[squid-users] ip setup
Hello,

I have configured the squid proxy server. I have two LAN cards: one is configured with the internal network, which is the proxy IP for client machines, and the other is configured with the external network. But I found that a lot of foreign IPs are connecting to the external IP, with connections in ESTABLISHED and SYN_SENT state. Is there any security threat because of this? Can anyone tell me how the proxy connection with two LAN cards should be set up?

Devendra
[squid-users] NET too slow after squid
Hi,

I have Squid 2.5STABLE1 installed on a Linux box which is in between a Zyxel router and the LAN connection. I am using pam_auth for authentication. Whenever people go through squid (around 200 people) the connection is fine for around 20-30 min. But eventually the speeds go very low. If the router is restarted, the problem goes away and comes again after 20-30 min. Checked at the squid server, the memory usage was not very high and the CPU usage was also normal. The squid server also has apache/MailScanner/clamav/sendmail running on it. Cache is not enabled on it. The server is a Pentium 4 processor with 1 GB RAM in it. Can anybody suggest what might be wrong?

Regards,
Boskey Chheda
[squid-users] user auth
Hi,

I am wondering if it is possible to auth by user name instead of IP. My main computer is a Linux box which connects to the net; my sister connects from a Windows machine and is allowed full access to the net. The problem is that my daughter also uses the Windows machine and I want to limit the internet to only certain days at certain times for her. Is this possible with squid?

Thanks in advance,
B. Rumsey

P.S. I am a newly converted Windows user so I don't know too much about Linux.
[squid-users] Uses a Windows NT authentication domain.
Hi,

I am new to squid. Is there anyone who knows about using Windows NT authentication for squid? Please advise. Thanks.

Cheers,
yenonn
Re: [squid-users] reverse proxy to improve HTTP responses?
On Sat, 21 Aug 2004 01:24:20 +0200 (CEST), Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Fri, 20 Aug 2004, Laurian Gridinoc wrote:
>
> > I wonder if squid in reverse proxy mode (probably with cache turned on) can improve the metadata that the web server is delivering:
>
> Not really no.
>
> > If my web server delivers only content-type and expires, no content-length or Etag; may squid add for a cached response the content-length so the client may pipeline data with the reverse proxy?
>
> ETag can only be constructed in a reliable manner by the origin server. This header must not be taken lightly as it is a very fundamental header of HTTP/1.1 operations.
>
> > may squid respond with 304 Not Modified if it is the case? may squid upgrade the communication to HTTP/1.1?
>
> For 304 responses it is sufficient to have a Last-Modified header. Almost all web servers are capable of sending this header.

Yes, if the page is a static document. Imagine a CGI app. that knows only of Content-type (mandatory) and Expires; would squid not only serve the response from its cache while the response is still fresh, but reply with 304 if that is the case?

Thank you,
--
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.gd.ro
Re: [squid-users] can not access sites due to acl when using ntlm auth
On Fri, 20 Aug 2004, Merton Campbell Crockett wrote:

> The assumptions were stated in an elided paragraph that the proxy was restricted to KIOSK users and that they were restricted to destinations specified in KIOSK.dstdomain. If there are other users of the proxy and they are permitted to access any destination, the following supports the condition. The last rule is for clarity and to show that all conditions have been enumerated.
>
> http_access allow !KIOSK
> http_access deny !KIOSK.dstdomain
> http_access allow KIOSK

In my experience this is more confusing than what you gain. If your goal is to allow KIOSK access to certain domains then use the combination

http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK

If this does not work then at least one of the acls is wrongly defined and you won't see the desired result no matter how you rearrange the http_access rules.

The first rule in your example (allow !KIOSK) is very dangerous as this allows everyone else in the whole world access. Such rules should not be used unless you have been very strict earlier up on what IP addresses may access the proxy.

As a general rule of thumb only use full negations in http_access deny rules, such as

http_access deny !our_networks

or partial negations in combination with something else which makes sense

http_access allow ournetworks !restricted_sites

possibly followed by something like

http_access allow our_networks privileged_users

Negations are very powerful, but should be used carefully.

Regards
Henrik
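As an added illustration of the rule-ordering point in the reply above (example code written for this page, not code from the thread or from Squid itself), the following Python models how Squid walks http_access lines: the first line whose ACL terms all match decides, and a request that matches no line gets the opposite of the last line's action. It evaluates the questioned `allow !KIOSK` ordering beside the recommended `allow KIOSK KIOSK.dstdomain` / `deny KIOSK` pair for a few constructed clients. The ACL definitions, user names and addresses are constructed for the demonstration; only the ACL names KIOSK, KIOSK.dstdomain and our_networks come from the thread.

```python
"""Added example, not from the squid-users thread or from Squid's code:
a small model of http_access evaluation, used to compare the risky
`allow !KIOSK` ordering with the `allow KIOSK KIOSK.dstdomain` /
`deny KIOSK` pair recommended in the reply."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str        # client address (constructed)
    user: str       # authenticated user, "" when anonymous (constructed)
    dstdomain: str  # requested host


# Constructed ACL definitions standing in for squid.conf `acl` lines:
# KIOSK is a user-name ACL, KIOSK.dstdomain a dstdomain ACL and
# our_networks a src ACL.
ACLS = {
    "KIOSK": lambda r: r.user in {"kiosk1", "kiosk2"},
    "KIOSK.dstdomain": lambda r: r.dstdomain.endswith(".example.com"),
    "our_networks": lambda r: r.src.startswith("10.0."),
}


def parse_rules(text):
    """Turn `http_access allow|deny term [term ...]` lines into
    (action, [(acl_name, negated), ...]) tuples; a leading '!' negates."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        terms = [(t.lstrip("!"), t.startswith("!")) for t in parts[2:]]
        rules.append((parts[1], terms))
    return rules


def evaluate(rules, req):
    """First line on which every term matches decides; with no match the
    opposite of the last line's action applies (Squid's default)."""
    for action, terms in rules:
        if all(ACLS[name](req) != negated for name, negated in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The ordering questioned in the thread: `allow !KIOSK` fires for any
# non-KIOSK client, including one from outside the organisation.
RISKY = """
http_access allow !KIOSK
http_access deny !KIOSK.dstdomain
http_access allow KIOSK
"""

# The recommended shape: a full negation only in a deny line, then the
# allow/deny pair for KIOSK, then the ordinary users.
SAFER = """
http_access deny !our_networks
http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK
http_access allow our_networks
"""

# Constructed sample requests.
CASES = {
    "outsider": Request("203.0.113.9", "", "www.example.org"),
    "kiosk_to_allowed": Request("10.0.1.5", "kiosk1", "intranet.example.com"),
    "kiosk_to_other": Request("10.0.1.5", "kiosk1", "www.example.org"),
    "staff": Request("10.0.2.7", "alice", "www.example.org"),
}


def compare(cases=CASES):
    """Return {case: (decision under RISKY, decision under SAFER)}."""
    risky, safer = parse_rules(RISKY), parse_rules(SAFER)
    return {name: (evaluate(risky, r), evaluate(safer, r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:18} risky={a:5} safer={b}")
```

The only case on which the two rule sets disagree is the outsider: under the first ordering the anonymous client from 203.0.113.9 is allowed by `allow !KIOSK` before any destination check runs, while the second ordering denies it on the `deny !our_networks` line. Both orderings treat the KIOSK users themselves identically, which is why the difference is easy to miss in testing from inside the network.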
Re: [squid-users] reverse proxy to improve HTTP responses?
On Fri, 20 Aug 2004, Laurian Gridinoc wrote:

> I wonder if squid in reverse proxy mode (probably with cache turned on) can improve the metadata that the web server is delivering:

Not really no.

> If my web server delivers only content-type and expires, no content-length or Etag; may squid add for a cached response the content-length so the client may pipeline data with the reverse proxy?

ETag can only be constructed in a reliable manner by the origin server. This header must not be taken lightly as it is a very fundamental header of HTTP/1.1 operations.

> may squid respond with 304 Not Modified if it is the case? may squid upgrade the communication to HTTP/1.1?

For 304 responses it is sufficient to have a Last-Modified header. Almost all web servers are capable of sending this header.

Regards
Henrik
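As an added example of the validator point made above (written for this page; not code from the thread or from Squid), this Python function decides what a cache can answer to a conditional request for an object it already holds. With only Content-Type and Expires there is no validator to compare, so the cache can never answer 304; with a Last-Modified header it can. ETag handling is deliberately absent, since the cache must not synthesise one. The header values are constructed.

```python
"""Added example, not from the squid-users thread or from Squid's code:
how a cache answers a conditional GET for an object it holds.  A 304 is
only possible when the cached object carries a validator; with only
Content-Type and Expires there is nothing to compare, and an ETag is
never synthesised by the cache.  Header values are constructed."""

from email.utils import parsedate_to_datetime


def conditional_status(cached, request):
    """Return 304 when the client's If-Modified-Since is not older than the
    cached object's Last-Modified, otherwise 200 (full response).
    ETag/If-None-Match is deliberately not handled here: only the origin
    can produce ETags, so the cache leaves that exchange to the origin."""
    ims = request.get("If-Modified-Since")
    lm = cached.get("Last-Modified")
    if ims is None or lm is None:
        return 200  # no validator on one side: nothing to compare
    try:
        return 304 if parsedate_to_datetime(lm) <= parsedate_to_datetime(ims) else 200
    except (TypeError, ValueError):
        return 200  # unparsable date: treat the request as unconditional


# Constructed responses as stored by the reverse proxy.
NO_VALIDATOR = {            # the CGI case from the thread
    "Content-Type": "text/html",
    "Expires": "Fri, 20 Aug 2004 13:00:00 GMT",
}
WITH_LAST_MODIFIED = {
    "Content-Type": "text/html",
    "Expires": "Fri, 20 Aug 2004 13:00:00 GMT",
    "Last-Modified": "Thu, 19 Aug 2004 12:00:00 GMT",
}

# Constructed client revalidation requests.
REVALIDATE = {"If-Modified-Since": "Thu, 19 Aug 2004 12:00:00 GMT"}
STALE_COPY = {"If-Modified-Since": "Wed, 18 Aug 2004 12:00:00 GMT"}

if __name__ == "__main__":
    print("CGI without Last-Modified:", conditional_status(NO_VALIDATOR, REVALIDATE))
    print("with Last-Modified:       ", conditional_status(WITH_LAST_MODIFIED, REVALIDATE))
    print("client copy older than LM:", conditional_status(WITH_LAST_MODIFIED, STALE_COPY))
```

A CGI that emits only Content-Type and Expires therefore gets served from the cache while fresh, but every client revalidation after that costs a full 200; adding Last-Modified to the CGI output is what turns those into 304 replies.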
Re: [squid-users] Squid 3.0 SSL connection
On Fri, 20 Aug 2004, Rob O'Connor wrote:

> cache_peer 10.x.y.2 parent 80 0 no-query originserver
> cache_peer 10.x.y.135 parent 80 0 no-query originserver
> cache_peer 10.x.y.139 parent 80 0 no-query originserver
> cache_peer 10.x.y.2 parent 443 0 no-query ssl proxy-only originserver

You have many peers defined, but I see no directives telling Squid when to use which peer. See the cache_peer_access directive.

Regards
Henrik
Re: [squid-users] conf squid to use a specific interface
On Fri, 20 Aug 2004, Wayne Cox wrote:

> I'd like to know how to [if possible] configure Squid to use one specific ethernet interface in the machine for outbound traffic to destination web sites? I have tried using "tcp_outgoing_address 12.219.10.10" but it doesn't seem to be working. Am I even on the right track with that one?

You are on the right track. What you are missing is proper routing within your OS to make it route traffic assigned to that NIC out via the provider connected to that NIC.

You did not tell what OS you are using, but if using Linux see the Linux Advanced Routing Howto on how to create the required policy routes.

You could also change the default route of your server, but this may have impact on other traffic.

Regards
Henrik
Re: [squid-users] How can i tell, if Squid is compiled with NTLM support?
squid -v

Regards
Henrik

On Fri, 20 Aug 2004, Flavio Borup wrote:

> command ldd /usr/sbin/squid can help?
> command strings /usr/sbin/squid can help? (--enable-auth=ntlm,basic)
Re: Fwd: [squid-users] Block via mac address?
On Fri, 20 Aug 2004, Pablo Morante wrote:

> Yes, you can do an acl like:
>
> acl allow_mac arp 00:E0:02:EF:...
>
> and then in the http_access
>
> http_access allow allow_mac
>
> the mac support is implemented from version 2.5 (maybe?), before this version there was no mac support.

The arp acl was added in version Squid-1.2.beta9 (Dec 5 19:30:03 1997) and exists in all Squid-2.X versions, provided it is enabled at compile time and supported on your OS.

Regards
Henrik
Re: [squid-users] Transparent config OK if not used?
On Fri, 20 Aug 2004, Steve Snyder wrote:

> I understand that there are some problems associated with configuring Squid (2.5S6 + patches) as a transparent proxy. Are there any negative effects from having a transparent config even if the browsers are directly addressing the cache?

Nope. The two happily coexist.

Regards
Henrik
RE: [squid-users] SSL and Reverse Proxy
On Fri, 20 Aug 2004, Brad Taylor wrote:

> 1. The browser opens an SSL connection directly to the origin server. I do not want this as I want to use the cache for images.
>
> 2. The browser tunnels the request through Squid with the CONNECT request method.

2 is not relevant in reverse proxies.

> Will caching work with this? How is this setup?

Nope. What you need is Squid-3.0, or Squid-2.5 + SSL update + a bit of tweaking, as Squid-2.5 does not have the same flexible reverse proxy configuration as Squid-3.0 does.

Regards
Henrik
RE: [squid-users] SSL and Reverse Proxy
On Fri, 20 Aug 2004, Chris Perreault wrote:

> https_port 443 vhost cert=/path_to_squid/squid/etc/squid_cert.pem key=/path_to_squid/squid/etc/squid_key.pem vhost

vhost on an https_port? and twice?

Most people run a single domain on each https_port. You probably should specify a defaultsite=... there instead. But if your SSL certificate is a wildcard certificate then vhost makes sense (in addition to defaultsite).

Regards
Henrik
Re: [squid-users] squid chroot jail no running copy error
On Fri, 20 Aug 2004, Rick G. Kilgore wrote:

> > I'm not what you would call a Fedora pro, but I suspect you will need to chroot to the environment in order to run the squid -k reconfigure... E.g.
> >
> > chroot /wka usr/local/squidSTABLE6/sbin/squid -k reconfigure
>
> That works, would have never thought that this would be necessary. Now I have to know why. On a mission.

Because you chrooted Squid when you started it, all paths opened by Squid are relative to the chroot, not the normal system root. If you do not chroot "squid -k ..." in the same manner, "squid -k ..." runs in a different environment and won't find the correct paths to either your configuration file or the pid file, as its view is relative to the system root directory, not your chroot.

Using the chroot_dir directive in squid.conf is generally advisable over manual chrooting of Squid. This makes sure paths are always correct and also allows you to keep sensitive information such as the configuration file and Squid binary etc outside of the chroot.

Regards
Henrik
Re: [squid-users] squid chroot jail no running copy error
Manual chroot currently.

On Sat, Aug 21, 2004 at 01:01:53AM +0200, Henrik Nordstrom wrote:
> On Fri, 20 Aug 2004, Rick G. Kilgore wrote:
>
> > I am new to the squid proxy. I do like it a lot and it has already been very useful.
> > Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> > When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
>
> Then "squid -k ..." does not find the pid file.
>
> Are you doing manual chrooting or using the chroot_dir directive in squid.conf?
>
> Regards
> Henrik
Re: [squid-users] squid chroot jail no running copy error
On Fri, 20 Aug 2004, Rick G. Kilgore wrote:

> I am new to the squid proxy. I do like it a lot and it has already been very useful.
> Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.

Then "squid -k ..." does not find the pid file.

Are you doing manual chrooting or using the chroot_dir directive in squid.conf?

Regards
Henrik
Re: [squid-users] aufs question
On Fri, 20 Aug 2004, Costas Zacharopoulos wrote:

> what is the recommended aufs filesystem type?

reiserfs, but ext2 also works good if it wasn't for those long fscks on power failures.. ext3 is not very good for cache.

> for a ide hard disk 4Gb partition which is the recommended aufs setting?

L2 should always be 256 as it is in the default. L1 should be at least total size * 2 / ( L2 * L2 * 13KB ).

Regards
Henrik
Re: [squid-users] Squid restarting
On Fri, 20 Aug 2004 [EMAIL PROTECTED] wrote:

> That was for the default model, 2 other models are available:
>
> 32-bit Large Memory Model
> The large memory model is selected by specifying -bmaxdata:0xN000, where N may be 1-8. This allocates N memory segments for user data and also allows the user stack to completely occupy a segment. The maximum number of segments that can be used for user data is 8.

Looks reasonable.

> 32-bit Very Large Memory Model
> The very large memory model is selected by specifying -bmaxdata:0xN000/DSA, where N may be 1-8. This allocates up to 8 memory segments for user data, but the segments are allocated dynamically. In AIX 5.2 the maximum number of segments increases to 10 with the stack having its own segment, or 13 if the stack segment is shared with shared library text and data. Under AIX 5.1 (current version running on p690) the limit is the same as for large memory model, 8.

Not much difference, is there? Pick one.

The whole segmenting business is confusing. Why should applications need to be built specifying these details? Why not simply have the kernel and dynamic linker decide based on OS set limits like all other OSes?

> 64-bit Memory Model

Overkill for Squid, and changes things a bit too much generally.

Regards
Henrik
Re: [squid-users] getting fresh contents from site
On Fri, 20 Aug 2004, Payal Rathod wrote:

> My clock is very very accurate. But can you please explain what does this have to do with new contents being delivered.

If the clocks are way off then the freshness controls done by Squid can give false results.

Regards
Henrik
Re: [squid-users] hierarchy problerms
On Fri, 20 Aug 2004, Swaroop wrote:

> I got the first problem solved, with the child forwarding all requests to the parent. But the second problem still exists. My college does not run a dns server, could that be the problem? Or am I missing something in the configuration? Following are the entries related to dns in my conf as I have kept them...

If a squid is on a private network without internet connectivity except for a parent proxy, never_direct MUST be used. If it is, Squid does not require DNS access.

Regards
Henrik
[squid-users] reverse proxy to improve HTTP responses?
Hello,

I wonder if squid in reverse proxy mode (probably with cache turned on) can improve the metadata that the web server is delivering:

If my web server delivers only content-type and expires, no content-length or Etag; may squid add for a cached response the content-length so the client may pipeline data with the reverse proxy?

may squid respond with 304 Not Modified if it is the case?

may squid upgrade the communication to HTTP/1.1?

Thank you,
--
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.gd.ro
[squid-users] conf squid to use a specific interface
Hi All,

Running Squid 2.5-4 on a FreeBSD system. I'd like to know how to [if possible] configure Squid to use one specific ethernet interface in the machine for outbound traffic to destination web sites? I have tried using "tcp_outgoing_address 12.219.10.10" but it doesn't seem to be working. Am I even on the right track with that one?

The primary NIC in the machine is connected to our LAN, along with the client PCs and the router that the machine's default route points to. The secondary NIC is connected to cheap incoming bandwidth from the cable company. I'd like to have Squid pulling in the requested web traffic over the secondary NIC only, to off-load our primary connection.

Squid works ok, and serves and caches clients' requests just fine if I let it use the default interface. After adding the tcp_outgoing_address, the client web browser hangs for a minute or so, then displays a message from Squid:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.whatever.net

The following error was encountered:
Connection Failed

The system returned:
(61) Connection refused

The remote host or network may be down. Please try the request again.

Any suggestions? Config options of interest are:

http_port 208.62.177.40:3128 [the primary connection, and default route]
tcp_outgoing_address 12.219.10.10 [the 2nd NIC I want to use]

-Thanks,
WC
[squid-users] Squid 3.0 SSL connection
I am trying to make the following work:

client https -> squid https -> origin server

I keep getting:

client https -> squid http -> origin server

trying to make an ssl connection to 10.x.y.2. Here is what I have in squid.conf:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access deny !Safe_ports
http_access allow all
icp_access allow all
http_reply_access allow all
http_port 80 accel vhost
cache_peer 10.x.y.2 parent 80 0 no-query originserver
cache_peer 10.x.y.135 parent 80 0 no-query originserver
cache_peer 10.x.y.139 parent 80 0 no-query originserver
coredump_dir /usr/local/squid/var/cache
https_port 443 vhost cert=/usr/local/squid/etc/servercert.pem key=/usr/local/squid/etc/serverkey.pem cafile=/usr/local/squid/etc/cacert.pem
cache_peer 10.x.y.2 parent 443 0 no-query ssl proxy-only originserver login=PASS sslcert=/usr/local/squid/etc/servercert.pem sslkey=/usr/local/squid/etc/serverkey.pem sslflags=DONT_VERIFY_PEER front-end-https=on
cache_effective_user squid
cache_effective_group squid
cache_mgr [EMAIL PROTECTED]
ssl_unclean_shutdown on

Thanks!
RE: [squid-users] SSL and Reverse Proxy
Because the web page is coded to require and redirect to HTTPS, I can not terminate at Squid without the development team recoding the page. That will be done at some point but I would like to test it first with allowing SSL to the back end server. I see from the FAQ page that I have these options:

1. The browser opens an SSL connection directly to the origin server. I do not want this as I want to use the cache for images.
2. The browser tunnels the request through Squid with the CONNECT request method.

Will caching work with this? How is this setup?

Thanks

-----Original Message-----
From: Chris Perreault [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 20, 2004 9:56 AM
To: Brad Taylor; [EMAIL PROTECTED]
Subject: RE: [squid-users] SSL and Reverse Proxy

You could use a private cert, or a commercial one. Squid needs to be configured with the ssl option. For a simple test you can type:

openssl req -new -x509 -nodes -keyout squid_key.pem -out squid_cert.pem

to generate a self signed cert. Do this in your squid's etc directory and then something like:

https_port 443 vhost cert=/path_to_squid/squid/etc/squid_cert.pem key=/path_to_squid/squid/etc/squid_key.pem vhost

We decided not to put SSL on the actual webserver. Traffic between our site and the end user is encrypted via the SSL so we saw no need to put an extra burden on the webserver too. The above is on squid-3, btw.

Chris

-----Original Message-----
From: Brad Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 19, 2004 6:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] SSL and Reverse Proxy

OK. What cert would I use for the SSL from Squid to the web server? The same cert? How would this be setup? I can't find any documentation about how to setup most of the SSL (HTTPS) configuration. I do have The Definitive Guide, but only a small section about SSL (HTTPS) on page 304.
-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 19, 2004 6:12 PM
To: Brad Taylor
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] SSL and Reverse Proxy

On Thu, 19 Aug 2004, Brad Taylor wrote:

> I'm trying to setup Squid as a reverse proxy with SSL. I remember seeing a post here that showed the 3 options for SSL reverse proxy but I can't find it now. I would like to test without terminating the SSL at the Squid box.

You can't. To proxy, the SSL needs to be terminated. What you can do if you do not want to terminate the SSL and have it running all the way back to the web server is to tunnel the SSL using a simple TCP plug or NAT/port-forwarding.

> Can I have the cert on both the Squid and IIS web server but when I hit the Squid box with https://IP_address_of_squid I get sent to https://IP_address_of_IIS_web_server therefore it is not getting anything from cache.

This is possible with Squid-3 (or Squid-2.5 with SSL update and a bit of tinkering). But please note that in such a configuration the SSL is terminated at the proxy and then a new SSL is opened between the proxy and the web server. In most configurations this second SSL is not really needed but you have the choice.

Squid-2.5 (without SSL update) can only terminate SSL connections, acting as an SSL server. It can not initiate SSL connections.

Regards
Henrik
[squid-users] Re: How can i tell, if Squid is compiled with NTLM support?
Flavio Borup wrote:
> (--enable-auth=ntlm,basic)

squid -v

Adam
Re: [squid-users] hierarchy problerms
I got the first problem solved, with the child forwarding all requests to the parent. But the second problem still exists. My college does not run a dns server, could that be the problem? Or am I missing something in the configuration? Following are the entries related to dns in my conf as I have kept them...

# cache_dns_program /usr/lib/squid/
# dns_children 5
# dns_retransmit_interval 5 seconds
# dns_timeout 5 minutes
# dns_defnames off
dns_nameservers 10.0.1.1
negative_ttl 5 minutes
# positive_dns_ttl 6 hours
# negative_dns_ttl 5 minutes
visible_hostname none
#hostname_aliases none

Thank You

Dave Raven wrote:
> Add login=PASS to the end of your cache peer line, this will instruct it to pass up any login information in the request.
>
> -----Original Message-----
> From: Swaroop Shere [mailto:[EMAIL PROTECTED]]
> Sent: 20 August 2004 09:40 AM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] hierarchy problerms
> Importance: High
>
> Hello,
> I am a college student trying to implement a hierarchy of proxy servers as a part of a project. The parent is at 10.0.1.1, while the child is at 10.0.2.55. While I am configuring the child, I have no control over the parent. (I have to give a written application for any services from the authorities wrt the parent.) They have enabled the icp port. After my initial configuration, the child squid started successfully. I have kept no authentication at the child (comments kept at all authentication parameters), but the parent requires authentication; it uses some microsoft module (sorry, I am still a newbie).
>
> Now I have 2 problems.
>
> First: Whenever a browser configured to request the child tries to access a local website (eg http://10.0.0.222), it gets a prompt for username and password, whose title shows 10.0.2.55, and even if I enter the same username and passwd that I use for the parent, it gives me an authentication error. Through tcpdump, I found out that the child squid is not forwarding the username and password to the parent. The error page that the client receives shows that the error is generated by the parent squid (10.0.1.1). Also, all requests from the clients through the parent directly are served.
>
> Second: Whenever a browser configured to request the child squid tries to access a remote website (eg www.google.com), the client does not get any prompt for proxy username and password, and finally gives an error that the page is not found. If the same client is configured to request the parent (10.0.1.1), it gets the pages.
>
> What could be this problem? Please help.
> Thank you.
[squid-users] How can i tell, if Squid is compiled with NTLM support?
command ldd /usr/sbin/squid can help?
command strings /usr/sbin/squid can help? (--enable-auth=ntlm,basic)
[squid-users] Re: getting fresh contents from site
Payal Rathod wrote:
> On Fri, Aug 20, 2004 at 01:49:34PM +0200, Henrik Nordstrom wrote:
> > Make sure the clock of your proxy is reasonably correct, and have the clients configured to use the proxy. A click on the Reload button then makes sure the new content is delivered like normal.
>
> My clock is very very accurate. But can you please explain what does this have to do with new contents being delivered.

Squid compares system time to the content's Expires time and/or Last-Modified time to determine if the content is new.

Adam
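As an added example of the point made in this reply and in Henrik's answer in the same thread (that a wrong proxy clock gives false freshness results), the following Python is a simplified model of the freshness decision, written for this page rather than taken from the thread or from Squid's source. It takes the proxy's own idea of the current time as input and shows what a clock that is a day fast or a day slow does to the decision. The min/percent/max numbers are those of the `refresh_pattern . 0 20% 4320` line posted elsewhere on this page; the header values, clock offsets and the helper `at()` are constructed.

```python
"""Added example, not from the squid-users thread or from Squid's code:
a simplified model of Squid's freshness check, used to show how a wrong
proxy clock turns a fresh object stale or a stale one fresh.  Parameters
follow `refresh_pattern . 0 20% 4320` (min 0 minutes, 20% of the
object's age since Last-Modified, max 4320 minutes); header values and
clock offsets are constructed."""

from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def is_fresh(headers, now, min_s=0, pct=0.20, max_s=4320 * 60):
    """Simplified freshness decision: an explicit Expires wins; otherwise
    the Last-Modified factor, bounded by the min/max limits.  `now` is the
    proxy's clock, which is exactly what clock skew corrupts."""
    date = parsedate_to_datetime(headers["Date"])
    age = (now - date).total_seconds()
    if "Expires" in headers:
        return now < parsedate_to_datetime(headers["Expires"])
    if age <= min_s:
        return True
    if age > max_s:
        return False
    if "Last-Modified" in headers:
        lifetime = (date - parsedate_to_datetime(headers["Last-Modified"])).total_seconds()
        return age < pct * lifetime
    return False  # no heuristic available: revalidate


# Constructed cached responses: one with an explicit Expires, one that
# relies on the Last-Modified heuristic.
EXPLICIT = {
    "Date": "Fri, 20 Aug 2004 12:00:00 GMT",
    "Expires": "Fri, 20 Aug 2004 13:00:00 GMT",
}
HEURISTIC = {
    "Date": "Fri, 20 Aug 2004 12:00:00 GMT",
    "Last-Modified": "Thu, 19 Aug 2004 12:00:00 GMT",
}


def at(text):
    """Constructed helper: 'YYYY-MM-DD HH:MM' -> aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def skew_report(headers, real_now, skew_hours):
    """Compare the decision at the true time with the decision a proxy
    whose clock is off by `skew_hours` would make for the same object."""
    skewed = real_now + timedelta(hours=skew_hours)
    return {
        "correct_clock": is_fresh(headers, real_now),
        "skewed_clock": is_fresh(headers, skewed),
    }


if __name__ == "__main__":
    print("fresh object, clock a day fast:", skew_report(EXPLICIT, at("2004-08-20 12:30"), 24))
    print("expired object, clock a day slow:", skew_report(EXPLICIT, at("2004-08-20 14:00"), -24))
    print("heuristic, stale, clock a day slow:", skew_report(HEURISTIC, at("2004-08-20 18:00"), -24))
```

A fast clock makes the proxy refetch objects that are still within their Expires window (the "new content never arrives" symptom turns into needless origin load), while a slow clock lets a cache hand out copies whose Expires has already passed, or makes a negative age pass the min-age check in the heuristic path. Either way the decision is only as good as the proxy's clock, which is why the advice in the thread starts with checking it.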
Fwd: [squid-users] Block via mac address?
Yes, you can do an acl like:

acl allow_mac arp 00:E0:02:EF:...

and then in the http_access

http_access allow allow_mac

The mac support is implemented from version 2.5 (maybe?); before this version there was no mac support.

Excuse my English.
Pablo.

---------- Forwarded message ----------
From: Rick Whitley <[EMAIL PROTECTED]>
Date: Fri, 20 Aug 2004 11:05:35 -0500
Subject: [squid-users] Block via mac address?
To: [EMAIL PROTECTED]

Is it possible to block net access via the mac address of the user? I realize this is an open ended question; I want to know if this is possible with squid?

thanks
rick...
Rom.5:8
Re: [squid-users] Block via mac address?
See the FAQ on www.squid-cache.org section 10.20

Rick Whitley wrote:
> Is it possible to block net access via the mac address of the user? I realize this is an open ended question; I want to know if this is possible with squid?
>
> thanks
> rick...
> Rom.5:8

Rick G. Kilgore
State of Colorado Department of Revenue
IT/CSTARS (DDP/CCR/RWOC)
RE: [squid-users] Block via mac address?
One of many examples located by a search of "mac address" through the search box at www.squid-cache.org:

http://www.squid-cache.org/mail-archive/squid-users/200205/0618.html

Or

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.20

Chris

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 20, 2004 12:06 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Block via mac address?

Is it possible to block net access via the mac address of the user? I realize this is an open ended question; I want to know if this is possible with squid?

thanks
rick...
Rom.5:8
[squid-users] Block via mac address?
Is it possible to block net access via the mac address of the user? I realize this is an open ended question; I want to know if this is possible with squid?

thanks
rick...
Rom.5:8
RE: [squid-users] Transparent config OK if not used?
As long as your iptables rules only affect traffic that's not destined to your squid port, you should be fine.

-----Original Message-----
From: Steve Snyder [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2004 04:06 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Transparent config OK if not used?

I understand that there are some problems associated with configuring Squid (2.5S6 + patches) as a transparent proxy. Are there any negative effects from having a transparent config even if the browsers are directly addressing the cache?

On my (Linux, RedHat v9) LAN the browsers should all be configured to point to the Squid proxy. However there is the occasional lapse, such as from a newly-installed browser or a guest system on the network. I would like to have a transparent config in place to ensure that all HTTP traffic goes through the proxy, but not at the cost of introducing problems for all the correctly configured browsers.

So, if I enable transparent proxying with these options:

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

(together with an iptables rule) will there be problems on the browsers that are already explicitly configured to address the proxy?

Thanks.
Re: [squid-users] can not access sites due to acl when using ntlm auth
On Fri, 20 Aug 2004, Henrik Nordstrom wrote:

> On Thu, 19 Aug 2004, Merton Campbell Crockett wrote:
>
> > Perhaps it would be clearer and simpler to write this as two access rules.
> >
> > http_access deny !KIOSK.dstdomain
> > http_access allow KIOSK
>
> No, this won't work either as this restricts all users to the KIOSK.dstdomain destinations, not only the KIOSK users.

The assumptions were stated in an elided paragraph that the proxy was restricted to KIOSK users and that they were restricted to destinations specified in KIOSK.dstdomain. If there are other users of the proxy and they are permitted to access any destination, the following supports the condition. The last rule is for clarity and to show that all conditions have been enumerated.

http_access allow !KIOSK
http_access deny !KIOSK.dstdomain
http_access allow KIOSK

If there are multiple conditional destination domain cases, one possible solution is to define another proxy to handle the set of destination domains in order to simplify the problem. These could run on the same system but use different ports.

Merton Campbell Crockett
General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems
Re: [squid-users] squid chroot jail no running copy error
That works, would have never thought that this would be necessary. Now I have to know why. On a mission. Thank you for your help and time.

Dave Raven wrote:
> I'm not what you would call a Fedora pro, but I suspect you will need to chroot to the environment in order to run the squid -k reconfigure... E.g.
>
> chroot /wka usr/local/squidSTABLE6/sbin/squid -k reconfigure
>
> ?
>
> -----Original Message-----
> From: Rick G. Kilgore [mailto:[EMAIL PROTECTED]]
> Sent: 20 August 2004 04:02 PM
> To: Mohsin Khan
> Cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] squid chroot jail no running copy error
>
> I am starting squid via the /etc/rc.d/rc3.d/S99local init file right now. The command in the file is "chroot /wka usr/local/squidSTABLE6/sbin/squid -sD". I can see the process running as squid with ps -ef | grep squid. The pid from ps matches the pid in the squid.pid in the logs directory. OS type: Fedora Core 1.
>
> Mohsin Khan wrote:
> > Do you run the squid from the jail chroot environment? Do you see the process when you do ps awux.
> >
> > --- "Rick G. Kilgore" <[EMAIL PROTECTED]> wrote:
> > > Hello all,
> > >
> > > I am new to the squid proxy. I do like it a lot and it has already been very useful.
> > > Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> > > When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> > > I did look at the FAQ and did try the solution for 11.43, did not help. squid pid is on the correct volume in the correct place.
> > > I was unable to locate anything in the mail archive. Hopefully I am not
> >
> > Regards,
> > Mohsin Khan
> > CCNA ( Cisco Certified Network Associate 2.0 )
> > http://pk.aaghaz.net

Rick G. Kilgore
State of Colorado Department of Revenue
IT/CSTARS (DDP/CCR/RWOC)
RE: [squid-users] squid chroot jail no running copy error
I'm not what you would call a Fedora pro, but I suspect you will need to chroot to the environment in order to run the squid -k reconfigure... E.g.

    chroot /wka usr/local/squidSTABLE6/sbin/squid -k reconfigure

?

-----Original Message-----
From: Rick G. Kilgore [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2004 04:02 PM
To: Mohsin Khan
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] squid chroot jail no running copy error

I am starting squid via the /etc/rc.d/rc3.d/S99local init file right now. The command in the file is "chroot /wka usr/local/squidSTABLE6/sbin/squid -sD". I can see the process running as squid with ps -ef | grep squid. The pid from ps matches the pid in the squid.pid in the logs directory. OS type Fedora Core 1.

Mohsin Khan wrote:
> Do you run squid from the chroot jail environment? Do you see the process when you do ps awux.
>
> --- "Rick G. Kilgore" <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I am new to the squid proxy. I do like it a lot and it has already been very useful.
> > Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> > When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> > I did look at the FAQ and did try the solution for 11.43, did not help.
> > squid pid is on the correct volume in the correct place.
> > I was unable to locate anything in the mail archive.
> > Hopefully I am not
> >
> > Rick G. Kilgore
>
> =
> Regards,
> Mohsin Khan

--
Rick G. Kilgore
[squid-users] Transparent config OK if not used?
I understand that there are some problems associated with configuring Squid (2.5S6 + patches) as a transparent proxy. Are there any negative effects from having a transparent config even if the browsers are directly addressing the cache?

On my (Linux, RedHat v9) LAN the browsers should all be configured to point to the Squid proxy. However there is the occasional lapse, such as from a newly-installed browser or a guest system on the network. I would like to have a transparent config in place to ensure that all HTTP traffic goes through the proxy, but not at the cost of introducing problems for all the correctly configured browsers.

So, if I enable transparent proxying with these options:

    httpd_accel_port 80
    httpd_accel_host virtual
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

(together with an iptables rule) will there be problems on the browsers that are already explicitly configured to address the proxy?

Thanks.
Re: [squid-users] squid chroot jail no running copy error
I am starting squid via the /etc/rc.d/rc3.d/S99local init file right now. The command in the file is "chroot /wka usr/local/squidSTABLE6/sbin/squid -sD". I can see the process running as squid with ps -ef | grep squid. The pid from ps matches the pid in the squid.pid in the logs directory. OS type Fedora Core 1.

Mohsin Khan wrote:
> Do you run squid from the chroot jail environment? Do you see the process when you do ps awux.
>
> --- "Rick G. Kilgore" <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I am new to the squid proxy. I do like it a lot and it has already been very useful.
> > Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> > When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> > I did look at the FAQ and did try the solution for 11.43, did not help.
> > squid pid is on the correct volume in the correct place.
> > I was unable to locate anything in the mail archive.
> > Hopefully I am not
> >
> > Rick G. Kilgore
>
> =
> Regards,
> Mohsin Khan

--
Rick G. Kilgore
RE: [squid-users] SSL and Reverse Proxy
You could use a private cert, or a commercial one. Squid needs to be configured with the ssl option. For a simple test you can type:

    openssl req -new -x509 -nodes -keyout squid_key.pem -out squid_cert.pem

to generate a self signed cert. Do this in your squid's etc directory and then something like:

    https_port 443 vhost cert=/path_to_squid/squid/etc/squid_cert.pem key=/path_to_squid/squid/etc/squid_key.pem

We decided not to put SSL on the actual webserver. Traffic between our site and the end user is encrypted via the SSL so we saw no need to put an extra burden on the webserver too. The above is on squid-3, btw.

Chris

-----Original Message-----
From: Brad Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 19, 2004 6:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] SSL and Reverse Proxy

OK. What cert would I use for the SSL from Squid to the web server? The same cert? How would this be set up? I can't find any documentation about how to set up most of the SSL (HTTPS) configuration. I do have The Definitive Guide, but only a small section about SSL (HTTPS) on page 304.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 19, 2004 6:12 PM
To: Brad Taylor
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] SSL and Reverse Proxy

On Thu, 19 Aug 2004, Brad Taylor wrote:

> I'm trying to setup Squid as a reverse proxy with SSL. I remember seeing a post here that showed the 3 options for SSL reverse proxy but I can't find it now. I would like to test without terminating the SSL at the Squid box.

You can't. To proxy, the SSL needs to be terminated. What you can do if you do not want to terminate the SSL and have it running all the way back to the web server is to tunnel the SSL using a simple TCP plug or NAT/port-forwarding.

> Can I have the cert on both the Squid and IIS web server but when I hit the Squid box with https://IP_address_of_squid I get sent to https://IP_address_of_IIS_web_server therefore it is not getting anything from cache.

This is possible with Squid-3 (or Squid-2.5 with SSL update and a bit of tinkering). But please note that in such configuration the SSL is terminated at the proxy and then a new SSL is opened between the proxy and the web server. In most configurations this second SSL is not really needed but you have the choice.

Squid-2.5 (without SSL update) can only terminate SSL connections, acting as an SSL server. It can not initiate SSL connections.

Regards
Henrik
RE: [squid-users] getting fresh contents from site
-----Original Message-----
From: Payal Rathod [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 20, 2004 9:35 AM
To: Henrik Nordstrom
Cc: Squid ML
Subject: Re: [squid-users] getting fresh contents from site

On Fri, Aug 20, 2004 at 01:49:34PM +0200, Henrik Nordstrom wrote:
> On Fri, 20 Aug 2004, Payal Rathod wrote:
>
> > A few of our clients put their designs on their sites and update them regularly. Now I am behind squid server. My users are complaining they can see the old designs and not new ones. Is there anything I can do about it?
>
> Make sure the clock of your proxy is reasonably correct, and have the clients configured to use the proxy. A click on the Reload button then makes sure the new content is delivered like normal.

My clock is very very accurate. But can you please explain what this has to do with new contents being delivered.
-Payal

Logic would say that if I am a proxy that is caching data and I go to check to see if there is something new/updated out on the web, I'd check by the time/date of the file. If my check showed a file out on the web had a timestamp of 1pm August 4th, 2004 on it and my server clock said it was August 5th, then that newer file would not appear to be newer to me. That's why he said "reasonably accurate".

Chris
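To make the clock point in this thread concrete, here is an added example (not code from the thread or from Squid) that applies a simplified refresh_pattern-style freshness decision to two constructed responses, once with a correct proxy clock and once with a clock running a day slow. The heuristic (Expires wins, otherwise a percentage of the Last-Modified age) is an assumption that approximates Squid's real algorithm.

```python
"""Why the proxy clock matters for freshness: an added example, not from the thread.

Approximates the refresh_pattern-style decision Squid makes for a cached
object (a simplification of Squid's real algorithm, used here as an assumption):
an Expires header wins outright; otherwise the LM-factor heuristic grants a
lifetime equal to a percentage of the object's age at fetch time.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def is_fresh(headers, now, min_age=timedelta(0), pct=0.2, max_age=timedelta(days=3)):
    """True if the cached copy would be served without asking the origin at time `now`.
    `now` is the proxy's own clock; Date/Expires/Last-Modified come from the origin."""
    date = parsedate_to_datetime(headers["Date"])
    if "Expires" in headers:
        return now < parsedate_to_datetime(headers["Expires"])
    age = now - date
    if "Last-Modified" in headers:
        lm_age = date - parsedate_to_datetime(headers["Last-Modified"])
        lifetime = max(min_age, min(max_age, lm_age * pct))
        return age < lifetime
    return age < min_age


# Constructed responses for the "old design" page, as the origin served them.
EXPIRES_HEADERS = {
    "Date": "Fri, 20 Aug 2004 10:00:00 GMT",
    "Expires": "Fri, 20 Aug 2004 12:00:00 GMT",
}
LAST_MODIFIED_HEADERS = {
    "Date": "Fri, 20 Aug 2004 10:00:00 GMT",
    "Last-Modified": "Thu, 19 Aug 2004 10:00:00 GMT",   # 24 h old when fetched
}

# Real time of the next request (6 h after fetch), versus a proxy clock one day slow.
CORRECT_NOW = datetime(2004, 8, 20, 16, 0, tzinfo=timezone.utc)
SLOW_NOW = CORRECT_NOW - timedelta(days=1)


def skew_report(headers):
    """Return (fresh with correct clock, fresh with slow clock).
    With a slow clock both responses look fresh, so the old design keeps
    being served from cache long after the origin has replaced it."""
    return is_fresh(headers, CORRECT_NOW), is_fresh(headers, SLOW_NOW)


if __name__ == "__main__":
    for name, hdrs in (("Expires", EXPIRES_HEADERS), ("Last-Modified", LAST_MODIFIED_HEADERS)):
        ok, slow = skew_report(hdrs)
        print("%-14s correct clock: fresh=%-5s  clock one day slow: fresh=%s" % (name, ok, slow))
```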
Re: [squid-users] squid chroot jail no running copy error
Do you run squid from the chroot jail environment? Do you see the process when you do ps awux.

--- "Rick G. Kilgore" <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am new to the squid proxy. I do like it a lot and it has already been very useful.
> Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> I did look at the FAQ and did try the solution for 11.43, did not help.
> squid pid is on the correct volume in the correct place.
> I was unable to locate anything in the mail archive.
> Hopefully I am not
>
> Rick G. Kilgore

=
Regards,
Mohsin Khan
CCNA ( Cisco Certified Network Associate 2.0 )
http://pk.aaghaz.net

>>>Happy is the one who can smile<<<
Re: [squid-users] squid chroot jail no running copy error
Version 2.5.STABLE6

Elsen Marc wrote:
> > Hello all,
> >
> > I am new to the squid proxy. I do like it a lot and it has already been very useful.
> > Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> > When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> > I did look at the FAQ and did try the solution for 11.43, did not help.
> > squid pid is on the correct volume in the correct place.
> > I was unable to locate anything in the mail archive.
> > Hopefully I am not
>
> Squid version ?
>
> M.

--
Rick G. Kilgore
Re: [squid-users] getting fresh contents from site
On Fri, Aug 20, 2004 at 01:49:34PM +0200, Henrik Nordstrom wrote:
> On Fri, 20 Aug 2004, Payal Rathod wrote:
>
> > A few of our clients put their designs on their sites and update them regularly. Now I am behind squid server. My users are complaining they can see the old designs and not new ones. Is there anything I can do about it?
>
> Make sure the clock of your proxy is reasonably correct, and have the clients configured to use the proxy. A click on the Reload button then makes sure the new content is delivered like normal.

My clock is very very accurate. But can you please explain what this has to do with new contents being delivered.
-Payal
RE: [squid-users] squid chroot jail no running copy error
> Hello all,
>
> I am new to the squid proxy. I do like it a lot and it has already been very useful.
> Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching.
> When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy.
> I did look at the FAQ and did try the solution for 11.43, did not help.
> squid pid is on the correct volume in the correct place.
> I was unable to locate anything in the mail archive.
> Hopefully I am not

Squid version ?

M.
[squid-users] squid chroot jail no running copy error
Hello all,

I am new to the squid proxy. I do like it a lot and it has already been very useful.

Problem: I have put squid in a chroot jail. I tested the squid configuration and function prior to building the chroot volume. Everything seems to work ok, logging and caching. When I try to do a squid -k shutdown or rotate the system tells me that there is no running copy. I did look at the FAQ and did try the solution for 11.43, did not help. squid pid is on the correct volume in the correct place. I was unable to locate anything in the mail archive. Hopefully I am not

Rick G. Kilgore
Re: [squid-users] aufs question
Well, it depends on what you are going to do with the PC.

--
Jose Campos Sanchez
Programador - Administrador de sistemas
www.systemnetinformatica.com
www.fuertemovil.com
Telfs.: +34928533071 - +34676466069
Re: [squid-users] Squid restarting
> > remaining segments are available to use as shared memory segments. Since user
> > stack and data share a 256 MB segment in this model, user data is restricted to
> > 128 MB to allow room for the stack within the segment."
>
> This puts a rather harsh limitation on how large your Squid can become..
>
> Regards
> Henrik

That was for the default model; 2 other models are available:

32-bit Large Memory Model
The large memory model is selected by specifying -bmaxdata:0xN000, where N may be 1-8. This allocates N memory segments for user data and also allows the user stack to completely occupy a segment. The maximum number of segments that can be used for user data is 8.

32-bit Very Large Memory Model
The very large memory model is selected by specifying -bmaxdata:0xN000/DSA, where N may be 1-8. This allocates up to 8 memory segments for user data, but the segments are allocated dynamically. In AIX 5.2 the maximum number of segments increases to 10 with the stack having its own segment, or 13 if the stack segment is shared with shared library text and data. Under AIX 5.1 (current version running on p690) the limit is the same as for the large memory model, 8.

64-bit Memory Model
The 64-bit memory model can address up to 1 Exabyte of memory. 256 MB memory segments are still used, but ~4,300,000,000 segments are available instead of 16. Segments are dynamically allocated within specified ranges for various uses. User data can occupy up to 448 Petabytes of memory. The 64-bit memory model is selected by specifying -q64.

Best Regards,
Andrew.
RE: [squid-users] aufs question
> what is the recommended aufs filesystem type?
> for a ide hard disk 4Gb partition which is the
> recommended aufs setting?

aufs is not a filesystem type nor one of its properties. aufs denotes the way squid optimizes disk I/O by making use of threads.

M.
[squid-users] aufs question
what is the recommended aufs filesystem type? for a ide hard disk 4Gb partition which is the recommended aufs setting?
[squid-users] Re: Information Required
On Fri, 20 Aug 2004, Evgeny Kotsuba wrote:

> But how two squids can distinguish signals via -k signal option ?

By you telling it the correct configuration file when you run squid -k, or having the two installed in different prefixes.. (different default configuration files)

Regards
Henrik
Re: [squid-users] Squid restarting
On Fri, 20 Aug 2004 [EMAIL PROTECTED] wrote:

> remaining segments are available to use as shared memory segments. Since user
> stack and data share a 256 MB segment in this model, user data is restricted to
> 128 MB to allow room for the stack within the segment."

This puts a rather harsh limitation on how large your Squid can become..

Regards
Henrik
Re: [squid-users] diskd or coss?
On Fri, 20 Aug 2004, Costas Zacharopoulos wrote:

> I have slackware linux and a ext3fs partition for squid cache. Which cache type has better performance ?

For Linux you should be using the aufs cache_dir type. diskd is mainly for FreeBSD and alikes. coss is still under development and not yet very useable.

Regards
Henrik
Re: [squid-users] getting fresh contents from site
On Fri, 20 Aug 2004, Payal Rathod wrote:

> A few of our clients put their designs on their sites and update them regularly. Now I am behind squid server. My users are complaining they can see the old designs and not new ones. Is there anything I can do about it?

Make sure the clock of your proxy is reasonably correct, and have the clients configured to use the proxy. A click on the Reload button then makes sure the new content is delivered like normal.

Regards
Henrik
Re: [squid-users] hierarchy problerms
On Fri, 20 Aug 2004, [iso-8859-1] Swaroop Shere wrote:

> parent, it gives me an authentication error. Through tcpdump, i found out that the child squid is not forwarding the username and password to the parent.

See the cache_peer directive.

> Whenever a browser configured to request the child squid tries to access a remote website (eg www.google.com), the client does not get any prompt for proxy username and password, and finally gives an error, that the page is not found. If the same client is configured to request the parent (10.0.1.1), it gets the pages. What could be this problem?

Probably you are missing never_direct or something like that.

Regards
Henrik
RE: [squid-users] Change outgoing IP
On Fri, 20 Aug 2004, [iso-8859-1] Mark Tinka wrote:

> how about if you want to map a source IP address from a user/customer to be the same IP address squid requests the remote web page as e.g. user's actual IP as assigned by administrator is 192.168.0.1, squid IP is 192.168.0.5, but squid will send the http request with a source IP of 192.168.0.1...

Then you need a NAT engine to help aligning the addresses.

Regards
Henrik
Re: [squid-users] Change outgoing IP
On Fri, 20 Aug 2004, Gert Brits wrote:

> When we go through the proxy server, we want to go out as 100.100.100.10 for instance.

See tcp_outgoing_address

The IP needs to first be configured on the server as an alias.

Regards
Henrik
RE: [squid-users] LDAP groups with a redirector
On Fri, 20 Aug 2004, Dave Raven wrote:

> NTLM authentication passes domain and user information to squidGuard, I think in the format domain/username or visa versa.

NTLM authentication passes the users login name which includes the domain.

The NT Domain thing is very different from groups. NT Domains declare where the user is defined, not his permissions (groups).

> Would it be possible/worthwhile (with group_ldap - and perhaps some code changes from us) to pass username/group to the redirector, at which stage we'll handle splitting it etc?

No. This information is not available in the login name. It is the same issue if you want a NT Group to be sent.

Regards
Henrik
[squid-users] Re:[squid-users] getting fresh contents from site
There could be two solutions of this:

1. Ask the developer of the site to send a "Pragma: no-cache" in the header so that the squid would not cache that site.

2. Use "ie_refresh on" in squid.conf and ask your clients to use CTRL+F5 to refresh the page and see the updated content.

> Hi,
> A few of our clients put their designs on their sites and update them regularly. Now I am behind squid server. My users are complaining they can see the old designs and not new ones. Is there anything I can do about it? Right now I told them (allowed them) to bypass proxy to access the net. But that is a crude solution. Is there any other way they can get fresh contents? They use IE on MS-Windows or Mozilla when on Linux.
>
> With warm regards,
> -Payal

/Naeem

___
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush
Re: [squid-users] Squid restarting
> What is said in your system messages log?

The messages from the OS are at the bottom, aren't very helpful though.

ulimit -a and ulimit -aH don't show any limit at 256MB. But by watching the mem usage through "mrtg", I could clearly see the graphics hitting a ceiling at 256. Then, using an equivalent of "top", I could predict a crash to happen in the next few seconds.

It might be this (from http://www.ncsu.edu/itd/hpc/Documents/AIXMemoryModels.php):

"32-bit Memory Models : AIX divides memory into 256 MB segments. The default memory model allocates a segment for kernel text and data associated with the user process, a segment for user text, a segment for user stack and data, a segment for shared library text, a segment for library data, and the remaining segments are available to use as shared memory segments. Since user stack and data share a 256 MB segment in this model, user data is restricted to 128 MB to allow room for the stack within the segment."

More info there: http://www-106.ibm.com/developerworks/eserver/articles/aix4java1.html#IDACDSKH

> > Should I put it back to 8MB, or is 128 MB allright ?
>
> You should only make it larger than the default if you know for certain
> there is plenty of free memory and the process size is not in danger of
> hitting an OS limit.

Well, I think I'll lower the value until I get to a stable situation. 128MB, then 64, etc ...

Best Regards,
Andrew.

The LOGS:

From syslog:

    Aug 20 11:00:35 srvuxrox squid[9390]: Squid Parent: child process 10924 exited due to signal 4
    Aug 20 11:00:38 srvuxrox squid[9390]: Squid Parent: child process 19718 started

From AIX Errorlog:

    LABEL:          CORE_DUMP
    IDENTIFIER:     B6048838
    Date/Time:      Fri Aug 20 11:00:35 2004
    Sequence Number: 506
    Machine Id:     004652BA4C00
    Node Id:        srvuxrox
    Class:          S
    Type:           PERM
    Resource Name:  SYSPROC

    Description
    SOFTWARE PROGRAM ABNORMALLY TERMINATED

    Probable Causes
    SOFTWARE PROGRAM

    User Causes
    USER GENERATED SIGNAL

    Recommended Actions
    CORRECT THEN RETRY

    Failure Causes
    SOFTWARE PROGRAM

    Recommended Actions
    RERUN THE APPLICATION PROGRAM
    IF PROBLEM PERSISTS THEN DO THE FOLLOWING
    CONTACT APPROPRIATE SERVICE REPRESENTATIVE

    Detail Data
    SIGNAL NUMBER
    4
    USER'S PROCESS ID:
    10924
    FILE SYSTEM SERIAL NUMBER
    5
    INODE NUMBER
    2
    PROCESSOR ID
    1
    CORE FILE NAME
    /tmp/core
    PROGRAM NAME
    squid
    ADDITIONAL INFORMATION
    ??
    ??
    Impossible de générer une chaîne de symptômes.
    ---
[squid-users] diskd or coss?
I have slackware linux and a ext3fs partition for squid cache. Which cache type has better performance ?
[squid-users] getting fresh contents from site
Hi, A few of our clients put their designs on their sites and update them regularly. Now I am behind squid server. My users are complaining they can see the old designs and not new ones. Is there anything I can do about it? Right now I told them (allowed them) to bypass proxy to access the net. But that is a crude solution. Is there any other way they can get fresh contents? They use IE on MS-Windows or Mozilla when on Linux. With warm regards, -Payal
RE: [squid-users] Change outgoing IP
--- Gert Brits <[EMAIL PROTECTED]> wrote:
> Found it
>
> tcp_outgoing_address 100.100.100.10 MYNETWORK
> tcp_outgoing_address 100.100.100.11 MYNETWORK2
> tcp_outgoing_address 100.100.100.12 MYNETWORK3
> tcp_outgoing_address 100.100.100.1

how about if you want to map a source IP address from a user/customer to be the same IP address squid requests the remote web page as e.g. user's actual IP as assigned by administrator is 192.168.0.1, squid IP is 192.168.0.5, but squid will send the http request with a source IP of 192.168.0.1...

Mark.

___
ALL-NEW Yahoo! Messenger - all new features - even more fun!
http://uk.messenger.yahoo.com
Re: [squid-users] Logging username with upstream authenticated proxy
On Fri, 20 Aug 2004, Kiran Maraju wrote:

> ---
> Client > squid Box > proxy ( apache ) -> real server
>                      user authentication
> ---
> This is my configuration. Whatever the client requests, squid forwards to the upstream proxy; there user authentication is at the proxy (apache). In squid logs I could only see the "-" in the user name field. User name is coming in apache.log (proxy log).
>
> Q1) Is there any way to get Username in squid access log. How to achieve this, if not where should the coding modifications take place..?

You can write an external_acl helper automatically decoding the username of basic or digest authentication and returning it in the user attribute. This will make Squid log it in access.log.

> Q2) I tried to use log_mime_hdrs on. There I could get the encoded string of user authentication. I am using basic authentication. How to decode the string..

basic authentication is simply base64 encoded login:password.

Regards
Henrik
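As an added example (not the thread's or the Squid project's own code), a minimal external_acl helper in Python that does what Henrik describes for Basic credentials: it takes the Proxy-Authorization header Squid hands it, decodes the base64 login:password, and returns only the login in the user= attribute so it appears in access.log. The squid.conf wiring in the comment, the helper path and the sample credential are assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: log the login name of a Basic Proxy-Authorization
header that Squid merely forwards to an authenticating parent proxy.

Added example, not from the thread or from Squid. Assumed squid.conf wiring
(Squid 2.5 syntax; the helper path is a placeholder, and 'localnet' stands for
whatever ACL already grants these clients access, so access policy is unchanged):
    external_acl_type upstream_user %{Proxy-Authorization} /usr/local/bin/upstream_user.py
    acl upstream_user external upstream_user
    http_access allow upstream_user localnet
Squid sends one URL-encoded header value per line and expects "OK ..." or "ERR".
"""
import base64
import binascii
import sys
from urllib.parse import unquote


def username_from_header(value):
    """Return the login name from a 'Basic <base64(login:password)>' value,
    or None if the header is missing, not Basic, or undecodable.
    The password is discarded: it must never reach access.log."""
    if not value or value == "-":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None                      # NTLM/Digest etc. are not handled here
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    login, sep, _password = decoded.partition(":")
    if not sep or not login:
        return None                      # RFC 2617 requires login:password
    return login


def helper_reply(line):
    """One request line from Squid -> one reply line for Squid."""
    value = unquote(line.rstrip("\r\n"))
    user = username_from_header(value)
    if user is None:
        return "ERR"
    # The user= value may not contain whitespace; keep the first token only.
    return "OK user=" + user.split()[0]


# Constructed sample: what Squid would send for the header 'Basic base64("alice:s3cret")'.
SAMPLE_LINE = "Basic%20" + base64.b64encode(b"alice:s3cret").decode() + "\n"


def main():
    """Run as a Squid helper: read lines from stdin, answer one line each."""
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()               # Squid waits for each answer


if __name__ == "__main__":
    main()
```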
RE: [squid-users] hierarchy problerms
Add login=PASS to the end of your cache_peer line; this will instruct it to pass up any login information in the request.

-----Original Message-----
From: Swaroop Shere [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2004 09:40 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] hierarchy problerms
Importance: High

Hello,

I am a college student trying to implement a hierarchy of proxy servers as a part of a project. The parent is at 10.0.1.1, while the child is at 10.0.2.55. While I am configuring the child, I have no control over the parent. (I have to give a written application for any services from the authorities wrt the parent.) They have enabled the icp port. After my initial configuration, the child squid started successfully. I have kept no authentication at the child (comments kept at all authentication parameters), but the parent requires authentication; it uses some microsoft module (sorry, I am still a newbie). Now I have 2 problems.

First: Whenever a browser configured to request the child tries to access a local website (eg http://10.0.0.222), it gets a prompt for username and password, whose title shows 10.0.2.55, and even if I enter the same username and passwd that I use for the parent, it gives me an authentication error. Through tcpdump, I found out that the child squid is not forwarding the username and password to the parent. The error page that the client receives shows that the error is generated by the parent squid (10.0.1.1). Also, all requests from the clients through the parent directly are served.

Second: Whenever a browser configured to request the child squid tries to access a remote website (eg www.google.com), the client does not get any prompt for proxy username and password, and finally gives an error that the page is not found. If the same client is configured to request the parent (10.0.1.1), it gets the pages.

What could be this problem?

Please help,
Thank you.
[squid-users] hierarchy problems
Hello,

I am a college student trying to implement a hierarchy of proxy servers as a part of a project. The parent is at 10.0.1.1, while the child is at 10.0.2.55. While I am configuring the child, I have no control over the parent. (I have to give a written application for any services from the authorities wrt the parent.) They have enabled the ICP port.

After my initial configuration, the child squid started successfully. I have kept no authentication at the child (comments kept at all authentication parameters), but the parent requires authentication; it uses some Microsoft module (sorry, I am still a newbie). Now I have 2 problems.

First: Whenever a browser configured to request the child tries to access a local website (e.g. http://10.0.0.222), it gets a prompt for username and password, whose title shows 10.0.2.55, and even if I enter the same username and passwd that I use for the parent, it gives me an authentication error. Through tcpdump, I found out that the child squid is not forwarding the username and password to the parent. The error page that the client receives shows that the error is generated by the parent squid (10.0.1.1). Also, all requests from the clients through the parent directly are served.

Second: Whenever a browser configured to request the child squid tries to access a remote website (e.g. www.google.com), the client does not get any prompt for proxy username and password, and finally gives an error that the page is not found. If the same client is configured to request the parent (10.0.1.1), it gets the pages.

What could be this problem? Please help.

Thank you.
[squid-users] Logging username with upstream authenticated proxy
---
Client -> squid box -> proxy (apache, user authentication) -> real server
---

This is my configuration. Whatever the client requests, squid forwards to the upstream proxy; there user authentication is at the proxy (apache). In squid logs I could only see "-" in the user name field. The user name is coming in apache.log (proxy log).

Q1) Is there any way to get the username in the squid access log? How to achieve this, and if not, where should the coding modifications take place?

Q2) I tried to use log_mime_hdrs on. There I could get the encoded string of user authentication. I am using basic authentication. How to decode the string? Is there any way to get usernames at the squid itself? Are there any tools available to achieve usernames at the squid level?

Thanks & Regards
kiran

---
Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:

> On Tue, 17 Aug 2004, Hutton, Benjamin wrote:
>
> > I currently have Squid & Dansguardian setup. Squid is setup as a
> > downstream to our governing organizations proxy which requires
> > authentication.
>
> In such case the username is never really known to Squid, just passed
> along to the parent..
>
> but it should be possible with the help of the custom logformats patch to
> extend Squid to log the forwarded username. At a minimum (no changes
> required) it can log the Proxy-Authorization header as-is allowing
> logprocessing software to decode the login name from there but with some
> small amount of programming Squid can be extended to automatically extract
> the login for use in the log file.
>
> To extract it for use in redirectors is a little harder as the user has
> not authenticated to your Squid, only to the parent. But it is not
> technically impossible to implement.
>
> Regards
> Henrik
RE: [squid-users] Change outgoing IP
Found it:

tcp_outgoing_address 100.100.100.10 MYNETWORK
tcp_outgoing_address 100.100.100.11 MYNETWORK2
tcp_outgoing_address 100.100.100.12 MYNETWORK3
tcp_outgoing_address 100.100.100.1

Regards
Gert Brits

-----Original Message-----
From: Gert Brits [mailto:[EMAIL PROTECTED]
Sent: Friday, August 20, 2004 9:23 AM
To: [EMAIL PROTECTED] Org
Subject: [squid-users] Change outgoing IP

Hi All

I have a proxy server that serves about 200 clients. We want OUR range IP address (10.0.1.0/24) to go out as another IP address, and not the proxy server's IP address. For instance, our public IP address for our proxy server is 100.100.100.1. When we go through the proxy server, we want to go out as 100.100.100.10 for instance.

Thanks
Regards
Gert Brits
Re: [squid-users] maximum_object_size 2 GB
On Fri, 20 Aug 2004, Glatzel Tino wrote:

> if the parameter maximum_object_size 2 GB is set squid doesn't cache files
> on the disk. Why ? The squid is squid-2.5.STABLE6 with the ufs-patch.

Probably you are using a 32-bit CPU and some variable overflows... Slightly less than 2 GB (i.e. 2046 MB) should work better.

On a 32-bit CPU normal variables can only have values up to 2 GB - 1 byte. Above that the value becomes negative and above 4 GB it wraps around to 0 again..

Regards
Henrik
[squid-users] Change outgoing IP
Hi All

I have a proxy server that serves about 200 clients. We want OUR range IP address (10.0.1.0/24) to go out as another IP address, and not the proxy server's IP address. For instance, our public IP address for our proxy server is 100.100.100.1. When we go through the proxy server, we want to go out as 100.100.100.10 for instance.

Thanks
Regards
Gert Brits
RE: [squid-users] LDAP groups with a redirector
Hi,

NTLM authentication passes domain and user information to squidGuard, I think in the format domain/username or vice versa. Would it be possible/worthwhile (with group_ldap, and perhaps some code changes from us) to pass username/group to the redirector, at which stage we'll handle splitting it etc?

Thanks again
Dave

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 19 August 2004 02:56 PM
To: Dave Raven
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] LDAP groups with a redirector

On Thu, 19 Aug 2004, Dave Raven wrote:

> I have been looking into the group_ldap acls in squid, and they
> look great. My problem is, are there any redirectors or ways to pass the
> group to a redirector, that will act on these ldap groups. Or ones with ldap
> support? At the moment I'm using squidguard and its not looking likely

The external_acl information can not be passed to redirectors. But you should be able to extend your redirector to perform the required lookups. Not very efficient though..

What is needed for this to work is some kind of tagging mechanism where http_access can assign a tag to the request and this passed to redirectors etc.

Regards
Henrik
Re: [squid-users] can not access sites due to acl when using ntlm auth
On Thu, 19 Aug 2004, Merton Campbell Crockett wrote:

> Perhaps it would be clearer and simpler to write this as two access rules.
>
> http_access deny !KIOSK.dstdomain
> http_access allow KIOSK

No, this won't work either as this restricts all users to the KIOSK.dstdomain destinations, not only the KIOSK users.

> > At the end of each rule set there is an implicit deny all.
>
> This may not be entirely accurate. I recall Duane Wessels mentioning
> somewhere that the implied last rule is the inverse of the last explicit
> rule. Based on the above example, the implicit rule would be the following.
>
> http_access deny !KIOSK

It is strongly recommended to always have an explicit "http_access deny all" at the end. Relying on the implicit inverse rule when there is no matching rule can be confusing.

Regards
Henrik
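To see why the two-rule version locks everyone out of non-KIOSK destinations, and what the implicit last rule does when nothing matches, here is an added Python model of http_access first-match evaluation written for this page (example code, not Squid's own implementation). The ACL names KIOSK and KIOSK.dstdomain come from the thread; their members, the AUTH acl, the client requests and the "intended" rule set are assumptions made for the example. The model follows Squid's documented rule: the first http_access line whose terms all match decides, and if no line matches the result is the opposite of the last line's action.

```python
from collections import namedtuple

Request = namedtuple("Request", "user dstdomain")

# ACL table: name -> (type, members). KIOSK and KIOSK.dstdomain are the names
# used in the thread; the members are invented for this example.
# proxy_auth with members None stands for "proxy_auth REQUIRED" (any logged-in user).
ACLS = {
    "all": ("all", None),
    "AUTH": ("proxy_auth", None),
    "KIOSK": ("proxy_auth", {"kiosk1", "kiosk2"}),
    "KIOSK.dstdomain": ("dstdomain", {"intranet.example.com", ".kiosk-sites.example"}),
}

# The two-rule version from the thread. Rule 1 fires for every non-KIOSK
# destination regardless of who is asking, so staff are locked out too.
RULES_FROM_THREAD = [
    ("deny", ["!KIOSK.dstdomain"]),
    ("allow", ["KIOSK"]),
]

# One way to express the intended policy (an assumption, not taken from the
# thread): only KIOSK users are confined, other authenticated users are
# allowed, and an explicit "deny all" closes the list.
RULES_INTENDED = [
    ("deny", ["KIOSK", "!KIOSK.dstdomain"]),
    ("allow", ["AUTH"]),
    ("deny", ["all"]),
]


def _domain_matches(host, patterns):
    """dstdomain semantics: '.example.com' matches example.com and any subdomain."""
    host = host.lower()
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def _term_matches(term, acls, req):
    """One term of an http_access line; a leading '!' negates the ACL."""
    negate = term.startswith("!")
    kind, members = acls[term.lstrip("!")]
    if kind == "all":
        matched = True
    elif kind == "proxy_auth":
        matched = req.user != "-" if members is None else req.user in members
    elif kind == "dstdomain":
        matched = _domain_matches(req.dstdomain, members)
    else:
        raise ValueError("unsupported acl type: " + kind)
    return matched != negate


def evaluate(rules, acls, req):
    """First matching http_access line wins; every term on the line must match.

    When no line matches, the result is the opposite of the last line's action,
    which is exactly why an explicit 'http_access deny all' at the end is recommended.
    """
    for action, terms in rules:
        if all(_term_matches(t, acls, req) for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = [Request("alice", "www.google.com"), Request("kiosk1", "www.google.com"),
              Request("kiosk1", "intranet.example.com"), Request("-", "www.google.com")]
    for label, rules in (("thread", RULES_FROM_THREAD), ("intended", RULES_INTENDED)):
        for req in probes:
            print(label, req.user, req.dstdomain, "->", evaluate(rules, ACLS, req))
```

Running it shows the two failure modes from the thread side by side: with RULES_FROM_THREAD the staff user "alice" is denied www.google.com by rule 1, and her request for intranet.example.com matches no line at all and is denied only by the implicit inverse of the last "allow". With RULES_INTENDED every outcome is decided by an explicit line.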