[squid-users] cache.log says "2004/12/01 15:53:46| User-Agent logging is disabled. 2004/12/01 15:53:46| Referer logging is disabled."

Dear all,

I have the following output from my cache.log:

2004/12/01 15:53:45| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
2004/12/01 15:53:45| Process ID 6550
2004/12/01 15:53:45| With 1024 file descriptors available
2004/12/01 15:53:45| DNS Socket created at 0.0.0.0, port 32777, FD 4
2004/12/01 15:53:45| Adding nameserver 172.16.1.253 from /etc/resolv.conf
*2004/12/01 15:53:45| helperOpenServers: Starting 5 'squidguard' processes
2004/12/01 15:53:45| helperOpenServers: Starting 5 'squid_ldap_auth' processes
2004/12/01 15:53:46| User-Agent logging is disabled.
2004/12/01 15:53:46| Referer logging is disabled.*
2004/12/01 15:53:46| Unlinkd pipe opened on FD 19
2004/12/01 15:53:46| Swap maxSize 102400 KB, estimated 7876 objects
2004/12/01 15:53:46| Target number of buckets: 393
2004/12/01 15:53:46| Using 8192 Store buckets
2004/12/01 15:53:46| Max Mem size: 8192 KB
2004/12/01 15:53:46| Max Swap size: 102400 KB
2004/12/01 15:53:46| Rebuilding storage in /var/spool/squid (CLEAN)
2004/12/01 15:53:46| Using Least Load store dir selection
2004/12/01 15:53:46| Set Current Directory to /var/spool/squid
2004/12/01 15:53:46| Loaded Icons.
2004/12/01 15:53:47| Accepting HTTP connections at 0.0.0.0, port 3128, FD 20.
2004/12/01 15:53:47| Accepting ICP messages at 0.0.0.0, port 3130, FD 21.
2004/12/01 15:53:47| WCCP Disabled.
2004/12/01 15:53:47| Ready to serve requests.
2004/12/01 15:53:50| Done scanning /var/spool/squid swaplog (0 entries)
2004/12/01 15:53:50| Finished rebuilding storage from disk.
2004/12/01 15:53:50| 0 Entries scanned
2004/12/01 15:53:50| 0 Invalid entries.
2004/12/01 15:53:50| 0 With invalid flags.
2004/12/01 15:53:50| 0 Objects loaded.
2004/12/01 15:53:50| 0 Objects expired.
2004/12/01 15:53:50| 0 Objects cancelled.
2004/12/01 15:53:50| 0 Duplicate URLs purged.
2004/12/01 15:53:50| 0 Swapfile clashes avoided.
2004/12/01 15:53:50| Took 3.8 seconds ( 0.0 objects/sec).
2004/12/01 15:53:50| Beginning Validation Procedure
2004/12/01 15:53:50| Completed Validation Procedure
2004/12/01 15:53:50| Validated 0 Entries
2004/12/01 15:53:50| store_swap_size = 0k
2004/12/01 15:53:51| storeLateRelease: released 0 objects

The bolded highlighted section stated
*2004/12/01 15:53:46| User-Agent logging is disabled.
2004/12/01 15:53:46| Referer logging is disabled.*
It's right after the authentication program part, wondering if it means something is wrong?

Has anyone got a properly running squid cache.log file output? I am just not sure if the things displayed on cache.log mean I am on the right track.

Thanks all!

regards
Yong
RE: [squid-users] cache.log says "2004/12/01 15:53:46| User-Agent logging is disabled.
> Dear all,
>
> I have the following output from my cache.log:
>
> 2004/12/01 15:53:45| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
> 2004/12/01 15:53:45| Process ID 6550
> 2004/12/01 15:53:45| With 1024 file descriptors available
> 2004/12/01 15:53:45| DNS Socket created at 0.0.0.0, port 32777, FD 4
> 2004/12/01 15:53:45| Adding nameserver 172.16.1.253 from /etc/resolv.conf
> *2004/12/01 15:53:45| helperOpenServers: Starting 5 'squidguard' processes
> 2004/12/01 15:53:45| helperOpenServers: Starting 5 'squid_ldap_auth' processes
> 2004/12/01 15:53:46| User-Agent logging is disabled.
> 2004/12/01 15:53:46| Referer logging is disabled.*
> 2004/12/01 15:53:46| Unlinkd pipe opened on FD 19
> 2004/12/01 15:53:46| Swap maxSize 102400 KB, estimated 7876 objects
> 2004/12/01 15:53:46| Target number of buckets: 393
> 2004/12/01 15:53:46| Using 8192 Store buckets
> 2004/12/01 15:53:46| Max Mem size: 8192 KB
> 2004/12/01 15:53:46| Max Swap size: 102400 KB
> 2004/12/01 15:53:46| Rebuilding storage in /var/spool/squid (CLEAN)
> 2004/12/01 15:53:46| Using Least Load store dir selection
> 2004/12/01 15:53:46| Set Current Directory to /var/spool/squid
> 2004/12/01 15:53:46| Loaded Icons.
> 2004/12/01 15:53:47| Accepting HTTP connections at 0.0.0.0, port 3128, FD 20.
> 2004/12/01 15:53:47| Accepting ICP messages at 0.0.0.0, port 3130, FD 21.
> 2004/12/01 15:53:47| WCCP Disabled.
> 2004/12/01 15:53:47| Ready to serve requests.
> 2004/12/01 15:53:50| Done scanning /var/spool/squid swaplog (0 entries)
> 2004/12/01 15:53:50| Finished rebuilding storage from disk.
> 2004/12/01 15:53:50| 0 Entries scanned
> 2004/12/01 15:53:50| 0 Invalid entries.
> 2004/12/01 15:53:50| 0 With invalid flags.
> 2004/12/01 15:53:50| 0 Objects loaded.
> 2004/12/01 15:53:50| 0 Objects expired.
> 2004/12/01 15:53:50| 0 Objects cancelled.
> 2004/12/01 15:53:50| 0 Duplicate URLs purged.
> 2004/12/01 15:53:50| 0 Swapfile clashes avoided.
> 2004/12/01 15:53:50| Took 3.8 seconds ( 0.0 objects/sec).
> 2004/12/01 15:53:50| Beginning Validation Procedure
> 2004/12/01 15:53:50| Completed Validation Procedure
> 2004/12/01 15:53:50| Validated 0 Entries
> 2004/12/01 15:53:50| store_swap_size = 0k
> 2004/12/01 15:53:51| storeLateRelease: released 0 objects
>
> The bolded highlighted section stated
> *2004/12/01 15:53:46| User-Agent logging is disabled.
> 2004/12/01 15:53:46| Referer logging is disabled.
> *its right after the authentication program part, wondering if it means
> something is wrong?
>
> has anyone got a properly running squid cache.log file output? I am just
> not sure if the things displayed on cache.log means if I am on the right
> track.
>

User agent logging requires configure with: --enable-useragent-log as an option during the building stage(s) of SQUID.

M.
[squid-users] wbinfo -t error
Hi,

we are successfully using proxy authentication with an AD domain with Squid 2.5STABLE4 and Samba 2.2.8a. Now I'm trying to set up a test platform to migrate towards Samba 3. I've compiled and installed Samba 3.0.9 and Squid 2.5STABLE7 following the squid FAQ:

http://www1.fr.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind

Here is my smb.conf file:

[global]
workgroup = MYDOMAIN
realm = MYREALM.IT
password server = my_root_dc.mydomain.it
security = ADS
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
log file = /var/log/samba/log.%m
log level = 3
encrypt passwords = yes
winbind separator = \\

I got stuck while trying the wbinfo -t command. While wbinfo -u, -g and -p work fine, with -t I get the following error:

checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

Obviously trying the ntlm_auth command won't work (same error as above).

I've joined the domain and I've also checked the kerberos configuration. I've also followed this paper and created a keytab for my linux box:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

What else can I try?

p.s.: I remember a good walkthrough on the ITMANAGERS website but I cannot access the website anymore. Where has it gone?
Re: [squid-users] cache.log says "2004/12/01 15:53:46| User-Agent logging is disabled.
On Wed, 2004-12-01 at 16:54, Yong Bong Fong wrote:
> Dear all,
>
> I have the following output from my cache.log:
>
> 2004/12/01 15:53:45| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
> 2004/12/01 15:53:45| Process ID 6550
> 2004/12/01 15:53:45| With 1024 file descriptors available
> 2004/12/01 15:53:45| DNS Socket created at 0.0.0.0, port 32777, FD 4
> 2004/12/01 15:53:45| Adding nameserver 172.16.1.253 from /etc/resolv.conf
> *2004/12/01 15:53:45| helperOpenServers: Starting 5 'squidguard' processes
> 2004/12/01 15:53:45| helperOpenServers: Starting 5 'squid_ldap_auth' processes
> 2004/12/01 15:53:46| User-Agent logging is disabled.
> 2004/12/01 15:53:46| Referer logging is disabled.*

> The bolded highlighted section stated
> *2004/12/01 15:53:46| User-Agent logging is disabled.
> 2004/12/01 15:53:46| Referer logging is disabled.
> *its right after the authentication program part, wondering if it means
> something is wrong?
>

That just means that squid will not log the user_agents (browsers) that connect to it.

> has anyone got a properly running squid cache.log file output? I am just
> not sure if the things displayed on cache.log means if I am on the right
> track.

2004/10/18 18:02:05| Squid Cache (Version 2.5.STABLE5): Exiting normally.
2004/10/19 09:25:08| Starting Squid Cache version 2.5.STABLE5 for i386-redhat-linux-gnu...
2004/10/19 09:25:08| Process ID 4131
2004/10/19 09:25:08| With 1024 file descriptors available
2004/10/19 09:25:08| DNS Socket created at 0.0.0.0, port 32768, FD 4
2004/10/19 09:25:08| helperOpenServers: Starting 5 'squid_redirect' processes
2004/10/19 09:25:09| User-Agent logging is disabled.
2004/10/19 09:25:09| Referer logging is disabled.

>
> Thanks all!
>
> regards
> Yong

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
Neuromancer 18:12:38 up 8:48, 7 users, 0.20, 0.12, 0.12
Re: [squid-users] cache.log says "2004/12/01 15:53:46| User-Agent logging is disabled.
On Wed, 2004-12-01 at 18:14, Ow Mun Heng wrote:
> On Wed, 2004-12-01 at 16:54, Yong Bong Fong wrote:
> > Dear all,
> >
> > I have the following output from my cache.log:
> >
> > 2004/12/01 15:53:45| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
> > 2004/12/01 15:53:45| Process ID 6550
> > 2004/12/01 15:53:45| With 1024 file descriptors available
> > 2004/12/01 15:53:45| DNS Socket created at 0.0.0.0, port 32777, FD 4
> > 2004/12/01 15:53:45| Adding nameserver 172.16.1.253 from /etc/resolv.conf
> > *2004/12/01 15:53:45| helperOpenServers: Starting 5 'squidguard' processes
> > 2004/12/01 15:53:45| helperOpenServers: Starting 5 'squid_ldap_auth' processes
> > 2004/12/01 15:53:46| User-Agent logging is disabled.
> > 2004/12/01 15:53:46| Referer logging is disabled.*
>
> > The bolded highlighted section stated
> > *2004/12/01 15:53:46| User-Agent logging is disabled.
> > 2004/12/01 15:53:46| Referer logging is disabled.
> > *its right after the authentication program part, wondering if it means
> > something is wrong?
> >
> That just means that squid will not log the user_agents (browsers) that
> connects to it.
>
> > has anyone got a properly running squid cache.log file output? I am just
> > not sure if the things displayed on cache.log means if I am on the right
> > track.
>
> 2004/10/18 18:02:05| Squid Cache (Version 2.5.STABLE5): Exiting normally.
> 2004/10/19 09:25:08| Starting Squid Cache version 2.5.STABLE5 for i386-redhat-linux-gnu...
> 2004/10/19 09:25:08| Process ID 4131
> 2004/10/19 09:25:08| With 1024 file descriptors available
> 2004/10/19 09:25:08| DNS Socket created at 0.0.0.0, port 32768, FD 4
> 2004/10/19 09:25:08| helperOpenServers: Starting 5 'squid_redirect' processes
> 2004/10/19 09:25:09| User-Agent logging is disabled.
> 2004/10/19 09:25:09| Referer logging is disabled.
>

One more thing, ensure that you have squid compiled with --enable-useragent-log

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
Neuromancer 18:16:51 up 8:52, 7 users, 0.25, 0.22, 0.17
Re: [squid-users] Re: I'm having problems when squid starts on ubuntu
On Tue, 2004-11-30 at 22:45, Juan Pablo Pincheira wrote:
> Hi. I'm having problems when squid starts on ubuntu, I installed squid
> by ubuntu debian package. Here is the installation and program
> beginning:
>
> [EMAIL PROTECTED]:~ # apt-get install squid

[snip]

> Creating squid spool directory structure
> FATAL: Could not determine fully qualified hostname. Please set
> 'visible_hostna me'

There's your problem. Check your squid.conf file and set visible_hostname.

Also check if your /etc/hosts file has your squid server's name.

> Squid Cache (Version 2.5.STABLE5): Terminated abnormally.
> CPU Usage: 0.014 seconds = 0.009 user + 0.005 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> /var/lib/dpkg/info/squid.postinst: line 181: 21666 Abortado
>/usr/ sbin/squid -z
> Starting proxy server: Creating squid spool directory structure
> FATAL: Could not determine fully qualified hostname. Please set
> 'visible_hostna me'
>
> Squid Cache (Version 2.5.STABLE5): Terminated abnormally.
> CPU Usage: 0.014 seconds = 0.010 user + 0.004 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> /etc/init.d/squid: line 175: 21696 Abortado/usr/sbin/squid -z
> FATAL: Could not determine fully qualified hostname. Please set
> 'visible_hostna me'
>
> Squid Cache (Version 2.5.STABLE5): Terminated abnormally.
> CPU Usage: 0.014 seconds = 0.008 user + 0.006 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> /etc/init.d/squid: line 175: 21702 Abortado
> start-stop-daemon --q uiet --start --pidfile $PIDFILE --exec $DAEMON
> -- $SQUID_ARGS squid.
>
> [EMAIL PROTECTED]:~ #
>
> --
>
> I have never had this problem installing squid :(
>
> Thanks to all.

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
Neuromancer 18:22:03 up 8:58, 7 users, 0.17, 0.17, 0.16
[squid-users] PLZ HELP 4 DELAY_POOLS
Dear list,

Hi, I have 256CIR DSL line and I have 100 users. I want to use DELAY_POOLS for slowing downloading speed at user end, with the download file extension .exe .dat .zip .avi. Please help me.

Thank you & best regards,
Shiraz Gul Khan (03002061179)
Onezero Inc.
[squid-users] Re: squid-2.5 s7 polygraph benchmarking
On Tue, 30 Nov 2004, Muthukumar wrote:

> When I tried to benchmark squid 2.5 stable 7, getting problem with TIME_WAIT on polygraph server.

If TIME_WAIT really is a problem for you on the polygraph server then your Polygraph server OS is not correctly tuned.

Have you completed the no-proxy test of your polygraph benchmark setup successfully?

> 1. what is the problem to get "X-Squid-Error: ERR_CONNECT_FAIL 113" / HTTP/1.0 503 Service Unavailable?

This indicates the requested server could not be reached or was not listening for requests.

> 2. Do we have to tune kernel parameters for benchmarking squid?

You need to tune polygraph servers and clients correctly according to the polygraph documentation. You may also need to tune the proxy server, but usually not.

> Suggest easy & good way of benchmarking squid!

Polygraph is relatively easy and very good, but it takes a while to get the initial networking setup correct when using the newer workloads (polymix4 or later).

Regards
Henrik
[squid-users] ftp client
HI all: Somebody knows some FTP client to use behind SQUID? I need to make UPLOADS via FTP. I use NON TRANSPARENT proxy configuration. Thanks, loop.-
RE: [squid-users] ftp client
> > HI all:
> >
> > Somebody knows some FTP client to use behind SQUID?
> I need to make UPLOADS via FTP.
>

- A browser, and for uploads, only Mozilla + Netscape, using ftp url's.

Squid can not be used as a native ftp proxy. It handles ftp url's, returning only html for ftp requests.

M.
[squid-users] Fw: squid_ldap_group config
Hi all,

I hope this has not been addressed anywhere in the mailing lists. I did a search and couldn't find anything, and I've already RTFM'd.

I don't understand how to set up the squid_ldap_group external acl type.

We are running Novell eDirectory and using various LDAP groups to (hopefully) control internet access for our various high school campuses. We want to have different control lists based upon the user. Students are denied ftp downloads and are sent to a redirector/content filter, while we IT people don't go to the redirector and get ftp downloads.

The man page for external_acl_type doesn't seem clear to me.

This is what I've got so far:

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b -D -w -f "(&(cn=%v)(groupMembership=cn=))" -h ldap.host
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b -D -w -f "(&(cn=%v)(groupMembership=cn=))" -h ldap.host

acl Restricted port 20 21 1025-65535

acl external ldap_group deny Restricted
acl external ldap_group allow Restricted

I'm certain I am doing something wrong with my "acl external" lines. How do I differentiate the two different groups? How exactly is the external_acl_type line used? Is ldap_group a reserved phrase that has to follow external_acl_type? How do I return to squid the group membership token for the user?

Thanks for any illumination...

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]
Re: [squid-users] Fw: squid_ldap_group config
Kelly,

The intent of the Squid mechanism, is, I think, a bit obscure--hopefully the authors will step forward and show how you set up the two distinct external auth mechanisms it appears you need in order for Squid to a) authenticate to LDAP b) do the group check.

However, our solution (which resembles that used in a commercial K12 proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our version combines a bunch of extant modifications, including LDAP group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific users/groups to visit FTP urls, would happen here. For example, your source group might be "kids," and the destination group anything matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and reporting tool we're releasing, that organize all this.

Matt

[EMAIL PROTECTED] wrote:

>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Novell eDirectory and using various LDAP groups to
>(hopefully) control internet access for our various high school campuses.
>We want to have different control lists based upon the user. Students are
>denied ftp downloads and are sent to a redirector/content filter, while we
>IT people don't go to the redirector and get ftp downloads.
>
>The man page for external_acl_type doesn't seem clear to me.
>
>This is what I've got so far:
>
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>-D -w -f
>"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>-D -w -f
>"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
>
>acl Restricted port 20 21 1025-65535
>
>acl external ldap_group deny Restricted
>acl external ldap_group allow Restricted
>
>I'm certain I am doing something wrong with my "acl external" lines. How
>do I differentiate the two different groups? How exactly is the
>external_acl_type line used? Is ldap_group a reserved phrase that has to
>follow external_acl_type? How do I return to squid the group membership
>token for the user?
>
>Thanks for any illumination...
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>[EMAIL PROTECTED]
Re: [squid-users] Fw: squid_ldap_group config
I am trying to do a similar thing. I tried to install squid_ldap_auth but it keeps failing during make. At first, it could not find some of the include files, but I think I fixed that by adding some symbolic links for each file from the /usr/local/include directory to the /usr/include directory. These were various ldap include files. I am using FreeBSD 4.10 if it makes a difference. After I made those links, the make continued for a while but ultimately failed with numerous errors of empty declaration and useless keyword or type name in empty declaration. Any ideas?

Thanks!
Carissa

On Wed, 01 Dec 2004 12:39:49 -0500, Matt Benjamin <[EMAIL PROTECTED]> wrote:
> Kelly,
>
> The intent of the Squid mechanism, is, I think, a bit obscure--hopefully
> the authors will step forward and show how you set up the two distinct
> external auth mechanisms it appears you need in order for Squid to a)
> authenticate to LDAP b) do the group check.
>
> However, our solution (which resembles that used in a commercial K12
> proxy solution which I shall not name), is as follows:
>
> 1. We use one external authenticator, the squid_ldap_auth program
> 2. All traffic is sent to a customized Squidguard redirect_program--our
> version combines a bunch of extant modifications, including LDAP
> group-based ACLs, and a modified logging feature used to drive reporting
> 3. Any sort of authorization rule, including one forbidding specific
> users/groups to visit FTP urls, would happen here. For example, your
> source group might be "kids," and the destination group anything
> matching an "^ftp://" regex.
>
> We have some tweaks to Webmin, a real-time log parser, and reporting
> tool we're releasing, that organize all this.
>
> Matt
>
> [EMAIL PROTECTED] wrote:
>
> >Hi all,
> >
> >I hope this has not been addressed anywhere in the mailing lists. I did a
> >search and couldn't find anything, and I've already RTFM'd.
> >
> >I don't understand how to set up the squid_ldap_group external acl type.
> >
> >We are running Novell eDirectory and using various LDAP groups to
> >(hopefully) control internet access for our various high school campuses.
> >We want to have different control lists based upon the user. Students are
> >denied ftp downloads and are sent to a redirector/content filter, while we
> >IT people don't go to the redirector and get ftp downloads.
> >
> >The man page for external_acl_type doesn't seem clear to me.
> >
> >This is what I've got so far:
> >
> >external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
> >-D -w -f
> >"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
> >external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
> >-D -w -f
> >"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
> >
> >acl Restricted port 20 21 1025-65535
> >
> >acl external ldap_group deny Restricted
> >acl external ldap_group allow Restricted
> >
> >I'm certain I am doing something wrong with my "acl external" lines. How
> >do I differentiate the two different groups? How exactly is the
> >external_acl_type line used? Is ldap_group a reserved phrase that has to
> >follow external_acl_type? How do I return to squid the group membership
> >token for the user?
> >
> >Thanks for any illumination...
> >
> >
> >Kelly Connor
> >Network Technician
> >Gilbert Unified School District
> >[EMAIL PROTECTED]

--
Carissa Srugis
[EMAIL PROTECTED]
Re: [squid-users] Fw: squid_ldap_group config
Hi Matt -

Your solution sounds pretty cool, but my boss is really "pro-vendor" software and I have won a big point getting squid into our district. However, he is dead set on keeping Websense as our content filter, and does not want our internet system to become difficult to support if someone leaves the department.

If I use the squid_ldap_auth program, I can only use one group and I am stuck in an accept/deny internet filtering role. I had this working for a while, but it does not fit our organization quite right.

I stumbled upon squid_ldap_group and it sounds like it works perfectly, but I am really confused as to how to use an external_acl_type role, and how to bring this group information back to squid for potential redirection, ftp filtering or user denial.

Is there anyone on this list who currently uses squid_ldap_group to segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]

From: Matt Benjamin <[EMAIL PROTECTED]>
Date: 12/01/2004 10:39 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], "Adam D. Gorski" <[EMAIL PROTECTED]>
Subject: Re: [squid-users] Fw: squid_ldap_group config

Kelly,

The intent of the Squid mechanism, is, I think, a bit obscure--hopefully the authors will step forward and show how you set up the two distinct external auth mechanisms it appears you need in order for Squid to a) authenticate to LDAP b) do the group check.

However, our solution (which resembles that used in a commercial K12 proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our version combines a bunch of extant modifications, including LDAP group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific users/groups to visit FTP urls, would happen here. For example, your source group might be "kids," and the destination group anything matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and reporting tool we're releasing, that organize all this.

Matt

[EMAIL PROTECTED] wrote:

>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Novell eDirectory and using various LDAP groups to
>(hopefully) control internet access for our various high school campuses.
>We want to have different control lists based upon the user. Students are
>denied ftp downloads and are sent to a redirector/content filter, while we
>IT people don't go to the redirector and get ftp downloads.
>
>The man page for external_acl_type doesn't seem clear to me.
>
>This is what I've got so far:
>
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>-D -w -f
>"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>-D -w -f
>"(&(cn=%v)(groupMembership=cn=))" -h ldap.host
>
>acl Restricted port 20 21 1025-65535
>
>acl external ldap_group deny Restricted
>acl external ldap_group allow Restricted
>
>I'm certain I am doing something wrong with my "acl external" lines. How
>do I differentiate the two different groups? How exactly is the
>external_acl_type line used? Is ldap_group a reserved phrase that has to
>follow external_acl_type? How do I return to squid the group membership
>token for the user?
>
>Thanks for any illumination...
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>[EMAIL PROTECTED]
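
How external_acl_type, group acls and http_access fit together for the two-group case asked about in this thread, shown as an added example that is not taken from any poster's configuration. The helper paths, the base DN o=example, the ou=groups container and the group names Students and ITStaff are placeholders, the -D/-w bind options are left out, and FTP is matched by URL scheme (proto FTP) rather than by port.

```conf
# Added example: every DN, host, path and group name below is a placeholder.

# 1. Authentication. squid_ldap_auth verifies the password and hands Squid
#    the login name that the later group checks refer to.
auth_param basic program /usr/sbin/squid_ldap_auth -b "o=example" -f "(cn=%s)" -h ldap.host
auth_param basic children 5
auth_param basic realm Internet proxy

# 2. Group lookup, declared once. "ldap_group" is only a label chosen here,
#    not a reserved word. For each check Squid writes "login group" to the
#    helper and the helper answers OK or ERR; nothing else is returned.
#    In the -f filter, %v is the login name and %a the group being tested.
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b "o=example" -f "(&(cn=%v)(groupMembership=cn=%a,ou=groups,o=example))" -h ldap.host

# 3. One acl per group, each pointing at the same external_acl_type label.
#    The trailing word is the group name passed to the helper.
acl authenticated proxy_auth REQUIRED
acl students external ldap_group Students
acl it_staff external ldap_group ITStaff
acl ftp_urls proto FTP

# 4. allow/deny belongs on http_access lines, never on the acl line.
#    Rules are checked top to bottom and the first match decides, so the
#    student FTP denial has to come before the general student allow.
http_access deny !authenticated
http_access deny students ftp_urls
http_access allow it_staff
http_access allow students
http_access deny all
```

A user who is in neither group authenticates successfully but still falls through to the final deny all, which keeps the policy default-deny.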
Re: [squid-users] cache.log says "2004/12/01 15:53:46| User-Agent logging is disabled.
Hi,

At 09.54 01/12/2004, Yong Bong Fong wrote:

> 2004/12/01 15:53:46| User-Agent logging is disabled.
> 2004/12/01 15:53:46| Referer logging is disabled.

Nothing wrong here:

This means that your Squid was compiled with --enable-useragent-log and --enable-referrer-log configure options, but in squid.conf the useragent_log and referer_log options are not specified (this is the default).

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
RE: [squid-users] Problems with ntlm_auth
I set it to root:squid and everything seemed to work properly. Now I've upgraded to Samba 3.0.9-1 on Fedora Core and it's not working regardless of the pipe ownership.

-Original Message-
From: Ian Large [mailto:[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 5:49 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Problems with ntlm_auth

Hi all

Environment:
RHEL WS 3.0
Samba 3.0.7-1.3E (Red Hat RPM version)
Squid 2.5.STABLE3-6.3E.2 (Red Hat RPM version)

I posted a question a couple of days ago which got me finally pointed in the right direction to make this work. Thanks to those who responded. However I find myself with a little issue that I can't seem to get around.

Once again, I find myself in a position where I have a working proxy but as soon as I attempt to add authentication I get failures. The line I use in squid.conf is:

auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

Every time I try to run it I get:

2004/10/29 09:04:42| helperStatefulOpenServers: Starting 30 'ntlm_auth' processes
(ntlm_auth): invalid option -- -
unknown option: -?. Exiting
(ntlm_auth) usage:
(ntlm_auth) [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.

I have tried adding a domain/controller entry in between "ntlm_auth" and "--helper..." and at the end of the line, I've tried putting the slashes both ways and putting it in quotes. I cannot think of any other permutations that I can do. Winbind appears to be working well as does Samba in general regarding access to shares.

I am wondering if the issue is "-"...the domain/controller is (like) IT-DOM\srv-1234 and I have found other places in Linux where dashes are not exactly helpful.

One thing I was told last time was to check the permissions on the pipe directory; the docs I found suggested that the squid user should be the owner but on my server it was root/root. I changed the ownership to squid/squid and winbind stopped working, despite adding 777 permissions. Is this correct? Should the ownership be squid/root?

--
Ian Large <[EMAIL PROTECTED]>
IT Department, Christian Salvesen, Lodge Way, New Duston, Northampton NN5 7SL, United Kingdom
Tel: +44 1604 737100 x760 Fax: +44 1604 737111
[squid-users] Squid and Antivirus
Hi all !!! What schema and software do you recommend for using squid 2.5s4 with antivirus capabilities. Thanks. Diego -- Real Users never know what they want, but they always know when your system doesn't deliver it.
RE: [squid-users] Proxy Benchmarks
>> > From: Ow Mun Heng [mailto:[EMAIL PROTECTED]
>> > On Tue, 2004-11-30 at 03:10, Chris Robertson wrote:
>> > Do you have any experience with load_balance??
>>
>> I have some. I have somewhere between 150 and 200 remote sites each with
>> their own squid server that all have to pass traffic by a collection point
>> at the central office.
>
> I'm thinking more like a distributed collection point and not only 1
> Central Location.
>
> eg: X number of Remote server farms and X+1 number of squid servers.

As far as I know ICP or Digest exchange should work. ICP is a very constant communication, and seems far better suited to peers that are very close (same network segment), whereas digest is an occasional transfer, and seems better suited to distant peers.

>
>
>> At the CO we have three Squid servers. Two are
>> acting as load balancing peers (each running one squid process)
> OK
>
>
>> and the
>> third is a parent for the two (running two Squid processes on a dual proc
>> box)
>
> Why 2 instances of Squid Processes?

Squid can't natively take advantage of multiple processors. In the interest of not overwhelming the parent with requests from two children, and in the interest of taking advantage of the second processor, while still having all requests come from one IP address, I have the two children round robin between the two processes on the parent squid box. If I had it to do over again, I would set the three up as a virtual server (http://www.linuxvirtualserver.org/). But if it ain't broke, don't fix it.

>
>> to give the world a single IP address that our traffic comes from.
> Is this advisable? Maybe for a private establishment, but may not be so
> for end-users (eg: ISP)
>

At first we just had the three central proxies acting as round-robin parents for the remote sites. There are some web applications (some banking, other educational) that don't like seeing a single client's "session" coming from multiple IP addresses.

>> If
>> the parent dies, the two load balancers will surf direct.
> Surf Direct? What do you mean? No Squid proxy at all? Doesn't the 2,
> load balancers become the failover for the parent?
>

If the parent dies, the client sites continue to round-robin through the children. If one of the children dies, the clients surf through the remaining one. If the internet link to the children dies, the sites don't have internet access. Hopefully that answers your question.

>> It's not the most
>> graceful solution, but it has been working for several months.
>>
>> Currently traffic is peaking about 100 requests/sec and 1.5MB/sec, with CPU
>> usage under 50% on all processors (Intel Xeon 3.0GHz, 2GB RAM on the peers
>> 4GB on the parent).
>
> Wow. how big is your cache_dir then? 10MB per 1GB of space.. you have
> what 200GB of Cache_dir on the peers?
>

Actually, I only have about 6 GB of disk cache on each central proxy. Much of the RAM is being used to store hot objects, but these servers are not really used for caching. The majority of my customers access the internet over satellite, so the majority of the caching is done at the customer's presence.

> Reiserfs on aufs?
>

ext2 and aufs on the central children proxies, the parent is currently running FreeBSD.

> What's your max_object_size?
>

After using an awk script (scalar.awk http://scalar.risk.az/scalar091/scalar.awk) I saw that the vast majority of requests (over 90%) were for objects less than 10KB in size, so that's what I set the central proxy server's max_object_size to. At the client sites, it's set to 50MB.

> Thanks

Glad to be what help I can.
Re: [squid-users] Fw: squid_ldap_group config
Hello,

While I'm not using a Novell LDAP server, here is a snippet from the configuration I have working. Note: KCL uses a SunONE Directory Server.

-
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.komatsu.ca -p 389 -P -b o=komatsu -f "(|(uid=%s)(mail=%s))"
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# --
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# --
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 192.168.0.0/16

# LDAP group acl definitions.
#
# Puro
acl puro_groups external ldap_group puro puro_a puro_c puro_e puro_f puro_k puro_kr puro_te puro_tr puro_w
#
# Proxy
acl proxy_groups external ldap_group proxy proxy_a proxy_c proxy_e proxy_f proxy_k proxy_kr proxy_te proxy_tr proxy_w
#
# I left these for individual divisional controls, just in case they are needed.
acl proxy_a external ldap_group proxy_a
acl proxy_c external ldap_group proxy_c
acl proxy_e external ldap_group proxy_e
acl proxy_f external ldap_group proxy_f
acl proxy_k external ldap_group proxy_k
acl proxy_kr external ldap_group proxy_kr
acl proxy_te external ldap_group proxy_te
acl proxy_tr external ldap_group proxy_tr
acl proxy_w external ldap_group proxy_w

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# --
# Note: KCL deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
http_access deny no_kazaa
http_access deny no_puretracks

# --
# Puro group allowed list of web sites.
# ACLs
#
acl puro_denharco_com dstdomain .denharco.com
acl puro_emeryworld_com dstdomain .emeryworld.com
acl puro_emeryworldwide_com dstdomain .emeryworldwide.com
acl puro_fedex_com dstdomain .fedex.com
acl puro_fleetguard_com dstdomain .fleetguard.com
acl puro_hexaware_com dstdomain .hexaware.com
acl puro_hrparts_com dstdomain .hrparts.com
acl puro_komatsu_co_jp dstdomain .komatsu.co.jp
acl puro_komatsu_com dstdomain .komatsu.com
acl puro_machinerytrader_com dstdomain .machinerytrader.com
acl puro_machinetrader_com dstdomain .machinetrader.com
acl puro_mailposte_ca dstdomain .mailposte.ca
acl puro_ups_ca dstdomain .ups.ca
acl puro_ups_com dstdomain .ups.com

# --
# Access enablers
#
# Group: puro_groups
http_access allow kcl_networks puro_groups puro_denharco_com
http_access allow kcl_networks puro_groups puro_emeryworld_com
http_access allow kcl_networks puro_groups puro_emeryworldwide_com
http_access allow kcl_networks puro_groups puro_fedex_com
http_access allow kcl_networks puro_groups puro_fleetguard_com
http_access allow kcl_networks puro_groups puro_hexaware_com
http_access allow kcl_networks puro_groups puro_hrparts_com
http_access allow kcl_networks puro_groups puro_komatsu_co_jp
http_access allow kcl_networks puro_groups puro_komatsu_com
http_access allow kcl_networks puro_groups puro_machinerytrader_com
http_access allow kcl_networks puro_groups puro_machinetrader_com
http_access allow kcl_networks puro_groups puro_mailposte_ca
http_access allow kcl_networks puro_groups puro_ups_ca
http_access allow kcl_networks puro_groups puro_ups_com
#
# --
# Allow all proxy users to all web addresses.
#
# http_access allow kcl_networks proxy_a
# http_access allow kcl_networks proxy_c
# http_access allow kcl_networks proxy_e
# http_access allow kcl_networks proxy_f
# http_access allow kcl_networks proxy_k
# http_access allow kcl_networks proxy_k
[squid-users] Squid 3 vhost setup
I'm having trouble finding good docs on vhost accelerator configuration in Squid3. I have Squid3-PRE3, compiled on cygwin, running on a Windows box. I have several other servers running on the same box that I want to accelerate and have appear on port 80, via Squid.

I have this working with a redirect script, and it's passing the request to the right server -- but it's passing the request as an HTTP 1.0 request w/o the correct host header for the backend server to determine what site to serve.

I've tried a number of variants, but basic config settings are...but is there something I'm missing that forces squid to pass along host header info?

g.
[squid-users] Reverse proxy performance in FreeBSD 5.3
howdy,

I've got a dual proc AMD64 (2gHz) FreeBSD 5.3 system running two squid processes (to take advantage of both CPUs). Each process is doing around 195 req/s, and the total bandwidth is ~40Mb/s (gig nic via bge driver). All content is being served out of memory (very little disk activity).

Top shows

CPU states: 16.0% user, 0.0% nice, 42.7% system, 7.6% interrupt, 33.6% idle
Mem: 898M Active, 569M Inact, 179M Wired, 214M Buf, 171M Free
Swap: 4069M Total, 4069M Free

  PID USERNAME PRI NICE  SIZE   RES STATE  C   TIME   WCPU    CPU COMMAND
14598 squid    108    0  463M  459M select 0  39.2H 59.96% 59.96% squid
14605 squid    105    0  421M  416M CPU0   1  38.4H 49.95% 49.95% squid

but the % system time can fluctuate up to 60 at times. My question is if this is about the type of performance I could expect, or if people have seen better. I was expecting to see much better performance, seeing how everything is being served out of memory, but maybe I'm asking too much? Is this a FreeBSD issue (anybody else with similar experience)? A majority of the cpu time being spent in system would seem to indicate such.

Any help/pointers/remarks appreciated

Jeff
RE: [squid-users] Fw: squid_ldap_group config
For clarification, I don't use the squid_ldap_group external acl, so I may be completely off base, but that's never stopped me from giving suggestions before. :o)

All the following advice assumes that you have the arguments to squid_ldap_group correct.

I think you want to change your external acl lines to something like:

external_acl_type allowed_group %LOGIN /usr/sbin/squid_ldap_group -b \
  -D -w -f "(&(cn=%v)(groupMembership=cn=))" \
  -h ldap.host
external_acl_type denied_group %LOGIN (yadda, yadda)

The second argument to external_acl_type is the title of the external acl, which you use to reference it when you make a (non external) acl. It's a bit confusing to be sure, but I certainly can't think of a better way to do it.

Now that you have your external acls named, set the acl lines up like:

acl Restricted port 20 21 1025-65535 # (no change)
acl allowedGroup external allowed_group
acl deniedGroup external denied_group

Now you can use the acl names "Restricted", "allowedGroup" and "deniedGroup" to route traffic to the redirectors or whatever. In the next line, I've set it up such that deniedGroup can't access the restricted ports.

http_access deny deniedGroup Restricted

Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 8:57 AM
To: Matt Benjamin
Cc: Adam D. Gorski; [EMAIL PROTECTED]
Subject: Re: [squid-users] Fw: squid_ldap_group config

Hi Matt -

Your solution sounds pretty cool, but my boss is really "pro-vendor" software and I have won a big point getting squid into our district. However, he is dead set on keeping Websense as our content filter, and does not want our internet system to become difficult to support if someone leaves the department.

If I use the squid_ldap_auth program, I can only use one group and I am stuck in an accept/deny internet filtering role. I had this working for a while, but it does not fit our organization quite right.

I stumbled upon squid_ldap_group and it sounds like it works perfectly, but I am really confused as to how to use an external_acl_type role, and how to bring this group information back to squid for potential redirection, ftp filtering or user denial.

Is there anyone on this list who currently uses squid_ldap_group to segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]

Matt Benjamin <[EMAIL PROTECTED]>
12/01/2004 10:39 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], "Adam D. Gorski" <[EMAIL PROTECTED]>
Subject: Re: [squid-users] Fw: squid_ldap_group config

Kelly,

The intent of the Squid mechanism, is, I think, a bit obscure--hopefully the authors will step forward and show how you set up the two distinct external auth mechanisms it appears you need in order for Squid to a) authenticate to LDAP b) do the group check.

However, our solution (which resembles that used in a commercial K12 proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our version combines a bunch of extant modifications, including LDAP group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific users/groups to visit FTP urls, would happen here. For example, your source group might be "kids," and the destination group anything matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and reporting tool we're releasing, that organize all this.

Matt

[EMAIL PROTECTED] wrote:
>
>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Nove
Re: [squid-users] Reverse proxy performance in FreeBSD 5.3
I get similar performance out of a Linux dual P3-500 Xeon box, but I run about 50 redirectors off it and have about 24Mb bandwidth.

Are you running diskd? Do you have SCSI/RAID? How many peer caches are subordinate to this one?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]

Jeff Behl <[EMAIL PROTECTED]>
12/01/2004 01:00 PM
To: [EMAIL PROTECTED]
cc:
Subject: [squid-users] Reverse proxy performance in FreeBSD 5.3

howdy,

I've got a dual proc AMD64 (2gHz) FreeBSD 5.3 system running two squid processes (to take advantage of both CPUs). Each process is doing around 195 req/s, and the total bandwidth is ~40Mb/s (gig nic via bge driver). All content is being served out of memory (very little disk activity).

Top shows

CPU states: 16.0% user, 0.0% nice, 42.7% system, 7.6% interrupt, 33.6% idle
Mem: 898M Active, 569M Inact, 179M Wired, 214M Buf, 171M Free
Swap: 4069M Total, 4069M Free

  PID USERNAME PRI NICE  SIZE   RES STATE  C   TIME   WCPU    CPU COMMAND
14598 squid    108    0  463M  459M select 0  39.2H 59.96% 59.96% squid
14605 squid    105    0  421M  416M CPU0   1  38.4H 49.95% 49.95% squid

but the % system time can fluctuate up to 60 at times. My question is if this is about the type of performance I could expect, or if people have seen better. I was expecting to see much better performance, seeing how everything is being served out of memory, but maybe I'm asking too much? Is this a FreeBSD issue (anybody else with similar experience)? A majority of the cpu time being spent in system would seem to indicate such.

Any help/pointers/remarks appreciated

Jeff
[squid-users] cache dir files
Hello - I am having some difficulties using some cache purging utilities and noticed a couple things. I have squid setup as a reverse proxy and when I view one of my cached sites I see TCP_HIT:NONE in my access log but I cannot find any files being written to my cache dirs that would contain this HIT. From what I can tell the purge scripts I have found, scan your cache dirs and use squidclient to purge every instance in cache containing the variable you gave the purge script. But without files being written to the cache_dir I don't think it can do anything. Does anybody have any ideas on why my cached HITS wouldn't be written to disk? and what is the difference between TCP_MEM_HIT and TCP_HIT:NONE Thanks, Nick
Re: [squid-users] Reverse proxy performance in FreeBSD 5.3
Hmm...well that's not very heartening that you get the same out of a p3-500, but I am doing 16 Mb/s more. My setup is real simple: no diskd, scsi hard disk (but again, everything is being served out of memory), no peers. It's just a straight, single purpose reverse proxy...

disk i/o should be the cause:

www1# iostat 1
      tty             da0            pass0            pass1           cpu
 tin tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   0   50 14.89   1  0.02   0.00   0  0.00   0.00   0  0.00   3  0  7  2 88
   0  231  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77 16.00   9  0.14   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77 16.00  35  0.55   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77 16.00   7  0.11   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77 16.00   3  0.05   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  7.14   7  0.05   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0
   0   77  0.00   0  0.00   0.00   0  0.00   0.00   0  0.00   0  0  0  0  0

sigh...

Jeff

[EMAIL PROTECTED] wrote:

I get similar performance out of a Linux dual P3-500 Xeon box, but I run about 50 redirectors off it and have about 24Mb bandwidth.

Are you running diskd? Do you have SCSI/RAID? How many peer caches are subordinate to this one?

Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]

Jeff Behl <[EMAIL PROTECTED]>
12/01/2004 01:00 PM
To: [EMAIL PROTECTED]
cc:
Subject: [squid-users] Reverse proxy performance in FreeBSD 5.3

howdy,

I've got a dual proc AMD64 (2gHz) FreeBSD 5.3 system running two squid processes (to take advantage of both CPUs). Each process is doing around 195 req/s, and the total bandwidth is ~40Mb/s (gig nic via bge driver). All content is being served out of memory (very little disk activity).

Top shows

CPU states: 16.0% user, 0.0% nice, 42.7% system, 7.6% interrupt, 33.6% idle
Mem: 898M Active, 569M Inact, 179M Wired, 214M Buf, 171M Free
Swap: 4069M Total, 4069M Free

  PID USERNAME PRI NICE  SIZE   RES STATE  C   TIME   WCPU    CPU COMMAND
14598 squid    108    0  463M  459M select 0  39.2H 59.96% 59.96% squid
14605 squid    105    0  421M  416M CPU0   1  38.4H 49.95% 49.95% squid

but the % system time can fluctuate up to 60 at times. My question is if this is about the type of performance I could expect, or if people have seen better. I was expecting to see much better performance, seeing how everything is being served out of memory, but maybe I'm asking too much? Is this a FreeBSD issue (anybody else with similar experience)? A majority of the cpu time being spent in system would seem to indicate such.

Any help/pointers/remarks appreciated

Jeff
Re: [squid-users] Faked NTLM authentication
Nevermind, I found fakeauth_auth and am using that. It works well with the -S parameter on squid_ldap_group.

Oliver

Oliver Hookins wrote:

Hendrik, you mentioned quite a while ago on http://squid.sourceforge.net/ntlm/ the following:

"Squid can "easily" fetch the logged in username from a faked NTLM authentication session."

This would be useful for me to grab the user's username via NTLM for group authorisation without having to go through the rigmarole of setting everything up for actual NTLM authentication from a domain controller. Can it actually be done as easily as you thought? What would be involved?

Thanks,
Oliver

---
Oliver Hookins B.Sc(Computing and Information Systems)
Exhibition IT Services Pty Ltd
e: [EMAIL PROTECTED]
p: +61 2 9882 1300
f: +61 2 9882 3377

This communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking any action in reliance on, this communication by persons or entities other than the intended recipient is prohibited. Exhibition IT Services Pty LTD makes no express or implied representation or warranty that this electronic communication or any attachment is free from computer viruses or other defects or conditions which could damage or interfere with the recipients data, hardware or software. This communication and any attachment may have been modified or otherwise interfered with in the course of transmission.
[squid-users] How to test if my squidguard and LDAP authentication works from the command line
Dear all,

I have configured squidguard and squid_ldap_auth on my squid. From the cache and webmin there seems to be no error message. But I just want to find out if there is any way I can test the squidguard and squid_ldap_auth from the command line without connecting to internet. Or is it the only way to test if my squid, squidguard, squid_ldap_auth work, is to connect the computer (with squid) to the internet and check it from the client computers that it serves?

Thanks all!
Re: [squid-users] How to test if my squidguard and LDAP authentication works from the command line
You can test squid_ldap_auth from the command line by just entering the actual command and its parameters as in your external_acl_type line. Then you just enter usernames and passwords separated by a space on each line - it will confirm the authentication with either ERR or OK.

I couldn't tell you how to test squid itself or squidguard without internet access. It can of course proxy for webservers on your local network so you could use that.

Regards,
Oliver

Yong Bong Fong wrote:

Dear all,

I have configured squidguard and squid_ldap_auth on my squid. From the cache and webmin there seems to be no error message. But I just want to find out if there is any way I can test the squidguard and squid_ldap_auth from the command line without connecting to internet. Or is it the only way to test if my squid, squidguard, squid_ldap_auth work, is to connect the computer (with squid) to the internet and check it from the client computers that it serves?

Thanks all!
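
The command-line check described in the reply above, as an added example that is not part of the original post: a shell script that feeds "username password" lines to a basic-auth helper on stdin and compares each OK/ERR reply with the expected one. The names fake_basic_helper, ask_helper, run_cases and demo_cases and the alice account are constructed for illustration; the stand-in helper lets the script run with no LDAP server.

```shell
#!/bin/sh
# Added example: drive a Squid basic-auth helper by hand.
# Protocol, as in the reply above: one "username password" line on stdin,
# one reply line starting with OK or ERR on stdout.

# Constructed stand-in for squid_ldap_auth so this runs with no LDAP server.
# It knows one made-up account: alice / "correct horse".
fake_basic_helper() {
    # Split at the first space: the first word is the user name, the rest of
    # the line (spaces included) is the password.
    while IFS=' ' read -r fh_user fh_pass; do
        if [ "$fh_user" = "alice" ] && [ "$fh_pass" = "correct horse" ]; then
            echo "OK"
        else
            echo "ERR"
        fi
    done
}

# ask_helper USER PASSWORD HELPER [ARG...]
# Sends one credential pair to the helper and prints OK, ERR or NOREPLY.
ask_helper() {
    ah_user=$1
    ah_pass=$2
    shift 2
    ah_reply=$(printf '%s %s\n' "$ah_user" "$ah_pass" | "$@" | head -n 1)
    case $ah_reply in
        OK*)  echo "OK" ;;
        ERR*) echo "ERR" ;;
        *)    echo "NOREPLY" ;;   # helper exited or printed something else
    esac
}

# run_cases HELPER [ARG...]
# Reads cases from stdin, one per line: EXPECTED USER PASSWORD
# Reports each mismatch on stderr and prints the mismatch count on stdout.
run_cases() {
    rc_failed=0
    while IFS=' ' read -r rc_expect rc_user rc_pass; do
        case $rc_expect in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        rc_got=$(ask_helper "$rc_user" "$rc_pass" "$@")
        if [ "$rc_got" != "$rc_expect" ]; then
            echo "MISMATCH user=$rc_user expected=$rc_expect got=$rc_got" >&2
            rc_failed=$((rc_failed + 1))
        fi
    done
    echo "$rc_failed"
}

# Constructed cases: the valid account, a wrong password, an unknown user.
demo_cases() {
    cat <<'EOF'
# expected user password
OK alice correct horse
ERR alice wrong
ERR mallory correct horse
EOF
}

echo "mismatches: $(demo_cases | run_cases fake_basic_helper)"
```

To check a real helper, pass the program and arguments from your squid.conf to run_cases in place of fake_basic_helper, and feed it the cases from a file that only you can read.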
[squid-users] squid_ldap_group with users in several OUs
OK this is my last question about this I swear... but I really need to know the answer to this one.

I've just found out that where I'll be implementing the squid_ldap_group authorisation has several OUs for containing the user accounts on the 2000 AD. At the moment my command line for the squid_ldap_group is as follows:

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B cn=Users,dc=domain,dc=local -F "samaccountname=%s" -D cn=Oliver,cn=Users,dc=domain,dc=local -w password -S 192.168.150.100

This obviously just looks in the Users container for groups and users and any subtrees. I tried shortening the Base DN for both users and groups to just dc=domain,dc=local but it doesn't appear to work, I suspect because of the filters or something. How can I specify a base DN and filter when the users may be in one of any number of OUs? (even OUs nested within others)

Thanks in advance,
Oliver

---
Oliver Hookins B.Sc(Computing and Information Systems)
Exhibition IT Services Pty Ltd
e: [EMAIL PROTECTED]
p: +61 2 9882 1300
f: +61 2 9882 3377
Re: [squid-users] Squid limits and hardware spec
Ow Mun Heng wrote:
On Mon, 2004-11-29 at 11:32, Martin Marji Cermak wrote:

Hello guys, I have been playing with Squid under a heavy load and there are some stats. I am trying to maximise the "Byte Hit Ratio" value. I got 13% average, but I am not happy about this number - I want it higher (how to do it?). There are thousands of ADSL clients using the cache and I want to know what the Squid limits are.

USED HARDWARE:
Processor: P4 1.8GHz
Memory: 1 GB
Harddisk: 40 GB IDE 7200rpm
Controller: Serverworks Chipset
Ethernet card: Broadcom TG3

ACHIEVED PERFORMANCE:
Byte Hit Ratio: 13% (TOO LOW !!!)

You want to save bandwidth or you want speed??

Yes, I want to Save bandwidth.

USED CONFIGURATION:
maximum_object_size 51200 KB (SHOULD I MAKE IT HIGHER ???)

I made mine to cache up to 40MB only. If you really want to have more byte hit ratio, then by all means, up the max_obj_size.

OK, now I have:
maximum_object_size 200 MB

cache_dir aufs /cache 25000 16 256
(one ide disk, see the spec above)

This seems too low. I used 40GB of the 80GB drive

OK, I changed it to
cache_dir aufs /cache 92000 16 256

cache_mem 8 MB

200 MB. More being cached to memory. Faster retrieval.

Thank you, nice. I just hope it does not start swapping :-)

The Squid is configured as a transparent proxy, so:
httpd_accel_uses_host_header on
httpd_accel_with_proxy OFF (yes, transparent)
httpd_accel_port 80
httpd_accel_host virtual

Say.. do you have any experience running a load balanced squid? I'm wondering, since it's transparent, what happens if Squid Goes down? (for X Reasons?) What happens to your ADSL users? (in the thousands??)

I am in a testing phase, trying to find out what can just one squid handle - what are its limits. Then I will install a little Squid farm.

If Squid goes down, it drops all established connections. So, I am supposed to have my Squid in a good shape :-), stable and running without stopping/crashing.
The "thousands" means approx. 3500 users at the moment.

Are you logging a lot of things? If you are, your IDE disk may not be able to sustain the throughput.

Yes, you are right, I was logging quite a lot. I modified the debug module a bit (I can set a debug level for each module, e.g.:
debug_options ALL,1;14,2;99,4
) so now I log only info I need

And another interesting thing: My median Byte Hit Ratio has reached 17% (200 MB max file, 95 GB cache). So I recompiled squid with --enable-removal-policies and set:
cache_replacement_policy heap LFUDA
It looks like I can gain a couple of percent (LFUDA should have a bit better Byte Hit Ratio than lfu).

I will report some stats to the list, when I have more info (after I run squid in this configuration for more days).

Have a nice day,
Marji
Re: [squid-users] Squid limits and hardware spec
On Thu, 2004-12-02 at 13:13, Martin Marji Cermak wrote:
> Ow Mun Heng wrote:
> > On Mon, 2004-11-29 at 11:32, Martin Marji Cermak wrote:
> >>USED CONFIGURATION:
> >>maximum_object_size 51200 KB (SHOULD I MAKE IT HIGHER ???)
> >
> > I made mine to cache up to 40MB only. If you really want to have more
> > byte hit ratio, then by all means, up the max_obj_size.
>
> OK, now I have:
>    maximum_object_size 200 MB

That means your cache will store up to 200MB of each file. You can even store ISO files if your users download Linux ISOs. Just need to up that 200MB to say 800MB.

> >>cache_dir aufs /cache 25000 16 256
> >> (one ide disk, see the spec above)
> >
> > This seems too low. I used 40GB of the 80GB drive
> OK, I changed it to
>    cache_dir aufs /cache 92000 16 256

You might also want to change your L1 directories, for a 90GB cache, only having 16 L1 directories may be overkill.

How to calculate L1 Dir: (30GB Cache)
x=Size of cache dir in KB (i.e. 30GB=~30,000,000KB)
y=Average object size (just use 15KB)
z=Number of directories per first level directory

(((x / y) / 256) / 256) * 2 = # of directories

30,000,000 / 15 = 200 / 256 = 7812.5 / 256 = 30 * 2 = 60

cache_dir aufs /squidcache/cache1 3 60 256

Just out of curiosity, what is your cache's filesystem? Ext3? reiserfs? Do you expect to have more _large_ files or more small files? I use reiserfs. (anticipate more small files caches)

You can query the cache, but I can't remember what was the 'form' of the query.

> >>cache_mem 8 MB
> > 200 MB. More being cached to memory. Faster retrieval.
> Thank you, nice. I just hope it does not start swapping :-)

How much of memory do you have?? for a 90GB cache, and assuming 10MB RAM per 1GB cache, you better have like 900MB RAM

> > Say.. do you have any experience running a load balanced squid? I'm
> > wondering, since it's transparent, what happens if Squid Goes down? (for
> > X Reasons?) What happens to your ADSL users? (in the thousands??)
> I am in a testing phase, trying to find out what can just one squid
> handle - what are its limits. Then I will install a little Squid farm.
>
> If Squid goes down, it drops all established connections.

Yeah.. I figured as much. My very own fear.

> So, I am
> supposed to have my Squid in a good shape :-), stable and running
> without stopping/crashing.
> The "thousands" means approx. 3500 users at the moment.

OK.. and they're all accessing 1 cache? Wow.

> > Are you logging a lot of things? If you are, your IDE disk may not be
> > able to sustain the throughput.
> Yes, you are right, I was logging quite a lot. I modified the debug
> module a bit (I can set a debug level for each module, e.g.:
>    debug_options ALL,1;14,2;99,4
> ) so now I log only info I need

Good on you.

> I will report some stats to the list, when I have more info (after I run
> squid in this configuration for more days).

Please do tell. I'm looking into how to implement squid in such an environment. I'm also looking into ultramonkey.org and linuxvirtualserver.org as a means for load-balancing. But again, If not mistaken, the Ultramonkey/LVS box will be the bottleneck/single point of failure.

> Have a nice day,

If you post back the results, I sure will.

> Marji

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
Neuromancer 13:58:24 up 4:09, 7 users, 0.51, 0.43, 0.23
[squid-users] ClamAV information needed, any recommendation?
Dear all,

I am trying to find a good step by step or How-to guide about installation and everything about ClamAV, does anyone know where I can get it? I found the official site of ClamAV but seems like the information in there is quite limited.

Thanks all
Re: [squid-users] ClamAV information needed, any recommendation?
On Thursday 02 Dec 2004 06:18, Yong Bong Fong wrote:
> Dear all,
>
> I am trying to find a good step by step or How-to guide about
> installation and everything about ClamAV, does anyone know where I can
> get it? I found the official site of ClamAV but seems like the
> information in there is quite limited.

You'll find lots of help on the clamav-users mailing list, see www.clamav.net for details.

> Thanks all

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
RE: [squid-users] cache dir files
>
> Hello - I am having some difficulties using some cache purging
> utilities and noticed a couple things. I have squid setup as a
> reverse proxy and when I view one of my cached sites I see
> TCP_HIT:NONE in my access log but I cannot find any files being
> written to my cache dirs that would contain this HIT. From what I can
> tell the purge scripts I have found, scan your cache dirs and use
> squidclient to purge every instance in cache containing the variable
> you gave the purge script. But without files being written to the
> cache_dir I don't think it can do anything.
> Does anybody have any ideas on why my cached HITS wouldn't be
> written to disk?

HIT means that the object is already in the cache and or on the disk as you write. So in that case the object has to be read, nothing has to be written.

>
> and what is the difference between TCP_MEM_HIT and TCP_HIT:NONE

http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7

M.
[squid-users] DELAY_POOLS plz help
dear list, hi,

i have 256CIR DSL line and i have 100 users. i want to use DELAY_POOLS for slowing downloading speed at user end, with the download file extension .exe .dat .zip .avi.

please help me.

Thank you & best regards,
Shiraz Gul Khan (03002061179)
Onezero Inc.
RE: [squid-users] DELAY_POOLS plz help
>
> dear list, hi,
>
> i have 256CIR DSL line and i have 100 users. i want to use
> DELAY_POOLS for
> slowing downloading speed at user end, with the download file
> extension .exe
> .dat .zip .avi.
>

Check the examples in the FAQ for starters.

M.