[squid-users] SMP support

2004-10-14 Thread Olsson Mattias
Hi all!
I'm running squid on machines with dual cpus. Looking into top it looks 
like squid is just running on one cpu.
How do I enable smp support within squid when running ./configure?

Thanks guys!
/Mattias


RE: [squid-users] SMP support

2004-10-14 Thread Elsen Marc

 
> Hi all!
> 
> I'm running squid on machines with dual cpus. Looking into top 
> it looks like squid is just running on one cpu.
> How do I enable smp support within squid when running ./configure?
> 
 
 Squid doesn't 'use' SMP.

 M.


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Wed, 13 Oct 2004, Mark Krawec wrote:
> ldapsearch -D [EMAIL PROTECTED]  -w password -b "DC=scif,DC=com" -H
> ldaps://fddc02.scif.com:636/ -S /usr/local/ssl/certs -x
> "(SamAccountName=Squid1)" cn
> version: 2
> #
> # filter: (SamAccountName=Squid1)
> # requesting: cn
> #
> # Squid1 Proxy, FD, Fairfield, scif, com
> dn: CN=Squid1 Proxy,OU=FD,OU=Fairfield,DC=scif,DC=com
> cn: Squid1 Proxy
> echo "squid password" | /usr/local/squid/libexec/squid_ldap_auth -H
> ldaps://fddc02.scif.com:636/  -D "squid" -w "password" -P -b "DC=scif,DC=com"
> -f "(SamAccountName=Squid1)"
> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
> ERR

The search bind DN is not correct, and does not match your 
successful ldapsearch

To be least confusing you should specify a LDAP DN in both. Relying on 
the LDAP server to understand shorthand aliases like [EMAIL PROTECTED] can be 
a little confusing.

Regards
Henrik


Re: [squid-users] ldap_auth protocol error Msg

2004-10-14 Thread Henrik Nordstrom

On Wed, 13 Oct 2004, Digitalfx wrote:
> I'm getting this squid cache log error while trying to validate squid users 
> using slapd
> "squid_ldap_auth: WARNING, could not bind to binddn 'Protocol error' "

Can you bind to the DN using ldapsearch?

  ldapsearch -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w pass -h 192.168.2.107 uid=a_login_name

Regards
Henrik


Re: [squid-users] SMTP server

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Rahul Sinha wrote:
> I'll give a scenario.
> System#1 is running squid and no sendmail
> System#2 is running sendmail or any other smtp server
> System#1 wants to send email to [EMAIL PROTECTED] once the cache is full
> thru ( cache_mgr option in squid.conf)
> How do I configure System#1 to send email at [EMAIL PROTECTED]

By configuring the local MTA of System#1 to send all mail via System#2.
This is not a Squid question.

Note: Squid does NOT send emails when the cache is full, it simply starts 
deleting old no longer interesting stuff to make room for new more 
interesting objects to cache.

Regards
Henrik


Re: [squid-users] Questions about large files

2004-10-14 Thread Henrik Nordstrom
On Wed, 13 Oct 2004, Brennon Church wrote:
> I'm downloading a CD image at 600M.  Part-way through a download, the 
> download manager will tell me that the file is done. When I look at the file, 
> I see that it's not, it could be 20 Megs it could be 500 Megs

Anything in cache.log?
What is said in access.log?

> 2) After those times where a larger file (again, 600M or so) succeeds, the 
> object is there, and I'm able to download the file again from the cache 
> rather than directly from the site.  Shortly afterwards, however, the object 
> is overwritten by something else.

What cache_replacement_policy are you using?

Also enable log_mime_hdrs and make sure it is not your client which forces 
Squid to disregard the cache (the latter can be determined from 
access.log with log_mime_hdrs enabled).

It could also be that the server publishing the large file puts a limit on 
how long it may be cached, or a matter of your refresh_pattern settings.

Verify the object with the cacheability check engine if unsure. This 
explains a lot of the details on how caches determine how long an object 
may be cached.

Regards
Henrik


Re: [squid-users] Questions about large files

2004-10-14 Thread Henrik Nordstrom
On Wed, 13 Oct 2004, Brennon Church wrote:
> Nope.  The cache has plenty of space.  I've got it set to allow up to 10 
> gigs, and I'm the only one using it, and it's nowhere near 10 gigs.
> 
> I've tried using the standard lru and heap LFUDA.  Both have the same 
> problem.

Ok. So the problem is then either
 a) Your client forced Squid to fetch a new copy
 b) The object freshness lifetime had expired, and the server hosting the 
file does not allow Squid to query if the file has been modified or not.

Regards
Henrik


Re: [squid-users] How to enable SSL connect on httpd-accelerator mode?

2004-10-14 Thread 杨顶

I download the ssl patch and patched it.
 How can I do to configure the squid to do this?
 Browser<--ssl-->squid  squid <--ssl-->webserver ?
 Now my squid still use http connect to web server.I 


>   I use squid 2.5 stable6. Work on httpd-accelerator mode, and I use
> --enable-ssl to make the squid. Then I set "https_port 443
> cert=/etc/squid/squid.pem" in squid.conf. Now my Squid can accept https
> request, but when squid server receive https request, he connect the real
> web server USE http.

Correct.

>  My question is: how to configure squid to just 'tunnelling' the https
> request

You can't use a reverse-proxy to tunnel https. For this you need to use 
NAT or simple TCP plugs / port forwarder.

What you can do with Squid is to reverse-proxy https. There is then 
different SSL connections between the browser<->squid and 
squid<->webserver. This functionality is however not available in the 
Squid-2.5 distribution, but is available in the SSL update patch from 
http://devel.squid-cache.org/ (also available in the upcoming Squid-3.0 
release).

Regards
Henrik




Re: [squid-users] Why squid can not cache a file which a client use multi session download?

2004-10-14 Thread Vinod Patel
> But when I use multi
> session (some tools such as 'FlashGet' can support this) to download a file, it
> cannot be cached on the hard drive. How do I resolve this problem? Thanks

Squid does not support caching ranges (i.e. multi-sessions).



Re: [squid-users] Web radio and WMP9

2004-10-14 Thread Stefano
On Wed, 2004-10-13 at 18:04, [EMAIL PROTECTED] wrote:

> But...
> Launch Windows Media Player 9
> Select File, Open URL, type the address in the box 'http://bbwms.libero.it/lifegate'
> and I LISTEN STREAMING RADIO WITH NO TROUBLE
> 
> Why??
> 
> I've used an Italian tip too:
>   acl WMP browser Windows-Media-Player/*
>   http_access deny WMP 
> but it doesn't work at all.

Is the "--enable-useragent-log" feature enabled in your Squid version?

bye

S.





Re: [squid-users] Web radio and WMP9

2004-10-14 Thread gfvarone
Resolved:

1. Added the extensions .wma and .wmv to the following line
acl BloccoExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$
\.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$

2. I also created ACLs for the other 2 mime types (though perhaps they were
not needed)
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$

3. I also added this one...
acl WMP browser Windows-Media-Player/*

4. Created the rules
http_access deny BloccoExt !UtentiGold
http_access deny WMP !UtentiGold
http_access deny webRadioReq1 !UtentiGold
http_access deny webRadioReq2 !UtentiGold
http_access deny webRadioReq3 !UtentiGold

http_reply_access deny webRadioRep1 !UtentiGold
http_reply_access deny webRadioRep2 !UtentiGold
http_reply_access deny webRadioRep3 !UtentiGold

N.B. The UtentiGold list is a list of IPs of the machines of executives,
office managers, etc.

This way I cannot open a web radio (e.g. Radio Deejay or
Lifegate) either from IE6 or from WMP9... by clicking a link or typing the URL






Re: [squid-users] Transparent Cache

2004-10-14 Thread Henrik Nordstrom

On Wed, 13 Oct 2004, Alejandro Barcena wrote:
> Thanks for replying to my mail.
> It's very slow... and most of clients aren't getting back the page they asked 
> for, they just can't browse... but some do.
> 
> I've analyzed the log files, and I don't stop getting the:
> 2004/10/13 20:18:09| WARNING! Your cache is running out of filedescriptors
> 2004/10/13 20:18:25| WARNING! Your cache is running out of filedescriptors
> 2004/10/13 20:18:41| WARNING! Your cache is running out of filedescriptors
> 2004/10/13 20:18:57| WARNING! Your cache is running out of filedescriptors
> 2004/10/13 20:19:13| WARNING! Your cache is running out of filedescriptors

There can be a number of reasons for this
a) Your squid is really running out of file descriptors. This will happen 
if you throw a couple of thousand users at a Squid cache without tuning the 
number of filedescriptors (see FAQ).

b) Your Squid is overloaded, or most likely your cache_dir is. If using 
the default "ufs" cache_dir type then speed will be very much limited by 
the speed of your harddrive, and when this limit is reached performance 
quickly spirals down. Use "aufs/diskd" cache_dir types, and design the 
hardware correctly for the load you are planning.

Regards
Henrik



Re: [squid-users] problems with HTTP acceleration

2004-10-14 Thread Henrik Nordstrom

On Wed, 13 Oct 2004, Octopus wrote:
> ==> /var/log/squid/store.log <==
> 1097694326.802 RELEASE -1  5C70CA242C6B8B71BE14082A80D515C5  304
> 1097694336-1-1 unknown -1/0 GET
> http://HOST/webnativedoc/NEW/top_header.gif

Clear your browser cache before you start testing.

> ==> /var/log/squid/access.log <==
> 1097694562.077326 192.168.2.1 TCP_MISS/200 4586 GET
> http://HOST/webnative/getimage?-small+/mnt/IDERAID_01/tsi_1/current/covers/Jun2003.eps 
> - DIRECT/X.X.X.X image/jpeg

http://www.mnot.net/cacheability/

Also note that Squid won't cache requests requiring authentication unless 
the server says the content is public (Cache-Control: public). This is 
mandated by the HTTP RFC 2616.

> root # curl --head
> http://LOGIN:[EMAIL PROTECTED]/webnativedoc/images/NEW/wn_high.gif
> HTTP/1.1 200 OK
> Date: Wed, 13 Oct 2004 18:56:02 GMT
> Server: Apache/1.3.14 (Unix)
> Last-Modified: Fri, 09 Jan 2004 02:18:29 GMT
> ETag: "2c117ba-175-3ffe0f75"
> Accept-Ranges: bytes
> Content-Length: 373
> Content-Type: image/gif

This would have been cached if it wasn't for the fact that authentication 
is required and the server has not indicated the response is public.

> root # curl --head
> http://LOGIN:[EMAIL PROTECTED]/webnative/getimage?-small+/mnt/IDERAID_01/tsi_1/current/covers/Jun2003.eps
> HTTP/1.1 200 OK
> Date: Wed, 13 Oct 2004 19:08:33 GMT
> Server: Apache/1.3.14 (Unix)
> Content-length: 4301
> Content-Type: image/jpeg ; name="Jun2003.eps"

This normally won't be cached as there is no information to base freshness 
upon. No Expires, not Last-Modified, not Cache-Control: max-age. Nothing.

On both, see refresh_pattern, but you still need to solve the "public" 
criteria.

Regards
Henrik
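
The two checks described in the reply above, applied to the two `curl --head` responses quoted in it. This is an added example, not part of the original thread and not Squid code; the function names are hypothetical, and it models only the rules stated in the message (it does not model `refresh_pattern`).

```javascript
'use strict';

// Response heads copied from the message above.
const GIF_HEAD = `HTTP/1.1 200 OK
Date: Wed, 13 Oct 2004 18:56:02 GMT
Server: Apache/1.3.14 (Unix)
Last-Modified: Fri, 09 Jan 2004 02:18:29 GMT
ETag: "2c117ba-175-3ffe0f75"
Accept-Ranges: bytes
Content-Length: 373
Content-Type: image/gif`;

const JPEG_HEAD = `HTTP/1.1 200 OK
Date: Wed, 13 Oct 2004 19:08:33 GMT
Server: Apache/1.3.14 (Unix)
Content-length: 4301
Content-Type: image/jpeg ; name="Jun2003.eps"`;

// Parse a `curl --head` dump into a map keyed by lower-cased header name
// (HTTP header names are case-insensitive). The status line is skipped.
function parseHead(raw) {
  const headers = {};
  for (const line of raw.trim().split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Split Cache-Control into { directive: value | true }.
function cacheControl(headers) {
  const out = {};
  for (const part of (headers['cache-control'] || '').split(',')) {
    const [k, v] = part.trim().split('=');
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, '');
  }
  return out;
}

// Returns { cacheable, reasons } for a shared cache, using the two rules
// from the message: authenticated requests need Cache-Control: public,
// and the response needs something to base freshness on.
function explainCacheability(rawHead, requestWasAuthenticated) {
  const headers = parseHead(rawHead);
  const cc = cacheControl(headers);
  const reasons = [];
  if (requestWasAuthenticated && !cc.public) {
    reasons.push('authenticated request and no Cache-Control: public');
  }
  const hasFreshness =
    'expires' in headers || 'last-modified' in headers || 'max-age' in cc;
  if (!hasFreshness) {
    reasons.push('no Expires, Last-Modified or Cache-Control: max-age');
  }
  return { cacheable: reasons.length === 0, reasons };
}

// Both requests in the thread carried credentials (LOGIN:... in the URL).
console.log('gif :', explainCacheability(GIF_HEAD, true));
console.log('jpeg:', explainCacheability(JPEG_HEAD, true));
// Constructed variant: what the origin server would have to add.
console.log('gif + public:',
  explainCacheability(GIF_HEAD + '\nCache-Control: public', true));
```
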


RE: [squid-users] problem with cache store

2004-10-14 Thread Nont Banditwong
Thank you for your response. I have removed swap.state many times
as this mailing list advised but the warning message still appears, and
the system didn't crash before this message appeared.

Re: > 
Re: > Dear group
Re: > 
Re: > I have 2 squid 2.5.STABLE3 server on P-IV 2.8E ASUS P4P800-SE
Re: > RAM 2GB , 2 IDE harddisk 120GB for system and first cache_dir
Re: > and 40GB for cache only. Client request is about 400req/s and 2 cache 
Re: > use the same squid configuration.
Re: > 
Re: > The problem is a cache is after I found many warning message as below  :
Re: 
Re: > 2004/10/12 22:46:08| WARNING: newer swaplog entry for dirno 1, fileno
Re: > 8176
Re: >...
Re: >...
Re:  
Re: > 2004/10/14 10:04:36| storeAufsOpenDone: (2) No such file or directory
Re: > 2004/10/14 10:04:36|/var/cache/squid2/09/1F/00171F92
Re: > 
Re: 
Re: These message(s) may result from corrupted swap.state file(s) in one
Re: or more cache directories as a result of a system crash (e.g).
Re: You may try :
Re:  
Re: 1) shutdown SQUID
Re: 2) Remove swap.state file(s) in each cache directory
Re: 3) Start SQUID
Re: 
Re: Squid will rebuild these files based on objects 'really' available
Re: in the cache.
Re: Then these messages may disappear and or become much less
Re: frequent.
Re: 
Re: M.
Re: 



RE: [squid-users] problem with cache store

2004-10-14 Thread Elsen Marc

 
> 
> Thank you for your response. I have removed swap.state many times
> as this mailing list advised but the warning message still appears, and
> the system didn't crash before this message appeared.
>...
 

 You might try a more 'virgin' rebuild of the swap.state file(s),
 using :

   % squid -S -F

 when starting squid, after the swap.state file was earlier deleted.
 
 But that will  probably take some time, as SQUID will not serve
 any requests, then while this phase is running.

 M.


Re: [squid-users] Web radio and WMP9

2004-10-14 Thread gfvarone
I'm sorry, but I don't have the knowledge to recompile Squid.
In fact, I use the precompiled Windows versions provided by the good
Serassio, which I get along with wonderfully.

Obviously this solution does not fully solve the problem, because
I could use Real One Player and listen to the radios that use this
streaming (e.g. RIN).

However, if you want to cite my solution in the Squid Book, know that I am
honoured... you have my full consent.

Regards/GfV
>-- Original message --
>Subject: Re: [squid-users] Web radio and WMP9
>From: Stefano <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Date: Thu, 14 Oct 2004 12:23:27 +0200
>
>
>On Thu, 2004-10-14 at 12:00, [EMAIL PROTECTED] wrote:
>
>Hi,
>
>> Resolved:
>>
>> 1. Added the extensions .wma and .wmv to the following line
>> acl BloccoExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$
>> \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
>>
>> 2. I also created ACLs for the other 2 mime types (though perhaps they were
>> not needed)
>> acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
>> acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
>> acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
>> acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
>> acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
>> acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$
>>
>> 3. I also added this one...
>> acl WMP browser Windows-Media-Player/*
>>
>> 4. Created the rules
>> http_access deny BloccoExt !UtentiGold
>> http_access deny WMP !UtentiGold
>> http_access deny webRadioReq1 !UtentiGold
>> http_access deny webRadioReq2 !UtentiGold
>> http_access deny webRadioReq3 !UtentiGold
>>
>> http_reply_access deny webRadioRep1 !UtentiGold
>> http_reply_access deny webRadioRep2 !UtentiGold
>> http_reply_access deny webRadioRep3 !UtentiGold
>>
>> N.B. The UtentiGold list is a list of IPs of the machines of executives,
>> office managers, etc.
>>
>> This way I cannot open a web radio (e.g. Radio Deejay or
>> Lifegate) either from IE6 or from WMP9... by clicking a link or typing
>> the URL
>
>but have you tried recompiling Squid with the --enable-useragent-log option?
>
>in any case, if you give me your consent, I will cite your solution
>in the Squid-Book
>
>Bye
>
>S.
>
>




Re: [squid-users] Web radio and WMP9

2004-10-14 Thread gfvarone
English Version ;-)

Resolved:

1. Added the extensions .wma and .wmv at the following line, so it's impossible
to download these file types
acl BloccoExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$
\.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$

2. Created acl for the other 2 mime types (maybe not necessary)
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$

3. Added this too...
acl WMP browser Windows-Media-Player/*

4. Created following rules
http_access deny BloccoExt !UtentiGold
http_access deny WMP !UtentiGold
http_access deny webRadioReq1 !UtentiGold
http_access deny webRadioReq2 !UtentiGold
http_access deny webRadioReq3 !UtentiGold

http_reply_access deny webRadioRep1 !UtentiGold
http_reply_access deny webRadioRep2 !UtentiGold
http_reply_access deny webRadioRep3 !UtentiGold

Notes: UtentiGold is an ip list of privileged users (CEO, etc.)

In this mode, if I'm not a privileged user, I'm not able to open web radio
(example http://bbwms.libero.it/lifegate) with IE6 and WMP9, clicking on
a link or typing the url

Regards/GfV



Re: [squid-users] icap_access and external_acl does not work

2004-10-14 Thread Christoph Haas
On Wed, Oct 13, 2004 at 04:38:46PM +0200, Stephane DAVY wrote:
> Well, it works for me.
> I have something like that:
> 
> external_acl_type ldap_group %LOGIN bla-bla ldap bla
> 
> acl one_group external  ldap_group group_in_ldap
> http_access allow one_group
> 
> 
> icap_class one_class bla-bla
> icap_access one_class allow one_group
> 
> The trick is that you really need "http_access allow one_group", it is
> not enough to put http_access allow all

Yay, godlike! I never would have thought there would be a workaround for
this one. But in fact it works like a charm. This should perhaps become
an FAQ item (if the FAQ is still maintained). I found it very confusing
that the ACL was just plainly ignored even without any warning in the
cache.log.

Am I right that your solution makes Squid do the external_acl lookup and
store that information in the cache where other ACLs can read from? It
sounds like icap_access can handle both the mysterious "fast ACLs" and
the internal external_acl cache - but not the "slow external ACLs". Right?

Thanks a lot. This is the solution I've been searching for.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All


[squid-users] ldap_auth protocol error Msg

2004-10-14 Thread digitalfx



 yes i can, using ldapsearch with -x  option (simple authentication)
ldapsearch -x -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w
pass -h 192.168.2.107 uid=a_login_name
otherwise i get this bind msg: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

slapd ver is 2.1.30-2


 - Original Message - 
 From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
 To: "Digitalfx" <[EMAIL PROTECTED]>
 Cc: <[EMAIL PROTECTED]>
 Sent: Thursday, October 14, 2004 5:14 AM
 Subject: Re: [squid-users] ldap_auth protocol error Msg


 On Wed, 13 Oct 2004, Digitalfx wrote:
>> I'm getting this squid cache log error while trying to validate squid users
>> using slapd
>> "squid_ldap_auth: WARNING, could not bind to binddn 'Protocol error' "
>
> Can you bind to the DN using ldapsearch?
>
> ldapsearch -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w pass -h 192.168.2.107 uid=a_login_name
>
> Regards
> Henrik
>




[squid-users] problem with SSL logins

2004-10-14 Thread Clemson, Chris
Hello All!
I've just installed a new linux machine (SuSE 9.1) with squid Version
2.5.STABLE5, and i'm having a problem getting to a particular SSL site.

when i use this new machine, https sites seem to work fine, including
https://mail.salesforce.com, yet when you go to
https://mail.salesforce.com/exchange (which should display a prompt for a
login and password), it just fails with a server error 503 page.

when i try it using our old proxy (2.5.STABLE6), this site correctly
displays the login and password dialog.
i'm planning to upgrade the 2.5.STABLE5 server with 2.5.STABLE7 later, but
we used to use 2.5.STABLE5 on our old proxy and no-one reported any problems
with it.
am i right in thinking it's just a configuration problem?

i amended the squid.conf file that came with suse 9.1 slightly so it looks
more like our old proxy config, but nothing should be significantly
different.

Does anyone have any idea why the browser would not display the login and
password dialog and throw up the error?

thanks,

chris

-- 
The content of this e-mail is confidential, may contain privileged material
and is intended solely for the recipient(s) named above. If you receive this
in error, please notify Software AG immediately and delete this e-mail.

Software AG (UK) Limited
Registered in England & Wales 1310740
Registered Office: Hudson House, Hudson Way,
Pride Park, Derby DE24 8HS


RE: [squid-users] problem with SSL logins

2004-10-14 Thread Elsen Marc

 
> 
> Hello All!
> I've just installed a new linux machine (SuSE 9.1) with squid Version
> 2.5.STABLE5, and i'm having a problem getting to a particular 
> SSL site.
> 
> when i use this new machine, https sites seem to work fine, including
> https://mail.salesforce.com, yet when you go to
> https://mail.salesforce.com/exchange (which should display a 
> prompt for a
> login and password), it just fails with a server error 503 page.
> 
>
>...
 
 Normally, as it says 503, it is an error coming from the remote webserver.
 Some service unavailable error.

 Are you sure this was not a temp. hiccup of the remote webserver ?

 Well, at least here , on 2.5.STABLE7-RC2, it prompts for
 username/password (too).

 M.


[squid-users] Squid Cannot Support WebDAV

2004-10-14 Thread Patrick Eng

I have a network with more than 20 PCs going through
the squid proxy server installed on a linux partition.
The problem happen when the PC wanted to access
Outlook Web Access (OWA) it only can enter the page
with the icons all missing and under the inbox, it
will show "loading" and it stay like that forever.
The browser tested were IE 5.5 and above. When I use
Netscape and Mozilla FireFox, the messages in the
inbox appear but the icons still missing. I have look
into the net and found that squid is not able to
support WebDAV extension. 

The solutions I tried include

1. Installing Squid 2.5 Stable 6 since it is reported
that the latest version support all the extension
methods needed.

2. Secondly, I configure the squid myself by adding 
extension_methods into squid.conf. These methods
include PROPPATCH, DELETE, BDELETE, MOVE, BMOVE and etc
as posted in this forum itself.

However, all this method fail. I hope that there is a
better method to allow WebDAV to pass  the squid proxy
without bypassing it. Another question is does Squid
support WebDAV methods? If so, why the messages cannot
view in the mailbox? Or izzit becoz of Delta V
extension? Is there a solution for this problem? 
Please help me...THANX ...

Patrick






RE: [squid-users] problem with SSL logins

2004-10-14 Thread Clemson, Chris
> > Hello All!
> > I've just installed a new linux machine (SuSE 9.1) with 
> squid Version
> > 2.5.STABLE5, and i'm having a problem getting to a particular 
> > SSL site.
> > 
> > when i use this new machine, https sites seem to work fine, 
> including
> > https://mail.salesforce.com, yet when you go to
> > https://mail.salesforce.com/exchange (which should display a 
> > prompt for a
> > login and password), it just fails with a server error 503 page.
> > 
> >
> >...
>  
>  Normally, as it says 503, is an error coming from the remote 
> webserver.
>  Some service unavailable error.
> 
>  Are you sure this was not a temp. hiccup of the remote webserver ?

well, i thought so at first, yet after i'd got it to work successfully on
the "old" proxy, i went back to the "new" one which wasn't working before,
and even restarting IE etc. it still didn't work.

>  Well, at least here , on 2.5.STABLE7-RC2, it prompts for
>  username/password (too).

hmm, thanks for the reply. i'll try the new version later and see if that
does the trick.
thanks again,

chris



[squid-users] Many squids one point of authentication

2004-10-14 Thread Angela Williams
Hello!
I have a rather different request!
I have currently 3 squid servers 2.5stable3 and stable6. I currently use the 
sps.pac proxy autoconfig script together with standard NCSA authentication.
One problem has arisen and that is the need  for all my customers to 
authenticate 3 times! Any ideas as to being able to reduce this to a single 
authentication?
I have a basic LDAP server setup and have compiled squid2.5stable6 with 
support for LDAP and NCSA - well once I put the ldap libs in the right place! 
- if that might be of help. 

Cheers
Ang 
-- 
Angela Williams Enterprise Outsourcing
SCO Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!


Re: [squid-users] SMTP server

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Rahul Sinha wrote:
> Hi Henrik,
> This is regarding
> 
> Tag : cache_mgr
> Email address of local cache manager who will receive mail if the
> cache dies. The default is "webmaster"
> *
> cache_mgr [EMAIL PROTECTED]# eg. #
> Here if there is no sendmail running on squid machine how will the
> mail will be delivered to [EMAIL PROTECTED]

If you do not have a local MTA (Mail Transport Agent) then mail can not be 
delivered by the server.  Having a local MTA does not necessarily require 
sendmail, but sendmail does include the capability to act as a local MTA.

Regards
Henrik


Re: [squid-users] icap_access and external_acl does not work

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Christoph Haas wrote:
> Yay, godlike! I never would have thought there would be a workaround for
> this one. But in fact it works like a charm. This should perhaps become
> an FAQ item (if the FAQ is still maintained).

The FAQ is maintained, but very much relies on users submitting 
additions/changes.  The developers are all busy maintaining the Squid 
sources for you.

> Am I right that your solution makes Squid do the external_acl lookup and
> store that information in the cache where other ACLs can read from?

Yes, depending on the ttl.

> It sounds like icap_access can handle both the mysterious "fast ACLs" 
> and the internal external_acl cache - but not the "slow external ACLs". 
> Right?

No, icap_access can only handle fast ACL lookups where all needed 
information is priorly known.

external acls where the lookup has completed and is fresh (ttl not 
expired) are included in this category. The same also applies to any other 
ACL type requiring external lookups (i.e. DNS dependent acls such as dst / 
dstdomain / srcdomain)

The workaround is not 100% reliable. There is a small window where the ttl 
of the information the acl depends on may expire between http_access and 
icap_access (or whatever other "only fast acls" directive). But with 
properly selected ttls, and graceful fallbacks if the acl lookup fails 
then this shouldn't be much of an issue.

Regards
Henrik
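
A small model of the behaviour described in the reply above: a slow lookup in http_access fills the external ACL cache, a fast-only directive such as icap_access can only read it, and the result depends on the ttl. This is an added example, not part of the thread and not Squid source; the class and function names are hypothetical, and treating a missing or expired entry as "no match" is an assumption based on the observation earlier in the thread that the ACL was silently ignored.

```javascript
'use strict';

// Cache of external ACL helper results, keyed by user name.
class ExternalAclCache {
  constructor(ttlSeconds, helper) {
    this.ttl = ttlSeconds;
    this.helper = helper;      // stands in for the external_acl_type helper
    this.entries = new Map();  // user -> { result, expires }
  }

  // Slow path (what http_access may do): use a fresh entry if there is
  // one, otherwise ask the helper and remember the answer for ttl seconds.
  slowCheck(user, now) {
    const hit = this.entries.get(user);
    if (hit && hit.expires > now) return hit.result;
    const result = this.helper(user);
    this.entries.set(user, { result, expires: now + this.ttl });
    return result;
  }

  // Fast path (all that icap_access may do): never calls the helper.
  // Assumption: a missing or expired entry means the ACL does not match.
  fastCheck(user, now) {
    const hit = this.entries.get(user);
    return Boolean(hit && hit.expires > now && hit.result);
  }
}

// One request: http_access is evaluated at tHttpAccess, icap_access at
// tIcapAccess. In this model a user who fails the group rule is denied.
function handleRequest(cache, user, opts) {
  if (opts.httpAccessUsesGroup) {
    // "http_access allow one_group": triggers the external lookup.
    if (!cache.slowCheck(user, opts.tHttpAccess)) {
      return { allowed: false, icap: false };
    }
  }
  // With only "http_access allow all" no external lookup ever happens.
  return { allowed: true, icap: cache.fastCheck(user, opts.tIcapAccess) };
}

function runScenarios() {
  const inGroup = (user) => user === 'alice'; // constructed group membership
  const out = {};

  const a = new ExternalAclCache(60, inGroup);
  out.allowAllOnly = handleRequest(a, 'alice',
    { httpAccessUsesGroup: false, tHttpAccess: 0, tIcapAccess: 0.01 });

  const b = new ExternalAclCache(60, inGroup);
  out.withGroupRule = handleRequest(b, 'alice',
    { httpAccessUsesGroup: true, tHttpAccess: 0, tIcapAccess: 0.01 });

  // The window: the entry is still fresh at http_access time (59.9 s)
  // but has expired by the time icap_access is evaluated (60.1 s).
  out.ttlWindow = handleRequest(b, 'alice',
    { httpAccessUsesGroup: true, tHttpAccess: 59.9, tIcapAccess: 60.1 });

  // The next request refreshes the entry in http_access again.
  out.afterRefresh = handleRequest(b, 'alice',
    { httpAccessUsesGroup: true, tHttpAccess: 61, tIcapAccess: 61.01 });
  return out;
}

console.log(runScenarios());
```
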


Re: [squid-users] ldap_auth protocol error Msg

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, digitalfx wrote:
> yes i can, using ldapsearch with -x  option (simple authentication)
> ldapsearch -x -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w
> pass -h 192.168.2.107 uid=a_login_name
> otherwise i get this bind msg: Server is unwilling to perform (53)
> additional info: unauthenticated bind (DN with no password) disallowed

Odd. If ldapsearch works then squid_ldap_auth should work as well.
Does your directory really require binding to search? Does the following 
work?

  ldapsearch -x -b dc=mydomain,dc=com -h 192.168.2.107 uid=a_login_name

If it does, try using squid_ldap_auth in the same manner

  squid_ldap_auth -f uid=%s -b dc=mydomain,dc=com 192.168.2.107

You can also try using the -1 option (oneshot).

Regards
Henrik


Re: [squid-users] problem with SSL logins

2004-10-14 Thread Henrik Nordstrom

On Thu, 14 Oct 2004, Clemson, Chris wrote:
> when i use this new machine, https sites seem to work fine, including
> https://mail.salesforce.com, yet when you go to
> https://mail.salesforce.com/exchange (which should display a prompt for a
> login and password), it just fails with a server error 503 page.

Anything in cache.log?
What is said in access.log?

Regards
Henrik


Re: [squid-users] Squid Cannot Support WebDAV

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Patrick Eng wrote:
> I have a network with more than 20 PCs going through
> the squid proxy server installed on a linux partition.
> The problem happen when the PC wanted to access
> Outlook Web Access (OWA) it only can enter the page
> with the icons all missing and under the inbox, it
> will show "loading" and it stay like that forever.

Anything in cache.log?

Regards
Henrik


Re: [squid-users] Many squids one point of authentication

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Angela Williams wrote:
> One problem has arisen and that is the need  for all my customers to
> authenticate 3 times! Any ideas as to being able to reduce this to a single
> authentication?

The problem you are seeing is that Basic proxy authentication is per 
proxy. The browser won't send the same login+password to another proxy 
without first asking the user.

To solve this you need to either use Digest authentication with the same 
realm on all proxies (and hope the browsers handle this correctly), or use 
a DNS round-robin entry to distribute the clients among the caches and 
return only this DNS entry in proxy.pac. You could also set up the 
proxy.pac to statically select only one of the proxies for the duration of 
the session.

Regards
Henrik


Re: [squid-users] Many squids one point of authentication

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Henrik Nordstrom wrote:

> To solve this you need to either use Digest authentication with the same
> realm on all proxies (and hope the browsers handle this correctly)

My error. Digest authentication does not support multi-proxy
authentication, and like Basic the authentication is per proxy.

Regards
Henrik
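
The proxy.pac approach suggested in this thread (statically select one proxy per client so Basic credentials are only requested once), as an added example that is not part of the original posts. The three proxy names are constructed placeholders and `hashIp`/`pickProxy` are hypothetical helper names; `FindProxyForURL` and `myIpAddress` are the standard PAC entry point and built-in.

```javascript
// proxy.pac sketch: pin each client to ONE of the proxies so the browser
// only ever talks to (and authenticates against) a single proxy.
// Proxy names below are constructed placeholders, not from the thread.
var PROXIES = [
  "proxy1.example.net:3128",
  "proxy2.example.net:3128",
  "proxy3.example.net:3128"
];

// Small deterministic hash over the dotted address. Non-numeric parts
// (for example an IPv6 literal) count as 0, so the result is still stable.
function hashIp(ip) {
  var parts = String(ip).split(".");
  var h = 0;
  for (var i = 0; i < parts.length; i++) {
    h = (h * 31 + (parseInt(parts[i], 10) || 0)) % 65521;
  }
  return h;
}

// Same client address in, same proxy out, for every URL and every request.
function pickProxy(clientIp) {
  return PROXIES[hashIp(clientIp) % PROXIES.length];
}

// PAC entry point. myIpAddress() is supplied by the browser's PAC runtime.
// Only one proxy is returned on purpose: listing a second one as fallback
// would let the browser switch proxies and prompt for credentials again.
function FindProxyForURL(url, host) {
  return "PROXY " + pickProxy(myIpAddress());
}
```

The trade-off is availability: with a single proxy per client there is no automatic failover if that proxy is down. If `myIpAddress()` returns a different address (multi-homed or re-addressed client), the client may be mapped to another proxy and be prompted again.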


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec
I think I'm using a consistent search bind DN and still getting an error after
the 2003 upgrade.

Successful ldapsearch query:
ldapsearch -b "DC=scif, DC=com"  -D "CN=Squid1, OU=FD, OU=Fairfield, DC=scif,
DC=com" -w "password" -H ldaps://fddc02.scif.com:636/ -S /usr/local/ssl/certs
-x "(SamAccountName=Squid1)" cn
version: 2

#
# filter: (SamAccountName=Squid1)
# requesting: cn
#

# Squid1 Proxy, FD, Fairfield, scif, com
dn: CN=Squid1 Proxy,OU=FD,OU=Fairfield,DC=scif,DC=com
cn: Squid1 Proxy

squid_ldap_auth query fails:
echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1, OU=FD, OU=Fairfield, DC=scif,
DC=com" -w "password" -P -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Any ideas on why squid_ldap_auth fails and ldapsearch succeeds?  The same
squid_ldap_auth query was working until our domain controllers were upgraded
to 2003.

Thanks,

Mark

On Thu, 14 Oct 2004 10:12:43 +0200 (CEST), Henrik Nordstrom wrote
> 
> The search bind DN is not correct, and does not match your 
> successful ldapsearch
> 
> To be least confusing you should specify a LDAP DN in both. Relying 
> on the LDAP server to understand shorthand aliases like 
> [EMAIL PROTECTED] can be a little confusing.
> 
> Regards
> Henrik


___
Mark Krawec  [EMAIL PROTECTED]
"Earth First"(We'll strip mine the other planets later)



Re: [squid-users] problems with HTTP acceleration

2004-10-14 Thread Octopus
Thank you so much Henrik!

> > ==> /var/log/squid/access.log <==
> > 1097694562.077326 192.168.2.1 TCP_MISS/200 4586 GET
> > http://HOST/webnative/getimage?-small+/mnt/IDERAID_01/tsi_1/current/covers/Jun2003.eps
> >  - DIRECT/X.X.X.X image/jpeg
> 
> http://www.mnot.net/cacheability/
> 
> Also note that Squid won't cache requests requiring authentication unless 
> the server says the content is public (Cache-Control: public). This is 
> mandated by the HTTP RFC 2616.

Is there some way to override this behavior in squid outside of me
hacking the code?

> > root # curl --head
> > http://LOGIN:[EMAIL 
> > PROTECTED]/webnative/getimage?-small+/mnt/IDERAID_01/tsi_1/current/covers/Jun2003.eps
> > HTTP/1.1 200 OK
> > Date: Wed, 13 Oct 2004 19:08:33 GMT 
> > Server: Apache/1.3.14 (Unix)
> > Content-length: 4301
> > Content-Type: image/jpeg ; name="Jun2003.eps"
> 
> 
> This normally won't be cached as there is no information to base freshness 
> upon. No Expires, not Last-Modified, not Cache-Control: max-age. Nothing.
> 
> On both, see refresh_pattern, but you still need to solve the "public" 
> criteria.

Excellent: refresh_pattern looks perfect.  Assuming I get the public
issue resolved and the refresh pattern acceptable, will squid be able to
handle these dynamic pages given that the actual unique file name is
AFTER the "?" in the URL?  By default the logs truncate everything after
the "?" and I worry that it might also truncate the rest of the URL when
doing the hash algorithm for cached objects.

Thanks,
Octo



[squid-users] Active Directory

2004-10-14 Thread Strickland, Lawrence P
Can I use Active Directory authentication with Squid?


[squid-users] ldap_auth protocol error Msg

2004-10-14 Thread digitalfx
  ldapsearch -x -b dc=mydomain,dc=com -h 192.168.2.107 uid=a_login_name
  and
  ldapsearch -x -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w
  pass -h 192.168.2.107 uid=a_login_name

  Works perfect.

  There is no "squid_ldap_auth" command

  If i use:
  ldap_auth -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w
  pass -h 192.168.2.107 uid=a_login_name i get the err.

  If I use:
  ldap_auth -x -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w
  pass -h 192.168.2.107 uid=a_login_name
  it says:
  squid_ldap_auth: ERR: Unknown command line option 'x'

  I don't have any idea why I can bind from the command line to the ldap server,
and the ldap_auth module can't.

  PS: the ldap_auth module doesn't list "-1" as an option

  Regards.




  On Thu, 14 Oct 2004, digitalfx wrote:

  > yes i can, using ldapsearch with -x option (simple authentication)
  > ldapsearch -x -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w pass -h 192.168.2.107 uid=a_login_name
  > otherwise i get this bind msg: Server is unwilling to perform (53)
  > additional info: unauthenticated bind (DN with no password) disallowed


  Odd. If ldapsearch works then squid_ldap_auth should work as well.

  Does your directory really require binding to search? Does the
following work?

  ldapsearch -x -b dc=mydomain,dc=com -h 192.168.2.107 uid=a_login_name

  If it does, try using squid_ldap_auth in the same manner

  squid_ldap_auth -f uid=%s -b dc=mydomain,dc=com 192.168.2.107

  You can also try using the -1 option (oneshot).

  Regards
  Henrik

From: Henrik Nordstrom <[EMAIL PROTECTED]>
To: digitalfx <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] ldap_auth protocol error Msg
Sent: Thursday, October 14, 2004 4:22:44 PM

- Original Message - 
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Digitalfx" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 14, 2004 5:14 AM
Subject: Re: [squid-users] ldap_auth protocol error Msg


> On Wed, 13 Oct 2004, Digitalfx wrote:
>
> > Im getting this squid cache log error while trying to validate squid users
> > using slapd
> > "squid_ldap_auth: WARNING, could not bind to binddn 'Protocol error' "
>
> Can you bind to the DN using ldapsearch?
>
> ldapsearch -b dc=mydomain,dc=com -D cn=admin,dc=mydomain,dc=com -w pass -h 192.168.2.107 uid=a_login_name
>
> Regards
> Henrik



Re: [squid-users] icap_access and external_acl does not work

2004-10-14 Thread Christoph Haas
On Thu, Oct 14, 2004 at 06:20:07PM +0200, Henrik Nordstrom wrote:
> The FAQ is maintained, but very much relies on users submitting 
> additions/changes.  The developers are all busy maintaining the Squid 
> sources for you.

For me personally? Great. ;) Seriously... I'll prepare a paragraph.

> No, icap_access can only handle fast ACL lookups where all needed 
> information is priorly known.
> 
> external acls where the lookup has completed and is fresh (ttl not 
> expired) is included in this category. The same also applies to any other 
> ACL type requiring external lookups (i.e. DNS dependent acls such as dst / 
> dstdomain / srcdomain)
> 
> The workaround is not 100% reliable. There is a small window where the ttl 
> of the information the acl depends on may expire between http_access and 
> icap_access (or whatever other "only fast acls" directive). But with 
> properly selected ttls, and graceful fallbacks if the acl lookup fails 
> then this shouldn't be much of an issue.

Just to be sure: when I run through an "http_access allow ldapgroup42"
wouldn't then the cache be refreshed? So if I do the icap_access right
after that I would always have this information in the cache, right?
(Assumed that the TTL is greater than the time needed to lookup the LDAP
group. My TTL is set to 60 seconds.)

I also assume that this behavior will not be removed shortly. Right?

I'm about to use this setup in production that's why I'd like to make it
clear for myself. Thanks.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All


Re: [squid-users] problems with HTTP acceleration

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Octopus wrote:

> Is there some way to override this behavior in squid outside of me
> hacking the code?

No.

But there was a patch posted some weeks back which added options for this
to refresh_pattern IIRC.

> Excellent: refresh_pattern looks perfect.  Assuming I get the public
> issue resolved and the refresh pattern acceptable, will squid be able to
> handle these dynamic pages given that the actual unique file name is
> AFTER the "?" in the URL?

Yes, unless you also tell Squid to explicitly not cache such URLs (see
squid.conf documentation).

> By default the logs truncate everything after the "?" and I worry that
> it might also truncate the rest of the URL when doing the hash algorithm
> for cached objects

See squid.conf documentation. This is a security measure to avoid having
too much sensitive information in the access.log.

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:

> Any ideas on why squid_ldap_auth fails and ldapsearch succeeds?  The same
> squid_ldap_auth query was working until our domain controllers were upgraded
> to 2003.

You could try using the -O (once) option to squid_ldap_auth. (in a
previous message I said -1, meant -O). I know this was required to operate
properly with Novell NDS and I would not be surprised if it is required in
other directories as well.

Squid-2.5.STABLE7 required as the option is fairly new.

Regards
Henrik


Re: [squid-users] Active Directory

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Strickland, Lawrence P wrote:

> Can I use Active Directory authentication with Squid?

Yes, either by accessing Active Directory using LDAP, or via Samba
member server services (winbind).

Regards
Henrik


Re: [squid-users] icap_access and external_acl does not work

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Christoph Haas wrote:

> Just to be sure: when I run through an "http_access allow ldapgroup42"
> wouldn't then the cache be refreshed?

Yes, at the time of http_access.

> So if I do the icap_access right
> after that I would always have this information in the cache, right?

Provided there is absolutely nothing else within Squid which delays the
request until icap_access is reached. I am not 100% familiar with where
icap_access is in the code but there are numerous points where requests may
be delayed within Squid

  - http_access acl processing
  - redirectors
  - peer selection
  - and many more.

If I am not mistaken the icap_access is after redirectors, so if you use
redirectors there is a window while the request is being processed by the
redirector where the cached acl information may expire between http_access
and icap_access.

> (Assumed that the TTL is greater than the time needed to lookup the LDAP
> group. My TTL is set to 60 seconds.)

The TTL is counted from the time the answer arrives.

> I also assume that this behavior will not be removed shortly. Right?

Which?

The TTL is there permanently.

Over time more and more of the "fast only" acl lookups get converted to
full acl lookups, allowing Squid to postpone the processing of the request
until the required information is available.

Regards
Henrik
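
The expiry window between http_access and icap_access discussed in this thread, as an added timing model that is not Squid source code and not part of the original posts. It assumes one cache key, that a fresh cached answer is reused without asking the helper again, a 200 ms helper lookup and a 1500 ms redirector delay; only the 60 second TTL comes from the thread, and all class and function names are hypothetical.

```javascript
// Simplified timing model of a cached external ACL result for ONE cache key
// (for example one user's LDAP group answer). Not Squid source code.
// All times are in milliseconds to keep the arithmetic exact.
class ExternalAclCache {
  constructor(ttlMs, helperLookupMs) {
    this.ttlMs = ttlMs;
    this.helperLookupMs = helperLookupMs;
    this.expiresAt = null; // no answer cached yet
  }

  isFresh(now) {
    return this.expiresAt !== null && now < this.expiresAt;
  }

  // Full ("slow") lookup as done for http_access: the request may wait for
  // the helper. Assumption: a fresh cached answer is reused and its expiry
  // is NOT extended.
  slowCheck(now) {
    if (this.isFresh(now)) {
      return { doneAt: now, helperAsked: false };
    }
    const answeredAt = now + this.helperLookupMs;
    // The TTL is counted from the time the answer arrives.
    this.expiresAt = answeredAt + this.ttlMs;
    return { doneAt: answeredAt, helperAsked: true };
  }

  // "Fast only" lookup as done for icap_access: it cannot wait for the
  // helper, so an expired or missing answer means the ACL cannot be evaluated.
  fastCheck(now) {
    return this.isFresh(now);
  }
}

// One request: http_access, then a delay (redirector, peer selection, ...),
// then icap_access.
function simulateRequest(cache, arrivalMs, delayMs) {
  const http = cache.slowCheck(arrivalMs);
  const icapAt = http.doneAt + delayMs;
  return {
    arrivalMs,
    helperAskedAtHttpAccess: http.helperAsked,
    icapAt,
    aclKnownAtIcapAccess: cache.fastCheck(icapAt),
  };
}

// Constructed scenario: ttl=60 s as in the thread; the helper lookup time
// and the redirector delay are assumed values.
function runScenario() {
  const cache = new ExternalAclCache(60000, 200);
  const arrivals = [0, 30000, 59500, 61000];
  return arrivals.map((t) => simulateRequest(cache, t, 1500));
}

for (const r of runScenario()) {
  console.log(
    `arrival=${r.arrivalMs}ms helperAsked=${r.helperAskedAtHttpAccess} ` +
    `icap_access at ${r.icapAt}ms aclKnown=${r.aclKnownAtIcapAccess}`
  );
}
```

In this model the request arriving at 59.5 s passes http_access on the still-fresh answer but reaches icap_access after it has expired, so only requests that arrive within the delay interval before expiry are affected.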


Re: [squid-users] Transparent Cache

2004-10-14 Thread Alejandro Barcena
Henrik Nordstrom wrote:

> There can be a number of reasons to this
>
> a) Your squid is really running out of file descriptors. This will
> happen if you throw a couple of thousand users at a Squid cache without
> tuning the number of filedescriptors (see FAQ).
>
> b) Your Squid is overloaded, or most likely your cache_dir is. If using
> the default "ufs" cache_dir type then speed will be very much limited by
> the speed of your harddrive, and when this limit is reached performance
> quickly spirals down. Use "aufs/diskd" cache_dir types, and design the
> hardware correctly for the load you are planning.
>
> Regards
> Henrik

I have read the FAQ.
[EMAIL PROTECTED] squid]# ulimit -n
1024
[EMAIL PROTECTED] root]# cat /proc/sys/fs/file-max
 104854
[EMAIL PROTECTED] root]# ulimit -HSn 10
[EMAIL PROTECTED] root]# ulimit -n
10
Then I edit the /etc/squid/squid.conf and change the max_open_disk_fds:
 max_open_disk_fds 10
[EMAIL PROTECTED] root]# /etc/init.d/squid restart
[EMAIL PROTECTED] root]# cat /var/log/squid/cache.log |grep descriptors
 2004/10/14 16:00:18| With 1024 file descriptors
I understand that squid needs to be recompiled, could someone help me 
with the parameters for recompiling squid? I'm trying to give 
transparent cache for a lot of users.

In the meantime, I reduced the users connected to squid, and the 
"WARNING! Your cache is running out of filedescriptors" doesn't appear 
anymore but I still have users that don't get a response from the 
transparent cache.

Thanks,
Alejandro


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec
I'm using the 3.0 helper so it was easy to try this with -O and I still get
the error.  I tried it with and without -P and it still throws an error.  Am I
the only person having this problem?  To summarize Squid 2.5STABLE6 on RH7.3
using squid_ldap_auth to authenticate.  I now get the error below when trying
to authenticate after our domain controllers were upgraded to W2003.  The same
query worked against W2000 domain controllers.  A similar ldapsearch query
with the same settings works fine.

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Thanks again for the help,

Mark

On Thu, 14 Oct 2004 22:57:45 +0200 (CEST), Henrik Nordstrom wrote

> You could try using the -O (once) option to squid_ldap_auth. (in a 
> previous message I said -1, meant -O). I know this was required to 
> operate properly with Novell NDS and I would not be surprised if it 
> is required in other directories as well.
> 
> Squid-2.5.STABLE7 required as the option is fairly new.
> 
> Regards
> Henrik


___
Mark Krawec  [EMAIL PROTECTED]
"Earth First"(We'll strip mine the other planets later)



Re: [squid-users] Transparent Cache

2004-10-14 Thread Henrik Nordstrom

On Thu, 14 Oct 2004, Alejandro Barcena wrote:

> I have read the FAQ.
> [EMAIL PROTECTED] squid]# ulimit -n
> 1024
> [EMAIL PROTECTED] root]# cat /proc/sys/fs/file-max
> 104854
> [EMAIL PROTECTED] root]# ulimit -HSn 10
> [EMAIL PROTECTED] root]# ulimit -n
> 10
> Then I edit the /etc/squid/squid.conf and change the max_open_disk_fds:
> max_open_disk_fds 10

Read the FAQ again. This parameter is not related.

> I understand that squid needs to be recompiled, could someone help me with
> the parameters for recompiling squid? I'm trying to give transparent cache
> for a lot of users.

See the INSTALL file.

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:

> I'm using the 3.0 helper so it was easy to try this with -O and I still get
> the error.

Please try with the helper from 2.5.STABLE7. Not 100% sure how up to date
the 3.0 helper is at the moment (probably is, but just to be sure..)

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec

I tried it with the helper from 2.5.STABLE7 and get the same error:

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Let me know if you have any other ideas or want me to run any more tests.

Thanks,

Mark


On Thu, 14 Oct 2004 23:36:55 +0200 (CEST), Henrik Nordstrom wrote

> 
> Please try with the helper from 2.5.STABLE7. Not 100% sure how up to 
> date the 3.0 helper is at the moment (probably is, but just to be 
> sure..)
> 
> Regards
> Henrik


___
Mark Krawec  [EMAIL PROTECTED]
"Earth First"(We'll strip mine the other planets later)



Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:

> I tried it with the helper from 2.5.STABLE7 and get the same error:
> echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
> ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
> DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
> squid_ldap_auth: WARNING, LDAP search error 'Operations error'
> ERR
> Let me know if you have any other ideas or want me to run any more tests.

And you are positively sure that ldapsearch -x using the exact same data
works?

Regards
Henrik


Re: [squid-users] New exploit? Two squid proxies simultaneously spike to 99 percent CPU utilization.

2004-10-14 Thread Henrik Nordstrom
On Mon, 11 Oct 2004, Spam wrote:

> I use Big Sister to monitor my networks.  Earlier today, I began getting
> CPU utilization messages on two of my proxies.  Each proxy was reporting
> 99 percent utilization, caused by the squid process. These proxies are
> located at completely different businesses located on opposite ends of
> town, and they have no affiliation with each other.

This harmless problem has now been identified and fixed thanks to the
hints collected about MSN not being reachable at the time etc.

  http://www.squid-cache.org/Versions/v2/2.5/bugs/

The problem exists in all Squid-2.5 releases, maybe earlier as well.

Regards
Henrik


[squid-users] NTLM Auth Problem.

2004-10-14 Thread Hal Douglas
 
Hi all.
 
I need some help sorting out a problem I've got with ntlm_auth using squid
and winbind.  I'm using Squid-2.5.STABLE6 and Samba 3.0.7.
 
I've setup squid and samba from source, and configured them, all according
to the documentation found here:
 
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
 
I'm sure I've done everything right, according to the docco, but when the
user requests a site, the challenge/response auth fails, and the user is
prompted for a username and password (using basic auth as a fallback), which
succeeds.
 
I've done a lot of troubleshooting, and tried a lot of things to get this
working.  I'm running on Debian 3.0r2, but I had much the same problem on
FC2.  Everything during setup seemed to work.  The following gives the
result:
 
# wbinfo -t
checking the trust secret via RPC calls succeeded
 
# wbinfo -a username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

However, if I do as per the docs I'm following:
 
# wbinfo -a mydomain\\username%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user mydomain\username%password with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user mydomain\username with challenge/response
 
But, doing:
 
# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+username password
OK
 
Seems to be working there, but the browser still doesn't authenticate.  With
the debugging turned on, I get this in the cache log:
 
2004/10/14 16:15:59| aclMatchAclList: checking AuthorizedUsers
2004/10/14 16:15:59| aclMatchAcl: checking 'acl AuthorizedUsers proxy_auth
REQUIRED'
2004/10/14 16:15:59| authenticateValidateUser: Auth_user_request was NULL!
2004/10/14 16:15:59| authenticateAuthenticate: broken auth or no proxy_auth
header. Requesting auth header.
2004/10/14 16:15:59| aclMatchAcl: returning 0 sending authentication
challenge.
2004/10/14 16:15:59| aclMatchAclList: no match, returning 0
2004/10/14 16:15:59| aclCheck: match found, returning 2
2004/10/14 16:15:59| cbdataUnlock: 0x81eadf8
2004/10/14 16:15:59| aclCheckCallback: answer=2
2004/10/14 16:15:59| cbdataValid: 0x83d7430
2004/10/14 16:15:59| The request GET http://slashdot.org/ is DENIED, because
it matched 'AuthorizedUsers'
 
Searching around for that error I found that someone had suggested this was
due to squid not being able to access winbinds privileged pipe, however,
squid runs as the user and group "squid", and these are the perms on the
directory in question:
 
drwxr-s---    2 root     squid        4096 Oct 14 15:09
/usr/local/samba/var/locks/winbindd_privileged
 
Seems okay to me, and consistent with the info on giving squid access to
winbinds privileged pipe in the squid FAQ mentioned above.
 
So, does anyone know what I've done wrong here, if anything?  It seems to me
that it SHOULD be working, unless I've got something wrong in the squid or
samba .conf files.  I won't post those, because this email is long enough
already, but I'll provide links to them.
 
Squid.conf:
 
http://users.bigpond.com/xdouglas/stuff/4work/squid.conf
 
Smb.conf:
 
http://users.bigpond.com/xdouglas/stuff/4work/smb.conf
 
Any help with this problem would be greatly appreciated.
 
Thanks.


 


---
Hal Douglas
I.T. Administrator
Marist Regional College
Email: [EMAIL PROTECTED]  
---


Re: [squid-users] Squid Cannot Support WebDAV

2004-10-14 Thread Patrick Eng

Hi Mr Henrik,

Thanks for your reply to my post. I have checked the
cache log and I only found these:

2004/10/15 09:11:37| Starting Squid Cache version
2.5.STABLE6 for i686-pc-linux-gnu...
2004/10/15 09:11:37| Process ID 1029
2004/10/15 09:11:37| With 1024 file descriptors
available
2004/10/15 09:11:37| Performing DNS Tests...
2004/10/15 09:11:37| Successful DNS name lookup
tests...
2004/10/15 09:11:37| DNS Socket created at 0.0.0.0,
port 1026, FD 4
2004/10/15 09:11:37| Adding nameserver 200.71.122.100
from /etc/resolv.conf
2004/10/15 09:11:37| Adding nameserver 200.71.122.99
from /etc/resolv.conf
2004/10/15 09:11:37| Unlinkd pipe opened on FD 9
2004/10/15 09:11:37| Swap maxSize 102400 KB, estimated
7876 objects
2004/10/15 09:11:37| Target number of buckets: 393
2004/10/15 09:11:37| Using 8192 Store buckets
2004/10/15 09:11:37| Max Mem  size: 8192 KB
2004/10/15 09:11:37| Max Swap size: 102400 KB
2004/10/15 09:11:37| Rebuilding storage in
/var/spool/squid (DIRTY)
2004/10/15 09:11:37| Using Least Load store dir
selection
2004/10/15 09:11:37| Current Directory is /
2004/10/15 09:11:37| Loaded Icons.
2004/10/15 09:11:37| Accepting HTTP connections at
0.0.0.0, port 3128, FD 11.
2004/10/15 09:11:37| Accepting ICP messages at
0.0.0.0, port 3130, FD 12.
2004/10/15 09:11:37| WCCP Disabled.
2004/10/15 09:11:37| Ready to serve requests.
2004/10/15 09:11:40| Done reading /var/spool/squid
swaplog (1381 entries)
2004/10/15 09:11:40| Finished rebuilding storage from
disk.
2004/10/15 09:11:40|  1381 Entries scanned
2004/10/15 09:11:40| 0 Invalid entries.
2004/10/15 09:11:40| 0 With invalid flags.
2004/10/15 09:11:40|  1381 Objects loaded.
2004/10/15 09:11:40| 0 Objects expired.
2004/10/15 09:11:40| 0 Objects cancelled.
2004/10/15 09:11:40| 0 Duplicate URLs purged.
2004/10/15 09:11:40| 0 Swapfile clashes
avoided.
2004/10/15 09:11:40|   Took 2.1 seconds ( 642.6
objects/sec).
2004/10/15 09:11:40| Beginning Validation Procedure
2004/10/15 09:11:40|   Completed Validation Procedure
2004/10/15 09:11:40|   Validated 1381 Entries
2004/10/15 09:11:40|   store_swap_size = 16800k
2004/10/15 09:11:40| storeLateRelease: released 0
objects

I can't find any clue related to WebDAV. While in the
access log I found these:

1095653986.471682 192.168.0.3 TCP_MISS/401 273 GET
http://200.126.70.241/exchange - DIRECT/200.126.70.241
text/html
1095654013.098480 192.168.0.3 TCP_MISS/302 367 GET
http://200.126.70.241/exchange - DIRECT/200.126.70.241
text/html
1095654013.201102 192.168.0.3 TCP_MISS/200 1337
GET http://200.126.70.241/exchange/ -
DIRECT/200.126.70.241 text/html
1095654013.327125 192.168.0.3 TCP_MISS/200 9333
GET http://200.126.70.241/exchange/patrick.eng/? -
DIRECT/200.126.70.241 text/html
1095654013.381 43 192.168.0.3 TCP_MISS/200 18101
GET http://200.126.70.241/exchange/patrick.eng/Inbox/?
- DIRECT/200.126.70.241 text/html
1095654016.862383 192.168.0.3 TCP_MISS/200 382
SUBSCRIBE
http://200.126.70.241/exchange/patrick.eng/Calendar -
DIRECT/200.126.70.241 -
1095654016.864 31 192.168.0.3 TCP_MISS/200 427
SUBSCRIBE
http://200.126.70.241/exchange/patrick.eng/Inbox -
DIRECT/200.126.70.241 - 


Hopefully these logs could give you some clue on my
problem. Anyway, thanks.

Patrick Eng





Re: [squid-users] Why squid can not cache a file which a client use multi session download?

2004-10-14 Thread yang jianzhou
Then, how do I resolve my problem? I tried using maxconn to limit some
download files (such as an mp3 file) to only one connection. It works (now my
clients can only use one session to download these files), but it does not work
well (sometimes it fails, and a client can download only one file at a time even
though they are different files). Do you have any other suggestions?

From: "Vinod Patel" <[EMAIL PROTECTED]>
To: "yang jianzhou" <[EMAIL PROTECTED]>
Subject: Re: [squid-users] Why squid can not cache a file which a client use multi session download?
Date: Thu, 14 Oct 2004 11:53:21 +0530

This type of http requests are called range requests and squid does
not support caching of range requests.

Rgds,
Vinod

- Original Message -
From: "yang jianzhou" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 14, 2004 11:34 AM
Subject: [squid-users] Why squid can not cache a file which a client use multi session download?

> I use squid-2.5.STABLE7. When I use one session to download a file (such as
> an mp3 file), it can be cached on the hard drive. But when I use multi
> session (some tools such as 'FlashGet' can support this) to download a file, it
> can not be cached on the hard drive. How do I resolve this problem? Thanks
> for any reply!



[squid-users] IIS Authentication Error

2004-10-14 Thread Jay Turner
Hi All,

I have a client who is trying to connect to an IIS website that requires
user authentication. When they bypass the Squid-2.5STABLE2 proxy it works
fine and they are prompted to enter their login details.

When they go through the proxy, which is using the LDAP helper to
authenticate them via Novell, they get the following error returned from the
destination webserver:

==
You are not authorized to view this page

You do not have permission to view this directory or page using the
credentials
that you supplied because your Web Browser is sending a WWW-Authenticate
header field that the web server is not configured to accept.

...

HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.
Internet Information Services (IIS)

==

I tried adding an acl destination for the site and setting
no_cache deny thesite
http_access allow thesite

to stop the page being cached and allow access to it before Squid requires
Authentication but that didn't resolve it.

Does anyone have any ideas? IIRC isn't there an issue that IIS NTLM
authentication cannot be proxied? Could that be the case here?

Thanks in advance

Regards
Jay Turner

--
EOM




[squid-users] http and sasl

2004-10-14 Thread Diego Woitasen
Does somebody know about any standard or implementation of SASL and HTTP?


-- 
DiegoWS
LANUX



Re: [squid-users] Transparent Cache

2004-10-14 Thread Stefano
On Thu, 2004-10-14 at 23:10, Alejandro Barcena wrote:

> I understand that squid needs to be recompiled, could someone help me 
> with the parameters for recompiling squid? I'm trying to give 
> transparent cache for a lot of users.

At the root prompt type

# ulimit -Hn 8192
# ulimit -n 8192

These commands set the file descriptor limit to 8192. Then run

# ./configure --more-options.

Look at the configure output, where you can see "checking Default
FD_SETSIZE value...8192"

# make
# make install
.

Now modify the squid boot script (/etc/rc.d/init.d/squid or other file
in your Linux distribution) and put in this line

ulimit -HSn 8192

so that when Squid starts it always uses 8192 file descriptors. Linux runs a
lot of processes and they use file descriptors as well, so now modify your
/etc/sysctl.conf file and put in this line

fs.file-max = 102400

then

# sysctl -p

S.