Re: [squid-users] advice for proxy architecture
On 14.01 11:49, [EMAIL PROTECTED] wrote: > Here is my squid architecture : > I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0. > I've got two internal proxies on which are performed the NLTM > authentication of the users. There are configured to forward request to > some remote proxies (in other sites of the company), or to two redundant > external proxies used for internet access. > > I am studying how to optimise my proxy architecture, and am looking for > advices. > > Based on your own experience, is it better to keep the architecture 1 : > > Client <--> internal proxies <--> FW <--> External proxies <--> Internet > > or the architecture 2 > > Client <--> internal proxies <--> FW <--> Internet the second one is easier and you won't get any benefit of the external proxy. > Do find some particular advantages to have additionnal external proxies > (in term of performances, security, ..) no. > or do you think that having only two internal proxies for all trafic (remote > site, internet traffic) is sufficient and not risky ? yes. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: "Let God Debug It!".
[squid-users] assertion failed: cbdata.cc:402: "c->locks > 0"
I get this error assertion failed: cbdata.cc:402: "c->locks > 0" on FreeBSD 5.2.1Rand 5.3R from squid-3.0-PRE3-20040116 Squid compiles fine with any compile options and starts as well also, soon the first request comes in it exites with this error. It does not matter which store_io I use for the cache_dir, also it doen't matter wether I compile with any of storeio,disk-io,kqueue or not. Both server run absolutly fine with squid2.5 and diskd Hans pgpLgCtdbwCh0.pgp Description: PGP signature
[squid-users] transparent proxy + web content filter problem
I am using web proxy content filter (Dansguardian) to scan all outgoing traffic from my LAN. I am using transparent proxying with an iptable rule that forwards all outgoing traffic to web proxy. This setup works but all the browsing activity gets slowed down. When I configure my browser to use proxy Internet access gets faster. Can someone suggest me how can I enhance the performance of iptables with this rule is place and without configuring my browser to use proxy. Thanks in advance. Durga Prasad.
[squid-users] Re: assertion failed: HttpHeader.c:1046: "e"
On Mon, 17 Jan 2005, Askar wrote: 2005/01/17 11:56:37| WARNING: unparseable HTTP header field near 'F57A245B432AD60D0956D90; OE_Usermoonjee81_hotmail.com=1106030955' 2005/01/17 11:56:37| assertion failed: HttpHeader.c:1046: "e" we are using : Squid Cache: Version 2.5.STABLE7-20041228 any work around this problem ? Better yet, there is a fix. Upgrade to a more recent snapshot and you will get rid of this. Regards Henrik
Re: [squid-users] can a redirector do this?
On Fri, 14 Jan 2005, Brett Lymn wrote: their redirector was seeing the https requests. So, can a redirector rewrite a https request to go to a http server? Would squid ignore the redirect and just go to the https server anyway? In theory it should be able to send a browser redirect, but I am not sure if either Squid or the clients supports this.. It should be possible to redirect to another https server specifically designed to return the block page no matter what the client requests, but not without a browser warning about the certificate name due to the nature of SSL. Reards Henrik
Re: [squid-users] freak auth problem
On Fri, 14 Jan 2005, Varun wrote: I am using squid with NSCA auth. I type my user name and password and add a extra letter or number to my password and it logs in. Why does it allow that ? The good old "crypt" password hashing algorithm used by ncsa_auth and many other Unix applications only looks at the first 8 characters. ncsa_auth found in the Squid-3 snapshots also supports MD5 hashing where there is no limit on the password length. this version of ncsa_auth works just fine wiht Squid-2.5 as well. Regards Henrik
Re: [squid-users] Problem on transparent proxy!
On Sat, 15 Jan 2005, Hamed Majnoonian wrote: listening on 3128, have checked before. Squid module is up and running and my firewall has just these two lines: ipfw add allow ip from any to any ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 Which won't intercept anything as the first line accepts everything. See the Squid FAQ where you can find examples on how this should be done. Regards Henrik
Re: [squid-users] question about surrogate pooling/conf
On Sat, 15 Jan 2005, Chow mae wrote: Now the question is: if I use http_accel_uses_host_header on, and the squids have the real IPs in /etc/hosts for logo1-4, then the squids should just be able to hit each of the origin servers on the backend fine, assuming that the requests have host headers for logo1-4, correct ? Correct. But you should also set up proper access controls in http_access limiting to which destinations the proxy will allow requests. If not it can easily be abused to reach other sites.. An alternative method is to tell Squid about each web server using cache_peer, control which requests gets sent where with cache_peer_access and force Squid to use the peers via never_direct. This gives you better control over how Squid distributes the load on the web servers, for example if you have multiple backend servers for the same content. and would there be anything special about having the squid pool take the incoming requests on one interface/IP (seen by the load balancer), and having Squid doesn't care much about what your network layout looks like, as long as it is a valid network that can be used for TCP/IP communication. So as long as you make sure the routing etc is correctly set up Squid will work fine. Regards Henrik
Re: [squid-users] Squid Parent: child process 4977 exited due to signal 6
On Sun, 16 Jan 2005, Askar wrote: hi list can someone help me to solve my problem, from last few days im getting this in /var/log/messages/ Jan 15 16:20:29 Mcache squid[1419]: Squid Parent: child process 4289 exited due to signal 6 Your squid aborted due to a fatal error. See cache.log for a more in-depth description of the error. Regards Henrik
Re: [squid-users] Question about Store Directory Stats section of cachemgr
