Re: [squid-users] Squid and Firewall on Gateway

2004-12-16 Thread Ow Mun Heng
On Thu, 2004-12-16 at 15:37, Shafyx wrote:
> Hello
> 
> 
> I have installed on my a debian machine that acts as a
> gateway to my lan.  The job of the gateway is to
> provide a caching server for my lan as well as a
> firewall.  Here is my architecture:
> 
> eth1   eth0
> ADSL   <--->  [Gateway]  <---> LAN
> 
> eth1 = 192.168.192.70, eth0 = 192.168.1.1, 
> LAN = 192.168.1.0/24
> 
> On the Gateway, i have squid 2.5.STABLE7 and it
> authenticates all the users connecting to the
> internet. Thus, it is not a transparent proxy.  I am
> also using iptables to build the firewall.  Proxy
> listen on port 3128.  
> 
> here what access.log says:
> 1103182301.857  1 192.168.1.23 TCP_DENIED/407 1761
> GET http://www.yahoo.com/ - NONE/- text/html

Determine if you've placed the correct acls in Squid.conf.

something like
acl Int_net src 192.168.1.0/255.255.255.0
http_access allow Int_net


--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz 
98% Microsoft(tm) Free!!
Neuromancer 16:06:27 up 6:33, 7 users, 0.15, 0.37, 0.44 




Re: [squid-users] Digest Authentication

2004-12-16 Thread Glenn Baptista
Hello Henrik,
Did try to look around to see how to proceed, but did not reach the 
desired outcome.  Saw the code for the text_backend.c file and realised 
that you need to insert an additional parameter '-c' in the squid.conf 
file for the 'digest_auth program' parameter.

Still things did not work, but it was obviously not using name:password 
any more, so probably something wrong with the password encryption 
scheme.  The code mentions MD5 passwords.  So does this mean that 
htdigest passwords are not the same?

Can you provide some more direct help please?  Even if there is a link 
to some detailed docs it may help, since this is not my area of 
expertise.  I have searched a fair bit on the web, in the conf file and 
experimented a bit as well but have been unable to reach the intended goal.

Thanks
Glenn Baptista
Henrik Nordstrom wrote:

> On Wed, 15 Dec 2004, Glenn Baptista wrote:
>
> > I compiled version 3 like before and copied the 'digest_pw_auth' 
> > program into the ../libexec directory.
> > I included the realm statement in squid.conf to read 'Test'
> > I created the password file using
> > htdigest .../passwd Test userName
> >
> > What am I doing wrong?
>
> Try the built-in "help"
>   .../libexec/digest_pw_auth
>
> Regards
> Henrik



[squid-users] problems with squid 2.5.Stable7 in accelerator mode with https

2004-12-16 Thread Glatzel Tino
Hello list,

I want to use my squid in accelerator mode to secure the access to our
Exchange Server (Outlook Webaccess).
If I use port 80 to connect to the squid, it works fine. All traffic to the
Exchange Server will be routed to the squid. With netstat -an I can see it.
If I connect with port 443 to the squid, I see a message like this:
the site contains secure and unsecure objects. Do you want to display the
unsecure objects ?
When I press the YES button, my workstation connects to the Exchange Server
directly. I see it with
netstat -an. 
This is my configuration:

Debian GNU Linux woody
Squid-2.5.Stable7




Usersystem  --HTTPS-->  Squid            --HTTP-->  Exchange Server
                        owa.testnetz.de             exchange.testnetz.de
                        192.168.20.10               192.168.20.20

Request: https://owa.testnetz.de/exchange
Certificate is generated for owa.testnetz.de

/opt/squid/etc/squid.conf

http_port 80

https_port 443 cert=/opt/squid/etc/server.crt key=/opt/squid/etc/server.key

httpd_accel_host 192.168.20.20
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_single_host off

cache_mgr [EMAIL PROTECTED]
visible_hostname owa.testnetz.de

dns_testnames owa.testnetz.de

debug_options ALL,2
logfile_rotate 5

cache_log /opt/squid/var/logs/cache.log
cache_access_log /opt/squid/var/logs/access.log
cache_store_log /opt/squid/var/logs/store.log
coredump_dir /opt/squid/var/logs/

pid_filename /opt/squid/var/logs/squid.pid

error_directory /opt/squid/share/errors/German

cache_replacement_policy lru
cache_dir ufs /opt/squid/var/cache 1024 64 256

cache_swap_low 90
cache_swap_high 95
maximum_object_size 2046 MB
store_dir_select_algorithm least-load

cache_mem 64 MB
maximum_object_size_in_memory 64 KB
memory_replacement_policy lru

mime_table /opt/squid/etc/mime.conf

ipcache_size 1
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

refresh_pattern .   0   20% 4320

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl Exchange_IP dst 192.168.20.20


acl SSL_ports port 443

acl Safe_ports port 443 # https
acl Safe_ports port 80 # http

acl Exchange_Port port 80

acl CONNECT method CONNECT


always_direct allow all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow all Exchange_IP
http_access deny all

http_reply_access allow all

icp_access deny all

cache_effective_user squid
cache_effective_group squid




/etc/hosts

edm:~# cat /etc/hosts
127.0.0.1   localhost
192.168.20.20 owa.testnetz.de owa





can anyone help me ??



tino

Kind regards
Tino Glatzel

badenIT
Innovation technology for your future

Tino Glatzel
badenIT GmbH
System Support
Tullastr. 70
D-79108 Freiburg

Tel. +49 761 279-2804
Fax +49 761 279-572804

mailto:[EMAIL PROTECTED]
www.badenIT.de


[squid-users] Transparent proxy

2004-12-16 Thread Hassan Shaikh
Hi,
We are using Lucent Cellpipe 20 Series xDSL router and users are on 
Win9x. Is there a way to use transparent proxy so that users cannot use 
the router's LAN IP as gateway?

Thanks.


RE: [squid-users] Transparent proxy

2004-12-16 Thread Elsen Marc

 
> Hi,
> 
> We are using Lucent Cellpipe 20 Series xDSL router and users are on 
> Win9x. Is there a way to use transparent proxy so that users 
> cannot use 
> the router's LAN IP as gateway?
> 
  
That's unrelated. It's still possible to intercept http traffic
even if the default gateway at IP level is set in that way.
Check the FAQ on guidelines for different kinds
of transp. proxying setups.

But transp. proxying has its drawbacks. There are subtle issues
where it can lead to problems, because http expects to work
in the standard TCP/IP networking model, where, if not proxied, it thinks
it is talking directly to the remote server.

M.


Re: [squid-users] async-io and threads

2004-12-16 Thread Lucas Brasilino
Hi Henrik:
> Are you asking your ps command to include threads information?

Yep :) Did I misunderstand the docs? :)

--
[]'s
Lucas Brasilino
[EMAIL PROTECTED]
http://www.recife.pe.gov.br
Emprel -Empresa Municipal de Informatica (pt_BR)
Municipal Computing Enterprise (en_US)
Recife - Pernambuco - Brasil
Fone: +55-81-32327078


[squid-users] Java applet loading and caching problems with Squid

2004-12-16 Thread Tilmann Haug
Dear Group,
My contacts with squid go back about 5 years. Currently squid is not 
part of my personal tasks. I'm writing today because of a problem that 
might be related to squid. I hope someone on the list has ideas where 
I could continue with the troubleshooting. Here is the case:

We are running a Java based web application under Windows 2000 Server.
There are two applets delivered to the clients. In the past we had some 
problems when a new version of the applet came out and the old version 
still remained in the proxy caches of our customers.
With a simple deletion of the applets from the cache, the problem was 
solved.

Now, we have a new case that is far more disturbing.
Some clients who used successfully the application in the past only get 
the first applet and then can't go on.

The process is as follows:
Client requests the Login-Applet.
The applet is loading
The user enters his data and sends them back.
After authentication the second applet is loaded.
Now we have a number of users, where the first applet is successfully 
loaded, but once they try to authenticate, the second applet won't load.

This scenario appears only with users having a Proxy in their network. 
Some of the users have successfully connected to the application 
(applet2) once they skipped the proxy.

We recorded the network traffic and had strange findings: The applet 
tries to connect to port 65535 instead of port 80.

Now the question is:
How can squid influence the behavior of the two applets?
What do the developers have to change in the applet to avoid caching 
problems with squid?
How could one configure squid, to let the applets pass?
Did anyone have similar problems, and how could they be solved?
What are the important config directions to make sure the applets are 
not cached (for both squid and the application)?
What relation between the request of port 65535 can there be in relation 
to squid?

Thanks very much for any hints and your help.
I appreciate all comments and suggestions, where to look, and what to try.
Thanks in advance.
Best regards from Munich
Tilmann Haug


[squid-users] bypass domain through squid

2004-12-16 Thread Eswari
Hi squid users,
 I am running transparent proxy and facing a strange problem that could not
browse hotmail.com through squid. How can I bypass this domain  from squid .

Any help will be highly appreciated.

Kind regards,
eswari







[squid-users] RE: bypass domain through squid

2004-12-16 Thread Elsen Marc

 
> 
> Hi squid users,
>  I am running transparent proxy and facing a strange problem 
> that could not
> browse hotmail.com through squid. How can I bypass this 
> domain  from squid .
> 

You have to do this by putting the domain in
an exception list at the "interception point" (let through)
before the request is sent to SQUID.

M.


[squid-users] User Authentication

2004-12-16 Thread Mohammad Shoaib Irtaza
Hi. 

I would like to know if there is a way to transmit authentication 
information to squid from a web page [login page] instead of
calling the traditional pop-up window? will be grateful if 
someone could guide me. Thank you.

Shoaib Irtaza



[squid-users] Upstream Proxy problem

2004-12-16 Thread Martyn Bright
I have a local squid proxy that passes all requests to an upstream proxy
at our ISP.  Normal web pages are fine, but a thick client application
that is proxy aware fails to work if I point it at our local proxy.  If
I point it directly at the ISP's proxy, it works perfectly.  How do I
diagnose what is not getting through?  I've tried various levels of
debugging, but can make little sense of it.

regards
 
Martyn Bright
TRML
01455 850444




Re: [squid-users] Upstream Proxy problem

2004-12-16 Thread Lucio Jankok

Instead of permitting only the safe ports try to let every port through for
that particular client and see if that helps. If it works then you know it
is some extra ports besides the safe_ports which you have to open for that
particular client.


On 12/16/04 2:32 PM, "Martyn Bright" <[EMAIL PROTECTED]> wrote:

> I have a local squid proxy that passes all requests to an upstream proxy
> at our ISP.  Normal web pages are fine, but a thick client application
> that is proxy aware fails to work if I point it at our local proxy.  If
> I point it directly at the ISP's proxy, it works perfectly.  How do I
> diagnose what is not getting through?  I've tried various levels of
> debugging, but can make little sense of it.
> 
> regards
>  
> Martyn Bright
> TRML
> 01455 850444
> 
> 




RE: [squid-users] follow_xff rpm?

2004-12-16 Thread Harding, Devon
Would I also need to add the "--enable-follow-x-forwarded-for" option
under %configure?

-Devon

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 15, 2004 7:11 PM
To: Harding, Devon
Cc: Chris Robertson; [EMAIL PROTECTED]
Subject: RE: [squid-users] follow_xff rpm?



On Wed, 15 Dec 2004, Harding, Devon wrote:

> Hmm...when I patch and re-install the rpm, I get the following error:
>
> 2004/12/15 17:16:28| parseConfigFile: line 2332 unrecognized:
> 'follow_x_forwarded_for allow localhost'

The patch was not included in the build.

> "Patch110:
> http://devel.squid-cache.org/follow_xff/follow_xff-2.5.patch".

You also need a matching %patch line in the %prep section.

Regards
Henrik


[squid-users] Extremly high duration value in access.log

2004-12-16 Thread Stefan Bohm
Hello squid users,
I'm experiencing some strange timeout problems, that causes pictures not to be
loaded from our backend machines. We are running squid 2.5STABLE7 as a reverse
proxy. In front of this proxy operates an apache-2.0.5x to handle some
redirects etc.
Most requests are forwarded to the squid who forwards the request to a backend
cluster via a load balancer.

In our squid access.log we have lines like:

1103204869.900  1 10.1.10.1 TCP_IMS_HIT/304 251 GET http://www.rp-online.de/image1.jpg - NONE/- image/jpeg
1103204870.586 300081 10.1.10.1 TCP_MISS/200 2929 GET http://www.rp-online.de/image1.jpg - NONE/- image/jpeg

The second field is the "duration". But what does a value > 300.000 mean?
Might this be the cause for the spurious timeouts?
The problems only occur, when requesting the pages via reverse proxy. Fetching
directly through the loadbalancer works fine.

Any suggestions?
Thank you all in advance
Stefan
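
For reading log lines like the two quoted above (an added example, not part of the original post): in Squid's native access.log format the second field is the elapsed time in milliseconds, so 300081 is a little over 300 seconds. The Python sketch below parses native-format lines, flags slow requests, and marks elapsed times that sit just past a whole multiple of 30 seconds; the 60-second threshold and the 30-second step are assumptions chosen for illustration.

```python
"""Parse Squid native-format access.log lines and flag long elapsed times."""
from dataclasses import dataclass

# Lines 1 and 2 are the ones quoted in the post above. Line 3 is a line as it
# appears elsewhere in this archive, with the timestamp and elapsed columns
# run together; it is included to show how damaged input is handled.
SAMPLE = [
    "1103204869.900  1 10.1.10.1 TCP_IMS_HIT/304 251 GET "
    "http://www.rp-online.de/image1.jpg - NONE/- image/jpeg",
    "1103204870.586 300081 10.1.10.1 TCP_MISS/200 2929 GET "
    "http://www.rp-online.de/image1.jpg - NONE/- image/jpeg",
    "1103202409.748237 192.168.0.10 TCP_MISS/200 376 GET "
    "http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit - "
    "FIRST_UP_PARENT/proxy.easynet.net text/html",
]


@dataclass(frozen=True)
class Entry:
    timestamp: float   # seconds since the epoch, millisecond resolution
    elapsed_ms: int    # time the request occupied the proxy, in milliseconds
    client: str
    result: str        # Squid result code, e.g. TCP_MISS
    status: int        # HTTP status sent to the client
    size: int          # bytes sent to the client
    method: str
    url: str
    hierarchy: str     # how the request was forwarded, e.g. NONE
    peer: str


def parse_line(line):
    """Return an Entry, or None when the line is not a native-format record."""
    fields = line.split()
    if len(fields) != 10:
        return None
    try:
        result, status = fields[3].split("/", 1)
        hierarchy, peer = fields[8].split("/", 1)
        return Entry(float(fields[0]), int(fields[1]), fields[2], result,
                     int(status), int(fields[4]), fields[5], fields[6],
                     hierarchy, peer)
    except ValueError:
        return None


def scan(lines, threshold_ms=60_000):
    """Return (entries at or above the threshold, count of rejected lines)."""
    slow, rejected = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            rejected += 1
        elif entry.elapsed_ms >= threshold_ms:
            slow.append(entry)
    return slow, rejected


def near_timer(entry, step_ms=30_000, slack_ms=1_000):
    """Heuristic (an assumption of this example): an elapsed time just past a
    whole multiple of step_ms looks like a timer expiring, not a slow transfer."""
    return entry.elapsed_ms >= step_ms and entry.elapsed_ms % step_ms <= slack_ms


if __name__ == "__main__":
    slow, rejected = scan(SAMPLE)
    for e in slow:
        note = " (just past a 30 s multiple)" if near_timer(e) else ""
        print(f"{e.elapsed_ms / 1000:.1f}s {e.result}/{e.status} {e.url}{note}")
    print(f"{rejected} line(s) could not be parsed")
```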


RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Elsen Marc

 
> 
> I have a local squid proxy that passes all requests to an 
> upstream proxy
> at our ISP.  Normal web pages are fine, but a thick client application
> that is proxy aware fails to work if I point it at our local 
> proxy.  If
> I point it directly at the ISP's proxy, it works perfectly.  How do I
> diagnose what is not getting through?  I've tried various levels of
> debugging, but can make little sense of it.
 
  There's more info needed to go into this.
  
  Local Squid version ?
  Os/platform version ?

  What is 'fails to work' ?
  What happens more exact ?

  How are all requests passed to the upstream proxy ?
  (config setting).

  Determine (show)  access log entries in Squid for objects which
  can't be loaded (e.g).
  These should be compared with log entries, from the Upstream Proxy,
  when the upstream proxy is being used directly.
  Perhaps some conclusions can be drawn , then


  M.


[squid-users] How do I use client certificates to authenticate to the Squid server?

2004-12-16 Thread Strickland, Lawrence P


RE: [squid-users] follow_xff rpm?

2004-12-16 Thread Harding, Devon
Ok, here's what I've added to squid.spec

Release: 4.fc2.2a

Patch111: http://devel.squid-cache.org/follow_xff/follow_xff-2.5.patch

%patch111 -p1

--enable-follow-x-forwarded-for \

When I run rpmbuild -bb /usr/src/redhat/SPECS/squid.spec, I get the
following message:

+ echo 'Patch #110 (squid-2.5.STABLE5-proxy_abuse.patch):'
Patch #110 (squid-2.5.STABLE5-proxy_abuse.patch):
+ patch -p1 -s
+ echo 'Patch #111 (follow_xff-2.5.patch):'
Patch #111 (follow_xff-2.5.patch):
+ patch -p1 -s
missing header for unified diff at line 4 of patch
The text leading up to this was:
--
|Index: acconfig.h
|--- acconfig.h 1 Jul 2002 17:24:48 -   1.13.2.3
|+++ acconfig.h 23 Nov 2003 14:20:06 -
--
File to patch:

What am I missing?

-Devon

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 15, 2004 7:11 PM
To: Harding, Devon
Cc: Chris Robertson; [EMAIL PROTECTED]
Subject: RE: [squid-users] follow_xff rpm?



On Wed, 15 Dec 2004, Harding, Devon wrote:

> Hmm...when I patch and re-install the rpm, I get the following error:
>
> 2004/12/15 17:16:28| parseConfigFile: line 2332 unrecognized:
> 'follow_x_forwarded_for allow localhost'

The patch was not included in the build.

> "Patch110:
> http://devel.squid-cache.org/follow_xff/follow_xff-2.5.patch".

You also need a matching %patch line in the %prep section.

Regards
Henrik


[squid-users] Bypassing authentication for intranet

2004-12-16 Thread Ian Morgan
Hello,

I am using NCSA for authenticating users. However, I need to bypass the
authentication when browsing our company's intranet site. Is there a way to
do this?

Many thanks.





RE: [squid-users] Bypassing authentication for intranet

2004-12-16 Thread Elsen Marc

 
> 
> Hello,
> 
> I am using NCSA for authenticating users. However, I need to 
> bypass the
> authentication when browsing our company's intranet site. Is 
> there a way to
> do this?
 
 Yes, by using proper access controls in squid.
 Check the FAQ on access controls.

 M.


RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Elsen Marc

  
> >   Local Squid version ?
> >   Os/platform version ?
> Squid 2.5 Stable 6 on Fedora 2


 Optional, advisable : try with the latest stable release.

> 
> > 
> >   What is 'fails to work' ?
> >   What happens more exact ?
> The application (to which I have no debug control) reports a failed
> internet connection whilst trying to retrieve data from an 
> http server.
> > 
> >   How are all requests passed to the upstream proxy ?
> >   (config setting).
> The line from the config file is:-
> cache_peer proxy.easynet.net parent 3128 0


  OK, but if the ISP parent is the only one
with Internet access , and your local squid hasn't; then you need
 
   never_direct allow all

in squid.conf.


> 
> > 
> >   Determine (show)  access log entries in Squid for objects which
> >   can't be loaded (e.g).
> >   These should be compared with log entries, from the 
> Upstream Proxy,
> >   when the upstream proxy is being used directly.
> I have no access to the logs from the upstream proxy, so 
> can't tell what
> goes to it.

  It should be needed, if you can't figure it out further.
  Otherwise it's a black hole, in the possible information
  elements which may help you solve this issue.


> As far as I can tell, my proxy is not reporting any
> failures.
> 
> The only other thing I could do is provide a tcpdump of the traffic to
> each of the proxies.  Is there a log setting in squid that will show
> failed connections?

  The access.log entries from the application would be sufficient.
  Check the access status for each object accessed through squid.
  Look for statuses indicating failures, if any.


> 
> 
> 


RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Martyn Bright
> > The line from the config file is:-
> > cache_peer proxy.easynet.net parent 3128 0
> 
> 
>   OK, but if the ISP parent is the only one
> with Internet access , and your local squid hasn't; then you need
> 
>    never_direct allow all
Yes, I have that.

> 
>   The access.log entries from the application would be sufficient.
>   Check the access status for each object accessed through squid.
>   Look for statuses indicating failures, if any.
There are only 2 lines in the access log for each failed attempt. 

1103202409.748237 192.168.0.10 TCP_MISS/200 376 GET
http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit -
FIRST_UP_PARENT/proxy.easynet.net text/html

1103202409.999169 192.168.0.10 TCP_MISS/100 154 POST
http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit -
FIRST_UP_PARENT/proxy.easynet.net -

I'm afraid I don't understand what they mean.

> 
> >
> >
> >



RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Martyn Bright
> 
> Instead of permitting only the safe ports try to let every port through
> for that particular client and see if that helps. If it works then you
> know it is some extra ports besides the safe_ports which you have to
> open for that particular client.
> 
I added 

acl Safe_ports port 1-65535

but it made no difference.



RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Elsen Marc

 
> I added 
> 
> acl Safe_ports port 1-65535
> 
> but it made no difference.
> 
> 

 Don't ! That suggestion was useless since everything is sent
to your upstream proxy.

M.


RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Elsen Marc
 
> There are only 2 lines in the access log for each failed attempt. 
> 
> 1103202409.748237 192.168.0.10 TCP_MISS/200 376 GET
> http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit -
> FIRST_UP_PARENT/proxy.easynet.net text/html
> 
> 1103202409.999169 192.168.0.10 TCP_MISS/100 154 POST
> http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit -
> FIRST_UP_PARENT/proxy.easynet.net -
> 
> I'm afraid I don't understand what they mean.
> 
>...
 
 
It's no error and means that the request(s) was(were) forwarded to
the first defined parent.
AFAIK, it doesn't tell why it does not work, through your local
SQUID.

M.


[squid-users] Re: Squid and Firewall on Gateway

2004-12-16 Thread Adam Aube
Shafyx wrote:

> I have installed on my a debian machine that acts as a
> gateway to my lan.  The job of the gateway is to
> provide a caching server for my lan as well as a
> firewall.

> On the Gateway, i have squid 2.5.STABLE7 and it 
> authenticates all the users connecting to the
> internet. Thus, it is not a transparent proxy.  I am
> also using iptables to build the firewall.  Proxy
> listen on port 3128.

> When i browse without activating proxy on my browser,
> I can surf on the internet but when i activate the
> proxy, it gives:

> The requested URL could not be retrieved
> 
> While trying to retrieve the URL:
> http://www.yahoo.com/
> 
> The following error was encountered:
> 
> Unable to determine IP address from host name for
> www.yahoo.com
> 
> The dnsserver returned:
> 
> Timeout

Your firewall is misconfigured and isn't letting DNS queries out. You need
to allow UDP port 53 on your OUTPUT chain.

Adam



[squid-users] [Fwd: Re: Access Still DENIED]]

2004-12-16 Thread TopGun Technician
I have tried all of these suggestions, including starting with the basic 
squid.conf and adding my rules at the marked location in the file. 

I have also enabled logging with
debug_options ALL, 1, 33, 2
Squid is not generating ANY log files. So no help there.
One question.  I installed squid with the aufs file system, could this 
be part of the issue?

-------- Original Message --------
Subject:    Re: [squid-users] Access Still DENIED]
Date:       Wed, 15 Dec 2004 13:07:45 +0100 (CET)
From:       Henrik Nordstrom <[EMAIL PROTECTED]>
To:         Lucio Jankok <[EMAIL PROTECTED]>
CC:         TopGun Technician <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>


On Wed, 15 Dec 2004, Lucio Jankok wrote:

> Remove this
> http_access allow !Safe_ports
> And set this
> http_access allow Safe_ports

No, it should be

http_access deny !Safe_ports

as it is in the default squid.conf shipped with Squid.

Your suggestion above is very dangerous and makes Squid an open proxy, as 
this rule basically "allows anyone to go anywhere" without restrictions.

Regards
Henrik
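
Why the leading `!` and the rule order matter, as an added example that is not part of the thread and not Squid's code: Squid reads http_access lines top to bottom, every ACL named on a line must match, the first matching line decides, and if no line matches the result is the opposite of the last line. The Python model below implements only `src` and `port` ACLs; the ACL name `Int_net` comes from an earlier post on this page, and the client addresses and the three rule sets are constructed for illustration.

```python
"""Toy model of Squid http_access evaluation (src and port ACLs only)."""
import ipaddress

ACLS = """
acl all src 0.0.0.0/0
acl Int_net src 192.168.1.0/24
acl Safe_ports port 80     # http
acl Safe_ports port 443    # https
"""

# Rule order as in the default squid.conf: refuse unsafe ports first.
SHIPPED = ACLS + """
http_access deny !Safe_ports
http_access allow Int_net
http_access deny all
"""

# The replacement suggested in the thread.
SUGGESTED = ACLS + """
http_access allow Safe_ports
http_access allow Int_net
http_access deny all
"""

# The line the poster was told to remove.
INVERTED = ACLS + """
http_access allow !Safe_ports
http_access allow Int_net
http_access deny all
"""


def _port_range(text):
    low, _, high = text.partition("-")
    return int(low), int(high or low)


def parse_config(text):
    """Return (acls, rules) from the subset of squid.conf modelled here."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind == "src":
                parsed = [ipaddress.ip_network(v) for v in values]
            elif kind == "port":
                parsed = [_port_range(v) for v in values]
            else:
                raise ValueError(f"ACL type not modelled: {kind}")
            # Repeated acl lines with the same name add to the same list.
            acls.setdefault(name, (kind, []))[1].extend(parsed)
        elif words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
        else:
            raise ValueError(f"directive not modelled: {raw.strip()}")
    if not rules:
        raise ValueError("no http_access lines")
    return acls, rules


def _acl_matches(acls, name, client, port):
    kind, values = acls[name]
    if kind == "src":
        return any(client in net for net in values)
    return any(low <= port <= high for low, high in values)


def decide(config_text, client_ip, dst_port):
    """Return 'allow' or 'deny' for a request from client_ip to dst_port."""
    acls, rules = parse_config(config_text)
    client = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        # A term written !NAME matches when the ACL does not.
        if all(_acl_matches(acls, t.lstrip("!"), client, dst_port)
               != t.startswith("!") for t in terms):
            return action
    # No line matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    requests = [("192.168.1.23", 80), ("192.168.1.23", 25),
                ("203.0.113.7", 80), ("203.0.113.7", 25)]
    for label, cfg in (("shipped", SHIPPED), ("suggested", SUGGESTED),
                       ("inverted", INVERTED)):
        for ip, port in requests:
            print(f"{label:9} {ip:13} port {port:<3} -> {decide(cfg, ip, port)}")
```

With the suggested rule an address outside the LAN is allowed to port 80, which is the open proxy described above; LAN clients also lose the port restriction because the port test no longer denies anything.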



Re: [squid-users] Digest Authentication

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Glenn Baptista wrote:

> Can you provide some more direct help please?

Create the password file using htdigest
start the helper with -c option.

Works for me last time I tested, but it has admittedly been a while since 
I tried this.

Another option is to edit the encrypted password file and add the tag 
{HHA1} in front of the encrypted password. This makes Squid-3 
digest_pw_auth recognise the encrypted password even if -c is not 
specified and may be useful if you need to mix both encrypted and 
plaintext passwords in the same file for some strange reason.

Regards
Henrik


Re: [squid-users] Digest Authentication

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Glenn Baptista wrote:

> Did try to look around to see how to proceed, but did not reach the desired 
> outcome.  Saw the code for the text_backend.c file and realised that you need 
> to insert an additional parameter '-c' in the squid.conf file for the 
> 'digest_auth program' parameter.

You can verify the operation of the helper by starting it interactively 
from a shell and then type the username. If everything works you should be 
given back the encrypted password string.

Regards
Henrik
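
What an htdigest file holds, as an added Python example for the two digest replies above (not code from the thread or from Squid): each line is `user:realm:MD5(user:realm:password)`, and that hash, called HA1 in RFC 2617, is all a server needs to check a client's digest response. The realm `Test` and user `userName` come from the thread; the password, nonce values and URL are constructed.

```python
"""htdigest entries and the RFC 2617 digest check done with them."""
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """The value htdigest writes as the third field of each line."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, computed from HA1 alone."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def load_htdigest(text):
    """Map (user, realm) to the stored hash; reject malformed lines."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {number}: expected user:realm:md5hex")
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries


def diagnose(entries, user, proxy_realm, password):
    """Say why a login would fail: the realm is part of the hash, so a file
    made for one realm does not work with another (comparison is exact)."""
    realms = [realm for (name, realm) in entries if name == user]
    if not realms:
        return "no-user"
    if proxy_realm not in realms:
        return "realm-mismatch"
    if entries[(user, proxy_realm)] != ha1(user, proxy_realm, password):
        return "bad-password"
    return "ok"


def server_accepts(entries, user, proxy_realm, client_response,
                   method, uri, nonce, nc, cnonce):
    """Server side: recompute the response from the stored hash and compare."""
    stored = entries.get((user, proxy_realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


# Constructed file content, as `htdigest <file> Test userName` would write it
# for the constructed password below.
SAMPLE_PASSWORD = "example-only"
SAMPLE_FILE = "userName:Test:" + ha1("userName", "Test", SAMPLE_PASSWORD) + "\n"

if __name__ == "__main__":
    entries = load_htdigest(SAMPLE_FILE)
    print(diagnose(entries, "userName", "Test", SAMPLE_PASSWORD))
    print(diagnose(entries, "userName", "test", SAMPLE_PASSWORD))
    # Client side: only the password holder can produce this response.
    args = ("GET", "http://www.example.com/", "constructed-nonce",
            "00000001", "constructed-cnonce")
    response = digest_response(ha1("userName", "Test", SAMPLE_PASSWORD), *args)
    print(server_accepts(entries, "userName", "Test", response, *args))
```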


[squid-users] Re: [Fwd: Re: Access Still DENIED]]

2004-12-16 Thread Adam Aube
TopGun Technician wrote:

> I have tried all of these suggestions, including starting with the basic
> squid.conf and adding my rules at the marked location in the file.

> I have also enabled logging with
> debug_options ALL, 1, 33, 2

This is wrong - remove the comma after the 1.

> Squid is not generating ANY log files. So no help there.

Both cache.log and access.log are completely empty? This indicates a
separate problem.

> One question.  I installed squid with the aufs file system, could this
> be part of the issue?

No, that shouldn't be a problem - aufs works fine.

Adam



RE: [squid-users] follow_xff rpm?

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Harding, Devon wrote:

> Would I also need to add the "--enable-follow-x-forwarded-for" option
> under %configure?

Probably, if the patch requires this.

Regards
Henrik


[squid-users] Redirectors and reverse proxy

2004-12-16 Thread R. Benjamin Kessler
All -

I'm trying to configure a redirector to change certain URL's from http:// to 
https:// and send a redirect back to the client - very similar to FAQ note 
#15.5.

I've copy/pasted the perl script in the FAQ and modified it as appropriate 
but it doesn't seem to do anything.

What am I missing?

Thanks,

Ben

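#!/usr/bin/perl
# Squid redirector: reads one request per line on stdin and writes the
# (possibly rewritten) URL on stdout.
$|=1;                           # unbuffered output
while (<>) {
    @X = split;
    $url = $X[0];               # first field of the request line is the URL
    if ($url =~ /^http:\/\/www\.domainname\.com\/apply/) {
        $url =~ s/^http/https/;
        print "302:$url\n";     # 302: prefix asks for a redirect to the client
    } else {
        print "$url\n";         # everything else passes through unchanged
    }
}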





Re: [squid-users] Redirectors and reverse proxy

2004-12-16 Thread R. Benjamin Kessler
Oh, and I added this to my conf file:

redirect_program /etc/squid/redirect.www.pl

The perl script included below is /etc/squid/redirect.www.pl with 755 
permissions

On Thu, 16 Dec 2004 14:58:16 -0400, R. Benjamin Kessler wrote
> All -
> 
> I'm trying to configure a redirector to change certain URL's from 
> http:// to https:// and send a redirect back to the client - very 
> similar to FAQ note 
> #15.5.
> 
> I've copy/pasted the perl script in the FAQ and modified it as 
> appropriate but it doesn't seem to do anything.
> 
> What am I missing?
> 
> Thanks,
> 
> Ben
> 
> #!/usr/bin/perl
> $|=1;
> while (<>) {
>     @X = split;
>     $url = $X[0];
>     if ($url =~ /^http:\/\/www\.domainname\.com\/apply/) {
>         $url =~ s/^http/https/;
>         print "302:$url\n";
>     } else {
>         print "$url\n";
>     }
> }






[squid-users] Upstream proxy errors

2004-12-16 Thread Martyn Bright
I have a local squid proxy that passes all requests to an upstream proxy
at our ISP.  Normal web pages are fine, but a thick client application
that is proxy aware fails to work if I point it at our local proxy.  If
I point it directly at the ISP's proxy, it works perfectly.  

I have been doing some packet sniffing. I think I have found the problem
- or at least the symptoms of a problem.

Packets sent from the client to the server via both proxies include
this:-

POST http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 1.1.4322.573)
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 1966
Expect: 100-continue
Host: de4.autotrader.co.uk
Via: 1.1 jfc:3128 (squid/2.5.STABLE6)
X-Forwarded-For: 192.168.0.10
Cache-Control: max-age=259200


A packet arriving from the upstream proxy contains this:-

HTTP/1.0 100 Continue
Date: Thu, 16 Dec 2004 18:58:28 GMT
Via: 1.1 cache0 (NetCache NetApp/5.3.1R2)

To which the squid server adds:-

X-Cache: MISS from jfc
Proxy-Connection: close

As it passes it back to the client.

More data then arrives from the upstream proxy, but of course by now,
the client has thrown its toys out of the cot.

Now this is mostly gobbledygook to me, but I am sure the answer is in
there somewhere.

regards
 
Martyn Bright




[squid-users] Squid Growth

2004-12-16 Thread squid
Hello,

We have recently been running very low on system growth through our squid
cache servers in an ISP transparent cache service. I have no problems
running it etc and its been great for a long time.

I have some questions about an upgrade path. We are currently looking to
increase many of our servers performance. This has been done to try and
grow with our customers growth to adsl etc etc.

Currently I'm running 8 * Dual Pentium 3 1ghz servers with 4gb RAM and 4 *
18gb SCSI drives for the store in each system (only about 10-12gb used max
per disk).

What we are looking at doing is upgrading we are tossing up the options I
have been reading a lot about what we should be looking towards. I have
some questions though that I would like to answer. I have been told that
the Opteron systems are great for this type of application. Primarily
because of the great memory controller on chip/large amount of RAM that
the system can handle. I am looking to upgrade the service to a single
Opteron 244 at this stage with the same sort of disk arrangement however
I'm looking at 4 * 36GB (because the 18s are getting harder and harder to
get if they fail). however I'm looking to use the 15,000RPM drives.

Would that make a big difference to the over all performance? Does/Can
squid use any of the benefits of going to an opteron. Should I just look
at other platforms.

Any additional Advice would be great.

Regards,

Jack

http://forum.lucidnow.com



[squid-users] Re: Access Still DENIED]]]

2004-12-16 Thread TopGun Technician
Removed the comma, still not generating any logfiles.

-------- Original Message --------
Subject:    [squid-users] Re: [Fwd: Re: Access Still DENIED]]
Date:       Thu, 16 Dec 2004 11:59:31 -0500
From:       Adam Aube <[EMAIL PROTECTED]>
To:         [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>

TopGun Technician wrote:

> I have tried all of these suggestions, including starting with the basic
> squid.conf and adding my rules at the marked location in the file.
>
> I have also enabled logging with
> debug_options ALL, 1, 33, 2

This is wrong - remove the comma after the 1.

> Squid is not generating ANY log files. So no help there.

Both cache.log and access.log are completely empty? This indicates a
separate problem.

> One question.  I installed squid with the aufs file system, could this
> be part of the issue?

No, that shouldn't be a problem - aufs works fine.

Adam



RE: [squid-users] follow_xff rpm?

2004-12-16 Thread Harding, Devon
There's got to be a way for this to work.  Does anyone have an rpm with
follow_xff built-in?

-Devon

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 16, 2004 12:00 PM
To: Harding, Devon
Cc: Henrik Nordstrom; Chris Robertson; [EMAIL PROTECTED]
Subject: RE: [squid-users] follow_xff rpm?



On Thu, 16 Dec 2004, Harding, Devon wrote:

> Would I also need to add the "--enable-follow-x-forwarded-for" option
> under %configure?

Probably, if the patch requires this.

Regards
Henrik


Re: [squid-users] Fail Over

2004-12-16 Thread Andrew Sawyers
John wrote:

> Hi
> I have two squid servers running on separate machines. My query is, can 
> squid provide automatic failover if one server dies? Is there some 
> directive which enables each squid server to health check or test the 
> availability of the other squid server?
>
> Regards
> John

I use heartbeat for this:  http://www.linux-ha.org/

Andrew
--
Zope Managed Hosting
Systems Administrator/Software Engineer
Zope Corporation
(540) 361-1700


Re: [squid-users] Large acl regex causes Squid to use all memory on startup

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Daniel T. Gynn wrote:
> I have an acl file that has about 500,000 lines in it.  I'm declaring it
> as a dstdom_regex type of acl.

Why regex? I have a very hard time believing you have made 500K regex
expressions for matching patterns in domain names.. (not explicit domain
names).

Quite likely you should be using a dstdomain type acl for the absolute
majority of these.

Regards
Henrik
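
Henrik's suggestion above can be applied mechanically to a large list. The following is an added example, not code from the thread or from Squid: it splits the entries of a dstdom_regex file into names that can move to a dstdomain ACL and patterns that really need regex matching. The sample entries are constructed, and the two escaped forms it converts are an assumption about how such lists are usually written.

```python
import re

LABEL = r"[A-Za-z0-9_-]+"
# Plain host or domain name, optionally with dstdomain's leading dot.
PLAIN = re.compile(rf"^\.?{LABEL}(?:\.{LABEL})+$")
# ^www\.example\.org$  : fully anchored literal, i.e. one exact name.
EXACT = re.compile(rf"^\^({LABEL}(?:\\\.{LABEL})+)\$$")
# \.example\.info$     : literal suffix, i.e. "anything under this domain".
SUFFIX = re.compile(rf"^((?:\\\.{LABEL})+)\$$")


def split_acl(lines):
    """Return (dstdomain_entries, regex_entries) for a dstdom_regex list."""
    domains, regexes, seen = [], [], set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blanks and comments
        if PLAIN.match(entry):
            # As a regex this matched as a substring; as dstdomain it is
            # an exact name (or a whole domain if it starts with a dot).
            name = entry
        elif EXACT.match(entry):
            name = EXACT.match(entry).group(1).replace("\\.", ".")
        elif SUFFIX.match(entry):
            # Note: dstdomain ".example.info" also matches the bare domain.
            name = SUFFIX.match(entry).group(1).replace("\\.", ".")
        else:
            regexes.append(entry)  # a real pattern, keep it as regex
            continue
        name = name.lower()  # DNS names are case-insensitive
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains, regexes


# Constructed sample entries, not taken from the thread.
SAMPLE = [
    "ads.example.com",
    ".tracker.example.net",
    r"^www\.example\.org$",
    r"\.example\.info$",
    r"(^|\.)ads[0-9]+\.example\.com$",
    "ADS.example.com",
    "# comment line",
]

if __name__ == "__main__":
    doms, regs = split_acl(SAMPLE)
    print("dstdomain candidates:", doms)
    print("still regex:", regs)
```

Because the match semantics change for the converted entries, review the dstdomain candidates before loading them.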


Re: [squid-users] problems with squid 2.5.Stable7 in accelerator mode with https

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Glatzel Tino wrote:
> i want to use my squid in accelerator mode to secure the access to our
> Exchange Server (Outlook Webaccess).

You can't in a reasonable manner with Squid-2.5, at least not without
patching it to support the OWA specific Front-End-Https header telling OWA
there is an https gateway in front of it accepting requests as https and
forwarding them as http to OWA.

Regards
Henrik


Re: [squid-users] Java applet loading and caching problems with Squid

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Tilmann Haug wrote:
> We recorded the network traffic and had strange findings: The applet tries to
> connect to port 65535 instead of port 80.

Ouch.

What do the proxy access logs say?

> Now the question is:
> How can squid influence the behavior of the two applets?

It can't, but depending on how the applet has been written it may get
confused if the browser is configured to use a proxy.

> What do the developers have to change in the applet to avoid caching
> problems with squid?

Only use the basic http primitives which rely on the browser http
implementation, not some Java http implementation on top of the Java TCP
direct network connections.

> What are the important config directions to make sure the applets are not
> cached (for both squid and the application)?

Applets are just http objects like any other. If your server has applets
which change so frequently that caching is not advisable then you
should include the proper cache headers on your server. See "Caching
Tutorial for Web Authors and Webmasters" and/or "The Cacheability Engine".

> What relation between the request of port 65535 can there be in relation  to
> squid?

Port 65535 is the same as port -1. -1 is sometimes used in applications
to represent "failed to understand the value".

As far as I know Squid never uses -1 as the port number if it fails to
understand the requested port number but instead completely rejects such
malformed requests. I don't see any relation to Squid as such.

Regards
Henrik


Re: [squid-users] User Authentication

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Mohammad Shoaib Irtaza wrote:
> I would like to know if there is a way to transmit authentication
> information to squid from a web page [login page] instead of
> calling the traditional pop-up window?

Not easily in an Internet proxy. The closest you can get is to build a
session concept based on the source IP address of the user.

Regards
Henrik


Re: [squid-users] Upstream Proxy problem

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Martyn Bright wrote:
> I point it directly at the ISP's proxy, it works perfectly.  How do I
> diagnose what is not getting through?

Start by investigating what you see in access.log.

Regards
Henrik


RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Martyn Bright wrote:
> 1103202409.999169 192.168.0.10 TCP_MISS/100 154 POST
> http://de4.autotrader.co.uk/DealerEditv4/services/DealerEdit -
> FIRST_UP_PARENT/proxy.easynet.net -

Someone upstream of this Squid is seriously malfunctioning and sending a
HTTP/1.1 100 Continue message to Squid. This is forbidden by the HTTP
specifications as Squid is HTTP/1.0.

Regards
Henrik


RE: [squid-users] follow_xff rpm?

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004, Harding, Devon wrote:
> Patch #111 (follow_xff-2.5.patch):
> + patch -p1 -s
> missing header for unified diff at line 4 of patch
> The text leading up to this was:
> --
> |Index: acconfig.h

Looks like this patch requires -p0, not -p1.

  man patch

if you want to know what this does.

Regards
Henrik


Re: [squid-users] How do I use client certificates to authenticate to the Squid server?

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Strickland, Lawrence P wrote:
> How do I use client certificates to authenticate to the Squid server?

You need the SSL update to Squid-2.5, and to configure the client ca
options in your https_port. Then use the ca related ACLs to match
certificate information.

Regards
Henrik


Re: [squid-users] Extremly high duration value in access.log

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Stefan Bohm wrote:
> I'm experiencing some strange timeout problems that cause pictures not to
> be loaded from
> our backend machines. We are running squid 2.5STABLE7 as a reverse proxy.

You probably want "half_closed_clients off" if you do not have this
already.

> 1103204870.586 300081 10.1.10.1 TCP_MISS/200 2929 GET
> http://www.rp-online.de/image1.jpg - NONE/- image/jpeg

Looks like the TCP connection Squid<->backend server had a hiccup, and
never completed correctly.

Regards
Henrik
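
The access.log readings in the messages above (a 407 denial, a 100 status relayed from a parent, a 300081 ms elapsed time) can be picked out of a log automatically. This is an added example, not code from the thread: a small triage pass over Squid's native log format, run on constructed sample lines with placeholder hosts. The tag names and the 300-second threshold are assumptions.

```python
import re

# Squid native access.log fields:
# time.ms elapsed_ms client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines; hosts and addresses are placeholders.
# The last line has its timestamp and elapsed time run together on purpose.
SAMPLE = """\
1103182301.857      1 192.0.2.23 TCP_DENIED/407 1761 GET http://www.example.com/ - NONE/- text/html
1103202409.999    169 192.0.2.10 TCP_MISS/100 154 POST http://app.example.com/svc/Edit - FIRST_UP_PARENT/parent.example.net -
1103204870.586 300081 192.0.2.1 TCP_MISS/200 2929 GET http://www.example.com/image1.jpg - NONE/- image/jpeg
1103204871.002     12 192.0.2.1 TCP_HIT/200 2929 GET http://www.example.com/image2.jpg - NONE/- image/jpeg
1103202409.999169 192.0.2.10 TCP_MISS/100 154 POST http://app.example.com/x - FIRST_UP_PARENT/parent.example.net -
"""


def parse(line):
    """Parse one native-format line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    return rec


def triage(text, slow_ms=300_000):
    """Return (line_number, tag) pairs for entries worth a closer look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            findings.append((n, "UNPARSED"))  # damaged or non-native line
            continue
        if rec["code"] == "TCP_DENIED" and rec["status"] == 407:
            findings.append((n, "AUTH_REQUIRED"))  # proxy wants credentials
        if rec["status"] == 100:
            findings.append((n, "UPSTREAM_SENT_100"))  # interim reply relayed
        if rec["elapsed"] >= slow_ms:
            findings.append((n, "SLOW"))  # transfer hung until a timeout
    return findings


if __name__ == "__main__":
    for lineno, tag in triage(SAMPLE):
        print(lineno, tag)
```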


Re: [squid-users] Squid Growth

2004-12-16 Thread Henrik Nordstrom
On Thu, 16 Dec 2004 [EMAIL PROTECTED] wrote:
> What we are looking at doing is upgrading we are tossing up the options I
> have been reading a lot about what we should be looking towards. I have
> some questions though that I would like to answer. I have been told that
> the Opteron systems are great for this type of application.

P4 or maybe Athlon systems are more cost optimal for a Squid.
You do not want 64 bit for Squid, and with 32 bit you are somewhat limited
in the amount of memory you can have per process.

Regards
Henrik


[squid-users] Re: Access Still DENIED

2004-12-16 Thread TopGun Technician
Everyone here has been great.  But, I still have a squid server that 
isn't working. Still no log files so I can't give further information. 
But I still get access denied when trying to use Squid cache proxy.

Kurt
 Original Message 
Subject:[squid-users] Re: Access Still DENIED]]]
Date:   Thu, 16 Dec 2004 13:46:47 -0600
From:   TopGun Technician <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Removed the comma, still not generating any logfiles.

 Original Message 
Subject:[squid-users] Re: [Fwd: Re: Access Still DENIED]]
Date:   Thu, 16 Dec 2004 11:59:31 -0500
From:   Adam Aube <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>

TopGun Technician wrote:
> I have tried all of these suggestions, including starting with the basic
> squid.conf and adding my rules at the marked location in the file.
>
> I have also enabled logging with
> debug_options ALL, 1, 33, 2

This is wrong - remove the comma after the 1.

> Squid is not generating ANY log files. So no help there.

Both cache.log and access.log are completely empty? This indicates a
separate problem.

> One question.  I installed squid with the aufs file system, could this
> be part of the issue?

No, that shouldn't be a problem - aufs works fine.

Adam



Re: [squid-users] Digest Authentication

2004-12-16 Thread Glenn Baptista
Dear Henrik,
Thanks for your help and suggestions.  Will try the same and revert back.
Regards
Glenn Baptista
Henrik Nordstrom wrote:
> On Thu, 16 Dec 2004, Glenn Baptista wrote:
>> Did try to look around to see how to proceed, but did not reach the
>> desired outcome.  Saw the code for the text_backend.c file and
>> realised that you need to insert an additional parameter '-c' in the
>> squid.conf file for the 'digest_auth program ' parameter.
>
> You can verify the operation of the helper by starting it
> interactively from a shell and then type the username. If everything
> works you should be given back the encrypted password string.
>
> Regards
> Henrik



Re: [squid-users] Re: bypass domain through squid

2004-12-16 Thread Eswari

Hi Henrik,
>
>
> On Thu, 16 Dec 2004, Eswari wrote:
>
> > I am running transparent proxy and facing a strange problem that could not
> > browse hotmail.com through squid. How can I bypass this domain from squid.
Henrik wrote :
>
> You can't from Squid. It needs to be done where you intercept the
> connections and redirect them to Squid.

Temporarily I have intercept the range of hotmail ip through router. still
few clients could not browse hotmail from their end .
Is there any alternate or best way to solve this problem ?

Thanx for your swift reply and hope to get your help asap.

Kind regards,
eswari



[squid-users] transparent proxy howto?

2004-12-16 Thread Nick Smith
can someone point me to a good howto for setting up a transparent proxy 
with client authentication?  i want to make an anonymous proxy so my 
clients can surf anonymously, is a transparent proxy what i want?

thanks
nick


Re: [squid-users] Re: Access Still DENIED

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, TopGun Technician wrote:
> Everyone here has been great.  But, I still have a squid server that isn't
> working. Still no log files so I can't give further information. But I still
> get access denied when trying to use Squid cache proxy.

Stop your Squid and start it interactively. This will give you the
equivalent of cache.log on the screen.

  killall squid
  /path/to/sbin/squid -DNYd3

Look in the screen output for any signs of problems opening cache.log or
access.log. If there are problems, fix them first.

Then configure your browser to use the port opened by Squid. You must now
see your requests in the access.log.

Regards
Henrik


Re: [squid-users] transparent proxy howto?

2004-12-16 Thread Henrik Nordstrom

On Fri, 17 Dec 2004, Nick Smith wrote:
> can someone point me to a good howto for setting up a transparent proxy with
> client authentication?

You can't combine transparent interception and authentication. HTTP does
not allow this for very good reasons.

> i want to make an anonymous proxy so my clients can surf anonymously, is
> a transparent proxy what i want?

A proxy is what you want. It does not need to be transparent.

Regards
Henrik


Re: [squid-users] Re: bypass domain through squid

2004-12-16 Thread Henrik Nordstrom
On Fri, 17 Dec 2004, Eswari wrote:
> Temporarily I have intercept the range of hotmail ip through router. still
> few clients could not browse hotmail from their end .

Too bad.

> Is there any alternate or best way to solve this problem ?

Having the clients configured to use the proxy is the best way.

You can also try to make sure to NAT all outgoing traffic to the same IP
address, making sure that intercepted requests and direct traffic seem to
come from the same IP in your network.

Regards
Henrik



[squid-users] Redirect without script in squid 3 pre-3?

2004-12-16 Thread francois visser
All,
I think I read somewhere that it's possible to redirect a client's browser 
without using a redirector script in squid 3 pre-3.  I simply need to 
redirect http://a.b.c to https://a.b.c, or, more specifically, redirect 
connections to port 80 for site a.b.c to port 443 with the same site name.

I use squid in accelerator mode with multiple IP's, one per site.  I 
currently run apache on port 80 to do the redirection (mainly because I had 
limited time to get the proxy in place and couldn't get the perl redirector 
script to work in time).  I'd like to simplify the proxy configuration as 
much as possible, so if squid 3 can do this, it'd be great.

I think the answer might lie in the "http_port" directive, and I played 
around with vhost and vport=443 etc. but couldn't get it to work.  Any help 
would be greatly appreciated.

Regards,
Francois Visser.



Re: [squid-users] transparent proxy howto?

2004-12-16 Thread Nick Smith

>
>
> On Fri, 17 Dec 2004, Nick Smith wrote:
>
>> can someone point me to a good howto for setting up a
>> transparent proxy with
>> client authentication?
>
> You can't combine transparent interception and authentication.
> HTTP does
> not allow this for very good reasons.

well i dont want just anyone connecting to my proxy, so what do
i need to be able to authenticate and keep it anonymous?

>
>> i want to make an anonymous proxy so my clients can surf
>> anonymously, is
>> a transparent proxy what i want?
>
> A proxy is what you want. It does not need to be transparent.
>

what do i need then? and do i have to set it up any differently
to be anonymous? any howtos you can point out?

thanks for the quick response

nick
> Regards
> Henrik
>




RE: [squid-users] Upstream Proxy problem

2004-12-16 Thread Martyn Bright
> > I have a local squid proxy that passes all requests to an
> > upstream proxy
> > at our ISP.  Normal web pages are fine, but a thick client application
> > that is proxy aware fails to work if I point it at our local
> > proxy.  If
> > I point it directly at the ISP's proxy, it works perfectly.  How do I
> > diagnose what is not getting through?  I've tried various levels of
> > debugging, but can make little sense of it.
> 
>   There's more info needed to go into this.
> 
>   Local Squid version ?
>   Os/platform version ?
Squid 2.5 Stable 6 on Fedora 2

> 
>   What is 'fails to work' ?
>   What happens more exact ?
The application (to which I have no debug control) reports a failed
internet connection whilst trying to retrieve data from an http server.
> 
>   How are all requests passed to the upstream proxy ?
>   (config setting).
The line from the config file is:-
cache_peer proxy.easynet.net parent 3128 0

> 
>   Determine (show)  access log entries in Squid for objects which
>   can't be loaded (e.g).
>   These should be compared with log entries, from the Upstream Proxy,
>   when the upstream proxy is being used directly.
I have no access to the logs from the upstream proxy, so can't tell what
goes to it. As far as I can tell, my proxy is not reporting any
failures.

The only other thing I could do is provide a tcpdump of the traffic to
each of the proxies.  Is there a log setting in squid that will show
failed connections?



[squid-users] Fail Over

2004-12-16 Thread John
Hi
I have two squid servers running on separate machines. My query is, can 
squid provide automatic failover if one server dies? Is there some directive 
which enables each squid server to health check or test the availability of 
the other squid server?

Regards
John 


[squid-users] How do I use client certificates to authenticate to the Squid server?

2004-12-16 Thread Strickland, Lawrence P
How do I use client certificates to authenticate to the Squid server?


[squid-users] Re: bypass domain through squid

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Eswari wrote:
> I am running transparent proxy and facing a strange problem that could not
> browse hotmail.com through squid. How can I bypass this domain  from squid .

You can't from Squid. It needs to be done where you intercept the
connections and redirect them to Squid.

Regards
Henrik


Re: [squid-users] async-io and threads

2004-12-16 Thread Henrik Nordstrom

On Thu, 16 Dec 2004, Lucas Brasilino wrote:
> Hi Henrik:
>> Are you asking your ps command to include threads information?
> 	Yep :) Did I misunderstand the docs? :)

Most people asking this question forget the option to ps for including
threads information and get confused...

On Linux this is the -m option. On other OS:es other ps options may be
needed.

The other thing to note about the threads is that they only get started on
the first I/O request, so if your Squid has not seen any cacheable
requests yet since startup there won't be any aufs threads.

I assume you have configured your cache_dir accordingly in squid.conf?
Regards
Henrik