[squid-users] Re: question about Squid

2004-11-28 Thread Henrik Nordstrom
Please use the squid-users mailing list for Squid configuration and usage
questions.

On Sat, 27 Nov 2004, hilal sonbol wrote:

> I'm hilal sonbol, IT manager at IUT Institute University of Technology -
> Lebanon. What I'm preparing this semester is to transform our IT
> platform, essentially based on Windows environment, to Linux.
>
> I need to know if Squid is capable of managing connections over a dialup
> connection!

Squid works fine in conjunction with a dialup connection.
You need other software to manage the dialup connection, but all you need
is included in all Linux distributions.

Regards
Henrik


[squid-users] allow one user to acces one website and deny all others (websites)

2004-11-28 Thread zdust
hi

I need to do two-level filtering.

For one guy, I need to allow him to go everywhere.

Three other persons can go on just one website and can't go anywhere else.

How can I do that with their proxy login?

thx



AW: [squid-users] allow one user to acces one website and deny all others (websites)

2004-11-28 Thread Sebastian Pasch
hello,

You have to write two acl rules: one defining which guy is allowed to surf
everywhere, and one for the website all users should be allowed to visit.
Then you should insert another two rules before http_access deny all:
first the website everyone should be able to visit, and then denying the
other users from the created acl.

Best regards
Sebastian Pasch

I think all this is explained in some FAQs too.
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 28 November 2004 11:56
To: [EMAIL PROTECTED]
Subject: [squid-users] allow one user to acces one website and deny all
others (websites)

hi

i need to do two level filtering

for one guy i need to allow him to go everywhere

three others persons can go on just one website and can t go anywhere else

how can i do that  with their proxy login?

thx



Re: [squid-users] SPEED LIMIT TO 10kbps

2004-11-28 Thread Shiraz Gul Khan
And suppose I try this example in a DHCP and NCH_auth environment: what do I
edit in squid.conf?


Thank you & best regards,
Shiraz Gul Khan (03002061179)
Onezero Inc.



[squid-users] Re: SPEED LIMIT TO 10kbps

2004-11-28 Thread Adam Aube
Shiraz Gul Khan wrote:

> and suppose if i try this example in DHCP and NCH_auth environment. what i
> edit in squid.conf

In that case just use a proxy_auth acl to match on the authenticated
usernames instead of matching on the source IP address.

Adam



[squid-users] squid_ldap_group authorisation of 2000 AD Groups

2004-11-28 Thread Oliver Hookins
I'm trying to authorise users of the proxy by determining if they are a 
member of a certain Active Directory group or not. Yes, I've read the 
documentation, FAQ, mailing list archives and man pages but it is still 
confusing to me. The version in question is 2.5STABLE3.

On the 2000 domain controller I have standard users in the Users 
container. The authorised internet users will also be a member of a 
group called Internet. So far I've been using ldapsearch to verify what 
sort of information will be coming out of the LDAP but I find it hard to 
make this correspond to the parameters I'm putting into squid_ldap_group.

For example, here's an ldapsearch line that will give me the Internet 
group back with a list of members:

ldapsearch -x -b cn=Internet,cn=Users,dc=domain,dc=local \
  -D cn=Administrator,cn=Users,dc=domain,dc=local -W -h 192.168.150.100
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=Internet,cn=Users,dc=domain,dc=local with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# Internet, Users, domain.local
dn: CN=Internet,CN=Users,DC=domain,DC=local
member: CN=Cameron,CN=Users,DC=domain,DC=local
member: CN=Oliver,CN=Users,DC=domain,DC=local
cn: Internet
groupType: -2147483646
instanceType: 4
distinguishedName: CN=Internet,CN=Users,DC=domain,DC=local
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=local
objectClass: top
objectClass: group
objectGUID:: I6No/vayb0iE8uD6mxvtzg==
objectSid:: AQUAAAUVPeMITdvrDFCoN9ZlVAYAAA==
name: Internet
sAMAccountName: Internet
sAMAccountType: 268435456
uSNChanged: 746952
uSNCreated: 742415
whenChanged: 20041128224030.0Z
whenCreated: 20041126041439.0Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

How do I turn this into a useful line for squid_ldap_group? I've tried 
the following with no success:

/usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local \
  -f '((name=%g)(member=%u)(objectClass=group))' \
  -D cn=Administrator,cn=Users,dc=domain,dc=local 192.168.150.100

Oliver Internet
ERR
CN=Oliver,CN=Users,DC=domain,DC=local Internet
ERR

Also the fact that 2000 doesn't allow you to view what is going on with 
the LDAP queries makes it even harder. Any help will be greatly appreciated.

Regards,
Oliver
--
---
Oliver Hookins
B.Sc(Computing and Information Systems)
Exhibition IT Services Pty Ltd
e: [EMAIL PROTECTED]
p: +61 2 9882 1300
f: +61 2 9882 3377
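
The substitution and matching behind the -f filter asked about above, as an added example that is not part of the original post or of Squid: a small evaluator for the AND/equality subset of LDAP filters, run against the Internet group entry from the ldapsearch output. The `&` operator in the template and all function names are assumptions of this example.

```python
import re

# Group entry from the ldapsearch output in the post (attributes trimmed).
GROUP_ENTRY = {
    "objectClass": ["top", "group"],
    "name": ["Internet"],
    "member": ["CN=Cameron,CN=Users,DC=domain,DC=local",
               "CN=Oliver,CN=Users,DC=domain,DC=local"],
}

def expand(template, user, group):
    """Fill in %u (user) and %g (group) in a -f style filter template."""
    return template.replace("%u", user).replace("%g", group)

def _parse(f):
    """Parse one filter component; returns (node, remaining_text)."""
    if f.startswith("(&"):
        rest, parts = f[2:], []
        while rest.startswith("("):
            node, rest = _parse(rest)
            parts.append(node)
        if not parts or not rest.startswith(")"):
            raise ValueError("malformed AND component")
        return ("and", parts), rest[1:]
    m = re.match(r"\(([A-Za-z][\w-]*)=([^()]*)\)", f)
    if not m:
        raise ValueError("malformed filter near: " + f[:24])
    return ("eq", m.group(1), m.group(2)), f[m.end():]

def parse(f):
    node, rest = _parse(f)
    if rest:
        raise ValueError("trailing data after filter: " + rest[:24])
    return node

def matches(node, entry):
    """Case-insensitive equality against every value of the named attribute."""
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return value.lower() in (v.lower() for v in values)

def is_member(template, user, group, entry=GROUP_ENTRY):
    return matches(parse(expand(template, user, group)), entry)

if __name__ == "__main__":
    tmpl = "(&(name=%g)(member=%u)(objectClass=group))"
    print(is_member(tmpl, "Oliver", "Internet"))                                  # bare login
    print(is_member(tmpl, "CN=Oliver,CN=Users,DC=domain,DC=local", "Internet"))  # full DN
```

With a bare login such as Oliver the member clause cannot match, because member holds full DNs in the entry shown; the filter as printed in the post, without an operator after the first parenthesis, is rejected by the parser.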


Re: [squid-users] Squid limits and hardware spec

2004-11-28 Thread Martin Marji Cermak
Hello guys,
I have been playing with Squid under a heavy load and there are some stats.
I am trying to maximise the Byte Hit Ratio value. I got 13% average, 
but I am not happy about this number - I want it higher (how to do it?). 
There are thousands of ADSL clients using the cache and I want to know 
what the Squid limits are.

USED HARDWARE:
Processor: P4 1.8GHz
Memory: 1 GB
Hard disk: 40 GB IDE 7200rpm
Controller: Serverworks Chipset
Ethernet card: Broadcom TG3

ACHIEVED PERFORMANCE:
Requests: 180 req/sec (peak), 60 req/sec (day average).
Server In: 1400 kBytes/sec (peak), 600 kBytes/sec (day average)
Request Hit Ratio: 37% day average
Byte Hit Ratio: 13% (TOO LOW !!!)
Average service time:
  - Cache Hits: 0.01 sec
  - Cache Miss: 0.5 sec
Mem Usage: 120 MBytes
CPU Usage: 50% (server is dedicated to Squid)
Server LOAD (gathered from uptime): 2.5 average, 3.7 peak
   (I saved some load by switching klogd off)

USED CONFIGURATION:
maximum_object_size 51200 KB (SHOULD I MAKE IT HIGHER ???)
cache_dir aufs /cache 25000 16 256
   (one ide disk, see the spec above)
cache_mem 8 MB

The Squid is configured as a transparent proxy, so:
httpd_accel_uses_host_header on
httpd_accel_with_proxy OFF (yes, transparent)
httpd_accel_port 80
httpd_accel_host virtual

Tell me if you are interested in other settings.

The bottleneck of the system is the disk at the moment, because it is 
only IDE. The average system load is 2.5, when I route more users to the 
cache, load goes up close to 4 and the Cache Miss response time goes to 
1 sec.

Under this load, you cannot do anything else, e.g. gzip logfiles - it 
affects the actual Squid performance.
I noticed the klogd took 30% of CPU in peaks, because of the TPROXY 
module which logs a lot. I had the debug info switched off by a 
syslog.conf rule, so it was not being logged, but the module kept 
sending log messages to the log daemon so klogd took 30% of CPU anyway.
I switched the klogd off and the performance change was visible.

I am going to install a new box with SCSI disks so I will report to you 
how the performance will change.

Any ideas how to get higher Byte Hit Ratio from actual 13 % ?
Have a nice week, Marji

Martin Marji Cermak wrote:
> Hello Guys,
> I am going to run a Squid box for a lot of users.
> I want to handle as many users as possible (thousands - I work for a
> small ISP).
>
> Unfortunately, I am not sure what the Squid limits are and my boss asked
> me to specify the hardware I wanted him to buy.
>
> Please, answer my following questions:
>
> 1) What are Squid's limits?
> (I got to 100 client HTTP request/seconds so far)
>
> 2) What hardware would you recommend for its maximal performance?
> I am going to dedicate a Debian linux box for Squid, there will be no
> other services.
>
> 3) What maximum_object_size would you use, considering I want to save
> as much bandwidth as possible?
> (I have       : maximum_object_size 51200 KB at the moment,
> together with : cache_dir aufs /cache 25000 16 256
> and I got close to 15% Byte Hit Ratio)
>
> Thank you, guys,
> Marji


RE: [squid-users] Squid limits and hardware spec

2004-11-28 Thread You, Qinghong
You probably need more disk space for squid? 


thanks
Qinghong 


Re: [squid-users] allow one user to acces one website and deny all others (websites)

2004-11-28 Thread Visolve Squid Development Team
With the proper setup of ACL setting and http_access rules, we can achieve this.

Example Setup:

# ACL - one user to everywhere
acl user1 proxy_auth user1

# ACL - two users to one site
acl group proxy_auth user2 user3

# ACL - specific site
acl site dstdomain .visolve.com

# Access rules
# Allow one specific user to everywhere
http_access allow user1

# Allow others users to only specific site
http_access allow group site

# Deny other
http_access deny all

> for one guy i need to allow him to go everywhere
>
> three other persons can go on just one website and can't go anywhere else
>
> how can i do that with their proxy login?


Best wishes
Visolve Squid Development Team.




Re: [squid-users] cookies with redirector

2004-11-28 Thread Deepa D
Hi All,
Sorry for such a delayed response.
The redirector is only rewriting the url but even
then cookies are not retained while url rewriting is
happening.
Kindly tell me what the problem could be.
Regards and TIA,
  Deepa


--- Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On Fri, 29 Oct 2004, Deepa D wrote:
>
> > I am using squid-2.5STABLE5 with redirectors. I
> > have a requirement wherein when the redirector returns
> > back a different url for squid to service the cookies
> > received from the browser should also be passed to
> > that request.
>
> Redirectors only change the URL, not cookies.
>
> Make sure your redirector does not return a browser
> redirect, it should just rewrite the URL.
>
> Regards
> Henrik




Re: [squid-users] More flexible logging options?

2004-11-28 Thread Martin Marji Cermak
hello Shawn,
yes, I can see your problem, I have to log a lot myself because of my 
squid performance testing and I found the squid logging quite inflexible 
as well.

Anyway, there are some hints, although they are probably not exactly the 
right ones you are waiting for:

- for the info I am really interested in I created a new logfile called 
focus.log and let squid handle it as the other logs (e.g. log file 
rotating, close/open when restart and so on).
Instead of using the debug macro I use my fdebug macro which writes to 
the focus log

- I extended the squid.conf debug_options parameter so you can set a 
different level of verbosity for each module. For example, my current 
setting is debug_options ALL,1;14,5;99,4

- I decided to use ext2fs with noatime mounting option for my debug 
partition so as not to slow Squid down because of huge debugging

- I wrote a watcher in bash which is run from cron, it checks the size 
of cache.log and if it exceeds the pre-set size, it sends SIGUSR1 to 
Squid to rotate its logs so I am sure my log partition will not be 
filled up.

If anything from my list sounds interesting to you, I can send you a 
patch/script/more info.

Best Regards
Marji

> During times when our proxy is being assaulted by spyware, it spends a
> great deal of CPU time logging these denials. I would like to explore the
> possibility of one or more of the following:
>
> -handing off the logging to a separate process such as multilog
> -finding some way to place log limits where multiple lines from a single
> host would otherwise fill the logs. ie: maximum 5 denials logged per
> second per host, with a burst of 20.
> -limiting max # of connections allocated to a single IP per minute, since
> delay pools won't help when all the connections are denials (I don't
> think).
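
The per-host log limit proposed above (5 denials logged per second, burst of 20) written as a token bucket over access.log lines, as an added example that is not part of the original thread or of Squid itself. The log lines are constructed samples in Squid's native access.log layout, and the function names are hypothetical.

```python
from collections import defaultdict

def rate_limit_denials(lines, rate=5.0, burst=20.0):
    """Return (kept_lines, suppressed_per_host) using one token bucket per client IP."""
    buckets = {}                       # host -> (tokens, last_timestamp)
    suppressed = defaultdict(int)
    kept = []
    for line in lines:
        fields = line.split()
        ts, host, code = float(fields[0]), fields[2], fields[3]
        if not code.startswith("TCP_DENIED"):
            kept.append(line)          # only denials are rate limited
            continue
        tokens, last = buckets.get(host, (burst, ts))
        # Refill for the time elapsed since this host's previous denial.
        tokens = min(burst, tokens + max(0.0, ts - last) * rate)
        if tokens >= 1.0:
            tokens -= 1.0
            kept.append(line)
        else:
            suppressed[host] += 1      # counted so a summary line can still be written
        buckets[host] = (tokens, ts)
    return kept, dict(suppressed)

def sample_log():
    """Constructed access.log lines, not real traffic."""
    fmt = "{:.3f} 1 {} {} 1400 GET http://ads.example/{} - NONE/- text/html"
    base = 1101686400.0
    # 30 denials from one host inside 30 ms: a burst larger than the bucket.
    lines = [fmt.format(base + i / 1000, "10.0.0.5", "TCP_DENIED/403", i)
             for i in range(30)]
    lines.append(fmt.format(base + 1.0, "10.0.0.5", "TCP_MISS/200", "page"))
    lines.append(fmt.format(base + 1.5, "10.0.0.9", "TCP_DENIED/403", "x"))
    lines.append(fmt.format(base + 2.0, "10.0.0.5", "TCP_DENIED/403", "late"))
    return lines

if __name__ == "__main__":
    kept, suppressed = rate_limit_denials(sample_log())
    print(len(kept), "lines kept; suppressed per host:", suppressed)
```

Keeping the suppressed count per host preserves the evidence that a client was flooding the proxy even though the individual lines are not written.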