On Sun, 16 Jan 2005 [EMAIL PROTECTED] wrote: I've got my Squid 2.5.STABLE7 proxy configured using "heap LRU" after running it with "heap GDSF" for a while. I notice in the "Store Directory Stats" section of cachemgr, the removal policy appears as "heap" instead of "heap LRU" or "heap GDSF".Why is this? The function to showing the arguments of the policy is not implemented in the cachemgr Store Directory Stats page, leaving only the policy type. You should see it in the configuration dump screen however. Regards Henrik
Re: [squid-users] 5 old Pentium I PC for squid server
On Mon, 17 Jan 2005, Internet Admin wrote: I have here 5 old Pentium I PC which is just sitting around on my storage room. Now I wonder if i could make a simple redundant squid servers out of those 5 PC that I have. Could someone point me to the right direction where i could start to make those PCs into a server farm, cluster, fail-over (whatever you call it) squid server. You probably want to make one of them a load balancer, if not only for the fun of it when making a cluster ;-) http://www.linuxvirtualserver.org Then install the others as plain Squid proxies. Nothing special about it. Regards Henrik
Re: [squid-users] port 33644
On Mon, 17 Jan 2005, Brent Clark wrote: Would anyone know what this port is for, and most importantly, DO I need it. It's most likely the port used by Squid to make DNS queries to your DNS server(s). See cache.log when Squid starts to be sure. Regards Henrik
Re: [squid-users] Re: assertion failed: HttpHeader.c:1046: "e"
Henrik Nordstrom wrote: On Mon, 17 Jan 2005, Askar wrote: 2005/01/17 11:56:37| WARNING: unparseable HTTP header field near 'F57A245B432AD60D0956D90; OE_Usermoonjee81_hotmail.com=1106030955' 2005/01/17 11:56:37| assertion failed: HttpHeader.c:1046: "e" we are using : Squid Cache: Version 2.5.STABLE7-20041228 any work around this problem ? Better yet, there is a fix. Upgrade to a more recent snapshot and you will get rid of this. Regards Henrik yep I upgraded to lastest release and things looks fine atm from last 2 hours. Regards Askar
Re: [squid-users] Cache refresh after edit using Zope
Thank you Henrik. I found more on this in Chapter 7 of Squid: The Definitive Guide. Some Zope-specific instructions can also be found here: http://www.zope.org.tw/docs/NewPloneBook/Chapter14#id28 But I also have a more serious problem. I publish a large number of RSS feeds which I update once a day. These are cached by Squid and bear "Last-Modified", "Expires" and "Cache-Control" headers. But some user agents (the 'feed aggregators') ignore these; I understand this means they do not implement 'conditional GET'. I need Squid to send back a "304 Not Modified" reply instead of the "200 OK" for any fresh files and never allow a CLIENT_REFRESH_MISS for any files called 'rss.xml'. I would appreciate any help! Thanks, Ken --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > > > On Thu, 30 Dec 2004, Ken Ara wrote: > > > Could Zope somehow tell Squid to perform the > refresh? > > Or could an acl be used to specify this? > > You should be able to add a trigger or similar to > your Zope to > automatically send PURGE requests to Squid when > updating URLs. > > Regards > Henrik > __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
[squid-users] squid/ads problem - no username handed over?
Hello List, I am somewhat stuck here... I have successfully intregrated my linux box (suse 9.2) into an active directory domain and I can access the proxy squid on it perfectly. Now I want to combine the two services, like I did several times before, with no problem. [A perl skript is called which checks whether the user is in an active directory group which is allowed to acess the internet.] But this is the first time with suse 9.2, and now i run into problems: I get FATAL errors in my squid cache.log file. FATAL: authenticateNTLMHandleReply: called with no result string Squid Cache (Version 2.5.STABLE6): Terminated abnormally. -- Normally, the browser should hand over the User name to squid, but it doesn't - see my access.log: - 1105959574.911 4 192.194.146.14 TCP_DENIED/407 1716 GET http://www.google.de/ - NONE/- text/html 1105959618.610 4 192.194.146.14 TCP_DENIED/407 1716 GET http://www.google.de/ - NONE/- text/html 1105960427.520 5 192.194.146.14 TCP_DENIED/407 1716 GET http://www.google.de/ - NONE/- text/html - here the log from a working system: 1105961962.811162 192.16.110.16 TCP_MISS/304 217 GET http://www.n-tv.de/images/200501/5475522__.jpg domain\username DIRECT/217.27.2.150 - Can u help me? Has anybody experienced something similar? -- Mit freundlichen GrÃÃen Markus Feilner -- Bitte beachten Sie unsere neuen Adressdaten! Vielen Dank. -- Feilner IT Linux & GIS Linux Solutions, Training, Seminare und Workshops - auch Inhouse Beraiterweg 4 93047 Regensburg fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 skype ID: mfeilner mail: [EMAIL PROTECTED]
Re: [squid-users] can a redirector do this?
On Mon, Jan 17, 2005 at 11:04:17AM +0100, Henrik Nordstrom wrote: > On Fri, 14 Jan 2005, Brett Lymn wrote: > > >their redirector was seeing the https requests. So, can a redirector > >rewrite a https request to go to a http server? Would squid ignore the > >redirect and just go to the https server anyway? > > In theory it should be able to send a browser redirect, but I am not sure > if either Squid or the clients supports this.. > I may have been a bit sloppy in my terminology there. When I said redirect I meant "rewrite the URL", this is what Websense does in the normal case if the page is blocked the redirector process rewrites the URL to point at a "this access is blocked" page. Anyway, I think you have confirmed what I understood to be happening. > It should be possible to redirect to another https server specifically > designed to return the block page no matter what the client requests, but > not without a browser warning about the certificate name due to the nature > of SSL. > Yes, that was my thinking. The certificate issue should not be too bad since the block page server would be under our control so our users would only have to accept the certificate once in an ideal world they would never need to see the blocked page anyway since it is somewhere they should not be going using work's resources. -- Brett Lymn
[squid-users] WindowsUpdate Problems.
