[squid-users] how does 'delay_pool' work ??
Hi there.. I've been wondering about this for quite some time.. searching the internet doesn't come up good.. For instance I have this design:

the Internet - router -- squid-proxy --- clients

I know that delay_pool could directly control the bandwidth between the proxy and clients. But how does delay_pool control the bandwidth between the internet and the proxy server ??

Thanks in advance
RE: [squid-users] how does 'delay_pool' work ??
Hi there.. I've been wondering about this for quite some time.. searching the internet doesn't come up good.. For instance I have this design: the Internet - router -- squid-proxy --- clients I know that delay_pool could directly control the bandwidth between the proxy and clients. But how does delay_pool control the bandwidth between the internet and the proxy server ??

It's the reverse!

M.
Re: [squid-users] how does 'delay_pool' work ??
Elsen Marc wrote: Hi there.. I've been wondering about this for quite some time.. searching the internet doesn't come up good.. For instance I have this design: the Internet - router -- squid-proxy --- clients I know that delay_pool could directly control the bandwidth between the proxy and clients. But how does delay_pool control the bandwidth between the internet and the proxy server ?? It's the reverse !

sorry, I don't follow.. what do you mean 'it's the reverse' ??
RE: [squid-users] how does 'delay_pool' work ??
... ... I know that delay_pool could directly control the bandwidth between the proxy and clients. But how does delay_pool control the bandwidth between the internet and the proxy server ?? It's the reverse ! sorry, I don't follow.. what do you mean 'it's the reverse' ??

I mean that delay pools control the bandwidth between the proxy and the Internet.

M.
Re: [squid-users] ip_wccp kernel patch for 2.6.x
--- Henrik Nordstrom [EMAIL PROTECTED] wrote: It may also be worth noticing that the Linux IP/GRE module finally is getting WCCP support, so soon there won't be any need to patch the Linux kernel or use cludgy modules like ip_wccp in order to use WCCP. oh now this is some great news.. any ideas on when this might be, or better yet, which kernel release..?.. Mark. Regards Henrik
Re: [squid-users] how does 'delay_pool' work ??
Elsen Marc wrote: It's the reverse ! sorry, I don't follow.. what do you mean 'it's the reverse' ?? I mean that delay pools control the bandwidth between the proxy and the Internet. M.

hmm.. how ?? how do you tell the remote servers how fast they should send data ??
[squid-users] ntlmssp_server_auth: failed to parse NTLMSSP
Hi Squid People,

Debian testing
Squid 2.5.6-8
Samba/Winbindd 3.0.7-1

From squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm admin
auth_param basic credentialsttl 2 hours

From cache.log:

[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:37, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:37, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:37, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:38, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:39, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP:

The ntlm authentication seems to be working but the above logs have me worried all the same. I've seen this asked before in the archives but have yet to see any resolution. Am I just being blind? Does anyone know what is causing this and have a fix for it?
Hopefully someone can just send me away with a link to the faq and a flea in my ear. ;-) Cheers, David.
RE: [squid-users] how does 'delay_pool' work ??
hmm.. how ?? how do you tell the remote servers how fast they should send data ??

Really, how do you tell the Internet how fast to serve your SQUID? Sorry, the idea for delay pools is to limit, if needed or wanted, bw. resources that clients can allocate from your Internet connection.

M.
[squid-users] Compiling Squid With Sun LDAP SDK 5.2
Any tips on compiling Squid with the Sun Directory Server SDK? We want to use the Auth_LDAP helper but we would like to use the Sun Directory Server SDK. Thanks Mitch
Re: [squid-users] ip_wccp kernel patch for 2.6.x
On Mon, 4 Oct 2004, Mark Tinka wrote: oh now this is some great news.. any ideas on when this might be, or better yet, which kernel release..?.. The next 2.6 release.. (2.6.9 if I am not mistaken) Regards Henrik
Re: [squid-users] header is tranprant squid
Hello Kashif,

On Sat, Oct 02, 2004 at 07:57:49PM -0700, Kashif Ali Bukhari wrote: the problem is that when i check proxy from http://www.all-nettools.com/toolbox i get my server IP on u come from why don't i am getting client PC IP

That should be what you get since the proxy resends your request and makes it look like it came from the server. Transparent mode just hides (to an extent) the existence of the proxy from the user. If you want to see your own IP, try this site: http://www.showmyip.com/ though that still shows your proxy's details.

-- A. Sajjad Zaidi http://www.sajjadzaidi.com/ GnuPG Key ID: 0xD7AD0E13 They redundantly repeated themselves over and over again incessantly without end -- anon
Re: [squid-users] how does 'delay_pool' work ??
On Mon, 4 Oct 2004, Arianto C Nugroho wrote: I know that delay_pool could directly control the bandwidth between the proxy and clients. But how does delay_pool control the bandwidth between the internet and the proxy server ??

This is what delay pools control: the amount of traffic each client downloads from the Internet via the proxy.

Regards Henrik
Re: [squid-users] how does 'delay_pool' work ??
On Mon, 4 Oct 2004, Arianto C Nugroho wrote: hmm.. how ?? how do you tell the remote servers how fast they should send data ?? By not reading data from the TCP connection faster than the delay pool allows such data to be delivered to the client (or actual delivery speed to client if less). Regards Henrik
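A small model of the mechanism described in the reply above, as an added example that is not part of the original thread and not Squid's code: a token bucket caps how many bytes the proxy reads from the server socket each second, the unread data fills the receive buffer, and TCP flow control then forces the sender down to the pool rate. The class and function names, the `restore`/`max_bytes` parameters (named after the restore/max pair of `delay_parameters`), the 64 KB receive buffer and all sample rates are assumptions.

```python
"""Toy model of delay-pool read pacing (illustration only, not Squid code)."""


class DelayBucket:
    """Token bucket: `restore` bytes are added per second, capped at `max_bytes`."""

    def __init__(self, restore, max_bytes):
        self.restore = restore
        self.max_bytes = max_bytes
        self.level = max_bytes  # a full bucket permits an initial burst

    def allowance(self, wanted):
        """Bytes that may be read right now without exceeding the pool."""
        return max(0, min(wanted, self.level))

    def consume(self, n):
        self.level -= n

    def tick(self):
        """One second passes: refill, never above the cap."""
        self.level = min(self.max_bytes, self.level + self.restore)


def simulate(server_rate, client_rate, bucket, seconds, rcvbuf=65536):
    """Return (bytes sent by server, bytes read by proxy) for each second.

    server_rate: bytes/s the origin could send if nothing held it back
    client_rate: bytes/s the client is able to accept from the proxy
    rcvbuf:      proxy-side socket receive buffer; once it is full the
                 advertised TCP window is zero and the server must wait
    """
    buffered = 0  # bytes received by the kernel but not yet read by the proxy
    sent_log, read_log = [], []
    for _ in range(seconds):
        # The server can only send what fits in the free receive window.
        sent = min(server_rate, rcvbuf - buffered)
        buffered += sent
        # The proxy reads no faster than the pool allows, and no faster
        # than the client can take the data.
        n = bucket.allowance(min(buffered, client_rate))
        bucket.consume(n)
        buffered -= n
        sent_log.append(sent)
        read_log.append(n)
        bucket.tick()
    return sent_log, read_log


if __name__ == "__main__":
    # Constructed figures: fast server, fast client, pool of 8000 B/s.
    sent, read = simulate(100_000, 50_000, DelayBucket(8_000, 16_000), 5)
    print("server sent :", sent)
    print("proxy read  :", read)
```

After the first second the server's send rate equals the pool's restore rate, although nothing was ever "told" to the server; with a client slower than the pool, the client's own rate becomes the limit instead.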
Re: [squid-users] ntlmssp_server_auth: failed to parse NTLMSSP
On Mon, 4 Oct 2004, David wrote: [2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549) ntlmssp_server_auth: failed to parse NTLMSSP: I've seen this asked before in the archives but have yet to see any resolution. Am I just being blind? Does anyone know what is causing this and have a fix for it?

There are two possible causes for this:

a) A client sent a malformed NTLMSSP authentication packet to your Squid, maybe in an attempt to exploit bugs in other NTLMSSP implementations or by application error.

b) You have clients sending largeish NTLMSSP packets and your Squid is not in shape to deal with this url:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlmtruncated

If 'b' I would guess authentication is not successful for such clients. If you see these very often then you should be able to make a pattern of which clients are causing this by matching the cache.log timestamps with requests in access.log (/407)

Regards Henrik
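One way to do the matching suggested above, as an added example that is not part of the original thread: take the timestamp of every "failed to parse NTLMSSP" message in cache.log, look for 407 responses in access.log within the same second (plus some slack), and rank clients by how many failures they were present for. The function names, the `utc_offset_hours` and `slack` parameters, and all sample log lines are constructed for illustration; the helper writes local time while access.log uses epoch seconds, so the offset must match the proxy's timezone.

```python
"""Correlate ntlm_auth parse failures in cache.log with 407s in access.log."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Samba debug header, e.g. "[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:..."
SAMBA_HDR = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
PARSE_FAIL = "failed to parse NTLMSSP"


def failure_times(cache_log_lines, utc_offset_hours=0):
    """Epoch second of each parse failure.

    The header and the message may sit on one line or on two consecutive
    lines, so the most recent header timestamp is remembered.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    times, last_ts = [], None
    for line in cache_log_lines:
        m = SAMBA_HDR.match(line.strip())
        if m:
            local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            last_ts = int(local.replace(tzinfo=tz).timestamp())
        if PARSE_FAIL in line and last_ts is not None:
            times.append(last_ts)
    return times


def denied_407(access_log_lines):
    """(epoch, client_ip) for every request answered with status 407."""
    out = []
    for line in access_log_lines:
        f = line.split()
        if len(f) < 7:
            continue  # not a native-format access.log line
        try:
            ts = float(f[0])
        except ValueError:
            continue
        if f[3].endswith("/407"):
            out.append((ts, f[2]))
    return out


def suspects(cache_log_lines, access_log_lines, utc_offset_hours=0, slack=1.0):
    """Rank clients by the number of failures they had a 407 next to.

    Every NTLM handshake produces 407s, so a single coincidence means
    little; a client that shows up at every failure is the one to examine.
    """
    reqs = denied_407(access_log_lines)
    hits = Counter()
    for t in failure_times(cache_log_lines, utc_offset_hours):
        # cache.log has one-second resolution: the failure is in [t, t+1).
        nearby = {ip for ts, ip in reqs if t - slack <= ts < t + 1 + slack}
        hits.update(nearby)
    return hits.most_common()


# Constructed sample data (local time is UTC+1 in this sample).
CACHE_LOG = """\
[2004/10/04 10:13:36, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
  ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:41, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
  ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/10/04 10:13:47, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
  ntlmssp_server_auth: failed to parse NTLMSSP:
""".splitlines()

ACCESS_LOG = """\
1096881216.120 3 10.0.0.23 TCP_DENIED/407 1714 GET http://example.com/ - NONE/- text/html
1096881216.900 2 10.0.0.7 TCP_DENIED/407 1714 GET http://example.org/ - NONE/- text/html
1096881217.300 88 10.0.0.7 TCP_MISS/200 5120 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
1096881221.400 3 10.0.0.23 TCP_DENIED/407 1714 GET http://example.com/ - NONE/- text/html
1096881227.050 4 10.0.0.23 TCP_DENIED/407 1714 GET http://example.com/ - NONE/- text/html
1096881240.000 2 10.0.0.41 TCP_DENIED/407 1714 GET http://example.net/ - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for ip, n in suspects(CACHE_LOG, ACCESS_LOG, utc_offset_hours=1):
        print(f"{ip}: present at {n} parse failure(s)")
```

A client at the top of the list that never gets past 407 fits case 'b'; one that sends unparseable packets from an unexpected application or host fits case 'a'.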
[squid-users] Data-Transfer on blocked URL's?
Hello, how can I understand this? In access.Log every TCP/DENIED line shows about 1400 bytes Data-Transfer. So I had 226 MB (!) TCP/DENIED-Traffic during the last month. (200 Users) What does squid do here? Greetings, Peter
Re: [squid-users] Compiling Squid With Sun LDAP SDK 5.2
On Mon, 4 Oct 2004, Lewars, Mitchell (EM, PTL) wrote: Any tips on compiling Squid with the Sun Directory Server SDK? Assuming the Sun Directory Server SDK implements the standard C interfaces to LDAP then it should work just fine, but as always it may need some small adjustments to compile with another SDK than used by the developers (we use OpenLDAP). We want to use the Auth_LDAP helper but we would like to use the Sun Directory Server SDK. Is there any specific reason to why you do not use the OpenLDAP SDK? Regards Henrik
Re: [squid-users] Compiling Squid With Sun LDAP SDK 5.2
Why do you need to compile additional helpers? The standard squid_ldap_auth and squid_ldap_group helpers work fine against the SunONE Directory server 5.2. I have been using Squid 2.5 STABLE 5 since January against SunONE Directory Server 5.2. Here are some snippets from my Squid config file.

---
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap_host.your_domain.org -p ldap_port -P -b o=base_ou -f (|(uid=%s)(mail=%s))
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap_host.your_domain.org -p ldap_port -P -b o=base_ou -F (|(uid=%s)(mail=%s)) -f ((cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))
---

I recently added to the LDAP query the ability to authenticate with the user's E-Mail address. This allowed for the distinguishing of duplicate users in the LDAP database. JDough of sub-company-A versus JDough of sub-company-B. The user enters their ID as [EMAIL PROTECTED]

Biggest things to watch for are DNS (/etc/hosts) resolution of the LDAP host, and your understanding of the structure of your LDAP schema. Initially I had trouble with querying the LDAP schema. I was trying to make it too complex. No point in chasing encryption of the LDAP binds (unless you absolutely have to), currently none of the common browsers support encryption for proxy challenges.

Tim

--- Timothy E. Neto Computer Systems Engineer Komatsu Canada Limited Ph#: 905-625-6292 x2651725B Sismet Road Fax: 905-625-6348 Mississauga, Canada E-Mail: [EMAIL PROTECTED] L4W 1P9 ---

Lewars, Mitchell (EM, PTL) wrote: Any tips on compiling Squid with the Sun Directory Server SDK? We want to use the Auth_LDAP helper but we would like to use the Sun Directory Server SDK. Thanks Mitch
[squid-users] Unable to retrieve files via FTP
All, I am having trouble being able to retrieve files in the form of: ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/libtiff-3.5.5-2.i386.rpm From IE. My settings in squid are:

acl FTP_allowed proto FTP
acl Safe_ports port 21 # ftp
acl Safe_ports port 2121 # proxied ftp
http_access allow FTP_allowed all

I have changed my IE settings to use ports 2121 and 21 but I am still getting Cannot find server

Netstat shows nothing listening on either ports. What else should I look for?

Regards, Adam
RE: [squid-users] Unable to retrieve files via FTP
All, I am having trouble being able to retrieve files in the form of: ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/libtiff-3.5.5-2.i386.rpm ... What else should I look for?

Depends what the error in the browser was. I tried, but in Mozilla, Squid replies that the given directory does not exist. Things to take into account for IE: In advanced internet options:
- Disable folder view for ftp sites
- Disable show friendly error messages. MS has its own idea about what 'friendly' means to the Internet world :-).

M.
Re: [squid-users] Unable to retrieve files via FTP
You need to add in squid.conf the following.

acl Safe_ports port 20 # ftp-data
acl Safe_ports port 1023-65535 # unregistered ports

RG, Klodi

- Original Message - From: Adam Engel [EMAIL PROTECTED] To: Squid (E-mail) [EMAIL PROTECTED] Sent: Monday, October 04, 2004 3:19 PM Subject: [squid-users] Unable to retrieve files via FTP

All, I am having trouble being able to retrieve files in the form of: ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/libtiff-3.5.5-2.i386.rpm From IE. My settings in squid are: acl FTP_allowed proto FTP acl Safe_ports port 21 # ftp acl Safe_ports port 2121# proxied ftp http_access allow FTP_allowed all I have changed my IE settings to use ports 2121 and 21 but I am still getting Cannot find server Netstat shows nothing listening on either ports. What else should I look for? Regards, Adam
[squid-users] Patch for load-balancing et HA in Squid-ICAP client
Hello, please find below a message posted on the squid-icapClient ML. Actually, there is not so much activity on this list even if people are interested in ICAP stuff in Squid. This message deals with HA and load-balancing, and testing is needed so any feedback is welcome. Thanks, Stéphane Objet: [squid-icapClient] Patch for load-balancing et HA Date: Mon, 04 Oct 2004 14:54:34 +0200 Hello all, here is a patch from Luc Saillard (Alcove company) which implements load-balancing and HA. You can define a service using different serveurs, and for each request we take the next server if this one is reachable: icap_service service_1 reqmod_precache icap://server1:1344/wwreqmod icap_service service_1 reqmod_precache icap://server2:1344/wwreqmod icap_service service_1 reqmod_precache icap://server3:1344/wwreqmod The patch should be applied against the latest tarball available here: http://www.squid-cache.org/~wessels/squid-icap-2.5/ Dont' forget to run bootstrap.sh before configure Feedback is welcome at the following address: [EMAIL PROTECTED] and of course on this ML Enjoy! -- Stephane DAVY [EMAIL PROTECTED] --- squid-icap-2.5-200409161544.orig/src/cache_cf.c Wed Aug 4 21:47:58 2004 +++ squid-icap-2.5-200409161544/src/cache_cf.c Tue Sep 28 15:44:03 2004 
@@ -2299,13 +2299,27 @@ */ static void -icap_service_list_add(icap_service_list ** isl, icap_service * service) +icap_service_list_add(icap_service_list ** isl, char * service_name) { icap_service_list **iter; icap_service_list *new; +icap_service *gbl_service; +int i; +int max_services; new = memAllocate(MEM_ICAP_SERVICE_LIST); -new-service = service; +/* Found all services with that name, and add to the array */ +max_services = sizeof(new-services)/sizeof(icap_service *); +gbl_service = Config.icapcfg.service_head; +i=0; +while(gbl_service i max_services) { + if (!strcmp(service_name, gbl_service-name)) { + new-services[i++] = gbl_service; + break; + } + gbl_service = gbl_service-next; +} +new-nservices = i; if (*isl) { iter = isl; @@ -2400,7 +2414,7 @@ for (iter = c-services; iter; iter = iter-next) { service = icap_service_lookup(iter-key); if (service) { - icap_service_list_add(isl, service); + icap_service_list_add(isl, iter-key); } else { debug(3, 0) (icap_class_process (line %d): skipping service %s in class %s\n, config_lineno, iter-key, c-name); } @@ -2493,7 +2507,9 @@ c-hidden = 1; wordlistAdd(c-services, A-service_name); c-isl = memAllocate(MEM_ICAP_SERVICE_LIST); - c-isl-service = s; + /* FIXME:luc: check what access do */ + c-isl-services[0] = s; + c-isl-nservices = 1; icap_class_add(c); A-class = c; } else { @@ -2592,7 +2608,9 @@ printf( %s: \n, c_iter-name); printf(services = \n); for (isl_iter = c_iter-isl; isl_iter; isl_iter = isl_iter-next) { - printf( %s\n, isl_iter-service-name); + int i; + for (i = 0; i isl_iter-nservices; i++) + printf( %s\n, isl_iter-services[i]-name); } } debug(3, 0) (IcapConfig: access =\n); --- squid-icap-2.5-200409161544.orig/src/icap_common.c Sat Apr 3 23:12:55 2004 +++ squid-icap-2.5-200409161544/src/icap_common.c Tue Sep 28 15:36:03 2004 
@@ -140,6 +140,8 @@ icapService(icap_service_t type, request_t * r) { icap_service_list *isl_iter; +int is_iter; + debug(81, 8) (icapService: type=%s\n, icapServiceToStr(type)); if (NULL == r) { debug(81, 8) (icapService: no request_t\n); @@ -150,10 +152,27 @@ return NULL; } for (isl_iter = r-class-isl; isl_iter; isl_iter = isl_iter-next) { - if (type == isl_iter-service-type) { - debug(81, 8) (icapService: found service %s\n, isl_iter-service-name); - return isl_iter-service; - } +/* TODO:luc: Do a round-robin, choose a random value ? + * For now, we use a simple round robin with checking is the + * icap server is available */ + is_iter = isl_iter-last_service_used; + do + { + is_iter = (is_iter + 1) % isl_iter-nservices; + debug(81, 9) (icapService: checking service %s/id=%d\n,isl_iter-services[is_iter]-name,is_iter); + if (type == isl_iter-services[is_iter]-type) + { + if (!isl_iter-services[is_iter]-unreachable) + { + debug(81, 8) (icapService: found service %s/id=%d\n, isl_iter-services[is_iter]-name,is_iter); + isl_iter-last_service_used = is_iter; + return isl_iter-services[is_iter]; + } + debug(81, 8) (icapService: found service %s/id=%d, but it's unreachable. I don't want to use it\n, isl_iter-services[is_iter]-name,is_iter); + /* FIXME:luc: in response mod, if we return an NULL pointer, user can bypass + * the filter, is it normal ? */ + } + } while (is_iter != isl_iter-last_service_used); } debug(81, 8) (icapService: no service found\n); return NULL; ---
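Review bot: In icap_service_list_add() (cache_cf.c, hunk at -2299) the `break;` placed right after `new-services[i++] = gbl_service;` ends the walk on the first name match, so nservices can never exceed 1 and three icap_service lines sharing one name collapse to a single server, which contradicts the comment about finding all services with that name and leaves the round-robin with nothing to rotate over. Drop the break and let the loop run to the end of Config.icapcfg.service_head (the max_services bound already prevents overflow of the array). The same function sets nservices but never sets last_service_used, which icapService() reads before it writes; unless memAllocate returns zeroed memory, initialise it here.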
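Review bot: In icapService() (icap_common.c, hunk at -150) the path taken when every matching server has unreachable set falls through to `return NULL`, and the FIXME in the same hunk already observes that in response mod a NULL lets the user bypass the filter, so losing all ICAP servers silently switches content filtering off. That should be an explicit policy rather than a side effect: add a per-class or per-service setting that chooses between bypass and refusing the request, default it to refusing, and log at a level an operator will see. Two smaller points in the same loop: `(is_iter + 1) % isl_iter-nservices` divides by zero if a list entry ends up with nservices == 0, and the `while (is_iter != isl_iter-last_service_used)` exit condition never becomes true if last_service_used is not already in the range 0..nservices-1, so validate both before entering the do/while.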
RE: [squid-users] Unable to retrieve files via FTP
At 03:26 PM 10/4/2004 +0200, Elsen Marc wrote: All, I am having trouble being able to retrieve files in the form of: ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/libtiff-3.5.5-2.i386.rpm ... What else should I look for? Things to take into account for IE : In advanced internet options : - Disable folder view for ftp sites - Disable show friendly error messages. MS has its own idea about what 'friendly' means to the Internet world :-). M.

I added port 20, like the previous post suggested. However I am still unable to get files from an ftp link from a website. Because of your comment about Mozilla not being able to retrieve the file, I tried a different file from freshrpms.net. Without the 'friendly' error message, the page just said Done. No file was retrieved. There is nothing in the log files about this. I don't see an entry in access.log either. Anything else I am missing?

Adam
Re: [squid-users] Unable to retrieve files via FTP
Do you have any firewall or router with access-lists in front of your squid box? If yes, check the rules on this equipment.

- Original Message - From: Adam Engel [EMAIL PROTECTED] To: Squid (E-mail) [EMAIL PROTECTED] Sent: Monday, October 04, 2004 5:12 PM Subject: RE: [squid-users] Unable to retrieve files via FTP

At 03:26 PM 10/4/2004 +0200, Elsen Marc wrote: All, I am having trouble being able to retrieve files in the form of: ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/libtiff-3.5.5-2.i386.rpm ... What else should I look for? Things to take into account for IE : In advanced internet options : - Disable folder view for ftp sites - Disable show friendly error messages. MS has its own idea about what 'friendly' means to the Internet world :-). M. I added port 20, like the previous post suggested. However I am still unable to get files from an ftp link from a website. Because of your comment about Mozilla not being able to retrieve the file, I tried a different file from freshrpms.net. Without the 'friendly' error message, the page just said Done. No file was retrieved. There is nothing in the log files about this. I don't see an entry in access.log either. Anything else I am missing? Adam
Re: [squid-users] Data-Transfer on blocked URL's?
On Mon, 4 Oct 2004, Peter Schulz-Kraus wrote: In access.Log every TCP/DENIED line shows about 1400 bytes Data-Transfer. This is the error message telling the user access was denied. If you are using NTLM authentication you will see quite many of these due to the nature of the NTLM authentication protocol. So I had 226 MB (!) TCP/DENIED-Traffic during the last month. (200 Users) Between the clients and your Squid yes. 0 of this is Internet traffic. Regards Henrik
RE: [squid-users] Unable to retrieve files via FTP
On Mon, 4 Oct 2004, Adam Engel wrote: I added port 20, like the previous post suggested. However I am still unable to get files from an ftp link from a website. Because of your comment about Mozilla not being able to retrieve the file, I tried a different file from freshrpms.net. Without the 'friendly' error message, the page just said Done. No file was retrieved. There is nothing in the log files about this. I don't see an entry in access.log either.

Is your browser configured to use the proxy for ftp:// requests?

Regards Henrik
[squid-users] Problems with Java and NTLM authentication (java.io.IOException when using NTLM authentication)
This message is simply to be used for searching in the future as I have found many people asking this question and not getting a concise answer back. This is my contribution to the problem.

Environment:

squid-2.5.STABLE5-4
samba-3.0.7

Squid is configured to use NTLM authentication for all outbound http connections to the Internet. squid.conf contains the following:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Some Domain Name
auth_param basic credentialsttl 2 hours

Problem:

If Squid is configured to use auth_param ntlm only (so auth_param basic lines are not present or commented out, unlike the above example), sites that use java applets such as http://javatester.org/version.html, will error out with a java.io.IOException in the java console. This seems to apply to older (pre 1.4 ??) versions of java. We ran into the problem using Oracle's JInitiator Control Panel 1.1.8.16.

Solution:

Ensure you have the following in your squid.conf

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Some Domain Name
auth_param basic credentialsttl 2 hours

This will then prompt the user for username and password.

Please feel free to add comments to this but in attempting to troubleshoot this particular problem, I found several people asking the questions and no answers were given.
[squid-users] add a header to each page?
Hi All I'm wondering if the following is possible: I'd like to place a banner at the top of all pages that are served up via my caching server. Similar to what happens when you click on an outside link in a hotmail message. What happens is you are taken to the page, but a hotmail header is added to the top part of the page. We've tried a few things, but haven't managed to get it to work just right yet. Any ideas? Thanks Matt [EMAIL PROTECTED]
[squid-users] Squid x AD - performace problem
Hello masters, I need some help. I have a Squid server where the users are accessing the Internet without authentication, and I have configured Squid to authenticate with Active Directory and it is working fine in the Lab environment, but when I tried to use it during business time I had some problems that I guess to be just hardware limitation, but I am not sure about that and maybe I can get a better configuration than this. I have tried to use the following conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl proxy_users external wbinfo_group_helper proxy_users
acl users_AD proxy_auth REQUIRED
http_access allow user_AD proxy_users
http_access deny all

When I use the conf like that I get the following error messages:

aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
WARNING: All ntlmauthenticator processes are busy.

and some users could authenticate on the AD but others had problems. I increased the number of children for the auth_ntlm and external_acl gradually until the error had gone (I have about 4000 users):

auth_param ntlm children 50
auth_param basic children 50
external_acl_type wbinfo_group_helper ttl=900 children=125 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

The problem after that was that the CPU utilization went to 100%, and the users got stuck due to access performance. The average process number of the server went to 400.

I have tried some things to decrease the CPU utilization, such as stripping the header of wbinfo, and taking off logging, but without success. So, I did a fallback and I am figuring out how to solve that. Thanks in advance for any help.

Rodrigo D.
Re: [squid-users] X-Authenticated-User without ICAP?
On Sun, Oct 03, 2004 at 11:12:12PM +0200, Henrik Nordstrom wrote: On Sun, 3 Oct 2004, Christoph Haas wrote: is there a patch for Squid that adds something like an X-Authenticated-User header to outgoing requests? I'm using a parent proxy that needs that information. X-Forwarded-For only seems to provide the IP address. I'm using LDAP authentication (so no foul tricks with NTLM). :) See the login= cache_peer option. D'oh. This was too obvious for me. Using squid for six years and I still don't know all options. :) Thanks. This seems to save me from ICAP trouble. Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] add a header to each page?
On Mon, Oct 04, 2004 at 01:40:02PM -0300, Matt Ashfield wrote: I'd like to place a banner at the top of all pages that are served up via my caching server. Similar to what happens when you click on an outside link in a hotmail message. What happens is you are taken to the page, but a hotmail header is added to the top part of the page. Squid cannot (yet) do content-altering so you are out of luck here. But have you looked at privoxy? It has mechanisms for doing anything you like to the content of a page. Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] Blocking mixed URLs
Didn't work... The squid DENY any requisition to the PERMIT sites, after remove the character ^ of each entry from the file txtgeneral2.txt everything back to normal... Do I need change anything else ?

- Original Message - From: Andreas Pettersson [EMAIL PROTECTED] To: Christian Ricardo dos Santos [EMAIL PROTECTED] Cc: squid-users [EMAIL PROTECTED] Sent: Thursday, September 30, 2004 5:58 PM Subject: Re: [squid-users] Blocking mixed URLs

Sorry but I am a beginner, I never ever heard about this dstdomain. How about this # sed 's/^/\^/' txtgeneral.txt ? I should use it instead http_access allow txtlan general !download ?

No no :) sed is basically a utility used to manipulate text. Running this (in a shell):

sed 's/^/\^/' txtgeneral.txt > txtgeneral2.txt

will add ^ in front of each line in txtgeneral.txt and put the result in txtgeneral2.txt. You can then use the new file in the url_regex acl. Do not change the http_access row. For more details regarding access control, check out http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

/Andreas
[squid-users] wbinfo_group_helper queue overload
Hello guys, I need some help. I have a Squid server where the users are accessing the Internet without authentication, and I have configured Squid to authenticate with Active Directory and it is working fine in the Lab environment, but when I tried to use it during business time I had some problems that I guess to be just hardware limitation, but I am not sure about that and maybe I can get a better configuration than this. I have tried to use the following conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl proxy_users external wbinfo_group_helper proxy_users
acl users_AD proxy_auth REQUIRED
http_access allow user_AD proxy_users
http_access deny all

When I use the conf like that I get the following error messages:

aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
WARNING: All ntlmauthenticator processes are busy.

and some users could authenticate on the AD but others had problems. I increased the number of children for the auth_ntlm and external_acl gradually until the error had gone (I have about 4000 users):

auth_param ntlm children 50
auth_param basic children 50
external_acl_type wbinfo_group_helper ttl=900 children=125 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

The problem after that was that the CPU utilization went to 100%, and the users got stuck due to access performance. The average process number of the server went to 400.

I have tried some things to decrease the CPU utilization, such as stripping the header of wbinfo, and taking off logging, but without success. I would like to understand the parameters in the external_acl_type line. Should I use the children option or concurrency? What is the difference? And how does the ttl parameter work? So, I did a fallback and I wonder if I can solve it by changing my configuration. Thanks in advance for any help.

Rodrigo D.
[squid-users] Uploading files
Currently I'm using Squid 2.5 stable5 in Fedora Core2. It's a rpm upgraded using yum. I have one access list that let all my local network access any location. I'm having problems uploading files to yahoo mail, for example. I use yahoo webmail and try to attach a file it takes a long time and do not attach it. When I remove proxy settings from my IE it works fine and fast. I have a fw rule(iptables) in my squid box that let just squid and ssh in and new, related and established out. Any help or idea will be great. Thanks. José Costa
[squid-users] reduce wan link traffic-- query
Dear squid gurus, I have configured a squid cache server for my organization. The idea behind this is to reduce wan link traffic so that I can utilize that bandwidth for other new customers. Now I want to test whether it is reducing the overall bandwidth or not. My squidclient mgr_client_list tells me this: HTTP: 195075 Requests, 57193 Hits ( 29%) So I guess hits is the bandwidth saving. Am I right? If not, then please let me know that I am wrong. I want to test whether my wan bandwidth has reduced the traffic or not. How do I test? I have kept mrtg on the squid cache server on both lan and wan ethernet, and I have kept mrtg on the other router connected through the squid server. Monitoring it tells me some similar values, so I am stuck on whether my squid is caching or not and whether I have reduced my wan link usage. Any ideas... Any help will be greatly appreciated. -- Joel N.Solanki Network Administrator Mobile: 91-9426353268 Phone No: 0265-550001/2/3/4/5 Ext: 211/212 Digtial 2 Virtual Internet Service Provider. http://www.packetraptor.com/ http://www.d2visp.com/ Gujarat (India)
Re: [squid-users] Uploading files
On Mon, Oct 04, 2004 at 03:27:09PM -0300, Jose Costa wrote: Currently I'm using Squid 2.5 stable5 in Fedora Core2. It's an rpm upgraded using yum. I have one access list that lets all my local network access any location. I'm having problems uploading files to yahoo mail, for example. I use yahoo webmail and when I try to attach a file it takes a long time and does not attach it. When I remove the proxy settings from my IE it works fine and fast. I have a fw rule (iptables) on my squid box that lets just squid and ssh in and new, related and established out.

Check your request_body_max_size. It defines how large requests (like in forms (like in uploads)) may be. You should see something in your access.log by the way that could help. Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
[squid-users] AD2003 +Squid NTLM Auth.
Authenticating Server: 2003 with Active Directory Enabled
Squid Server: FreeBSD 5.1
Samba: 3.0.7,1
Other package info in package list at bottom.

The DNS server is on the 2003 Server with the proper kerberos and ldap entries in the DNS server. (Passes Active Directory DNS utility tests) Responses are sent in LM, NTLM, NTLM2 when negotiated. Signing requirements are not configured. (Choices: Enable, or not configured). Have read, and followed to best of my ability the squid FAQ and winbind/nmb/samba man pages.

Things that work: All of the command line based tests work, as you will see when you look below. But when I try to authenticate with a browser I get denied, and the following info in cache.log and log.winbindd. If I modify the permissions on /var/db/samba/winbindd_privileged, that breaks the wbinfo tests saying that the permissions on that file are incorrect.

Note: when I went to build samba --with-ads on freebsd it complained about KRB5 and asked for HEIMDAL instead...so I am actually using HEIMDAL not KRB5, as Samba refused to compile with KRB5 but compiled fine with HEIMDAL.

Squid works great unauthenticated, but fails all auth tests when using an actual browser. The squid-helper passes basic auth tests from the command line, but when using a browser such as netscape which should use BASIC auth mode, it denies with the same messages in the logs as IE failing on challenge/response.

-tail of access.log---
1096907971.215 4 192.168.1.110 TCP_DENIED/407 3715 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.779 3 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.840 11 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.848 7 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.003 7 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.010 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.487 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.493 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908018.007 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908018.013 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
---
--tail of cache.log
[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user [EMAIL PROTECTED] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2004/10/04 11:40:17| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2004/10/04 11:40:18, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user [EMAIL PROTECTED] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/04 11:40:18, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2004/10/04 11:40:18| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
-tail of log.winbindd--
[2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Unknown error -1765328228
[2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Unknown error -1765328228
[2004/10/04 11:43:01, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/10/04 11:43:01, 0] libads/kerberos.c:ads_kinit_password(136)
  kerberos_kinit_password host/HOST@ failed: Unknown error -1765328228
[2004/10/04 11:43:01, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Unknown error -1765328228
- - wbinfo -a
host:~ # wbinfo -a gooduser%goodpass
plaintext password authentication succeeded
challenge/response password authentication succeeded
- --wbinfo
Re: [squid-users] Re: performance
From: Matus UHLAR - fantomas [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: [squid-users] Re: performance Date: Sun, 3 Oct 2004 13:53:59 +0200 azeem ahmad wrote: since the day I got my cache full (two partitions of 3 gb each) I am facing the problem of low speed. On 02.10 20:29, Adam Aube wrote: If the proxy is slow after the cache fills up, then your system is likely running out of RAM and beginning to swap. What is the output of free? another possibility is that he filled up the filesystem too much, filesystems usually slow up when they are filled over 90%. The swap is being used on my system but only a little bit, like up to 15MB. It's a dual 667 pentium machine with 18GB 1RPM SCSI and 256 RD RAM. There are only 12 clients. Is it not enough for 12 clients? There are two cache disks, /cache1 and /cache2; both are separate partitions of 2950MB each and free space is 163MB on both disks. What should I do now? I have set cache_mem 32MB. Please help me out. Regards Azeem
[squid-users] Browser auto-complete and squid
Most web browsers have URL auto-completion. If you put a single-word URL in the location bar and the DNS lookup fails, the browser prepends www. and appends .com to the name, then tries again. If the new URL DNS lookup matches, the URL is loaded. So, if I type BBC into the location bar, bbc fails. The browser then tries www.bbc.com. This is valid. Mozilla will then take me to www.bbc.com (which in this case immediately redirects me to bbc.co.uk). When the browser points to a caching proxy, it never fails a DNS lookup, so the browser auto-complete never kicks in. I can't think of any browser-level solution; however, this functionality could easily be employed at the caching proxy level. I would like a way to set squid so that if it receives a one-word URL, it first tries to resolve the URL (it may be a valid hostname on the local network). If resolution fails, it tries prepending www and appending .com to the URL. If the new URL is valid, it sends the web browser a redirect to the new URL. This is important where I have deployed a cybercafe with Squid as the caching proxy; many users expect the URL auto-complete to work. Any ideas on how I could add this functionality to squid would be great.
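One way to get the behaviour requested above, as an added example rather than code from the post or from Squid: a redirector helper that tries www.NAME.com when a single-word host does not resolve. It assumes the Squid 2.5 redirector interface (request lines of the form "URL client/fqdn ident method", an empty reply to leave the URL unchanged, and a "302:" prefix to make Squid send a redirect); the function names are made up here.

```python
import socket
import sys
from urllib.parse import urlsplit


def resolves(host):
    """True when the system resolver can resolve the name."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def redirect_for(request_line, resolver=resolves):
    """Reply for one helper request line; '' tells Squid to leave the URL alone."""
    fields = request_line.split()
    if not fields:
        return ""
    try:
        url = urlsplit(fields[0])
        host, port = url.hostname or "", url.port
    except ValueError:  # malformed authority or port
        return ""
    # Only http requests for a single-label name (letters, digits, hyphen) qualify.
    single_label = host.isascii() and host.replace("-", "").isalnum()
    if url.scheme != "http" or not single_label:
        return ""
    if resolver(host):  # a valid local hostname is passed through untouched
        return ""
    candidate = "www." + host + ".com"
    if not resolver(candidate):
        return ""
    target = candidate + (":%d" % port if port else "")
    query = "?" + url.query if url.query else ""
    return "302:http://" + target + (url.path or "/") + query


def main():
    # Assumed helper protocol: one "URL client/fqdn ident method" line per request.
    for line in sys.stdin:
        sys.stdout.write(redirect_for(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request


if __name__ == "__main__":
    main()
```

Each lookup blocks the helper, so several helper processes are needed for more than a handful of clients.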
[squid-users] problem in https sites
Hi All, After successfully configuring squid for NTLM authentication, I am not able to access https sites, i.e. the first time I type the https URL in the IE browser it says Invalid URL (though the URL is correct), and the second time it goes through successfully after pressing the Go link in IE. Is there any option that needs to be set in the squid configuration? Has anybody faced this kind of problem? Can anybody please help me? Thanks in advance.
[squid-users] Re: reduce wan link traffic-- query
Joel n.solanki wrote: Now I want to test whether it is reducing the overall bandwidth or not. My squidclient mgr_client_list tells me this: HTTP: 195075 Requests, 57193 Hits ( 29%) So I guess hits is the bandwidth saving. Am I right?

No. This is the percentage of requests, not bytes, that have been served from the cache. For bandwidth savings, you need to measure the bytes. I would suggest using Calamaris (linked to from the Squid website, under Logfile Analysis). It parses your access.log and gives a variety of useful statistics, including bandwidth savings (the byte percentage of HITs). Adam
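To make the distinction in the reply above concrete, here is an added example (not from the thread, and not Calamaris) that computes both the request hit ratio and the byte hit ratio from native-format access.log lines. The sample lines are constructed, and treating every result code that contains HIT as a cache hit is an assumption of this example.

```python
from collections import namedtuple

Ratios = namedtuple("Ratios", "requests hits bytes_total bytes_hit request_pct byte_pct")

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1096908100.101 3 192.168.1.20 TCP_HIT/200 1000 GET http://example.com/logo.gif - NONE/- image/gif
1096908100.230 1 192.168.1.21 TCP_MEM_HIT/200 500 GET http://example.com/style.css - NONE/- text/css
1096908101.004 2 192.168.1.20 TCP_IMS_HIT/304 250 GET http://example.com/logo.gif - NONE/- image/gif
1096908105.870 912 192.168.1.22 TCP_MISS/200 48000 GET http://example.org/file.zip - DIRECT/192.0.2.10 application/zip
1096908106.020 40 192.168.1.21 TCP_MISS/200 250 GET http://example.net/ - DIRECT/192.0.2.20 text/html
this line is truncated
"""


def is_hit(result_field):
    """True when the result code (e.g. TCP_MEM_HIT/200) marks a cache hit."""
    return "HIT" in result_field.split("/")[0]


def hit_ratios(lines):
    """Count requests and reply bytes, overall and for cache hits only."""
    requests = hits = bytes_total = bytes_hit = 0
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or not fields[4].isdigit():
            continue  # skip blank, truncated or malformed lines
        size = int(fields[4])
        requests += 1
        bytes_total += size
        if is_hit(fields[3]):
            hits += 1
            bytes_hit += size
    request_pct = 100.0 * hits / requests if requests else 0.0
    byte_pct = 100.0 * bytes_hit / bytes_total if bytes_total else 0.0
    return Ratios(requests, hits, bytes_total, bytes_hit, request_pct, byte_pct)


if __name__ == "__main__":
    r = hit_ratios(SAMPLE_LOG.splitlines())
    print("request hit ratio: %.1f%% (%d of %d)" % (r.request_pct, r.hits, r.requests))
    print("byte hit ratio:    %.1f%% (%d of %d bytes)" % (r.byte_pct, r.bytes_hit, r.bytes_total))
```

On the constructed sample most requests are hits but almost all bytes come from one large miss, which is why the request percentage overstates the saving on the WAN link.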
[squid-users] Re: problem in https sites
Subramanian Narayanan wrote: After successfully configuring squid for NTLM authentication, I am not able to access https sites, i.e. the first time I type the https URL in the IE browser it says Invalid URL (though the URL is correct), and the second time it goes through successfully after pressing the Go link in IE.

Check under Internet Options - Advanced and make sure that IE is not set to use HTTP 1.1 through proxy connections. Adam
[squid-users] GET/PUT Question - AGAIN
Hello, I managed to get squid to accept a single file that I can push to it from a MS Windows application that I am developing. Now I am trying to send two during the same session. But I am having problems. BTW: squid is listening on 216.19.43.110:3128, and my Windows platform is pushing from 192.168.1.254

When I push the first file, squid comes back with 'HTTP/1.0 200 OK'. Using snort to monitor port 3128, I get:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/04-19:06:13.740922 216.19.43.110:3128 - 192.168.1.254:2160
TCP TTL:64 TOS:0x0 ID:34359 IpLen:20 DgmLen:40 DF
***A Seq: 0x40A75EE0 Ack: 0x7701A35C Win: 0x2DA0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/04-19:06:13.744075 216.19.43.110:3128 - 192.168.1.254:2160
TCP TTL:64 TOS:0x0 ID:34360 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x40A75EE0 Ack: 0x7701A35C Win: 0x2DA0 TcpLen: 20
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D HTTP/1.0 200 OK.
0A 00..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/04-19:06:13.744403 216.19.43.110:3128 - 192.168.1.254:2160
TCP TTL:64 TOS:0x0 ID:34361 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x40A75EF2 Ack: 0x7701A35C Win: 0x2DA0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/04-19:06:13.744573 192.168.1.254:2160 - 216.19.43.110:3128
TCP TTL:128 TOS:0x0 ID:60795 IpLen:20 DgmLen:40 DF
***A Seq: 0x7701A35C Ack: 0x40A75EF3 Win: 0xFADE TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

after squid receives and caches the first file. Then when I send the second file, I see it go past in snort, but squid doesn't acknowledge that it came in. No errors, nothing shows up as I am tailing on the cache.log (with custom debugging hooks), and nothing shows up in store.log or access.log. The file sizes are correct, and the 'PUT' header contains the correct Content-Length for the second file, but it will not cache.

What I see in snort after the second file transfers is a response back from squid:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/04-19:06:22.789730 216.19.43.110:3128 - 192.168.1.254:2160
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*R** Seq: 0x40A75EF3 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I don't know why squid is sending back ID:0, Ack:0x0, and Win:0x0. Am I missing something that my PUSH client is supposed to send squid to tell it to get ready for another file? Thanks, Murrah Boswell