728 6:36
To: Huang, David ()
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] RE: User with Chinese LDAP CN does not work

On Tue, 27 Jul 2004, Huang, David wrote:
For users with Chinese LDAP CN name in the windows 2000 AD, I tried squid_ldap_auth in the command line, but it does not work, I guess this is not a problem with IE setting,
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=mtuzhuhai,dc=com -D cn=zpc9998t,ou=it,dc=mtuzhuhai,dc=com -w abcdefg -f ((sAMAccountName=%s)(objectclass=user)) -h 53.12.2.13 -p 389 -s sub -P
yke0155 secretpassword
ERR

This indeed rules out any browser dependencies. How long is the user's DN in UTF-8? There is an upper limit of 256 octets in squid_ldap_auth, maybe this is the problem? Try using the '-d' option to make squid_ldap_auth a bit more verbose about what it is doing.

Regards
Henrik
[squid-users] Blocking Virus
Dear all, can anybody tell me how to install a free anti virus for a squid server? (On the mailserver I already installed the free AV Clamav.) Thanks, David
[squid-users] can i use SQUID for Caching Only..
Hi ppl, can I get the solutions for the following questions. Pls help me out...

Browser(Clients ) Squid box proxy box(apache) --- Real servers( Internet)

1) I am running apache as proxy server. I want to use squid only for caching not for proxying. Is it possible? How to do this?
2) In the above figure how can I pass clients' requests received at the squid box port no:8090 to the proxy box ( other system) with port no: 8081 .. is there any redirect available such that web requests can be passed to the proxy system and which in turn are passed to the real server.

Thanx
Regards
Kiran
Re: [squid-users] Fedora Core 2 and Wccp 1 support
FATAL: Module ip_wccp not found.
module is automatically copied to /lib/modules/2.6.5-1.358custom/extra/ip_wccp.ko

and what kernel are you currently running? You MUST compile and run your own kernel to build third-party modules in a sane manner.

I am using the default kernel that comes with Fedora 2 ( 2.6.5-1.358). What if I try putting a line for /lib/modules/2.6.5-1.358custom/extra/ip_wccp.ko in the modules.dep file?

Thanks and Regards
UX