Hello, I have just been made aware that some machines are not Windows updating on our campus network, I've done a fair bit of investigation and I 'think' I know what the problem is and just wondered if anyone else had seen this, and if so how it was remedied. Initially I thought this was a Squid problem, but I'm now tending to think it's a Microsoft problem. On our campus we force certain IP ranges to go through our squid caches, which I guess you could call opaque, IE browsers/clients etc have to be configured to go through the cache rather than transparent. These restricted clients are forced to use the cache by the use of acls on core routers denying port 80 traffic from various IPs. It appears that the Windows Update V5 client (not sure about V4) tries to open a port 80 connection directly to Microsoft servers to check for and download updates, this obviously fails as the router acls drop the packets. The only way I've found to get this to work is to totally disable the windows update client so it makes no checks etc, then manually run WU from a browser which isn't ideal. Even manual attempts fail if the WU client is running. Does anyone know of a list of IP's that the client uses so holes can be made to allow port 80 traffic through to them, or if there is a way to configure the WU client with the proxy settings? Or perhaps I am barking up the wrong tree altogether? Many thanks, Jezz Palmer. Jezz Palmer. Internet Systems Officer. Library and Information Services University of Wales, Swansea Singleton Park Swansea SA2 8PP
RE: [squid-users] WindowsUpdate Problems.
> > > Hello, > > I have just been made aware that some machines are not > Windows updating on > our campus network, I've done a fair bit of investigation and > I 'think' I > know what the problem is and just wondered if anyone else had > seen this, and > if so how it was remedied. > Initially I thought this was a Squid problem, but I'm now > tending to think > it's a Microsoft problem. > > On our campus we force certain IP ranges to go through our > squid caches, > which I guess you could call opaque, IE browsers/clients etc > have to be > configured to go through the cache rather than transparent. > These restricted clients are forced to use the cache by the > use of acls on > core routers denying port 80 traffic from various IPs. > > It appears that the Windows Update V5 client (not sure about > V4) tries to > open a port 80 connection directly to Microsoft servers to > check for and > download updates, this obviously fails as the router acls > drop the packets. > > The only way I've found to get this to work is to totally disable the > windows update client so it makes no checks etc, then > manually run WU from a > browser which isn't ideal. Even manual attempts fail if the > WU client is > running. > > Does anyone know of a list of IP's that the client uses so > holes can be made > to allow port 80 traffic through to them, or if there is a > way to configure > the WU client with the proxy settings? > Or perhaps I am barking up the wrong tree altogether? > > FYI , while I don't know the answer to your problem. A similar issue appeared recently on the list. Check this thread : http://www.squid-cache.org/mail-archive/squid-users/200501/0283.html M.
[squid-users] Fw: SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself.
Further on this problem I am sending you the access.log entries: These are log entries when Inbox opens and mail is read - 1105959678.926130 168.187.x.y TCP_MISS/207 813 PROPFIND http://mail.xyz.com/rakesh/Inbox/ - FIRST_UP_PARENT/mail.xyz.com text/xml 1105959679.931 2303 168.187.x.y TCP_MISS/200 20266 GET http://mail.xyz.com/rakesh/Inbox/? - FIRST_UP_PARENT/mail.xyz.com text/html 1105959687.326720 168.187.x.y TCP_MISS/200 11992 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_Messages.xsl - FIRST_UP_PARENT/mail.burgan.co m text/xml 1105959691.525 4 168.187.x.y TCP_MISS/207 568 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml 1105959695.153 2913 168.187.x.y TCP_MISS/207 13487 SEARCH http://mail.xyz.com/rakesh/Inbox/ - FIRST_UP_PARENT/mail.xyz.com text/xml 1105959717.840 86 168.187.x.y TCP_MISS/207 796 BPROPPATCH http://mail.xyz.com/rakesh/ - FIRST_UP_PARENT/mail.xyz.com text/xml 1105959724.603 5778 168.187.x.y TCP_MISS/200 22442 GET http://mail.xyz.com/rakesh/Inbox/RE:-112.EML? - FIRST_UP_PARENT/mail.xyz.com text/html 1105959733.203 4 168.187.x.y TCP_MISS/207 568 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml These are log entries when changing to another box IT-Sec and box does not open and "LOADING" remains in screens - 1105972004.207 50 168.187.x.y TCP_MISS/207 814 PROPFIND http://mail.xyz.com/rakesh/IT-Sec/ - FIRST_UP_PARENT/mail.xyz.com text/xml 1105972010.419 4 168.187.x.y TCP_MISS/207 568 POLL http://mail.xyz.com/rakesh/Inbox - FIRST_UP_PARENT/mail.xyz.com text/xml 1105972014.046 899554 168.187.x.y TCP_MISS/207 13530 SEARCH http://mail.xyz.com/rakesh/Inbox/ - FIRST_UP_PARENT/mail.xyz.com text/xml 1105972031.426 899696 168.187.x.y TCP_MISS/200 11058 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_TwoLine.xsl - FIRST_UP_PARENT/mail.xyz.com text/xml This is the instant when even INBOX did not open - 1105971037.526 4 168.187.x.y TCP_MISS/401 393 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html 1105971050.808 18 168.187.x.y TCP_MISS/200 1537 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html 1105971053.670 2127 168.187.x.y TCP_MISS/200 24495 GET http://mail.xyz.com/rakesh/? - FIRST_UP_PARENT/mail.xyz.com