Re: [squid-users] Authentication Problems
Hement Gopal wrote: Hi I start squid as a process in my rc.local file /usr/local/squid/sbin/squid Rgds, Hement Chris Robertson wrote: -Original Message- From: Hement Gopal [mailto:[EMAIL PROTECTED] Sent: Thursday, January 13, 2005 12:06 AM To: squid Subject: [squid-users] Authentication Problems Hi all I have two proxy servers, both running the same OS and Squid Squid Cache: Version 2.5.STABLE5 Linux athena.wits.ac.za 2.4.20-8smp Linux version 2.4.20-8smp ([EMAIL PROTECTED]) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 SMP Thu Mar 13 17:45:54 EST 2003 On server 1, user authentication seems to be giving problems. A small percentage of users complain that their username and password combinations do not work. If I test from Netscape and IE with their user/pass combos I also have issues. When I test on the server 1 itself using the ncsa-auth command, I get an OK so I know the problem is not with my password file. Comparing password files on the two servers also confirms that there are no problems. If I change my browser to point to server 2, authentication works fine so I'm pretty sure problem is related to the server 1 only. I also noticed that when I do a squid -k reconfig on server 1, the problem disappears. Any ideas folks? Rgds, Hement Gopal If I'm reading this right, you are saying that when you initially start squid on server 1, it has problems with some users' authentication, but after you run a reconfig everything works just fine. If this is the case, I would venture a guess that you might have two different squid.conf files. One is read on startup (specified by /etc/rc.d/init.d/squid) and one is read when you run the squid -k reconfig (specified by how you compiled squid). But this is just a guess, based on interpretation... Chris
Re: [squid-users] Authentication Problems
Hi How would I confirm that I am running the correct version of ncsa? rgds, Hement Henrik Nordstrom wrote: On Thu, 13 Jan 2005, Hement Gopal wrote: On server 1, user authentication seems to be giving problems. A small percentage of users complain that their username and password combinations do not work. If I test from Netscape and IE with their user/pass combos I also have issues. When I test on the server 1 itself using the ncsa-auth command, I get an OK so I know the problem is not with my password file. Make sure you use ncsa_auth from Squid-2.5 and not an older version.. Regards Henrik
[squid-users] can a redirector do this?
Folks, We are playing with Websense running in squid redirector mode. On the whole, this works pretty well, I have it integrated with our AD and squid nicely and we are able to control where our users are able to go. The problem I have is that we want to block proxy bypass sites, one of the sites we are having problems with uses https, when this goes through the websense redirector the redirector says "blocked" but the browser still gets the site displayed. I have had a bit of a to and fro with websense support and they are saying you cannot redirect a https request to a http page (websense uses a http server to tell the user they have been blocked). I am not certain what they are telling me is true, mainly because they started off by trying to tell me the https requests never went through the redirector - only to change that story when I gave them the logs showing their redirector was seeing the https requests. So, can a redirector rewrite a https request to go to a http server? Would squid ignore the redirect and just go to the https server anyway? -- Brett Lymn
[squid-users] How squid get and make use of username?
Hi ALL, I am new to squid and wondering if anyone could help about how the squid get username from the OS environment. Did the browser send anything to squid to tell it about the client identity? Or squid will resolve the identity based on the source ip addresses? I have a scenario here: I wish I can define a set of acl rules based on username in squid. Since the client is not using standard authentication method of any kind, I am thinking if the squid can be modified to resolve the username based on client's source ip address. For your information, the client may anyhow log in via web page and be authenticated locally by a self-written easy authentication service. Means, the username can be obtained locally by squid. I am hoping that the squid can then filter the traffic based on the predefined acl (using username). Any other suggestion in accomplishing this? Anyone can tell me about generally how the squid get username from the system, how they make use of the username (does squid resolve the ip?) and how the acl is enforced to that user? Thank you. Steve
[squid-users] digest
Hi All, I've just set up Squid on a Debian Sarge box and tried to configure it so that it will proxy/cache for my local network which is connected via ISDN to my ISP. When I run Squid, and make the first request for a webpage, it appears to go off and try to get the file /squid-internal-periodic/store_digest from the nominated parent (ISP runs Squid 2.5.). This file is some 6MB in size and uses most of my link's resources to download. I am not sure what happens next but I see a continual transfer of data at about 6MB per hour (in darkstat) making me think that the digest file is constantly being downloaded. I don't really need the digest anyway as I only have one access point to the wider world and no other sibling caches, just the ISP parent. I've tried various squid.conf configurations and nothing works right. I either get it working with the parent and downloading my wanted webpages BUT along with the % digest OR my proxy tries to access the wanted webpages directly and the ISP firewall stops that. Any way I can get squid to simply act as a local caching proxy, getting non-locally stored stuff from a single parent proxy without downloading the digest almost continuously? Has anyone else seen this digest info continuously flowing? I am assuming that the problem is mine as I have another box running Squid 2.2.STABLE6 and it works fine. Thanks for any help. David...
[squid-users] Re: [PATCH] fix transparent caching when squid listens on non-80 port
On Thu, 13 Jan 2005, Denis Vlasenko wrote: Your patch is about "httpd_accel_port 0 did not work unless httpd_accel_host virtual was also specified" but I do have that specified! My patch is for slightly different bug. I will try to explain. Ok. You have convinced me. Please file a bug report at http://www.squid-cache.org/bugs/, and if you can please also make a patch relative to the current nightly snapshots (which include the other patch), if not attach your 2.5.STABLE7 patch to the bug report. This way I will remember to look into this before 2.5.STABLE8 is released. Regards Henrik
Re: [squid-users] Re: yet another squid_ldap_auth question when connecting to AD
Henrik Nordstrom wrote: On Fri, 14 Jan 2005, Oliver Hookins wrote: It was a copy and paste job, but I thought I changed the text in squid_ldap_group from 'password' to 'group'... oh well. Care to make a second attempt? (yes, I am lazy) Regards Henrik I think you're just afraid of writing documentation! Anyway here are the revised patches. I added a bit more information that I forgot about yesterday. Regards, Oliver --- squid_ldap_auth.8.orig 2004-07-18 01:00:12.0 +1000 +++ squid_ldap_auth.8 2005-01-14 10:49:44.0 +1100 @@ -1,4 +1,4 @@ -.TH squid_ldap_auth 8 "17 July 2004" "Squid LDAP Auth" +.TH squid_ldap_auth 8 "14 January 2005" "Squid LDAP Auth" . .SH NAME squid_ldap_auth - Squid LDAP authentication helper @@ -13,6 +13,16 @@ squid_ldap_auth - Squid LDAP authenticat .SH DESCRIPTION This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication. +LDAP options are specified as parameters on the command line, +while the username(s) and password(s) to be checked against the +LDAP directory are specified on subsequent lines of input to the +helper, one username/password pair per line separated by a space. +.P +As expected by the external_acl construct of Squid, after +specifying a username and password followed by a new line, this +helper will produce either OK or ERR on the following line +to show if the specified credentials are correct according to +the LDAP directory. .P The program has two major modes of operation. In the default mode of operation the users DN is constructed using the base DN and --- squid_ldap_group.8.orig 2004-07-18 01:00:12.0 +1000 +++ squid_ldap_group.8 2005-01-14 10:48:47.0 +1100 @@ -1,4 +1,4 @@ -.TH squid_ldap_group 8 "17 July 2004" "Squid LDAP Group" +.TH squid_ldap_group 8 "14 January 2005" "Squid LDAP Group" . .SH NAME squid_ldap_group - Squid LDAP external acl group helper 
@@ -9,6 +9,15 @@ squid_ldap_group -b "base DN" -f "LDAP s .SH DESCRIPTION This helper allows Squid to connect to a LDAP directory to authorize users via LDAP groups. +LDAP options are specified as parameters on the command line, +while the username(s) and group(s) to be checked against the +LDAP directory are specified on subsequent lines of input to the +helper, one username/group pair per line separated by a space. +.P +As expected by the external_acl construct of Squid, after +specifying a username and group followed by a new line, this +helper will produce either OK or ERR on the following line +to show if the user is a member of the specified group. .P The program operates by searching with a search filter based on the users user name and requested group, and if a match
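Review bot: In the squid_ldap_auth.8 hunk (@@ -13,6 +13,16), the added paragraph says the OK/ERR reply is "expected by the external_acl construct of Squid", but the unchanged context line directly above describes this helper as validating the user name and password of Basic HTTP authentication; the sentence looks carried over from squid_ldap_group.8 and should refer to the basic authentication helper interface (auth_param) instead. Both added paragraphs also say the pair is "separated by a space" without stating how a user name, password or group that itself contains a space has to be written on the input line; one sentence on that would make the input format unambiguous.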
Re: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
On Thu, 13 Jan 2005, Joachim JS. Schuster wrote: I mean I found the error. I installed a squid 2.5.Stable6 Version and it just works. The squid version 2.5.Stable7 doesn't work. The squid_ldap_group file from stable 2.7 is bigger. Here is a difference. There are two related patches in the 2.5.STABLE7 release: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-basic_auth_caseinsensitive http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ldap_helpers The first is quite self explanatory.. The second changes some of the code in both squid_ldap_auth and squid_ldap_group mainly to work better with different LDAP servers having restrictions on how one may login to their directory services... If you can detail what problem you are seeing, and what exact auth_param and external_acl_type parameters you are using then maybe your problem can be better understood. Regards Henrik
Re: [squid-users] Re: yet another squid_ldap_auth question when connecting to AD
On Fri, 14 Jan 2005, Oliver Hookins wrote: It was a copy and paste job, but I thought I changed the text in squid_ldap_group from 'password' to 'group'... oh well. Care to make a second attempt? (yes, I am lazy) Regards Henrik
Re: [squid-users] Re: yet another squid_ldap_auth question when connecting to AD
Henrik Nordstrom wrote: > On Thu, 13 Jan 2005, Oliver Hookins wrote: > >> OK here they are, both squid_ldap_auth.8 and squid_ldap_group.8. I >> haven't ever submitted a patch before so hopefully I got the diff >> options right. > > > The patch format looked good. No problem with the diff options. > > However, the squid_ldap_group text is not correct. The squid_ldap_group > helper checks group memberships (one or more groups), not passwords... It was a copy and paste job, but I thought I changed the text in squid_ldap_group from 'password' to 'group'... oh well. Regards, Oliver
Re: [squid-users] MSNTAuth
BusyBoy wrote: Hello, I have the Cache System in a domain of Windows Workstations: My Current configuration is like this: I have three groups to give them internet access accordingly: 1: some are totally blocked to internet ( except local intranet sites) 2: around 100 IP's are allowed for all internet except Hotmail.com,mail.yahoo.com and MSN Messenger: 3: around 50 IP's are those who are totally allowed to every internet entity. and all this is working fine as far as the IPs are concerned. before this I had configured ISA server for Active Directory User based permissions and It went quite happily but due to some reason (Fortunately we moved to Squid) now when I have installed Squid and I am doing with it fine w.r.t IP, I have seen that there is a patch for squid called " MSNTAuth"... Can someone guide me if there is anything with MSNTAuth patch to do with Active Directory Users, so that I can configure it to authenticate current user from Primary Domain Controller and the proxy/cache remain transparent to user. One thing more that if it is done successfully, will the user have to put username/password everytime to verify access information? You don't need any patches for Squid 2.5, it's all built in. As far as actually interfacing with the Active Directory, you can either use the LDAP helpers (squid_ldap_auth and squid_ldap_group) or Samba 3.0 and Winbind. There is information in the FAQ. If you don't want the users to be prompted for logon information, it can be gathered using NTLM authentication. This grabs the logon details straight from Internet Explorer, but I've heard it may be prone to failure. There should be plenty of information in the FAQ and list archives (since I've just been through this mess). Regards, Oliver
RE: [squid-users] X-Squid-Error: ERR_DNS_FAIL
> -Original Message- > From: yomama [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 13, 2005 12:08 PM > To: squid-users@squid-cache.org > Subject: [squid-users] X-Squid-Error: ERR_DNS_FAIL > > > > Get this error when trying to reach this site thru squid: > https://www.totallyfreebanking.com/ > > It works fine direct. > Any ideas how to make it work thru squid? Check what dns servers squid is using (squidclient cache_object://localhost/idns), and try to resolve the host there. Do you have problems with other sites? Chris
RE: [squid-users] least resource intensive log analyzer
> -Original Message- > From: joe z [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 13, 2005 10:46 AM > To: squid-users@squid-cache.org > Subject: [squid-users] least resource intensive log analyzer > > > hello all, > > i have a proxy setup running transparently with squid, squidguard, and > privoxy. i am looking to setup a web page accessible via a browser that > lists top 15 websites visited, host html activity, and by clicking on the > name of the site in the top visited a list of which hosts were active on > that site. i want the default to be for the last twelve hours but the option > (via dropdown? with last day, last two days, last week) to view more > history. i looked around and found some log analyzers. i am more of an > engineer than programmer/web designer (i can do the basics and figure out > what i need to) and am hoping someone who knows this stuff can point me to > what is the fastest, least resource intensive solution to this. i also want > to be able to plug these graphs into a custom webpage. > > thanks in advance, > zack I don't know of a single squid log analyzer that works on live data. All of the ones that I have seen parse old logs. Aside from that fact, Calamaris (http://cord.de/tools/squid/calamaris/) is capable of making a lot of the graphs you are looking for (top 15 sites, host activity (though I don't know if it will do host activity only for a specific site)), and the current beta is capable of making pretty graphs which you can plug into a custom page. *shrug* Chris
[squid-users] X-Squid-Error: ERR_DNS_FAIL
Get this error when trying to reach this site thru squid: https://www.totallyfreebanking.com/ It works fine direct. Any ideas how to make it work thru squid?
[squid-users] least resource intensive log analyzer
hello all, i have a proxy setup running transparently with squid, squidguard, and privoxy. i am looking to setup a web page accessible via a browser that lists top 15 websites visited, host html activity, and by clicking on the name of the site in the top visited a list of which hosts were active on that site. i want the default to be for the last twelve hours but the option (via dropdown? with last day, last two days, last week) to view more history. i looked around and found some log analyzers. i am more of an engineer than programmer/web designer (i can do the basics and figure out what i need to) and am hoping someone who knows this stuff can point me to what is the fastest, least resource intensive solution to this. i also want to be able to plug these graphs into a custom webpage. thanks in advance, zack
[squid-users] Re: [PATCH] fix transparent caching when squid listens on non-80 port
On Thursday 13 January 2005 18:15, Henrik Nordstrom wrote: > > On Thu, 13 Jan 2005, Denis Vlasenko wrote: > > > Squid uses destination port of incoming request > > in order to determine dst port for it's own request > > if vport is used. This is handled correctly for > > case where there is no "Host:" header in user > > request. However, if there *IS* a "Host:" header > > without explicit :port spec, squid does not check > > whether port was translated by NAT before reaching > > squid. > > > > This will work if your squid listens on port 80, but > > in my case, it was on 9080, causing all requests to go > > to port 9080 too on origin servers 8( > > According to my notes this was fixed quite some time ago: > > http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-httpd_accel_vport Your patch is about "httpd_accel_port 0 did not work unless httpd_accel_host virtual was also specified" but I do have that specified! My patch is for slightly different bug. I will try to explain. 
Your patch: Index: squid/src/client_side.c diff -c squid/src/client_side.c:1.561.2.64 squid/src/client_side.c:1.561.2.65 *** squid/src/client_side.c:1.561.2.64 Tue Dec 7 16:57:25 2004 --- squid/src/client_side.c Tue Dec 7 17:44:01 2004 *** *** 2872,2877 --- 2872,2886 vport, url); #endif debug(33, 5) ("VHOST REWRITE: '%s'\n", http->uri); + } else if (vport_mode) { + int vport; + const char *protocol_name = "http"; + vport = (int) ntohs(http->conn->me.sin_port); + url_sz = strlen(url) + 32 + Config.appendDomainLen + + strlen(Config.Accel.host); + http->uri = xcalloc(url_sz, 1); + snprintf(http->uri, url_sz, "%s://%s:%d%s", + protocol_name, Config.Accel.host, vport, url); } else { url_sz = strlen(Config2.Accel.prefix) + strlen(url) + Config.appendDomainLen + 1; it is to be applied to this place: #else #if LINUX_NETFILTER /* If the call fails the address structure will be unchanged */ getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz); debug(33, 5) ("parseHttpRequest: addr = %s", inet_ntoa(conn->me.sin_addr)); if (vport_mode) vport = (int) ntohs(http->conn->me.sin_port); #endif snprintf(http->uri, url_sz, "http://%s:%d%s";, inet_ntoa(http->conn->me.sin_addr), vport, url); #endif debug(33, 5) ("VHOST REWRITE: '%s'\n", http->uri); } else { url_sz = strlen(Config2.Accel.prefix) + strlen(url) + Config.appendDomainLen + 1; http->uri = xcalloc(url_sz, 1); snprintf(http->uri, url_sz, "%s%s", Config2.Accel.prefix, url); } http->flags.accel = 1; So, vport = (int) ntohs(http->conn->me.sin_port); line in your patch is outside of #if LINUX_NETFILTER and thus have no chance in hell to extract correct dst port in my case when squid listens on NATed port: this is my xparent proxy box: ---> :8080 \ ---> :3128 -> NATed to port 9080 --> squid -> internet ---> :80 / HTTP requests which go to port 8080 get NATed to 9080, accepted by squid, and if there is "Host:" header which does not have :8080 spec - guess what? squid sends request to origin server's port 9080 (!) 
because it believes user's request was to port 9080. squid should ask NAT machinery about "original", untranslated dst port and send request to it instead. My patch does exactly that. Please apply. -- vda
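The port choice described in the message above, as an added Python example; it is not Squid's code and not part of either patch. The function names are hypothetical, the sockaddr bytes are constructed, and treating an explicit port in the Host: header as authoritative is an assumption.

```python
import socket
import struct

# Value of SO_ORIGINAL_DST in <linux/netfilter_ipv4.h>; Python's socket
# module does not export it.
SO_ORIGINAL_DST = 80
SOL_IP = getattr(socket, "SOL_IP", 0)


def parse_sockaddr_in(raw):
    """Decode a C struct sockaddr_in into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)  # host byte order
    (port,) = struct.unpack_from("!H", raw, 2)    # network byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(sock):
    """Pre-NAT destination of an accepted TCP connection (Linux netfilter).

    Returns None when the lookup fails, so the caller can tell a real
    answer from "fall back to the listening port".
    """
    try:
        return parse_sockaddr_in(sock.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
    except (OSError, ValueError):
        return None


def split_host_header(value):
    """Return (host, port or None) for a Host: header value."""
    value = value.strip()
    if value.startswith("["):  # IPv6 literal such as [2001:db8::1]:8080
        host, _, rest = value.partition("]")
        host += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host, (int(port) if port.isdigit() else None)


def build_upstream_url(host_header, path, listen_port, orig_dst=None):
    """Build the origin URL for an intercepted request.

    Without orig_dst the listening port leaks into the URL, which is the
    behaviour the message reports (requests sent to origin port 9080).
    """
    host, port = split_host_header(host_header)
    if port is None:
        port = orig_dst[1] if orig_dst else listen_port
    return "http://%s:%d%s" % (host, port, path)


# Constructed sample: the sockaddr_in the kernel would return for a client
# that connected to 192.0.2.10:8080 before being redirected to port 9080.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 8080)
                   + socket.inet_aton("192.0.2.10") + b"\x00" * 8)

if __name__ == "__main__":
    dst = parse_sockaddr_in(SAMPLE_SOCKADDR)
    print(build_upstream_url("www.example.com", "/", 9080))       # port 9080
    print(build_upstream_url("www.example.com", "/", 9080, dst))  # port 8080
```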
RE: [squid-users] Authentication Problems
> -Original Message- > From: Hement Gopal [mailto:[EMAIL PROTECTED] > Sent: Thursday, January 13, 2005 12:06 AM > To: squid > Subject: [squid-users] Authentication Problems > > > Hi all > > I have two proxy servers, both running the same OS and Squid > > Squid Cache: Version 2.5.STABLE5 > Linux athena.wits.ac.za 2.4.20-8smp > Linux version 2.4.20-8smp ([EMAIL PROTECTED]) (gcc > version 3.2.2 > 20030222 (Red Hat Linux 3.2.2-5)) #1 SMP Thu Mar 13 17:45:54 EST 2003 > > > On server 1, user authentication seems to be giving problems. A small > percentage of users complain that their username and password > combinations do not work. If I test from Netscape and IE with their > user/pass combos I also have issues. When I test on the server 1 itself > using the ncsa-auth command, I get an OK so I know the problem is not > with my password file. > > Comparing password files on the two servers also confirms that there are > no problems. If I change my browser to point to server 2, authentication > works fine so I'm pretty sure problem is related to the server 1 only. > > I also noticed that when I do a squid -k reconfig on server 1, the > problem disappears. > > Any ideas folks? > > Rgds, > Hement Gopal If I'm reading this right, you are saying that when you initially start squid on server 1, it has problems with some users' authentication, but after you run a reconfig everything works just fine. If this is the case, I would venture a guess that you might have two different squid.conf files. One is read on startup (specified by /etc/rc.d/init.d/squid) and one is read when you run the squid -k reconfig (specified by how you compiled squid). But this is just a guess, based on interpretation... Chris
RE: [squid-users] Issue with squid-2.5STABLE7
> -Original Message- > From: Deepa D [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 12, 2005 7:46 PM > To: Elsen Marc; squid-users@squid-cache.org > Subject: RE: [squid-users] Issue with squid-2.5STABLE7 > > > Hi, > Thanks for the response. > When running squid in strace then was displaying -1, > EAGAIN(Resource temporarily unavailable). Also, > another command called host that I think uses the same > DNS server(/etc/resolv.conf on linux) was resolving > the urls correctly. > When we reverted back to squid2.5.STABLE5, the > problem got resolved though. > Kindly let me know what the problem could have been. > Regards and TIA, > Deepa > Are you using the same squid.conf for both versions? Are you using a separate cache_dns_program (i.e. did you compile with "--disable-internal-dns")? What is your dns_timeout set to? Squid 2.5.STABLE7 is working fine for me (and I'm sure many others) so I'd have to presume it's not a *known* bug... Chris
RE: [squid-users] Bad request when access a website.
> -Original Message- > From: Niti Lohwithee [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 12, 2005 5:33 PM > To: Henrik Nordstrom > Cc: Squid Users > Subject: RE: [squid-users] Bad request when access a website. > > > > > On Fri, 7 Jan 2005, Niti Lohwithee wrote: > >>> I see only TCP_NEGATIVE_HIT from access.log(using " grep thaiair >> >access.log ") when I request to www.thaiair.com website. > >>What is your negative_ttl set to? > >>The default is only 5 minutes. > > > I'm sorry for late reply. After I changed to negative_ttl to 10 and 15 > min. It display message in the same as below > > 172.30.xx.xx - nitil [13/Jan/2005:08:59:46 +0700] "GET > http://www.thaiair.com/ HTTP/1.1" 400 403 TCP_NEGATIVE_HIT:NONE > > Please advise > > Regards and Thanks > Niti : ) The negative_ttl option specifies how long squid will cache a non-reachable response to a page. In other words, increasing the value of negative_ttl will decrease the frequency with which Squid will recheck if the page is available. You need to find the original TCP_MISS entry in your access.log to find the root cause of the problem. Chris
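One way to do the lookup Chris describes, as an added Python example that is not from the thread: for every TCP_NEGATIVE_HIT it reports the last earlier entry for the same URL that was not a negative hit, and how old that entry was, for comparison with negative_ttl. The log layout follows the line quoted above; the sample lines, addresses and function names are constructed.

```python
import re
from datetime import datetime

# Layout of the access.log line quoted in the message:
# client ident user [timestamp] "METHOD URL PROTO" status bytes CODE:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<code>[A-Z_]+):(?P<hier>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def trace_negative_hits(lines):
    """Pair each TCP_NEGATIVE_HIT with the fetch that put the error in the cache.

    origin is None when the fetch is not in the lines given, for example
    because it happened before the log was rotated.
    """
    last_fetch = {}   # (method, url) -> most recent entry that was not a negative hit
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["method"], entry["url"])
        if entry["code"] == "TCP_NEGATIVE_HIT":
            origin = last_fetch.get(key)
            age = None
            if origin is not None:
                age = (entry["time"] - origin["time"]).total_seconds()
            findings.append({
                "url": entry["url"],
                "status": entry["status"],
                "origin": origin,
                "age_seconds": age,
            })
        else:
            last_fetch[key] = entry
    return findings


# Constructed sample log (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.15 - alice [13/Jan/2005:08:55:10 +0700] "GET http://www.example.com/ HTTP/1.1" 400 403 TCP_MISS:DIRECT',
    '192.0.2.15 - alice [13/Jan/2005:08:56:02 +0700] "GET http://www.example.org/a.gif HTTP/1.1" 200 1820 TCP_HIT:NONE',
    '192.0.2.15 - alice [13/Jan/2005:08:59:46 +0700] "GET http://www.example.com/ HTTP/1.1" 400 403 TCP_NEGATIVE_HIT:NONE',
    '192.0.2.22 - bob [13/Jan/2005:09:01:00 +0700] "GET http://www.example.net/x HTTP/1.1" 404 310 TCP_NEGATIVE_HIT:NONE',
]

if __name__ == "__main__":
    for f in trace_negative_hits(SAMPLE_LOG):
        o = f["origin"]
        if o is None:
            print("%s: origin fetch not in this log" % f["url"])
        else:
            print("%s: cached from %s:%s (HTTP %d) %d s earlier"
                  % (f["url"], o["code"], o["hier"], o["status"], f["age_seconds"]))
```

The origin entry's hierarchy field (DIRECT or a parent) shows which path returned the error that Squid is now replaying.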
[squid-users] Re: [PATCH] fix transparent caching when squid listens on non-80 port
On Thu, 13 Jan 2005, Denis Vlasenko wrote: Squid uses destination port of incoming request in order to determine dst port for it's own request if vport is used. This is handled correctly for case where there is no "Host:" header in user request. However, if there *IS* a "Host:" header without explicit :port spec, squid does not check whether port was translated by NAT before reaching squid. This will work if your squid listens on port 80, but in my case, it was on 9080, causing all requests to go to port 9080 too on origin servers 8( According to my notes this was fixed quite some time ago: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-httpd_accel_vport Regards Henrik
[squid-users] Video caching
Hi all fellows, Since squid is running fine I set 10Gigas of cache size that stores approximately 12 days of browsing from the 20 clients with 712 Mb cache_mem. Now. How can I set video players cache? I mean. Windows media player. QuickTime RTSP RealPlayer PNA RTSP Windows Media Player MMS Regards, Daniel Navarro Maracay, Venezuela. www.csaragua.com/ecodiver
Re: [squid-users] SHIRAZ-how to cache all exe 10MB files for atleast 30 days...
On Wed, 12 Jan 2005, Shiraz Gul Khan wrote: please tell me what and where i add or edit command in squid.conf to "keep all downloaded files which is under 10MB and all .exe files in cache for at least 30 days" You can't, but you can be a lot smarter. For the first part see the maximum_object_size directive. For the second part see the refresh_pattern directive, but beware that all .exe requests are not downloads (a lot are CGI requests on Windows servers). Regards Henrik
Re: [squid-users] Two questions about the cachemgr in Squid 2.5.STABLE7
On Wed, 12 Jan 2005 [EMAIL PROTECTED] wrote: 1. What does the "unlink" count in the DISKD stats section of the cachemgr mean? Does that indicate the number of cache objects that have been deleted from the cache? Yes. 2. Also, I'm still populating my cache. It's about 14% used and I'm wondering when Squid will start purging items from the cache, now that I'm using GDSF vs LRU. Will Squid purge items from the cache even though it's not near the cache_swap_low threshold? Objects get purged from the cache due to a number of reasons - Object replaced by a newer version of the same URL - Object expired and deleted by the removal policy due to this, despite there still being free space available. - Removal policy throws objects out to make space for new ones when low on space. Regards Henrik
[squid-users] [PATCH] fix transparent caching when squid listens on non-80 port
Squid uses destination port of incoming request in order to determine dst port for it's own request if vport is used. This is handled correctly for case where there is no "Host:" header in user request. However, if there *IS* a "Host:" header without explicit :port spec, squid does not check whether port was translated by NAT before reaching squid. This will work if your squid listens on port 80, but in my case, it was on 9080, causing all requests to go to port 9080 too on origin servers 8( Patch fixes this. Fix for LINUX_NETFILTER only, sorry. Patch also fixes missing "\n" in debug print and optimizes "http->conn" into "conn" because they are equal throughout affected function. Patch developed and tested on STABLE1, rediffed to STABLE7. -- vda--- squid-2.5.STABLE7/src/client_side.c.orig Wed Oct 6 01:34:42 2004 +++ squid-2.5.STABLE7/src/client_side.c Thu Jan 13 16:04:41 2005 @@ -2717,8 +2717,13 @@ int vport; char *q; const char *protocol_name = "http"; - if (vport_mode) - vport = (int) ntohs(http->conn->me.sin_port); + if (vport_mode) { +#if LINUX_NETFILTER + /* If the call fails the address structure will be unchanged */ + getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz); +#endif + vport = (int) ntohs(conn->me.sin_port); + } else vport = (int) Config.Accel.port; /* If a Host: header was specified, use it to build the URL @@ -2741,9 +2746,9 @@ http->uri = xcalloc(url_sz, 1); #if SSL_FORWARDING_NOT_YET_DONE - if (Config.Sockaddr.https->s.sin_port == http->conn->me.sin_port) { + if (Config.Sockaddr.https->s.sin_port == conn->me.sin_port) { protocol_name = "https"; - vport = ntohs(http->conn->me.sin_port); + vport = ntohs(conn->me.sin_port); } #endif snprintf(http->uri, url_sz, "%s://%s:%d%s", 
@@ -2754,14 +2759,14 @@ url_sz = strlen(url) + 32 + Config.appendDomainLen; http->uri = xcalloc(url_sz, 1); if (vport_mode) - vport = (int) ntohs(http->conn->me.sin_port); + vport = (int) ntohs(conn->me.sin_port); else vport = (int) Config.Accel.port; #if IPF_TRANSPARENT - natLookup.nl_inport = http->conn->me.sin_port; - natLookup.nl_outport = http->conn->peer.sin_port; - natLookup.nl_inip = http->conn->me.sin_addr; - natLookup.nl_outip = http->conn->peer.sin_addr; + natLookup.nl_inport = conn->me.sin_port; + natLookup.nl_outport = conn->peer.sin_port; + natLookup.nl_inip = conn->me.sin_addr; + natLookup.nl_outip = conn->peer.sin_addr; natLookup.nl_flags = IPN_TCP; if (natfd < 0) { int save_errno; @@ -2805,7 +2810,7 @@ return parseHttpRequestAbort(conn, "error:nat-lookup-failed"); } else snprintf(http->uri, url_sz, "http://%s:%d%s";, - inet_ntoa(http->conn->me.sin_addr), + inet_ntoa(conn->me.sin_addr), vport, url); } else { if (vport_mode) @@ -2823,10 +2828,10 @@ return parseHttpRequestAbort(conn, "error:pf-open-failed"); } memset(&nl, 0, sizeof(struct pfioc_natlook)); - nl.saddr.v4.s_addr = http->conn->peer.sin_addr.s_addr; - nl.sport = http->conn->peer.sin_port; - nl.daddr.v4.s_addr = http->conn->me.sin_addr.s_addr; - nl.dport = http->conn->me.sin_port; + nl.saddr.v4.s_addr = conn->peer.sin_addr.s_addr; + nl.sport = conn->peer.sin_port; + nl.daddr.v4.s_addr = conn->me.sin_addr.s_addr; + nl.dport = conn->me.sin_port; nl.af = AF_INET; nl.proto = IPPROTO_TCP; nl.direction = PF_OUT; @@ -2838,7 +2843,7 @@ return parseHttpRequestAbort(conn, "error:pf-lookup-failed"); } else snprintf(http->uri, url_sz, "http://%s:%d%s";, - inet_ntoa(http->conn->me.sin_addr), + inet_ntoa(conn->me.sin_addr), vport, url); } else snprintf(http->uri, url_sz, "http://%s:%d%s";, 
@@ -2848,12 +2853,12 @@ #if LINUX_NETFILTER /* If the call fails the address structure will be unchanged */ getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz); - debug(33, 5) ("parseHttpRequest: addr = %s", inet_ntoa(conn->me.sin_addr)); + debug(33, 5) ("parseHttpRequest: addr = %s\n", inet_ntoa(conn->me.sin_addr)); if (vport_mode) - vport = (int) ntohs(http->conn->me.sin_port); + vport = (int) ntohs(conn->me.sin_port); #endif snprintf(http->uri, url_sz, "http://%s:%d%s";, - inet_ntoa(http->conn->me.sin_addr), + inet_ntoa(conn->me.sin_addr), vport, url); #endif debug(33, 5) ("VHOST REWRITE: '%s'\n", http->uri);
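Review bot: In the first hunk (@@ -2717,8 +2717,13), the new getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz) call discards its return value, and neither the declaration of sock_sz nor its initialisation to the size of conn->me is visible at this point in the function; the only other use shown is the existing call in the @@ -2848 hunk. Please confirm sock_sz is in scope and set before this call, and check the result so that a failed lookup is at least reported through debug() instead of silently leaving the listening port in vport. The same SO_ORIGINAL_DST lookup now appears in two places in the function; doing it once before the branches would keep them from drifting apart. The http->conn to conn substitutions and the added "\n" in the debug line are unrelated to the port fix and would be easier to review as a separate patch.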
RE: [squid-users] Squid Cache
On Thu, 2005-01-13 at 14:53 +0200, Raphael Maseko wrote: > The best way is to ensure that your squid.conf has been set up correctly > using the cache_dir ufs tag. Let the size be at least 80% Maybe you meant "at most"? > of the total partition used for the cache. -- Kinkie <[EMAIL PROTECTED]>
RE: [squid-users] squid error
> > I've installed a SuSE 9.1, but the squid doesn't work. > When I start it (from runlevel editor in yast or with rcsquid start) > it sends the following error: > > +Starting WWW-proxy squid > (/var/cache/squid)/usr/sbin/rcsquid: line 135: > > 13915 Aborted $SQUID_BIN -z -F >/dev/null 2>&1 > > > - Could not create cache_dir ! > > failed > > > > > > I've controlled the permissions of the folders /var/log/squid and > > /var/cache/squid that are the same of others 9.1 installations I've > > done, I've tried to delete those folders (created during the > > installation) but it can't recreate them. > > I've also tried to install squid 3 beta, same problem... > > > - Check out the user (and group) Squid is intended to run as in squid.conf. Check whether this user has appropriate access w.r.t. the cache directories. M.
[squid-users] squid error
I've installed a SuSE 9.1, but the squid doesn't work.
When I start it (from runlevel editor in yast or with rcsquid start) it sends the following error:

+Starting WWW-proxy squid
(/var/cache/squid)/usr/sbin/rcsquid: line 135:
13915 Aborted $SQUID_BIN -z -F >/dev/null 2>&1
- Could not create cache_dir !
failed

I've controlled the permissions of the folders /var/log/squid and /var/cache/squid that are the same of others 9.1 installations I've done, I've tried to delete those folders (created during the installation) but it can't recreate them.
I've also tried to install squid 3 beta, same problem...

Any help?

Thanks,
Davide
Re: [squid-users] Squid Cache
Khalid,

The cache size is defined by the cache_dir on your file squid.conf. The default configuration is:

    #cache_dir ufs /usr/local/squid/var/cache 5600 16 256

That means: Your cache is located at /usr/local/squid/var/cache and will have a maximum size of 5.600 MB (5,6 GB).

You'll find the disk usage of your cache directory issuing a

    du -sb /usr/local/squid/var/cache

(maybe it will take a time to run)

If you want a complete wipe of your cache directory, I first *STOP* squid, ensure that your cache is stopped issuing a ps ax|grep squid, then:

    rm -rf /usr/local/squid/var/cache
    mkdir /usr/local/squid/var/cache
    chown squid_process_owner /usr/local/squid/var/cache
    /usr/local/squid/sbin/squid -z

Then, run your cache normally.

Please notice, as Elsen stated, Squid normally ages and deletes the objects on the cache, to keep the cache size within the one specified in squid.conf. So, under typical ops, you have no need to erase your cache dir.

Good luck,
Rodrigo.

---
Rodrigo A B Freire
http://www.pt2rod.qsl.br/
Brasilia - DF
.--. - ..--- .-. --- -..

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Thursday, January 13, 2005 10:48 AM
Subject: [squid-users] Squid Cache

Hi,

I am new to squid, how do I know if the cache has reached its limit and where do I delete it.
RE: [squid-users] Squid Cache
The best way is to ensure that your squid.conf has been set up correctly using the cache_dir ufs tag. Let the size be at least 80% of the total partition used for the cache. Squid will purge old entries accordingly without you having to manually delete the cache directories.

Ralph

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 13, 2005 2:48 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid Cache

Hi,

I am new to squid, how do I know if the cache has reached its limit and where do I delete it.

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.302 / Virus Database: 265.6.11 - Release Date: 1/12/2005
RE: [squid-users] Squid Cache
> Hi,
>
> I am new to squid, how do I know if the cache has reached
> its limit and
> where do I delete it.

Check cachemgr -> Store Directory Stats.
SQUID will automatically maintain (and trim if needed) the specified cache dirs (& sizes). You do not need to intervene.

M.
[squid-users] Squid Cache
Hi,

I am new to squid, how do I know if the cache has reached its limit and where do I delete it.
RE: [squid-users] auth popup is not comming
> Hi,
> I am running the squid in the transparent mode. While I am browsing a
> secured site it should give a popup window for giving the user name and
> passwd, but if I browse this site through squid the popup window is
> not coming and I am getting a 401 error.
>
> If I request this site without squid I am getting the popup window.
>
> What configuration should I change in the squid to get the
> popup window?

Does it work when the browser is set to use SQUID directly (through proxy settings)?

M.
Re: [squid-users] Authentication Problems
On Thu, 13 Jan 2005, Hement Gopal wrote:

> On server 1, user authentication seems to be giving problems. A small
> percentage of users complain that their username and password combinations
> do not work. If I test from Netscape and IE with their user/pass combos I
> also have issues. When I test on the server 1 itself using the ncsa-auth
> command, I get an OK so I know the problem is not with my password file.

Make sure you use ncsa_auth from Squid-2.5 and not an older version..

Regards
Henrik
AW: AW: AW: [squid-users] authentication problem with squid_ldap_group
Hi Yong,

I mean I found the error. I installed a squid 2.5.Stable6 version and it just works. The squid version 2.5.Stable7 doesn't work. The squid_ldap_group file from stable 2.7 is bigger. Here is a difference. Or is this a compiling problem? I compile with ./configure --prefix=/usr/local/squid . Is this correct?

Regards
Joachim

-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 January 2005 08:00
To: Joachim JS. Schuster
Subject: Re: AW: AW: [squid-users] authentication problem with squid_ldap_group

Hi Joachim,

I am using squid-2.5.STABLE5-2, comes with FC2. Actually for your case, is it when you do it from command prompt, it's ok but from browser it cannot pass through? I had a case before when I got OK from terminal but on browser it cannot go through. It just kept reprompting for username and password from the browser. Then I changed the %u -> %v and %g -> %a and worked.

regards
Yong

Joachim JS. Schuster wrote:

>Hi Yong,
>What squid version do you use ?
>
>regards
>
>Joachim
>
>-Original Message-
>From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
>Sent: Thursday, 13 January 2005 01:27
>To: Joachim JS. Schuster
>Subject: Re: AW: [squid-users] authentication problem with squid_ldap_group
>
>Hi Joachim,
>
> This is my acl which works. Maybe you can copy exactly mine,
>especially the order of the http_access part. And see if it works.
>
>acl all src 0.0.0.0/0.0.0.0
>acl manager proto cache_object
>acl localhost src 127.0.0.1/255.255.255.255
>acl to_localhost dst 127.0.0.0/8
>acl SSL_ports port 443 563
>acl Safe_ports port 80 # http
>acl Safe_ports port 21 # ftp
>acl Safe_ports port 443 563 # https, snews
>acl Safe_ports port 70 # gopher
>acl Safe_ports port 210 # wais
>acl Safe_ports port 1025-65535 # unregistered ports
>acl Safe_ports port 280 # http-mgmt
>acl Safe_ports port 488 # gss-http
>acl Safe_ports port 591 # filemaker
>acl Safe_ports port 777 # multiling http
>acl CONNECT method CONNECT
>acl ldap_group-admin external ldap_group admin
>
>http_access allow manager localhost
>http_access allow manager
>http_access allow ldap_group-admin
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>http_access allow localhost
>http_access deny all
>
>Regards
>Yong
>
>Joachim JS. Schuster wrote:
>
>>Hi,
>>Please have a look on the lines below:
>>
>>acl all src 0.0.0.0/0.0.0.0
>>acl manager proto cache_object
>>acl localhost src 127.0.0.1/255.255.255.255
>>acl to_localhost dst 127.0.0.0/8
>>acl SSL_ports port 443 563
>>acl Safe_ports port 80
>>acl Safe_ports port 21
>>acl Safe_ports port 443 563
>>acl Safe_ports port 70
>>acl Safe_ports port 210
>>acl Safe_ports port 1025-65535
>>acl Safe_ports port 280
>>acl Safe_ports port 488
>>acl Safe_ports port 591
>>acl Safe_ports port 777
>>acl CONNECT method CONNECT
>>acl ldapproxygroup external ldapgroup webaccess
>>
>>http_access allow manager localhost
>>http_access deny manager
>>http_access deny !Safe_ports
>>http_access deny CONNECT !SSL_ports
>>http_access allow ldapproxygroup
>>http_access deny all
>>
>>Regards
>>
>>Joachim
>>
>>-Original Message-
>>From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, 12 January 2005 02:29
>>To: Joachim JS. Schuster
>>Subject: Re: [squid-users] authentication problem with
>>squid_ldap_group
>>
>>Hi Joachim,
>>
>> Can you post your acl list and http_access?
>>Maybe we can spot some mistakes from your acl and http_access.
>>
>>Joachim JS. Schuster wrote:
>>
>>>Dear squid users,
>>>I need help about my authentication problem with squid_ldap_group.
>>>
>>>first i create a entry for squid_ldap_auth. i can login and i have
>>>web access and it works fine.
>>>
>>>auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b
>>>"dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998
>>>-f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1 acl
>>>USERS proxy_auth REQUIRED
>>>
>>>http_access allow USERS
>>>
>>>in the next step i create this lines for my ldap group access.
>>>
>>>external_acl_type ldapgroup concurrency=15 %LOGIN
>>>/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f
>>>"(&(cn=%g)(member=%u))" -F
>>>"(&(sAMAccountName=%s)(objectClass=Person))"
>>>-D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>>
>>>acl ldapproxygroup external ldapgroup webaccess
>>>
>>>http_access allow ldapproxygroup
>>>
>>>i can login but i have no webaccess. i see the 407 error access
>>>denied in squid conf.
>>>
>>>when i execute
>>>
>>>heins:~ # /usr/sbin/squid_ldap_group -P -R -b
>>>"ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F
>>>"(&(sAMAccountName=%s)(objectClass=Person))" -D
>>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1 cwm
>>>webaccess OK
>>>
>>>i get ok but the user cwm can´t use the proxy.
>>
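An added example, not part of any post in this thread: the two http_access lists quoted above run through Squid's first-match evaluation, to show what the difference in rule order means for access control. The sample requests and group sets are constructed, and the ACLs are modelled as Python predicates instead of being parsed from the acl lines.

```python
# Added illustration: first-match http_access evaluation applied to the two
# rule lists quoted in the thread. Requests below are constructed samples.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}  # plus 1025-65535

ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    # External group ACLs: the helper lookup is replaced by a set of groups.
    "ldap_group-admin": lambda r: "admin" in r["groups"],
    "ldapproxygroup": lambda r: "webaccess" in r["groups"],
}

YONG_RULES = """\
http_access allow manager localhost
http_access allow manager
http_access allow ldap_group-admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

JOACHIM_RULES = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ldapproxygroup
http_access deny all
"""

def evaluate(rules, request):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    last_action = None
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, names = parts[1], parts[2:]
        last_action = action
        # ACL names on one line are ANDed; a leading "!" negates that ACL.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, " ".join(parts)
    # Nothing matched: the default is the opposite of the last rule's action.
    return ("allow" if last_action == "deny" else "deny"), "(no rule matched)"

# Constructed sample requests (address, ports and group sets are made up).
REMOTE_MGR = {"src": "10.0.0.50", "proto": "cache_object", "method": "GET",
              "port": 3128, "groups": set()}
CONNECT_25 = {"src": "10.0.0.50", "proto": "none", "method": "CONNECT",
              "port": 25, "groups": {"admin", "webaccess"}}
WEB_GET = {"src": "10.0.0.50", "proto": "http", "method": "GET",
           "port": 80, "groups": {"admin", "webaccess"}}

if __name__ == "__main__":
    for name, req in (("remote cachemgr", REMOTE_MGR),
                      ("CONNECT to port 25", CONNECT_25), ("GET port 80", WEB_GET)):
        print(name, evaluate(YONG_RULES, req), evaluate(JOACHIM_RULES, req))
```

In this model the first list admits cache manager requests from any source and lets group members through before the Safe_ports and CONNECT checks are reached, while the second keeps both restrictions ahead of the group rule.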
Re: [squid-users] trying to track down a bug
On Wed, 12 Jan 2005, Robert Borkowski wrote:

> Well, I captured a failed server request. Looks like apache finishes
> sending the object, sends a FIN to close the connection, squid acks the
> FIN, but never sends its own FIN. 16 seconds later apache sends an RST.

Please capture the full data stream with

    tcpdump -s 1600 -w capture.tcpdump

then upload the resulting capture.tcpdump to ftp://ftp.squid-cache.se/incoming/ and drop me an email.

Regards
Henrik
[squid-users] auth popup is not comming
Hi,

I am running the squid in the transparent mode. While I am browsing a secured site it should give a popup window for giving the user name and passwd, but if I browse this site through squid the popup window is not coming and I am getting a 401 error.

If I request this site without squid I am getting the popup window.

What configuration should I change in the squid to get the popup window?

Thanks and Regards
Chima
[squid-users] Delay pools
Hi all ...

I am having a problem regarding delay pools.. I have a total bandwidth of 128kbps ( cable line ). I want to divide this bandwidth for three pools:

One for class 1 pool ( 28 kbps ), second for class 2 pool ( 50 kbps ), third for class 2 pool ( 50 kbps ).

In pool 1, I have 5 members.
In pool 2, I have 10 members with 5 kbps for each member.
In pool 3, I have 25 members with 2 kbps for each user.

The delay parameters will be

    delay_parameters 1 3500/3500
    delay_parameters 2 6250/6250 625/625
    delay_parameters 3 6250/6250 250/250

This will limit the individual member not to cross their individual limit even if no one is using the bandwidth. I want that a member should be able to use the bandwidth when no one is using it. How can I achieve that ..? Can anyone help me?

Thanks in advance
Imtiyaz Ansari

--
Netcore's New Website http://www.netcore.co.in
--
[squid-users] Authentication Problems
Hi all

I have two proxy servers, both running the same OS and Squid

Squid Cache: Version 2.5.STABLE5
Linux athena.wits.ac.za 2.4.20-8smp
Linux version 2.4.20-8smp ([EMAIL PROTECTED]) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 SMP Thu Mar 13 17:45:54 EST 2003

On server 1, user authentication seems to be giving problems. A small percentage of users complain that their username and password combinations do not work. If I test from Netscape and IE with their user/pass combos I also have issues. When I test on the server 1 itself using the ncsa-auth command, I get an OK so I know the problem is not with my password file. Comparing password files on the two servers also confirms that there are no problems.

If I change my browser to point to server 2, authentication works fine so I'm pretty sure problem is related to the server 1 only.

I also noticed that when I do a squid -k reconfig on server 1, the problem disappears.

Any ideas folks?

Rgds,
Hement Gopal
Re: [squid-users] Connection reset by peer
On Thu, Jan 13, 2005 at 09:17:11AM +0100, Elsen Marc wrote:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.41
>
> (Conn reset by peer , explanation).

I should have mentioned that I had already read that while researching her problems. But unlike what the FAQ mentions, she is getting many, many requests which are getting reset.

> I never hear reports of google usage restrictions in that area.
> Your friend should also consult the FAQ ; checkout the
> 'System dependent Weirdness' section. Follow advises mentioned
> for Linux.

I read it too and did not find anything specific for this issue. Unfortunately, I do not have a big setup to test it from my side.

With warm regards,
-Payal
RE: [squid-users] Problem with ncsa_auth and squid 2.5.7
Thanks a lot. Now it works.

Cheers.

On Thu, 13-01-2005 at 09:23 +0100, Elsen Marc wrote:
> > Hello,
> >
> > I've worked with squid for 5 years.
> >
> > Squid works with ncsa_auth and manage up to 400 users;
> > some logins are written with first, second or both letter in
> > uppercase:
> > Pippo, PLuto...
> >
> > Today I upgraded Squid to version 2.5.7 (before it was 2.5.6) in my
> > Internet Server and squid doesn't
> > work any more with the users who have login with uppercase.
> >
> > I've been trying in other systems with squid 2.5.7 (both ppc and x86
> > system) and I had the same result!
> >
> > My system works on Debian 3.1 testing (i386).
> >
> > Is that a bug?
>
> Apparently :
>
> http://www.squid-cache.org/bugs/show_bug.cgi?id=431
>
> got tackled in 2.5.STABLE7 (ref ChangeLog).
>
> Maybe you need :
>
>    auth_param basic casesensitive on
>
> as mentioned in the bugzilla entry.
>
> Not sure though.
>
> M.

___
Umberto Zanatta
linuxDidattica
tel: +39 (335) 54 71 385
email: [EMAIL PROTECTED]
web: http://linuxdidattica.org
___
Re: [squid-users] Re: yet another squid_ldap_auth question when connecting to AD
On Thu, 13 Jan 2005, Oliver Hookins wrote:

> OK here they are, both squid_ldap_auth.8 and squid_ldap_group.8. I haven't
> ever submitted a patch before so hopefully I got the diff options right.

The patch format looked good. No problem with the diff options.

However, the squid_ldap_group text is not correct. The squid_ldap_group helper checks group memberships (one or more groups), not passwords...

Regards
Henrik
Re: [squid-users] SHIRAZ-how to open smtp and pop
Hello,

On 12.01 15:51, Shiraz Gul Khan wrote:
> dear heng, hello
>
> now i am on my server. ok listen. when i applied this line
> # iptable -A INPUT -p tcp -m tcp -dport 110 -j ACCEPT
> error come: bash iptable command not found
>
> # iptables -A INPUT -p tcp -m tcp -dport 110 -j ACCEPT
> error come: bad argument '110'
>
> i am using Linux redhat 7.2

Please, keep this discussion out of this mailing list. Find a linux mailing list for such problems. They will be able to help you much more than us.

The others, please do not continue on this topic to the list.

...and for the owner of this list: sorry for doing your work.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
RE: [squid-users] Problem with ncsa_auth and squid 2.5.7
> Hello,
>
> I've worked with squid for 5 years.
>
> Squid works with ncsa_auth and manage up to 400 users;
> some logins are written with first, second or both letter in
> uppercase:
> Pippo, PLuto...
>
> Today I upgraded Squid to version 2.5.7 (before it was 2.5.6) in my
> Internet Server and squid doesn't
> work any more with the users who have login with uppercase.
>
> I've been trying in other systems with squid 2.5.7 (both ppc and x86
> system) and I had the same result!
>
> My system works on Debian 3.1 testing (i386).
>
> Is that a bug?

Apparently :

http://www.squid-cache.org/bugs/show_bug.cgi?id=431

got tackled in 2.5.STABLE7 (ref ChangeLog).

Maybe you need :

    auth_param basic casesensitive on

as mentioned in the bugzilla entry.

Not sure though.

M.
RE: [squid-users] Connection reset by peer
> Hi,
> My friend is using squid/2.5.STABLE4 in her institute on a Linux
> system. She is having around 300 users. Many a times when she tries
> to go to google's cache or 'Similar pages' link she gets,
> (104) Connection reset by peer
> An error condition occurred while
> reading data from the network.

http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.41

(Conn reset by peer , explanation).

> Please retry your request.
> This happens many times. But if I check it immediately from my
> company the same query works fine. We are both around 100Kms apart
> and using different ISPs and I have around 20 ppl. browsing the net
> on same version of squid. Is it that google might be accepting a
> limited number of requests from any particular IP?

I never hear reports of google usage restrictions in that area.
Your friend should also consult the FAQ ; checkout the 'System dependent Weirdness' section. Follow advises mentioned for Linux.

M.
[squid-users] Problem with ncsa_auth and squid 2.5.7
Hello,

I've worked with squid for 5 years.

Squid works with ncsa_auth and manage up to 400 users; some logins are written with first, second or both letter in uppercase: Pippo, PLuto...

Today I upgraded Squid to version 2.5.7 (before it was 2.5.6) in my Internet Server and squid doesn't work any more with the users who have login with uppercase.

I've been trying in other systems with squid 2.5.7 (both ppc and x86 system) and I had the same result!

My system works on Debian 3.1 testing (i386).

Is that a bug?

Regards,

___
Umberto Zanatta
linuxDidattica
tel: +39 (335) 54 71 385
email: [EMAIL PROTECTED]
web: http://linuxdidattica.org
___
[squid-users] Connection reset by peer
Hi,

My friend is using squid/2.5.STABLE4 in her institute on a Linux system. She is having around 300 users. Many a times when she tries to go to google's cache or 'Similar pages' link she gets,

(104) Connection reset by peer
An error condition occurred while reading data from the network. Please retry your request.

This happens many times. But if I check it immediately from my company the same query works fine. We are both around 100Kms apart and using different ISPs and I have around 20 ppl. browsing the net on same version of squid. Is it that google might be accepting a limited number of requests from any particular IP?

Thanks for any tips in advance.

With warm regards,
-Payal