[squid-users] Squid, sarg and incorrect shutdown

2005-01-10 Thread Davide Marzaloni
Hi everyone.
I'm experiencing a recently-discovered problem with my setup:

- Slackware 1.0
- kernel 2.4.26
- squid-2.5.STABLE6-20040907
- ncsa_auth authentication squid module
- sarg-1.4.1

Every night at 2:00AM the following script is started by cron:

[START SCRIPT1]
/usr/local/squid/sbin/squid -k shutdown
/usr/bin/sarg
/usr/local/sbin/archivia_log_squid
/usr/local/squid/sbin/squid
[END SCRIPT1]

The '/usr/local/sbin/archivia_log_squid' script simply archives the squid
logs:

[START SCRIPT2]
cd /var/squid
tar cvzf /var/squid/logs.tgz /var/squid/logs
ACTDATETIME=`date +%y%m%d-%H%M`
export ACTDATETIME
mv /var/squid/logs.tgz /var/squid/squid-logs_$ACTDATETIME.tgz
rm /var/squid/logs/*
[END SCRIPT2]

Recently I noticed that during working-time, when a 'squid -k reconfigure'
command is performed, the reply is 'no running copy', even if the
squid processes work fine (if not, my users will kill me: how can they try
to download GBs of MP3 :-) )!!!
No 'squid -k shutdown' or 'squid -k reconfigure' command can be performed
without receiving the 'no running copy' message.
I thought the shutdown command doesn't complete before the 'sarg' command is
performed, so I modified SCRIPT 1:

[START SCRIPT1 MODIFIED]
/usr/local/squid/sbin/squid -k shutdown
sleep 120
killall squid
sleep 120
/usr/bin/sarg
/usr/local/sbin/archivia_log_squid
/usr/local/squid/sbin/squid
[END SCRIPT1 MODIFIED]

The 'killall squid' command took some time to complete, but it seems to be
correctly completed within the sleep-time.

Furthermore I noticed the squid-logs_xxx-tgz file is very small, as if no
logs were correctly saved by the squid process, for 6 days (the same period
in which I experienced the 'no running copy' message).

Tonight this script has worked perfectly (I will check the next nights), but I'm
worried about this 'pre-problem signal': has anyone experienced the
same problem (incorrect shutdown) and found a solution?

Bye

Davide



[squid-users] what is dot

2005-01-10 Thread BusyBoy
hello
 I have some destination domains which I have allowed to localusers
 like this

nasir.com
nasir123.com
nasir123.net
nasirgr8.com
nasirgr8.net

and I have 172.16.0.0/24 pool to allow that only these domains should be opened.

I have put following in my squid.conf


acl nasir  src 172.16.0.0/255.255.0.0
acl nasir_locals dstdomain url_regex -i  "/usr/local/squid/nasirlocals"

http_access deny nasir   !nasir_locals
http_access allow  nasir

File: /usr/local/squid/nasirlocals


.nasir.com
.nasir123.com
.nasir123.net
.nasirgr8.com
.nasirgr8.net

--


Now everything works fine, except that when the user writes
"nasir.com" in the Explorer, the browser never goes anywhere and
stops, but when they write "www.nasir.com" they are given the desired
page.

I tried to put this in my FILE :/usr/local/squid/nasirlocals


nasir.com
nasir123.com
nasir123.net
nasirgr8.com
nasirgr8.net

and after this I was not able to open any subdomain for any of the
above TLD's, neither www.nasir.com nor yahoo.nasir.com

What I want is for the users to be able to browse any subdomain
of the listed domain TLD's in my file, either with a subdomain or not.

Also I can't put ".nasir.com" and "nasir.com" in the nasirlocals file,
as I get errors of the parent domain when I do "squid -k
reconfigure"

Any idea?










-- 
Nasir Mahmood
Systems  Administrator.


Re: [squid-users] Yet another question re ERR_ZERO_SIZE_OBJECT

2005-01-10 Thread Ken C Sugawara
Henrik,

Here are the answers to your questions regarding our customer's problem with 
ERR_ZERO_SIZE_OBJECT:

Q1. HTTPS or HTTP?
A1. HTTP only.

Q2. What
A2. Excerpt from access.log follows:

10.160.231.ZZZ - - [02/Jan/2005:10:50:48 +0900] "GET http://www.xx-websystem.xx-intra.net/zz/app/z00/script/z00pnl00.js HTTP/1.1" 304 189 TCP_REFRESH_HIT:DIRECT [Accept: */*\r\nReferer: http://www.xx-websystem.xx-intra.net/zz/transactions/menu_fork\r\nAccept-Language: ja\r\nAccept-Encoding: gzip, deflate\r\nIf-Modified-Since: Mon, 29 Nov 2004 10:25:41 GMT; length=24386\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nHost: www.xx-websystem.xx-intra.net\r\nProxy-Connection: Keep-Alive\r\nCookie: SIDE-B=xx; LtpaToken=...; SalsaAuth=...

10.160.231.YYY - - [02/Jan/2005:10:50:48 +0900] "POST http://www.xx-websystem.xx-intra.net/ny3jimu/transactions/y31seiyaku._N076510_y31D17t1 HTTP/1.1" 503 1380 TCP_MISS:DIRECT [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\nReferer: http://www.xx-websystem.xx-intra.net/nbjikai/transactions/b0njikai._1000551_b05507\r\nAccept-Language: ja\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nHost: www.xx-websystem.xx-intra.net\r\nContent-Length: 639\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nCookie: SalsaAuthMessage=...; SIDE-B=xx; LtpaToken=...

10.160.231.XXX - - [02/Jan/2005:10:50:48 +0900] "POST http://www.xx-websystem.xx-intra.net//transactions/r2cshindan._L373000_r2c001 HTTP/1.1" 200 3987 TCP_MISS:DIRECT [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\nReferer: http://www.xx-websystem.xx-intra.net//transactions/r2cshindan._L373000_r2c000\r\nAccept-Language: ja\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nHost: www.xx-websystem.xx-intra.net\r\nContent-Length: 143\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nCookie: SIDE-A=xx; LtpaToken=...

Here, the second entry records a 503 error.

Regards.
Ken Sugawara <[EMAIL PROTECTED]>
Linux @ IBM  http://www.ibm.com/linux/



Re: [squid-users] Error-page

2005-01-10 Thread Daniel Navarro
Interesting, that explains a lot of things.
And makes more people change to FireFox at
www.mozilla.org

Cheers, Daniel Navarro
Maracay, Venezuela.
www.csaragua.com/ecodiver

 --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Jan 2005, Mustafa ERGUC wrote:
>
> > but when somebody tries https like
> > client https://www.tspakb.org.tr:8445
> > server prints only some lines of the ERR_ACCESS_DENIED page
> > I could not find the reason if sb knows mail me
>
> This is a bug in MSIE, where it fails to properly show the proxy error
> message in response to rejected CONNECT requests.
>
> Regards
> Henrik



[squid-users] Re: Autentication x AD intermittent

2005-01-10 Thread Adam Aube
Please don't post the same message to the list multiple times.

rodd wrote:

>   I am having some problems using my Squid authenticating
> against my Active Directory Server.
>  I have this environment working for about 6 months, and it was
> fine, but since last month its behavior became very strange. The point
> is when the clients request a page, some time it works fine, but some
> times they get an error like: "The page cannot be displayed".

Have you upgraded any software or installed any patches on the Squid server
or the domain controller? Has your usage level increased significantly?

>  I have checked many things, starting with the DNS structure,
> and I didn't find any problem. I've checked the response time between
> my workstation machine and the Squid Server, and between the Squid
> Server and the AD server, and everything is fine, actually they are
> all in the same LAN.

How are you checking this?

>  I tried many different configurations of samba and squid to
> solve that, but it still happens. I changed my smb.conf and the
> squid.conf and now it is like that:

[squid.conf and smb.conf snipped]

I see you are using NTLM authentication. Due to the nature of NTLM, problems
often occur for one of two reasons:

1) Insufficient NTLM helpers (most common)
2) Too much load on the DC

Increase the number of helpers and see what happens. If the problem recurs,
but takes longer than before to start happening, keep increasing the number
of helpers until the problem goes away.

Also, Cache Manager has a page of interesting info on the NTLM helpers.
This may also help point you in the direction of the problem.

>   The software versions are:
> 
> Squid: Version 2.5.STABLE7
> Winbindd: Version 3.0.7
> krb5 - 1.2.7-24
> and Red Hat Enterprise Server

> Other important information is when I stop the
> authentication, the problem stops. Other important information is that
> the problem just happens during the business day, we have around 3000
> users accessing the internet. Btw, the cpu and memory of the server
> are ok. I also tried disabling the cache, but without success.

How many concurrent requests to the proxy? For NTLM, the recommendation is
one helper for each concurrent request.

> Other very interesting thing is that I have a backup proxy
> server, and in that server the problem doesn't happen, so, I
> switched the clients to the backup server

> the clients are accessing the backup server since two weeks ago without
> any problem, but today the problem also started in the backup server.

Which makes it seem like a load issue, though if all the clients were
switched to the backup at once, it's odd that it would take two weeks for
the problem to occur there as well. Was the load lighter than normal for
the first part of the two weeks?

Adam



Re: [squid-users] trying to track down a bug

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Robert Borkowski wrote:

> A wget in a loop retrieving the main page of our site will occasionally take 
> just under 15 minutes to complete the retrieval. Normally it takes 0.02 
> seconds.

A related note: The default timeout waiting for data from the server is 15 
minutes. (read_timeout).

> When I look at the access.log for that retrieval and work back to the time 
> the request was placed I often find that some client out on the internet had 
> issued a request with a no-cache header resulting in TCP_CLIENT_REFRESH_MISS 
> for the main page.

Which will cause all clients to join this request to your server. If this 
request takes a long time to complete then all clients will experience 
this delay.

> The Age + the time to retrieve the object = the read_timeout in squid.conf. I 
> changed it to 9 minutes on one server and started seeing wget fail with 8+ 
> instead of 14+ minutes.

Ok, so your server is not finishing the page properly to Squid.

> The object is transferred quickly, but the connection stays open until some 
> timer in squid elapses (read_timeout) and only then squid closes the 
> connection.

Most likely there are some bytes at the end missing.

You can try working around it by setting "server_persistent_connections 
off" in squid.conf, but I would recommend identifying exactly what is going 
wrong first.

A good step on the way is to save a packet trace of the failing server 
request

  tcpdump -s 1600 -w traffic.out -i any host ip.of.your.web.server

then analyze this with ngrep / ethereal etc to try to figure out why the 
response never finishes properly.

Regards
Henrik


Re: [squid-users] Help proxying Sun Java while using 'ident required'

2005-01-10 Thread Henrik Nordstrom

On Mon, 10 Jan 2005, Brian E. Conklin wrote:

> I am having an issue with the Sun Java VM and Squid. Squid won't
> proxy any applets running in a browser while our 'ident required' ACL is
> active. If I deactivate the 'ident required' ACL, the applets work fine in
> the Sun Java VM. However, if I switch my browser to use Microsoft's Java VM,
> the applets work correctly with the 'ident required' ACL active.

Very odd. ident is completely separate from HTTP.

Maybe there is something the Sun VM does which confuses your ident server 
on the client station?

Regards
Henrik


Re: [squid-users] Squid x AD - randomic fucking error !

2005-01-10 Thread Henrik Nordstrom

On Mon, 10 Jan 2005, rodd wrote:

> auth_param ntlm max_challenge_reuses 3
> auth_param ntlm max_challenge_lifetime 24 hours

Try without challenge reuses. Challenge reuse is inherently unstable by
design and will go away completely in an upcoming Squid release.

> auth_param ntlm use_ntlm_negotiate off

And when you disable challenge reuse I would recommend enabling this as 
you use a current Samba version which benefits from it.

Regards
Henrik


Re: [squid-users] Error-page

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Mustafa ERGUC wrote:

> but when somebody tries https like
> client https://www.tspakb.org.tr:8445
> server prints only some lines of the ERR_ACCESS_DENIED page
> I could not find the reason if sb knows mail me

This is a bug in MSIE, where it fails to properly show the proxy error 
message in response to rejected CONNECT requests.

Regards
Henrik


Re: RES: [squid-users] CONNECT issues

2005-01-10 Thread Henrik Nordstrom

On Mon, 10 Jan 2005, Renato Policani wrote:

> Hi Elsen, "TCP_MISS:DIRECT" is a standard ?

http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.6

Regards
Henrik


RE: [squid-users] CONNECT issues

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Diamond King wrote:

> I`ve checked the configuration file and it seems
> that only port 443 and 563 were connected to SSL_Ports
> acl rule.

You then have some error in your http_access rules, allowing things you 
did not intend to allow.

> 192.168.25.220 - - [10/Jan/2005:11:24:38 +0800]
> "CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223
> TCP_MISS:DIRECT
>
> What's the usage of port 563 anyway?

nntps, NNTP over SSL. Supported by many browsers and is why it is in the 
default allowed list.

> By the way, any other way to check what exactly those logs for? is it 
> attempt by kazaa users? Thanks again!

If you are lucky then a meaningful user-agent string is included.. visible 
if you enable log_mime_hdrs. But most likely this is blank or forged.

Regards
Henrik
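
The symptom discussed in this reply, a CONNECT tunnel established to a port outside the SSL_ports list, can be audited from access.log. The following is an added example, not part of the original thread: it parses lines in the log format quoted above and flags CONNECT requests to ports other than 443 and 563. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Ports the thread says are tied to the SSL_ports acl (https and nntps).
SSL_PORTS = frozenset({443, 563})

# Common-log style line as quoted in the thread:
# client - user [timestamp] "METHOD target HTTP/x.y" status bytes RESULT:HIERARCHY
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<result>\S+)'
)

# Sample input. The first entry is the one quoted in the thread, joined onto a
# single line; the remaining entries are constructed for this example.
SAMPLE_LOG = [
    '192.168.25.220 - - [10/Jan/2005:11:24:38 +0800] '
    '"CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223 TCP_MISS:DIRECT',
    '192.0.2.10 - - [10/Jan/2005:11:25:02 +0800] '
    '"CONNECT www.example.com:443 HTTP/1.0" 200 4512 TCP_MISS:DIRECT',
    '192.0.2.11 - - [10/Jan/2005:11:26:40 +0800] '
    '"CONNECT mail.example.net:25 HTTP/1.0" 403 1380 TCP_DENIED:NONE',
    '192.0.2.10 - - [10/Jan/2005:11:27:15 +0800] '
    '"GET http://www.example.com/ HTTP/1.0" 200 2048 TCP_MISS:DIRECT',
]


def parse_connect_target(target):
    """Split the 'host:port' of a CONNECT request; return (host, port) or None."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    port_n = int(port)
    if not 0 < port_n < 65536:
        return None
    # Strip the brackets of an IPv6 literal such as [2001:db8::1]:8443.
    return host.strip("[]"), port_n


def audit_connects(lines, allowed_ports=SSL_PORTS):
    """Return one finding per CONNECT request whose port is not in allowed_ports.

    'tunnelled' is True when the proxy answered 2xx, i.e. the http_access
    rules let the tunnel through; False means the request was refused.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        parsed = parse_connect_target(m.group("target"))
        if parsed is None:
            continue  # malformed target, nothing to compare against the port list
        host, port = parsed
        if port in allowed_ports:
            continue
        findings.append({
            "client": m.group("client"),
            "time": m.group("ts"),
            "host": host,
            "port": port,
            "status": int(m.group("status")),
            "result": m.group("result"),
            "tunnelled": m.group("status").startswith("2"),
        })
    return findings


def tunnelled_clients(findings):
    """Count, per client address, the unexpected tunnels that were actually opened."""
    return Counter(f["client"] for f in findings if f["tunnelled"])


if __name__ == "__main__":
    for f in audit_connects(SAMPLE_LOG):
        state = "ALLOWED" if f["tunnelled"] else "refused"
        print(f'{f["time"]} {f["client"]} -> {f["host"]}:{f["port"]} '
              f'{state} ({f["status"]} {f["result"]})')
    print(dict(tunnelled_clients(SAMPLE_LOG and audit_connects(SAMPLE_LOG))))
```

Any finding with `tunnelled` set means a CONNECT to a non-listed port got a 200, which is the http_access ordering error described in the reply.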


Re: [squid-users] blocking some IP to some sites

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Daniel Navarro wrote:

> Got the idea, so, what do you recommend to avoid
> internal user to visit pornos and dirty pages as
> datemanager.com and kazaa.com?

Use the correct acls for their respective purpose.

To match destination sites use the dstdomain acl type.

See also Squid FAQ Chapter 10 Access Controls, especially the introduction 
section.

Regards
Henrik


RE: [squid-users] swap.state: (13) Permission denied

2005-01-10 Thread Greg Robertson
On my squid server the permissions are as follows. As the squid service is
run by the squid user.


-rw-r--r--   1 squid squid 3627600 Jan 11 12:07 swap.state
-rw-r--r--   1 squid squid       0 Jan 11 00:00 swap.state.last-clean


The directory /squid/var/cache should also be owned by squid. 

Mine is as follows :- 

drwxr-xr-x  19 squid squid  4096 Jan 11 00:00 cache


Regards,
Greg


-Original Message-
From: Billy Kotlaroff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 January 2005 12:10 PM
To: Greg Robertson
Subject: RE: [squid-users] swap.state: (13) Permission denied


root root

it used to be proxy and proxy.  I changed this because I figured root was
the owner of the process.

-Original Message-
From: Greg Robertson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 January 2005 12:04 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] swap.state: (13) Permission denied


What are the permissions on this file ?



-Original Message-
From: Billy Kotlaroff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 January 2005 11:39 AM
To: squid-users@squid-cache.org
Subject: [squid-users] swap.state: (13) Permission denied


Hi all,

I'm getting desperate now.  I am receiving the following error message:

/squid/var/cache/swap.state: (13) Permission denied

Can anyone offer some advice,

Cheers,







Re: [squid-users] swap.state: (13) Permission denied

2005-01-10 Thread Daniel Navarro
Billy, it seems to be an OS issue not squid. I mean
that file seems to be open in swap memory. Could try
erasing .swap file.

Hope it works, Daniel Navarro
   Maracay, Venezuela
   www.csaragua.com/ecodiver

 --- Billy Kotlaroff <[EMAIL PROTECTED]> wrote:

> Hi all,
> 
> I'm getting desperate now.  I am receiving the
> following error message:
> 
> /squid/var/cache/swap.state: (13) Permission denied
> 
> Can anyone offer some advice,
> 
> Cheers,
> 
> 
> 
>  



RE: [squid-users] swap.state: (13) Permission denied

2005-01-10 Thread Greg Robertson
What are the permissions on this file ?



-Original Message-
From: Billy Kotlaroff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 January 2005 11:39 AM
To: squid-users@squid-cache.org
Subject: [squid-users] swap.state: (13) Permission denied


Hi all,

I'm getting desperate now.  I am receiving the following error message:

/squid/var/cache/swap.state: (13) Permission denied

Can anyone offer some advice,

Cheers,







[squid-users] swap.state: (13) Permission denied

2005-01-10 Thread Billy Kotlaroff
Hi all,

I'm getting desperate now.  I am receiving the following error message:

/squid/var/cache/swap.state: (13) Permission denied

Can anyone offer some advice,

Cheers,





Re: [squid-users] blocking some IP to some sites

2005-01-10 Thread Daniel Navarro
keep on

 --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> Please keep discussion on the mailinglist.
>
> Thanks
> Henrik
>
> On Mon, 10 Jan 2005, Daniel Navarro wrote:
>
> > Got the idea, so, what do you recommend to avoid
> > internal user to visit pornos and dirty pages as
> > datemanager.com and kazaa.com?
> >
> > I try to optimize my squid con fedora core 3, I am
> > wondering what is a good cache_dir size. I see over 5
> > Gigas can take long to look for info.
> >
> > I have 20 internet clients plus 10 game clients in a
> > CiberCafe.
> >
> > Regards, Daniel Navarro
> >
> > --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> >> On Sun, 9 Jan 2005, Daniel Navarro wrote:
> >>
> >>> is working, I just wonder how many lines can support
> >>> because the big file is not supported.
> >>
> >> How big acl lists are supported is very much dependent on the type of the
> >> acl, and how you specify the data.
> >>
> >> Common mistakes you should stay away from:
> >>
> >>    1. Very large regex based lists (url_regex, urlpath_regex etc). These
> >> are quite expensive, foremost in CPU usage which is linear to the
> >> number of entries in the list but also in memory usage which is rather
> >> high per entry. In addition regex patterns are very hard to get correct in
> >> most real-life situations.
> >>
> >>    2. Specifying IP based ACLs by name (src, dst). If you specify IP
> >> addresses by name then Squid will need to make a DNS lookup on each name
> >> while parsing the configuration and this will take quite some time if the
> >> list is large, probably longer than anyone is willing to wait.
> >>
> >>
> >> The main acl types in Squid can support very many entries efficiently:
> >>
> >> src         (client IP)
> >> dst         (server IP)
> >> dstdomain   (server hostname / domain)
> >> proxy_auth  (username)
> >>
> >> For these the memory usage is approximately 4 times the size of the list,
> >> and parsing speed on a P3 450 MHz is approximately 20K entries per second.
> >> Runtime lookup time is not very dependent on the size of the list.
> >>
> >> For the other ACL types the runtime lookup time is linear to the size of
> >> the list which makes them unsuitable to be used with very large lists. The
> >> memory usage and parsing speed is about the same as above, except for the
> >> regex based acls where both memory usage and parsing time is significantly
> >> higher.
> >>
> >>
> >> While talking about large acls it is also worth mentioning the external
> >> acl interface of Squid. This allows you to instruct Squid to automatically
> >> query a backend database of your choice to perform large scale acl lookups
> >> in a dynamic and reasonably efficient manner.
> >>
> >> Regards
> >> Henrik

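
The quoted message above mentions Squid's external acl interface for large lookups. As an added example (not part of the thread and not code from the Squid project), here is a minimal helper for that interface: Squid writes one request per line and the helper answers OK or ERR. The helper path, list file, acl names and the choice to match a listed domain together with its subdomains are assumptions of this sketch; the two sample domains are the ones named in the thread.

```python
#!/usr/bin/env python3
import sys

# squid.conf wiring for this helper (sketch; paths and names are assumptions):
#   external_acl_type blocked_db %DST /usr/local/squid/libexec/domain_helper.py /usr/local/squid/etc/blocked_domains
#   acl blocked external blocked_db
#   http_access deny blocked

# Constructed sample list in the file format the helper reads.
SAMPLE_LIST = [
    "# one domain per line, leading dot optional",
    ".kazaa.com",
    "datemanager.com",
    "",
]


def load_domains(lines):
    """Normalise list entries into a set: lower-case, no surrounding dots."""
    domains = set()
    for raw in lines:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        entry = entry.strip(".")
        if entry:
            domains.add(entry)
    return domains


def domain_matches(host, domains):
    """True if host is a listed domain or a subdomain of one.

    Each suffix of the host name is looked up in the set, so the cost grows
    with the number of labels in the host name, not with the list size.
    """
    labels = host.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def answer(request_line, domains):
    """Handle one exchange: first field is %DST, reply is OK (match) or ERR."""
    fields = request_line.split()
    if not fields:
        return "ERR"
    return "OK" if domain_matches(fields[0], domains) else "ERR"


def serve(domains, stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Squid closes the pipe; flush after every reply."""
    for line in stdin:
        stdout.write(answer(line, domains) + "\n")
        stdout.flush()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            serve(load_domains(fh))
    else:
        serve(load_domains(SAMPLE_LIST))
```

The flush after each reply matters: Squid waits on the pipe for every answer, so a buffered helper stalls the requests that depend on it.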


[squid-users] trying to track down a bug

2005-01-10 Thread Robert Borkowski
Hi everyone,
I am trying to track down a bug which is troubling our production 
systems and am so far stumped.

This is on Debian Linux. Tried kernels 2.4.27, and 2.6.7, squid 
2.5STABLE[157]. All have this problem.
Squid is configured as a reverse-accelerator, compiled with 
--enable-x-accelerator-vary and our webservers add X-Accelerator-Vary: 
Accept-Encoding to responses.

A small percentage of incoming requests (about 0.02%) to our 
reverse-accelerator farm take a very long time to complete. From the few 
clues I've been able to glean I suspect there is a problem with squid 
refreshing objects while another client is in the process of retrieving 
the same object.

The clues:
A wget in a loop retrieving the main page of our site will occasionally 
take just under 15 minutes to complete the retrieval. Normally it takes 
0.02 seconds.

When I look at the access.log for that retrieval and work back to the 
time the request was placed I often find that some client out on the 
internet had issued a request with a no-cache header resulting in 
TCP_CLIENT_REFRESH_MISS for the main page.

With wget --server-response I see that the Age header of the slow to 
retrieve page always has a low number of seconds, so it was just 
refreshed prior to the request.

The Age + the time to retrieve the object = the read_timeout in 
squid.conf. I changed it to 9 minutes on one server and started seeing 
wget fail with 8+ instead of 14+ minutes.

The object is transferred quickly, but the connection stays open until 
some timer in squid elapses (read_timeout) and only then squid closes 
the connection.

This problem did not exist on the same hardware with Solaris x86 as the OS.
Any ideas as to where I should be looking? There are a few places in the 
code that are ifdef'd _SQUID_LINUX_, but nothing looks applicable to the 
problem.

I am having no luck reproducing this on a test system.
--
Robert Borkowski


[squid-users] Autentication x AD intermittent

2005-01-10 Thread rodd
Hi masters !

  I am having some problems using my Squid authenticating
against my Active Directory Server.
 I have this environment working for about 6 months, and it was
fine, but since last month its behavior became very strange. The point
is when the clients request a page, some time it works fine, but some
times they get an error like: "The page cannot be displayed".
 I have checked many things, starting with the DNS structure,
and I didn't find any problem. I've checked the response time between
my workstation machine and the Squid Server, and between the Squid
Server and the AD server, and everything is fine, actually they are
all in the same LAN.
 I tried many different configurations of samba and squid to
solve that, but it still happens. I changed my smb.conf and the
squid.conf and now it is like that:

smb.conf
[global]
workgroup = domain
password server = IP
encrypt passwords = yes
realm = DOMAIN
server string = Samba 3.0.7
security = ADS
username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap ssl = no
idmap uid = 1-10
idmap gid = 1-10
winbind gid = 1-10
winbind cache time = 240
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template primary group = "Domain Users"
template homedir = /dev/null
template shell = /dev/null
winbind separator = +

basic squid.conf

http_port 8081
buffered_logs on
dead_peer_timeout 90 seconds
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 16384 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cache01 1 16 256
cache_dir aufs /cache02 1 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_children 15
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 90
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 24 hours
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
authenticate_ttl 3 hour
connect_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 5 minute
half_closed_clients off
acl user_AD proxy_auth REQUIRED
http_access allow user_AD all
http_access deny all
http_reply_access allow all
icp_port 0
log_icp_queries off
icp_access deny all
miss_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
forwarded_for off
coredump_dir /var/spool/squid

I am using Samba 3.0.7 with winbind, and it is ok. My krb5.conf
is like that:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = XXX.COM.BR
dns_lookup_realm = no
dns_lookup_kdc = no
forwardable = true
proxiable = true
kdc_timeout = 5
[realms]
XXX.COM.BR = {
kdc = IP:88
admin_server = IP:749
default_domain = xx.com.br
}
[domain_realm]
.xx.com.br = XX.COM.BR
xx.com.br = XX.COM.BR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}

  The software versions are:

Squid: Version 2.5.STABLE7
Winbindd: Version 3.0.7
krb5 - 1.2.7-24
and Red Hat Enterprise Server

   I've tried different log levels, and I didn't get any
error, even in winbindd.log, or cache.log, or access.log; actually,
when the error happens it doesn't log.

  I did upgrade the Squid, and I've tried to upgrade the
winbind, but the new winbind doesn't work fine, I don't know why. Has
anybody compiled the new version of Samba with Squid? The error
that I got was: "failed tcon_X with NT_STATUS_ACCESS_DENIED".

I don't really think that the samba 3.0.7 could be the problem.
Other important information is when I stop the
authentication, the problem stops. Other important information is that
the problem just happens during the business day, we have around 3000
users accessing the internet. Btw, the cpu and memory of the server
are ok. I also tried disabling the cache, but without success.

   Other very interesting thing is that I have a backup proxy
server, and in that server the problem doesn't happen, so, I
switched the clients to the backup server while I was working in the
main server, so, I tried an upgrade of Kernel and others
configurations, but nothing changed. My last choice was to rebuild the
whole machine and I am doing it now, and the clients are accessing the
backup server since two weeks ago without any problem, but today the
problem also started in the backup server.  Ar

[squid-users] Squid x AD - randomic problem

2005-01-10 Thread rodd
Hi masters !

   I am having some problems using my Squid authenticating
against my Active Directory Server.
  I have this environment working for about 6 months, and it was
fine, but since last month its behavior became very strange. The point
is when the clients request a page, some time it works fine, but some
times they get an error like: "The page cannot be displayed".
  I have checked many things, starting with the DNS structure,
and I didn't find any problem. I've checked the response time between
my workstation machine and the Squid Server, and between the Squid
Server and the AD server, and everything is fine, actually they are
all in the same LAN.
  I tried many different configurations of samba and squid to
solve that, but it still happens. I changed my smb.conf and the
squid.conf and now it is like that:

smb.conf
[global]
workgroup = domain
password server = IP
encrypt passwords = yes
realm = DOMAIN
server string = Samba 3.0.7
security = ADS
username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap ssl = no
idmap uid = 1-10
idmap gid = 1-10
winbind gid = 1-10
winbind cache time = 240
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template primary group = "Domain Users"
template homedir = /dev/null
template shell = /dev/null
winbind separator = +

basic squid.conf

http_port 8081
buffered_logs on
dead_peer_timeout 90 seconds
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 16384 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cache01 1 16 256
cache_dir aufs /cache02 1 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_children 15
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 90
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 24 hours
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
authenticate_ttl 3 hour
connect_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 5 minute
half_closed_clients off
acl user_AD proxy_auth REQUIRED
http_access allow user_AD all
http_access deny all
http_reply_access allow all
icp_port 0
log_icp_queries off
icp_access deny all
miss_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
forwarded_for off
coredump_dir /var/spool/squid

 I am using Samba 3.0.7 with winbind, and it is ok. My krb5.conf
is like that:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = XXX.COM.BR
dns_lookup_realm = no
dns_lookup_kdc = no
forwardable = true
proxiable = true
kdc_timeout = 5
[realms]
XXX.COM.BR = {
 kdc = IP:88
 admin_server = IP:749
 default_domain = xx.com.br
}
[domain_realm]
.xx.com.br = XX.COM.BR
xx.com.br = XX.COM.BR
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

   The software versions are:

Squid: Version 2.5.STABLE7
Winbindd: Version 3.0.7
krb5 - 1.2.7-24
and Red Hat Enterprise Server

I've tried different log levels, and I didn't get any
error, even in winbindd.log, or cache.log, or access.log; actually,
when the error happens it doesn't log.

   I did upgrade the Squid, and I've tried to upgrade the
winbind, but the new winbind doesn't work fine, I don't know why. Has
anybody compiled the new version of Samba with Squid? The error
that I got was: "failed tcon_X with NT_STATUS_ACCESS_DENIED".

 I don't really think that the samba 3.0.7 could be the problem.
 Other important information is when I stop the
authentication, the problem stops. Other important information is that
the problem just happens during the business day, we have around 3000
users accessing the internet. Btw, the cpu and memory of the server
are ok. I also tried disabling the cache, but without success.

Other very interesting thing is that I have a backup proxy
server, and in that server the problem doesn't happen, so, I
switched the clients to the backup server while I was working in the
main server, so, I tried an upgrade of Kernel and others
configurations, but nothing changed. My last choice was to rebuild the
whole machine and I am doing it now, and the clients are accessing the
backup server since two weeks ago without any problem, but today the
problem also started in the

[squid-users] Help proxying Sun Java while using 'ident required'

2005-01-10 Thread Brian E. Conklin
Hello,
I am having an issue with the Sun Java VM and Squid. Squid won't
proxy any applets running in a browser while our 'ident required' ACL is
active. If I deactivate the 'ident required' ACL, the applets work fine in
the Sun Java VM. However, if I switch my browser to use Microsoft's Java VM,
the applets work correctly with the 'ident required' ACL active.

Here is the applicable portion of my ACL:

acl mgh src 172.31.192.0/255.255.240.0 192.168.11.0/255.255.255.0
acl idents ident REQUIRED
acl SNMPpublic snmp_community public
acl 7Ato7P time 07:00-19:00
acl ICU7Ato7PPCs src 172.31.195.138
acl JavaApplets url_regex -i \.Class \.loadClass java \.jar
acl JavaOctet-Stream req_mime_type application/octet-stream
acl fw_outside src 66.119.204.11
acl jsStream req_mime_type application/x-javascript

snmp_access allow mgh SNMPpublic
http_access allow manager mgh
http_access deny ICU7Ato7PPCs !7Ato7P
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !Safe_ports
http_access allow JavaApplets !idents
http_access allow JavaOctet-Stream !idents
http_access allow jsStream !idents
http_access allow mgh idents
http_access deny all !Server_IPs !fw_outside

The output of uname -a is:
FreeBSD fw.masongeneral.com 4.10-RELEASE-p1 FreeBSD 4.10-RELEASE-p1 #2: Wed
Jun 30 08:23:12 PDT 2004
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/FIREWALL  i386

The version of Squid I am running is:
Squid-2.5.6_10


Brian E. Conklin
Director of Information Services
Mason General Hospital
===
Mason General Hospital
901 Mt. View Drive
PO Box 1668
Shelton, WA 98584
http://www.masongeneral.com
(360) 426-1611
===


[squid-users] Squid x AD - randomic fucking error !

2005-01-10 Thread rodd
Hi masters !

I am having some problems using my Squid authenticating
against my Active Directory Server.
   I have had this environment working for about 6 months, and it was
fine, but since last month its behavior became very strange. The point
is when the clients request a page, sometimes it works fine, but
sometimes they get an error like: "The page cannot be displayed".
   I have checked many things, starting with the DNS structure,
and I didn't find any problem. I've checked the response time between
my workstation machine and the Squid Server, and between the Squid
Server and the AD server, and everything is fine; actually they are
all in the same LAN.
   I tried many different configurations of samba and squid to
solve that, but it is still happening. I changed my smb.conf and the
squid.conf and now they are like that:

smb.conf
[global]
workgroup = domain
password server = IP
encrypt passwords = yes
realm = DOMAIN
server string = Samba 3.0.7
security = ADS
username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap ssl = no
idmap uid = 1-10
idmap gid = 1-10
winbind gid = 1-10
winbind cache time = 240
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template primary group = "Domain Users"
template homedir = /dev/null
template shell = /dev/null
winbind separator = +


basic squid.conf

http_port 8081
buffered_logs on
dead_peer_timeout 90 seconds
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 16384 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cache01 1 16 256
cache_dir aufs /cache02 1 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_children 15
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 90
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 24 hours
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
authenticate_ttl 3 hour
connect_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 5 minute
half_closed_clients off
acl user_AD proxy_auth REQUIRED
http_access allow user_AD all
http_access deny all
http_reply_access allow all
icp_port 0
log_icp_queries off
icp_access deny all
miss_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
forwarded_for off
coredump_dir /var/spool/squid

  I am using Samba 3.0.7 with winbind, and it is ok. My krb5.conf
is like that:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = XXX.COM.BR
 dns_lookup_realm = no
 dns_lookup_kdc = no
 forwardable = true
 proxiable = true
 kdc_timeout = 5
[realms]
 XXX.COM.BR = {
  kdc = IP:88
  admin_server = IP:749
  default_domain = xx.com.br
 }
[domain_realm]
 .xx.com.br = XX.COM.BR
 xx.com.br = XX.COM.BR
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

The software versions are:

Squid: Version 2.5.STABLE7
Winbindd: Version 3.0.7
krb5 - 1.2.7-24
and Red Hat Enterprise Server

 I've tried different log levels, and I didn't get any
error, even in winbindd.log, or cache.log, or access.log; actually,
when the error happens it doesn't log.

I did upgrade the Squid, and I've tried to upgrade the
winbind, but the new winbind doesn't work fine, I don't know why. Has
anybody compiled the new version of Samba with Squid? The error
that I got was: "failed tcon_X with NT_STATUS_ACCESS_DENIED".

  I don't really think that the samba 3.0.7 could be the problem.
  Other important information is that when I stop the
authentication, the problem stops. Other important information is that
the problem just happens during the business day; we have around 3000
users accessing the internet. Btw, the cpu and memory of the server
are ok. I also tried disabling the cache, but without success.

 Other very interesting thing is that I have a backup proxy
server, and in that server the problem didn't happen, so I
switched the clients to the backup server while I was working on the
main server, so I tried an upgrade of the kernel and other
configurations, but nothing changed. My last choice was to rebuild the
whole machine and I am doing it now, and the clients have been accessing the
backup server since two weeks ago without any problem, but 

Re: [squid-users] Usernames with whitespace

2005-01-10 Thread apmailist
I'll test your patch on a 2.5STABLE7.

I'll let you know about the results.

Bugzilla # is 1187

By the way I use these filters :

auth_param basic program /proxy1/libexec/squid_ldap_auth -b
ou=Person,dc=company,dc=com -f(uid=%s)  -h ldapserver

external_acl_type ldap_group %LOGIN /proxy1/libexec/squid_ldap_group -b
ou=Applications,dc=company,dc=com -B ou=Person,dc=company,dc=com -F "(uid=%s)"
-f "(&(uniqueMember=%u)(cn=%g)(objectClass=groupofuniquenames))"  -h ldapserver

Thanks

Andrew.


>> The best would be that Squid asks for a username/passwd until it is valid
>> (good pair && no whitespace) so that the end-user doesn't get confused.
>
>Then make sure the authentication helper rejects logins with spaces in
>them.
>
>
> On Fri, 7 Jan 2005, Henrik Nordstrom wrote:
>
> > On Fri, 7 Jan 2005 [EMAIL PROTECTED] wrote:
> >
> >> I am using squid_ldap_auth as shipped with squid 2.5stable5
> >> and also squid_ldap_group but that's out of topic.
> >
> > Hmm.. What LDAP server are you using, with what user filter to
> > squid_ldap_auth?
> >
> > Also try with a more current version. There were significant changes in
> > related areas for the 2.5.STABLE6 release (bug #935). This doesn't
> > explicitly deal with space characters however..
> >
> > A quick test with LDAP search tools reveals this is a bit problematic as
> > the LDAP server ignores the amount of spaces in logins..  Please try the
> > attached patch.
>
> And please also file a bugreport so I have a bug to attach the patch to
> to make sure it doesn't get forgotten before 2.5.STABLE8 is released.
>
> Regards
> Henrik
>




Re: [squid-users] Error-page

2005-01-10 Thread Muthukumar
> like this
> client http://www.kyk.gov.tr:7779
> squid prints ERR_ACCESS_DENIED
> but when somebody tries https like
> client https://www.tspakb.org.tr:8445
> server prints only some lines of the ERR_ACCESS_DENIED page
> I could not find the reason. If somebody knows, mail me.

Give your squid.conf configurations for the ACL + HTTP access settings, as obtained with:

grep -E '^[ ]*acl|^[ ]*http_access' squid.conf

Access will be blocked with http_access settings.

Regards
-Muthu 



[squid-users] Error-page

2005-01-10 Thread Mustafa ERGUC

 Hello, I'm using squid 2.7 as proxy, and I closed some ports that are not 
secure. When somebody tries to connect to some port other than the safe ones, the proxy 
server prints the ERR_ACCESS_DENIED page,
like this:
client http://www.kyk.gov.tr:7779
squid prints ERR_ACCESS_DENIED
but when somebody tries https like
client https://www.tspakb.org.tr:8445
server prints only some lines of the ERR_ACCESS_DENIED page.
I could not find the reason. If somebody knows, mail me.




RES: [squid-users] CONNECT issues

2005-01-10 Thread Renato Policani
Hi Elsen, "TCP_MISS:DIRECT" is a standard ? 

-Original message-
From: Diamond King [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 11:03
To: Elsen Marc; squid-users@squid-cache.org
Subject: RE: [squid-users] CONNECT issues


  I've checked the configuration file and it seems
that only port 443 and 563 were connected to the SSL_Ports
acl rule. What's the usage of port 563 anyway? By the
way, is there any other way to check what exactly those logs
are for? Is it an attempt by kazaa users? Thanks again!

Brian

--- Elsen Marc <[EMAIL PROTECTED]> wrote:

>
> >
> > Dear all,
> >
> > Recently, i became aware that a number of my users
> > started to use kazaa and those other tunnel software
> > as well. I checked the access.log files and came
> > across these logs :-
> >
> > 192.168.25.220 - - [10/Jan/2005:11:24:38 +0800] "CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223 TCP_MISS:DIRECT
> > 192.168.25.220 - - [10/Jan/2005:11:24:39 +0800] "CONNECT 4.16.112.104:1214 HTTP/1.0" 0 0 TCP_MISS:NONE
> > 192.168.21.23 - - [10/Jan/2005:11:24:42 +0800] "CONNECT 65.32.244.27:3697 HTTP/1.0" 200 212 TCP_MISS:DIRECT
> > 192.168.25.55 - - [10/Jan/2005:11:24:45 +0800] "CONNECT 24.166.75.223:1214 HTTP/1.0" 200 221 TCP_MISS:DIRECT
> > 192.168.25.55 - - [10/Jan/2005:11:24:46 +0800] "CONNECT 66.139.108.167:1340 HTTP/1.0" 200 227 TCP_MISS:DIRECT
> >
> >
> > If you noticed carefully, the logs sometimes have the
> > value of TCP_MISS:DIRECT and some of them are
> > TCP_MISS:NONE.
> >
> >
> > I've been trying to track down the source of the
> > problem. They are using hopster and etc. It seems like
> > they know the existence of the Squid server here and try to
> > take advantage of it. Could someone point me how to
> > get rid of these things? thanks!
> >
>
> The SSL_Ports acl in squid.conf(.default), can be used to allow
> the list of ports allowed for 'CONNECT'. Make sure that, for instance,
> port 443 is the only port allowed for the connect method.
>
> M.
>







RE: [squid-users] CONNECT issues

2005-01-10 Thread Elsen Marc
 
> 
>   I`ve checked the configuration file and it seems
> that only port 443 and 563 were connected to SSL_Ports
> acl rule.

  I doubt this for your current configuration, because
otherwise the CONNECT requests for other ports than 443
and 553 should be denied by SQUID, which apparently
from the log examples they aren't.

> What's the usage of port 563 anyway?

  From : 

http://www.iana.org/assignments/port-numbers  ->

nntps   563/tcp    nntp protocol over TLS/SSL (was snntp)
nntps   563/udp    nntp protocol over TLS/SSL (was snntp)

M.
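
The check described in this reply (CONNECT requests to ports outside SSL_ports should show up as denied, not as established tunnels) can be run over access.log. The following is an added example, not code from the thread or from Squid; it assumes the httpd-style log layout quoted in the thread and the 443/563 port list mentioned there, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports the thread reports in the SSL_ports acl (443 = https, 563 = nntps).
ALLOWED_CONNECT_PORTS = frozenset({443, 563})

# httpd-style access.log entry with Squid's result:hierarchy code appended,
# the same layout as the lines quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{1,3}) (?P<size>\d+) (?P<result>\S+)$'
)

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.20 - - [10/Jan/2005:11:24:38 +0800] "CONNECT 198.51.100.14:3518 HTTP/1.0" 200 223 TCP_MISS:DIRECT
192.0.2.20 - - [10/Jan/2005:11:24:39 +0800] "CONNECT 198.51.100.104:1214 HTTP/1.0" 0 0 TCP_MISS:NONE
192.0.2.55 - - [10/Jan/2005:11:24:45 +0800] "CONNECT 203.0.113.23:1214 HTTP/1.0" 200 221 TCP_MISS:DIRECT
192.0.2.77 - - [10/Jan/2005:11:25:02 +0800] "CONNECT www.example.com:443 HTTP/1.0" 200 5120 TCP_MISS:DIRECT
192.0.2.77 - - [10/Jan/2005:11:25:03 +0800] "GET http://www.example.com/ HTTP/1.0" 200 1834 TCP_MISS:DIRECT
192.0.2.55 - - [10/Jan/2005:11:25:10 +0800] "CONNECT 203.0.113.9:8080 HTTP/1.0" 403 1043 TCP_DENIED:NONE
"""


def parse_connect(line):
    """Return a dict describing a CONNECT entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("method") != "CONNECT":
        return None
    # CONNECT targets are host:port; rpartition also copes with [v6]:port.
    host, sep, port = m.group("target").rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {
        "client": m.group("client"),
        "host": host,
        "port": int(port),
        "status": int(m.group("status")),
        "result": m.group("result"),
    }


def find_unexpected_tunnels(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return CONNECT entries whose destination port is not in `allowed`."""
    hits = []
    for line in lines:
        entry = parse_connect(line)
        if entry is not None and entry["port"] not in allowed:
            hits.append(entry)
    return hits


def summarize(entries):
    """Per client: attempts, tunnels that got a 200, and attempts Squid denied."""
    acc = defaultdict(
        lambda: {"attempts": 0, "established": 0, "denied": 0, "ports": set()}
    )
    for e in entries:
        row = acc[e["client"]]
        row["attempts"] += 1
        row["ports"].add(e["port"])
        if e["status"] == 200:
            row["established"] += 1  # the ACL did not stop this tunnel
        elif e["result"].startswith("TCP_DENIED"):
            row["denied"] += 1       # the ACL is doing its job here
    return {c: {**r, "ports": sorted(r["ports"])} for c, r in acc.items()}


if __name__ == "__main__":
    report = summarize(find_unexpected_tunnels(SAMPLE_LOG.splitlines()))
    for client, row in sorted(report.items()):
        print(client, row)
```

Any client with a non-zero `established` count for off-list ports means the deny rule for CONNECT is not taking effect in the running configuration.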
 


Re: [squid-users] URL too large workaround

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Irfan DP wrote:

> it might be some garbage malfunctioning request from our client, i
> couldn't confirm that too.

Unfortunately it is a little tricky to confirm without using 
tcpdump/ngrep..

> I just want to make it clean on cache.logsome i don't have to worry
> too much on that kind of error.
>
> anyway, is it correct value to increase the URL MAXSIZE threshold ?

Unless you can confirm your users really need to access applications 
requiring URLs larger than 4KB (the default) I would recommend leaving 
this alone. The Squid sources have not been tested much with a MAX_URL 
other than 4KB.

If all you want to do is to get rid of the cache.log message then change 
the debug() statement printing the warning to use debug level 2 instead of 
1.

Regards
Henrik


RE: [squid-users] CONNECT issues

2005-01-10 Thread Diamond King
  I've checked the configuration file and it seems
that only port 443 and 563 were connected to the SSL_Ports
acl rule. What's the usage of port 563 anyway? By the
way, is there any other way to check what exactly those logs
are for? Is it an attempt by kazaa users? Thanks again!

Brian

--- Elsen Marc <[EMAIL PROTECTED]> wrote:

>
> >
> > Dear all,
> >
> > Recently, i became aware that a number of my users
> > started to use kazaa and those other tunnel software
> > as well. I checked the access.log files and came
> > across these logs :-
> >
> > 192.168.25.220 - - [10/Jan/2005:11:24:38 +0800] "CONNECT 213.103.81.214:3518 HTTP/1.0" 200 223 TCP_MISS:DIRECT
> > 192.168.25.220 - - [10/Jan/2005:11:24:39 +0800] "CONNECT 4.16.112.104:1214 HTTP/1.0" 0 0 TCP_MISS:NONE
> > 192.168.21.23 - - [10/Jan/2005:11:24:42 +0800] "CONNECT 65.32.244.27:3697 HTTP/1.0" 200 212 TCP_MISS:DIRECT
> > 192.168.25.55 - - [10/Jan/2005:11:24:45 +0800] "CONNECT 24.166.75.223:1214 HTTP/1.0" 200 221 TCP_MISS:DIRECT
> > 192.168.25.55 - - [10/Jan/2005:11:24:46 +0800] "CONNECT 66.139.108.167:1340 HTTP/1.0" 200 227 TCP_MISS:DIRECT
> >
> >
> > If you noticed carefully, the logs sometimes have the
> > value of TCP_MISS:DIRECT and some of them are
> > TCP_MISS:NONE.
> >
> >
> > I've been trying to track down the source of the
> > problem. They are using hopster and etc. It seems like
> > they know the existence of the Squid server here and try to
> > take advantage of it. Could someone point me how to
> > get rid of these things? thanks!
> >
>
> The SSL_Ports acl in squid.conf(.default), can be used to allow
> the list of ports allowed for 'CONNECT'. Make sure that, for instance,
> port 443 is the only port allowed for the connect method.
>
> M.
>






[squid-users] Re: ntlmssp_server_auth: failed to parse NTLMSSP

2005-01-10 Thread Rodrigo A B Freire
   This is a samba ntlm blob parsing failure. I submitted a bug to Andrew 
Bartlett.

   To shut up the messages, add the line
log level = 0
   To your [global] section of smb.conf
   Stop squid, stop winbindd, stop nmbd, start nmbd, start winbindd and 
start your squid. Your cache.log no longer has these reports.

- Original Message - 
From: "Rodrigo A B Freire" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 09, 2004 1:29 PM
Subject: ntlmssp_server_auth: failed to parse NTLMSSP


   Hello,
   I set up a Squid 2.5-STABLE7
(./configure --enable-underscores --enable-gnuregex --disable-ident-lookups
--enable-snmp --enable-err-languages="English" --with-pthreads
--mandir=/usr/share/man --enable-storeio=diskd,ufs --enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group") with Samba 3.0.9
(./configure --prefix=/usr --with-winbind --with-configdir=/etc/samba
--mandir=/usr/share/man).
   The authentication is working good, but my cache.log is full of
[2004/12/09 11:40:21, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
 ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/12/09 11:40:21, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
 ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/12/09 11:40:21, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
 ntlmssp_server_auth: failed to parse NTLMSSP:
[2004/12/09 11:40:22, 1] libsmb/ntlmssp.c:ntlmssp_server_auth(549)
 ntlmssp_server_auth: failed to parse NTLMSSP:
   Any ideas?
   Thank you,
   Rod. 



Re: [squid-users] URL too large workaround

2005-01-10 Thread Irfan DP
it might be some garbage malfunctioning request from our client, i couldn't 
confirm that too.
I just want to make it clean on cache.logsome i don't have to worry too 
much on that kind of error.

anyway, is it correct value to increase the URL MAXSIZE threshold ?
Thank you

irfan-dp

<<< Replied Message >>>-

On 1/10/2005 at 12:48 PM Henrik Nordstrom wrote:

|>On Mon, 10 Jan 2005, Irfan DP wrote:
|>
|>> 2005/01/10 14:04:00| urlParse: URL too large (65558 bytes).
|>>
|>> Last time i checked that out on maillist archive and someone try to
|>increase the default value of URL Maxsize in src/defines.h from default
|>value 4096 to appropriate number that suit to our requirement.
|>
|>Are you sure these really are URLs and not just garbage some
|>malfunctioning client has sent to Squid?
|>
|>Regards
|>Henrik

--->>> Reply End <<<---



Re: [squid-users] URL too large workaround

2005-01-10 Thread Henrik Nordstrom

On Mon, 10 Jan 2005, Irfan DP wrote:

> 2005/01/10 14:04:00| urlParse: URL too large (65558 bytes).
>
> Last time i checked that out on maillist archive and someone try to increase the default value of URL Maxsize in src/defines.h from default value 4096 to appropriate number that suit to our requirement.

Are you sure these really are URLs and not just garbage some 
malfunctioning client has sent to Squid?

Regards
Henrik


Re: [squid-users] Squid 2.5stable7 patch 20050105 reload

2005-01-10 Thread Henrik Nordstrom
On Mon, 10 Jan 2005, Irfan DP wrote:

> After serving request from users, my squid daemon always restarted after
> receiving warning and cache.log like "ctx: enter level (number)"...or
> after receiving large number of request URL bigger than 65536 Bytes
> (even though i try to increase MAX_URL from 4096 to 8192 on src/define.h)
> or frequently receiving whitespace error on httpheader and send this
> message then reload the daemon:
>
> 2005/01/10 15:43:37| httpAccept: FD 521: accept failure: (53) Software caused
> connection abort
> FATAL: Received Bus Error...dying.
>
> Any idea how this thing happen ?

A bug.

See the Squid FAQ on how to send bug reports for instructions on how to 
proceed. If the required information is collected it should not take long 
to get the bug fixed (I hope).

Regards
Henrik


Re: [squid-users] Negative

2005-01-10 Thread Henrik Nordstrom
On Sun, 9 Jan 2005, Houssam Melhem wrote:

> i was monitoring squid today and i noticed that the Process Data
> Segment Size was increasing and when it reaches more than 2G cachemgr
> started to display negative values
> why do cachemgr display these negative values?

because in a 32-bit 2-complement world values above 2GB are negative, and 
values above 4GB become 0 again..

> I switched to the cachemgr mem page to see what memory pool has the
> biggest amount:
> mem_node has 75% impact
> is this normal? and what is the mem_node pool?

How large is your cache_mem setting?
Regards
Henrik


[squid-users] Re: SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.

2005-01-10 Thread Henrik Nordstrom

On Mon, 10 Jan 2005, Rakesh Kumar wrote:

> Now I have installed a fresh RH9 and Squid-3 PRE3

Don't use 3.0.PRE3, if you run Squid-3 you should run a recent snapshot 
release.

Regards
Henrik


Re: [squid-users] Authentication and Windows Media

2005-01-10 Thread Kinkie
On Mon, 2005-01-10 at 13:37 +1100, Chris Vaughan wrote:
> Greetings,
> 
> Given that proxy authentication for windows media player, how would I
> set up an acl in squid.conf to bypass authentication for that
> application?

Your best bet is a 'browser' type ACL, combined with other ACL types
such as src, dst or dstdomain (or it's a potential security problem -
kind of leaving your front door open for everyone to go through).

-- 
Kinkie <[EMAIL PROTECTED]>


[squid-users] URL too large workaround

2005-01-10 Thread Irfan DP
2005/01/10 14:04:00| urlParse: URL too large (65558 bytes).

Last time I checked the mailing list archive, someone tried to increase 
the default value of URL Maxsize in src/defines.h from the default value 4096 to an 
appropriate number that suits our requirement.

I tried to increase it --> #define MAX_URL  16384 and recompiled squid again. 
But I still received that error message: "URL too large (65558 bytes)."

Any idea how to get a bigger threshold size? Thank you

irfan_dp





RE: [squid-users] basic authenticator hangs when squid often receive logrotate

2005-01-10 Thread Anton Golubev
Hi Henrik,

Thank you for your prompt reply! I installed the latest squid with the
recommended patch (luckily the squid port is well maintained) and will watch
the result.

You are right, the "time" values from helper statistics don't exactly
correspond to "rotate" calls. And it can be a problem within the
authenticator. Hope the patch will help squid to kill stalled helpers
during "rotate".


Many thanks,
Anton





RE: [squid-users] Squid 2.5stable7 patch 20050105 reload

2005-01-10 Thread Elsen Marc

 
> dear all,
> 
> After serving request from users, my squid daemon always 
> restarted after receiving warning and cache.log like "ctx: 
> enter level (number)"...or after receiving large number of 
> request URL bigger than 65536 Bytes (eventhough i try to 
> increase MAX_URL from 4096 to 8192 on src/define.h) or 
> frequently receiving whitespace error on httpheader and 
> send this message then reload the daemon:
> 
> 2005/01/10 15:43:37| httpAccept: FD 521: accept failure: (53) 
> Software caused connection abort
 
The above is normally harmless. And is reported on FreeBSD due to 
clients aborting connection(s) to the Squid Cache.

> FATAL: Received Bus Error...dying.
 
  Bus error and friends are of the same class/magnitude as SEGV on
  Unix and indicate inconsistencies/fatal errors/bugs in the software (SQUID).
  You can file a bug report, if you feel this is appropriate considering
  the changes you made to the source and the like.

  M.


[squid-users] Squid 2.5stable7 patch 20050105 reload

2005-01-10 Thread Irfan DP
dear all,

After serving requests from users, my squid daemon always restarted after 
receiving warnings in cache.log like "ctx: enter level (number)"...or after 
receiving a large number of request URLs bigger than 65536 Bytes (even though I tried 
to increase MAX_URL from 4096 to 8192 in src/define.h) or frequently receiving 
whitespace errors on httpheader, and it sends this message then reloads the daemon:

2005/01/10 15:43:37| httpAccept: FD 521: accept failure: (53) Software caused 
connection abort
FATAL: Received Bus Error...dying.

Any idea how this thing happens?
thank you.

irfan-dp