text/html 1105971058.072 4690 168.187.x.y TCP_MISS/200 20266 GET http://mail.xyz.com/rakesh/Inbox/? - FIRST_UP_PARENT/mail.xyz.com text/html 1105971060.767 5 168.187.x.y TCP_MISS/200 11992 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_Messages.xsl - FIRST_UP_PARENT/mail.burgan.co m text/xml 1105971037.526 4 168.187.x.y TCP_MISS/401 393 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html 1105971050.808 18 168.187.x.y TCP_MISS/200 1537 GET http://mail.xyz.com/ - FIRST_UP_PARENT/mail.xyz.com text/html 1105971053.670 2127 168.187.x.y TCP_MISS/200 24495 GET http://mail.xyz.com/rakesh/? - FIRST_UP_PARENT/mail.xyz.com text/html 1105971058.072 4690 168.187.x.y TCP_MISS/200 20266 GET http://mail.xyz.com/rakesh/Inbox/? - FIRST_UP_PARENT/mail.xyz.com text/html 1105971060.767 5 168.187.x.y TCP_MISS/200 11992 GET http://mail.xyz.com/exchweb/6.5.7226.0/controls/tf_Messages.xsl - FIRST_UP_PARENT/mail.burgan.co m text/xml With Squid-3-PRE3 we did not have this problem, all the mail boxes were opening in reasonably quick. The problem with Squid-3-PRE3 was that often SQUID process was terminating with segmentation fault or shuting down after 17-18 such error messages "clientNegotiateSSL: Error negotiating SSL connection on FD 25: error::lib(0):func(0):reason(0) (5/0)" Any help? Rakesh Jha - Original Message - From: "Rakesh Jha" <[EMAIL PROTECTED]> To: "Henrik Nordstrom" <[EMAIL PROTECTED]> Cc: "Squid Users" Sent: Sunday, January 16, 2005 12:28 PM Subject: SSL Reverse Proxy to Exchange 2003 OWA - SQUID just shutsdown by itself. > I have installed now Squid-3.0-PRE3-20050111. Now squid porcess is seems to > be stable as I have not restarted for last 4-5 days but facing an other > problem, now opening a box or a mail takes very long time (may be 10 > minutes). We keep on seeing 'Loading' on the screen. > What is the problem > > Thanks in advance. > > Rakesh > - Original Message - > From: "Henrik Nordstrom" <[EMAIL PROTECTED]> > To: "Rakesh Kumar" <[EMAIL PROTECTED]> > Cc: "Squid Users" > Sent: Monday, January 10, 2005 02:41 PM > Subject: [squid-users] Re: SSL Reverse Proxy to Exchange 2003 OWA - SQUID > just shutsdown by itself. > > > > > > > > On Mon, 10 Jan 2005, Rakesh Kumar wrote: > > > > > Now I have installed a fresh RH9 and Squid-3 PRE3 > > > > Don't use 3.0.PRE3, if you run Squid-3 you should run a recent snapshot > > release. > > > > Regards > > Henrik > > > > ## Attention: This e-mail message is privileged and confidential. If you are not the intended recipient please delete the message and
RE: [squid-users] Regarding wccp
Hi, The easiest way is to define an access list with a deny for the host and permit the rest and apply it to the interface. ip wccp version 1 ip wccp web-cache redirect-list 110 access-list 110 deny tcp the_host_for_exclusion any eq www access-list 110 permit tcp any any and apply to interface like: interface# ip wccp web-cache redirect out -Original Message- From: Bijay Kumar Rauniyar [mailto:[EMAIL PROTECTED] Sent: Sunday, January 16, 2005 12:40 PM To: squid-users@squid-cache.org Subject: [squid-users] Regarding wccp Hi I have a problem with squid cache and cisco wccp. My problem is that i have wccp enabled on cisco router which points to my cache server.But i want one IP to access to http traffic bypassing cache server..Is there any way out for this by changin squid configuration file.. i would be grateful rgds uglyjoe -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.302 / Virus Database: 265.6.13 - Release Date: 1/16/2005
Re: [squid-users] can a redirector do this?
On Mon, 17 Jan 2005, Brett Lymn wrote: Yes, that was my thinking. The certificate issue should not be too bad since the block page server would be under our control so our users would only have to accept the certificate once in an ideal world they would never need to see the blocked page anyway since it is somewhere they should not be going using work's resources. Just tested this and it does work. The users will get the warning once per site they get blocked from, as the certificate does not match the site they are visiting. Regards Henrik
Re: [squid-users] Regarding wccp
On Sun, 16 Jan 2005, Bijay Kumar Rauniyar wrote: cache server.But i want one IP to access to http traffic bypassing cache server..Is there any way out for this by changin squid configuration file.. No, this has to be done using ACLs in your WCCP router to tell the router to not redirect the traffic from this IP. Regards Henrik
Re: [squid-users] squid/ads problem - no username handed over?
On Mon, 17 Jan 2005, Markus Feilner wrote: FATAL: authenticateNTLMHandleReply: called with no result string Your specified "auth_param ntlm program" helper is crashing, and bringing Squid with it.. Regards Henrik
Re: [squid-users] squid/ads problem - no username handed over? (solved)
Am Montag, 17. Januar 2005 12:42 schrieb Markus Feilner: > Hello List, > > Can u help me? > Has anybody experienced something similar? Ok, I found sth. similar in the archive which helped me! I works now perfectly. The link is: http://www.squid-cache.org/mail-archive/squid-users/200406/0338.html Follow the thread, luke! -- Mit freundlichen GrÃÃen Markus Feilner -- Bitte beachten Sie unsere neuen Adressdaten! Vielen Dank. -- Feilner IT Linux & GIS Linux Solutions, Training, Seminare und Workshops - auch Inhouse Beraiterweg 4 93047 Regensburg fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 skype ID: mfeilner mail: [EMAIL PROTECTED]
Re: [squid-users] can a redirector do this?
On Mon, Jan 17, 2005 at 01:45:20PM +0100, Henrik Nordstrom wrote: > > Just tested this and it does work. > Thanks for that Henrik! > The users will get the warning once per site they get blocked from, as the > certificate does not match the site they are visiting. > OK - now all I have to do is convince Websense support they have something wrong. I haven't succeeded up to now but I live in hope :) -- Brett Lymn
[squid-users] Memory_pools.
Hi all.. I have a squid proxy and I want active memory_pools, but this error happend: [EMAIL PROTECTED] squid -z Memory pools are 'off'; limit: 2.00 MB My configuration in squid.conf: # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your # system and you believe your malloc library outperforms Squid # routines, disable this. # #Default: memory_pools on # TAG: memory_pools_limit (bytes) # Used only with memory_pools on: # memory_pools_limit 50 MB # # If set to a non-zero value, Squid will keep at most the specified # limit of allocated (but unused) memory in memory pools. All free() # requests that exceed this limit will be handled by your malloc # library. Squid does not pre-allocate any memory, just safe-keeps # objects that otherwise would be free()d. Thus, it is safe to set # memory_pools_limit to a reasonably high value even if your # configuration will use less memory. # # If not set (default) or set to zero, Squid will keep all memory it # can. That is, there will be no limit on the total amount of memory # used for safe-keeping. # # To disable memory allocation optimization, do not set # memory_pools_limit to 0. Set memory_pools to "off" instead. # # An overhead for maintaining memory pools is not taken into account # when the limit is checked. This overhead is close to four bytes per # object kept. However, pools may actually _save_ memory because of # reduced memory thrashing in your malloc library. # #Default: memory_pools_limit 2 MB Somebody can help me ? Regards, Renato Policani. Atenção: Esta mensagem foi enviada para uso exclusivo do(s) destinatários(s) acima identificado(s), podendo conter informações e/ou documentos confidencias/privilegiados e seu sigilo é protegido por lei. Caso você tenha recebido por engano, por favor, informe o remetente e apague-a de seu sistema. Notificamos que é proibido por lei a sua retenção, disseminação, distribuição, cópia ou uso sem expressa autorização do remetente. Opiniões pessoais do remetente não refletem, necessariamente, o ponto de vista da CETIP, o qual é divulgado somente por pessoas autorizadas. Attention: This message was sent for exclusive use of the addressees above identified, being able to contain information and or privileged/confidential documents and law protects its secrecies. In case that you it has received for deceit, please, it informs the shipper and erases it of your system. We notify that law forbids its retention, dissemination, distribution, copy or use without express authorization. Personal opinions of the shipper do not reflect, necessarily, the point of view of the CETIP, which is only divulged by authorized people.
RE: Re: [squid-users] squid_ldap_auth or squid_ldapauth supports MD5 ?
>
>
>
>
> squid_ldap_auth supports whatever passwords encryption schemes supported
> by your LDAP server, using either ldap_simple_bind to bind to the user
> object in the LDAP tree or ldap_compare to compare the selected password
> attribute with the user supplied password. In both operations it is the
> LDAP server which determines if the password is valid or not.
>
>
on my server only works if i have a Crypt (DES) password.
I add a test user with password test:
MD5:
# squid_ldapauth -v -q -l
squid_ldapauth[3656]: config - found key: 'ldap-server'
squid_ldapauth[3656]: config - got value: '192.168.1.146'
squid_ldapauth[3656]: config - found key: 'ldap-port'
squid_ldapauth[3656]: config - got value: '389'
squid_ldapauth[3656]: config - found key: 'ldap-suffix'
squid_ldapauth[3656]: config - got value: 'o=unipost'
squid_ldapauth[3656]: config - found key: 'ldap-filter'
squid_ldapauth[3656]: config - got value: '(uid=%s)'
squid_ldapauth[3656]: config - found key: 'ldap-passwdfield'
squid_ldapauth[3656]: config - got value: 'userPassword'
squid_ldapauth[3656]: using ldap-server => '192.168.1.146'
squid_ldapauth[3656]: using ldap-port => '389'
squid_ldapauth[3656]: using ldap-suffix => 'o=unipost'
squid_ldapauth[3656]: using ldap-filter => '(uid=%s)'
squid_ldapauth[3656]: using ldap-passwdfield => 'userPassword'
squid_ldapauth[3656]: using ldap-binddn => ''
squid_ldapauth[3656]: using ldap-password => ''
squid_ldapauth[3656]: connection etablished - waiting for queries
test test
squid_ldapauth[3656]: ldap vals[0]= '{MD5}CY9rzUYh03PK3k6DJie09g=='
squid_ldapauth[3656]: authentication request for 'test' - ERR
ERR
^C
Now i change the pass to Crypt (DES):
# squid_ldapauth -v -q -l
squid_ldapauth[3657]: config - found key: 'ldap-server'
squid_ldapauth[3657]: config - got value: '192.168.1.146'
squid_ldapauth[3657]: config - found key: 'ldap-port'
squid_ldapauth[3657]: config - got value: '389'
squid_ldapauth[3657]: config - found key: 'ldap-suffix'
squid_ldapauth[3657]: config - got value: 'o=unipost'
squid_ldapauth[3657]: config - found key: 'ldap-filter'
squid_ldapauth[3657]: config - got value: '(uid=%s)'
squid_ldapauth[3657]: config - found key: 'ldap-passwdfield'
squid_ldapauth[3657]: config - got value: 'userPassword'
squid_ldapauth[3657]: using ldap-server => '192.168.1.146'
squid_ldapauth[3657]: using ldap-port => '389'
squid_ldapauth[3657]: using ldap-suffix => 'o=unipost'
squid_ldapauth[3657]: using ldap-filter => '(uid=%s)'
squid_ldapauth[3657]: using ldap-passwdfield => 'userPassword'
squid_ldapauth[3657]: using ldap-binddn => ''
squid_ldapauth[3657]: using ldap-password => ''
squid_ldapauth[3657]: connection etablished - waiting for queries
test test
squid_ldapauth[3657]: ldap vals[0]= '{CRYPT}IDV1FVNqCpls2'
squid_ldapauth[3657]: authentication request for 'test' - OK
OK
why not works with MD5?
thanks
Joan Ramos Ramos
Dpto. Informática
Tel.: +34 932 232 552 (Ext. 260)
Fax.: +34 932 230 151
Este mensaje es confidencial y atañe exclusivamente a las personas a las que va
dirigido.
Cualquier opinión en el contenida, es exclusivo de su autor y no representa
necesariamente
la opinion de UNIPOST, S.A.
Si Ud. no es el destinatario del mensaje, considerese advertido que lo ha
recibido por error
y que cualquier difusión o copia estan terminantemente prohibidos. Si ha
recibido por error,
por favor comuniquelo a UNIPOST, S.A. al número +34 93 223 25 52 o correo
electrónico
a <[EMAIL PROTECTED]>.
This e-mail is confidential and intended solely for the use of the individual
to whom it is addressed.
Any opinions presented are solely those of the author and do not necessarily
represent those of
UNIPOST, S.A.
If you are not the intended recipient, be advised that you have received this
e-mail in error and that
dissemination, forwarding or copying of this e-mail is strictly prohibited. If
you have received this
e-mail in error please notify it to UNIPOST, S.A. by telephone on number +34 93
223 25 52 or by
e-mail to <[EMAIL PROTECTED]>.
Re: [squid-users] Cache refresh after edit using Zope
On Mon, 2005-01-17 at 03:14 -0800, Ken Ara wrote: > I publish a large number of RSS feeds which I update > once a day. These are cached by Squid and bear > "Last-Modified", "Expires" and "Cache-Control" > headers. But some user agents (the 'feed aggregators') > ignore these; I understand this means they do not > implement 'conditional GET'. I need Squid to send back > a "304 Not Modified" reply instead of the "200 OK" for > any fresh files and never allow a CLIENT_REFRESH_MISS > for any files called 'rss.xml'. > > I would appreciate any help! You might want to check the refresh_pattern directive out. Kinkie
[squid-users] HTTPS + Transparent proxying error
I am using squid + dansguardian on a FC3 system. Transparent proxying is in place to REDIRECT all requests from 80 and 443 to 8080 (port on which dansguardian is running) using iptables rules. My setup is as below, LAN -> Dansguardian > Squid --> Internet 80192.168.3.100:8080 192.168.3.100:3128 Dansguardian and squid are running on same machine working as Router with iptables. Both dansguardian and squid are listening on one of the ethernet interfaces serving as gateway to my LAN. When I try to browse (from Mozilla) a secure HTTP(https request) website I get and error message "Connection to xyx.com has been terminated unexpectedly. Some data may have been transferred". If I configure my browser to use proxy, it works fine. Any suggestions please. Thanks in advance. Durga Prasad.
Re: [squid-users] question about surrogate pooling/conf
thanks! > > But you should also set up proper access controls in http_access limiting > to which destinations the proxy will allow requests. If not it can easily > be abused to reach other sites.. > right. I've been reading and testing for that. > An alternative method is to tell Squid about each web server using > cache_peer, control which requests gets sent where with cache_peer_access > and force Squid to use the peers via never_direct. This gives you better > control over how Squid distributes the load on the web servers, for > example if you have multiple backend servers for the same content. only thing about that is the backend origin servers all have unique content. no images/html on one machine are on any other. would that alternative method still work on that case ?
Re: [squid-users] Cache refresh after edit using Zope
Thanks Kinkie! Since I am setting an "Expires" header, I did not think this would work. According to _Squid: The Definitive Guide_, "The refresh_pattern rules apply only to responses without an explicit expiration time." Perhaps I should try anyway and see what happens... Ken --- Kinkie <[EMAIL PROTECTED]> wrote: > On Mon, 2005-01-17 at 03:14 -0800, Ken Ara wrote: > > > I publish a large number of RSS feeds which I > update > > once a day. These are cached by Squid and bear > > "Last-Modified", "Expires" and "Cache-Control" > > headers. But some user agents (the 'feed > aggregators') > > ignore these; I understand this means they do not > > implement 'conditional GET'. I need Squid to send > back > > a "304 Not Modified" reply instead of the "200 OK" > for > > any fresh files and never allow a > CLIENT_REFRESH_MISS > > for any files called 'rss.xml'. > > > > I would appreciate any help! > > You might want to check the refresh_pattern > directive out. > > Kinkie > __ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250
RE: [squid-users] Multiple IP - 2 domains - 1 web server
> I have squid setup for one domain working fine. www.mysite.com resolves > to squid box and then proxies for the backend web server. I have > another site setup on that web server that uses a different IP address. > anothersite.mysite.com I would like to go through the proxy as well. How > would I set squid up for that? The easiest is to change the ip of anothersite.mysite.com to the IP of your Squid. Is there any specific reason why you want the two sites to use different public IPs? Regards Henrik It was originally setup this way, not sure of the reason, it was before I was here. If I set it up with the same public IP address I would need to use host headers correct? Brad
Re: [squid-users] Usernames with whitespace
> > I'll test your patch on a 2.5STABLE7. > > > > I'll let you know about the results. > > How have your tests progressed? > 2.5st7 : accepts usernames with leading/trailing spaces 5.5st7+patch : rejects those badly typed usernames. as wanted We don't have usernames with a space in it. And I don't know whether ldap is supposed to support this feature. So I couldn't test this part. Seems pretty good to me, Andrew
RE: [squid-users] HTTPS + Transparent proxying error
This as been discusd many times here and it is also available on many faq: you cannot transparent prox HTTPS. Please read the transparent proxy faq or the relevant postings. From: DurgaPrasad Adusumalli <[EMAIL PROTECTED]> Reply-To: DurgaPrasad Adusumalli <[EMAIL PROTECTED]> To: squid-users@squid-cache.org Subject: [squid-users] HTTPS + Transparent proxying error Date: Mon, 17 Jan 2005 19:26:21 +0530 I am using squid + dansguardian on a FC3 system. Transparent proxying is in place to REDIRECT all requests from 80 and 443 to 8080 (port on which dansguardian is running) using iptables rules. My setup is as below, LAN -> Dansguardian > Squid --> Internet 80192.168.3.100:8080 192.168.3.100:3128 Dansguardian and squid are running on same machine working as Router with iptables. Both dansguardian and squid are listening on one of the ethernet interfaces serving as gateway to my LAN. When I try to browse (from Mozilla) a secure HTTP(https request) website I get and error message "Connection to xyx.com has been terminated unexpectedly. Some data may have been transferred". If I configure my browser to use proxy, it works fine. Any suggestions please. Thanks in advance. Durga Prasad. _ Express yourself instantly with MSN Messenger! Download today - it's FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
[squid-users] why is transparent proxying bad? (FAQ wanted)
Hello, I'm searching for collected informations that tell what is bad about transparent proxying. I've seen some discussions about this in the past, together with last hotmail problem, but wasn't able to collect informations. mostly I'm interested in possible problems that may be caused by interception, if we can avoid them and how. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set.
Re: [squid-users] question about surrogate pooling/conf
On Mon, 17 Jan 2005, John Allspaw wrote: only thing about that is the backend origin servers all have unique content. no images/html on one machine are on any other. would that alternative method still work on that case ? Yes. The trick is cache_peer_access. One note however: Squid-2.5 does not know about origin server type peers, so persistent connections to your backend web servers won't work when using the cache_peer method. Other than this there is very few limitations. Regards Henrik
RE: [squid-users] Multiple IP - 2 domains - 1 web server
On Mon, 17 Jan 2005, Brad Taylor wrote: It was originally setup this way, not sure of the reason, it was before I was here. If I set it up with the same public IP address I would need to use host headers correct? Yes. Regards Henrik
[squid-users] Problems with Squid 2.5 and Squid 2.4 as parent
Hi there, I have a problem after using the new Squid-2.5 with an Parent: Squid 2.4 The conncections works, and many sites can be surfed, but sometimes some sites will not be displayed in browser and comes with a connectiontimeout (110). For example: www.telefonbuch.de, after entering a search-pattern no result will be shown. Also on www.google.de, no result will be shown after starting a search. Is it possible, that the problem comes from our parent proxy (squid 2.4 on debian) ? The line for parent in the squid.conf of Squid 2.5 is: cache_peer 192.168.XXX.XXX parent 3128 7 no-query default And works fine under a Squid 2.3 installation. Or could it be another problem? I cannot determine it, because no error-message will be logged anywhere. Hope someone can help me to fix this prob. :-) -- Regards, Jens Strohschnitter - *!!!LINUX LINUX LINUX LINUX LINUX!!!* * http://www.jens-strohschnitter.de * - Set the controls for the heart of the sun -
Re: [squid-users] Question about Store Directory Stats section of cachemgr
Thanks. Is the "configuration dump screen" one of the links in the cachemgr or output that gets logged or displayed when specifying a command line option to squid? Peace... Tom Henrik Nordstrom <[EMAIL PROTECTED] org> To [EMAIL PROTECTED] 01/17/2005 02:21 m AM cc squid-users@squid-cache.org Subject Re: [squid-users] Question about Store Directory Stats section of cachemgr On Sun, 16 Jan 2005 [EMAIL PROTECTED] wrote: > I've got my Squid 2.5.STABLE7 proxy configured using "heap LRU" after > running it with "heap GDSF" for a while. I notice in the "Store Directory > Stats" section of cachemgr, the removal policy appears as "heap" instead of > "heap LRU" or "heap GDSF".Why is this? The function to showing the arguments of the policy is not implemented in the cachemgr Store Directory Stats page, leaving only the policy type. You should see it in the configuration dump screen however. Regards Henrik
Re: [squid-users] Memory_pools.
On Mon, 17 Jan 2005, Renato Policani wrote: I have a squid proxy and I want active memory_pools, but this error happend: [EMAIL PROTECTED] squid -z Memory pools are 'off'; limit: 2.00 MB Is this a Squid-3 developer/beta version of Squid? Regards Henrik
Re: [squid-users] Usernames with whitespace
On Mon, 17 Jan 2005 [EMAIL PROTECTED] wrote: 2.5st7 : accepts usernames with leading/trailing spaces 5.5st7+patch : rejects those badly typed usernames. as wanted We don't have usernames with a space in it. And I don't know whether ldap is supposed to support this feature. So I couldn't test this part. Seems pretty good to me, Thanks. The change is now official and will be in 2.5.STABLE8. Regards Henrik
Re: [squid-users] Problems with Squid 2.5 and Squid 2.4 as parent
On Mon, 17 Jan 2005, Jens Strohschnitter wrote: Hi there, I have a problem after using the new Squid-2.5 with an Parent: Squid 2.4 The conncections works, and many sites can be surfed, but sometimes some sites will not be displayed in browser and comes with a connectiontimeout (110). For example: www.telefonbuch.de, after entering a search-pattern no result will be shown. Also on www.google.de, no result will be shown after starting a search. Sounds like you are inside a firewall without informing Squid about this minor detail. See the Squid FAQ. Regards Henrik
Re: [squid-users] Cache refresh after edit using Zope
On Mon, 17 Jan 2005, Ken Ara wrote: Since I am setting an "Expires" header, I did not think this would work. See the squid.conf comments.. there is some interesting options to refresh_pattern to bend the rules of HTTP.. Regards Henrik
Re: [squid-users] assertion failed: cbdata.cc:402: "c->locks > 0"
On Mon, 17 Jan 2005, H Matik wrote: cbdata.cc:402: "c->locks > 0" on FreeBSD 5.2.1Rand 5.3R from squid-3.0-PRE3-20040116 Squid compiles fine with any compile options and starts as well also, soon the first request comes in it exites with this error. Please file a bug report as per the instructions in the Squid FAQ Squid FAQ 11.19 Sending in Squid bug reports http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19> Regards Henrik
Re: [squid-users] Question about Store Directory Stats section of cachemgr
On Mon, 17 Jan 2005 [EMAIL PROTECTED] wrote: Thanks. Is the "configuration dump screen" one of the links in the cachemgr Yes. "Current Squid Configuration". You need to set a password for this option to enable it. See squid.conf documentation for details. Regards Henrik
[squid-users] squid not caching files to disk
Hi all, I have a problem with squid not writing files to its cache directories. My squid setup is like so: squid+ntlm --> Dans Guardian --> squid The toplevel squid is non-caching (null cache_dir) and is used for NTLM authentication and passing requests to DansGuardian, which then filters the request or passes the request on to the bottom layered squid which (should) take care of fetching the page and caching it to disk/memory whatever. The bottom level squid is configured to roughly use the majority of a 29GB partition, this is verified from the logfile: 2005/01/12 18:53:40| Swap maxSize 23552000 KB, estimated 1811692 objects When I originally configured this cache, I left the cache_dir settings to the default 128MB or 125MB or whatever it is (yeah, my bad). Soon after deploying the server, realising my mistake I reconfigured it like so: cache_dir ufs /var/spool/squid 23000 16 256 Now, my problem is that about a month or so later after, usage on my swap disk is still sitting at 126MB and i'm almost certainly sure it should be showing much larger usage (this cache is fairly heavily used). I've tried doing a full restart of the squid since reconfiguring it (instead of just a squid -k reconfigure to kick the new config in). I've also tried stopping the cache and re-creating the swap directories (over the top of existing directories, havent tried completely removing and re-creating). Config files can be viewed at: http://www.nct.com.au/conf/squid.conf - bottom (caching) layer config http://www.nct.com.au/conf/squidntlm.conf - top (ntlm) layer config Is there something obvious I am missing here? Cheers, Ben -- In God We Trust, Everyone else must have an X.509 certificate.
[squid-users] Squid 3.0 "accelerator using host" caching problem
hi,all I'm using squid 3.0 's vhost mode. I set some domain name as cache_peers with the originserver option as follow : cache_peer myhost.domain parent 80 0 originserver default But all the access log I got is kind of MISSes (TCP_MISS, TCP_CLIENT_REFRESH_MISS). If I set "always_direct allow myhost.domain" , I got all the http traffic to myhost in DIRECT mode. Didn't I set the proper configuration ? Or can't I got this pages cached ? 致 礼! forgetful tan [EMAIL PROTECTED] 2005-01-17
[squid-users] Squid 3.0 "accelerator using host" caching problem
hi,all I'm using squid 3.0 's vhost mode. I set some domain name as cache_peers with the originserver option as follow : cache_peer myhost.domain parent 80 0 originserver default But all the access log I got is kind of MISSes (TCP_MISS, TCP_CLIENT_REFRESH_MISS). If I set "always_direct allow myhost.domain" , I got all the http traffic to myhost in DIRECT mode. Didn't I set the proper configuration ? Or can't I got this pages cached ? 致 礼! forgetful tan [EMAIL PROTECTED] 2005-01-17
RE: [squid-users] why is transparent proxying bad? (FAQ wanted)
> > Hello, > > I'm searching for collected informations that tell what is bad about > transparent proxying. I've seen some discussions about this > in the past, > together with last hotmail problem, but wasn't able to collect > informations. > > mostly I'm interested in possible problems that may be caused by > interception, if we can avoid them and how. > http://www.squid-cache.org/mail-archive/squid-users/200501/0012.html M.
Re: [squid-users] Squid 3.0 "accelerator using host" caching problem
At 07:07 p.m. 18/01/2005, forgetful tan wrote: hi,all I'm using squid 3.0 's vhost mode. I set some domain name as cache_peers with the originserver option as follow : cache_peer myhost.domain parent 80 0 originserver default But all the access log I got is kind of MISSes (TCP_MISS, TCP_CLIENT_REFRESH_MISS). If I set "always_direct allow myhost.domain" , I got all the http traffic to myhost in DIRECT mode. Didn't I set the proper configuration ? Or can't I got this pages cached ? I'm seeing the same thing on a customer system (everything retrieved from the backend server is always TCP_MISS/304 even though it definitely is cacheable), but was holding back till I'd done some more investigation. I am using a very old snapshot (about -PRE3). I can't upgrade as more recent versions seem to be very unstable right now :( I have a recollection of this problem being fixed at some point but it must have been far far back, wish me luck finding the patch. reuben
[squid-users] difference in acessing servers directly and cache
hi friends, pls tell me what is the exact difference between always_direct deny all and never_direct allow all options in squid.conf thanks and greetings, anu bhaskar
