Re: [squid-users] No cache to one IP address
On Tuesday 08 March 2005 10:49, Henrik Nordstrom wrote: On Tue, 8 Mar 2005, razidan wrote: I didn't read over what I wrote before I sent it... Is there any way to check whether if the websites accessed from 192.168.0.14 are being cached or not? store.log. If there is SWAPOUT entries maching your requests then objects got cached. or clearing your browser cache and then access the same page again (but NOT by pressing the reload button). If cached you should see TCP_HIT, if not cached only TCP_MISS. It seems to be working as it should be. I was the one looking at the wrong place. Thanks guy.
Re: [squid-users] HTTPD Accelerator for OWA 2003
Henrik Nordstrom [EMAIL PROTECTED] a écrit: What do you see as URLs in the frameset of you do View Page Source? Client used for test : IE6. Accessing directly from internet the reverse proxy, after filling the login credentials and validating by OK, it gives a blank page. at this point, View page source shows this : !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=Content-Type content=text/html; charset=windows-1252/HEAD BODY/BODY/HTML In the access.log, i have this : 172.17.84.20 - - [08/Mar/2005:10:39:26 +0100] GET http://81.255.124.59:64300/Exchange HTTP/1.1 401 514 TCP_MISS:DIRECT 172.17.84.20 - - [08/Mar/2005:10:39:36 +0100] GET http://81.255.124.59:64300/Exchange HTTP/1.1 302 515 TCP_MISS:DIRECT 172.17.84.20 - - [08/Mar/2005:10:39:37 +0100] GET http://81.255.124.59:64300/Exchange/ HTTP/1.1 200 1418 TCP_MISS:DIRECT Below is an extract of the log when it works correctly ( using a third party proxy to access my reverse ) 82.66.36.188 - - [07/Mar/2005:21:58:18 +0100] GET http://81.255.124.59:64300/exchange HTTP/1.0 401 514 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:35 +0100] GET http://81.255.124.59:64300/exchange HTTP/1.0 302 515 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:35 +0100] GET http://81.255.124.59:64300/exchange/ HTTP/1.0 200 1699 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:35 +0100] GET http://81.255.124.59:64300/exchange/Administrateur/? HTTP/1.0 200 20497 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:35 +0100] GET http://81.255.124.59:64300/exchange/Administrateur/Bo%C3%AEte%20de%20r%C3%A9ception/? HTTP/1.0 200 20536 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:36 +0100] GET http://81.255.124.59:64300/exchweb/6.5.7226.0/controls/owastyle.css HTTP/1.0 200 10914 TCP_MISS:DIRECT 82.66.36.188 - - [07/Mar/2005:21:58:36 +0100] GET http://81.255.124.59:64300/exchweb/themes/0/owacolors.css HTTP/1.0 200 13194 TCP_MISS:DIRECT I noticed that when the protocol used is HTTP1.0, it works, but not when HTTP1.1 is. Is it a clue? Thanks for your help. Momo Regards Henrik --- HopHopHop !
Re: [squid-users] How to Squid-Websense
I personelly don't want to install the server policy or other websense components on the same box as the proxy server just because I have websense already running on a w2k3 machine. i don't want to change the architecture already implemented. Thanks fr your suggestion. --- Brett Lymn [EMAIL PROTECTED] wrote: On Mon, Mar 07, 2005 at 01:47:43PM -0500, Corey Tyndall wrote: I get the same error when entering in Filtering service IP addr. The Filtering Service provided does not support a remote plug-in. Select another Filtering Service. Any ideas?? Yes, install the policy server on the linux machine and push the policy to the linux machine. I am not entirely sure why you don't want to do this. At the risk of sounding like a Websense salesdroid, the Websense infrastructure is quite flexible and can be distributed quite well. You _can_ centralise your policy management and push the policy to the squid proxies. You _don't_ have to run the network agent on the same machine, you _can_ send your logs to the win2k machine. Why do you both insist on making the win2k box do everything when it does not need to? -- Brett Lymn Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com
[squid-users] child/parent cluster http 302 redirect query
Hi, I would like to know if it's possible to configure a child squid to query parents using ICP, as standard, but to return a HTTP 302 redirect to the end user browser with the URL for the preferred parent. The driver behind this is to develop a high bandwidth content delivery network. Serving more data/bandwidth than any one box could proxy. I would like to build the below architecture. WEB-Browser - Child Squid (performs ICP request to N parents , sends back http Redirect) WEB-Browser - Parent Squid (Parent host serves content direct to browser without channelling data through Child node) I am hopeful that the above will allow us to serve +4Gbit/Sec of data. As an aside the files served will be on average 1Gbyte, around 2,000 off them. The project is shoe-horned into using HTTP as delivery, making use of the Microsoft BITS service for download management. The average client will be broadband, read 500Kb-1mb/sec and we expect a total concurrent load of 5,000 users. Which due to the file size - will be concurrent . Other suggestions welcome, initially I had explored large SAN infrastructure, though factoring IO consumption and number of FC connections to web servers I'm convinced squid can provide more fully redundant, better performing solution - backed by a smaller pair of webservers and large NAS. Cisco CDN is another solution, though I'm yet to be convinced of its ability to scale to multi-gigabit delivery. The entire solution may end up being replicated in many locations, a rack per country etc with data-tier updates once per day for upto 10GByte of data. Also thoughts on pre-populating the cache would be welcome, though ultimately this would be easy to achieve with a small robot script, a push method to populate edge caches would be better suited. Thanks for any help, Danny
[squid-users] Did Anyone used ESI with squid ?
Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
Re: [squid-users] Did Anyone used ESI with squid ?
Dear Nitesh, I'm also trying to use ESI with squid - I installed Squid 3, (remember to use --enable-esi with configure) and pages are composed fine (I use esi:include), but templates and fragments are not cached. Remember that your pages must have appropriate HTTP headers in order to make squid parsing it as ESI templates. I hope you are more lucky and will have your pages cached. Regards, Michal Pietrusinski Nitesh Naik napisa(a): Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
Re: [squid-users] Did Anyone used ESI with squid ?
Dear Michal, Thanks for your reply. Let me send you some more information about settings that I am using. We are using squid squid-3.0-PRE3-20041220 for parsing ESI. squid is compiled with esi ( --enable-esi ) but for some reason esi is not getting parsed and we get following error in the browser. The following error was encountered: ESI Processing failed. The ESI processor returned: esiProcess: Parse error at line 2: junk after document element This means that: The surrogate was not able to process the ESI template. Please report this error to the webmaster ESI example used esi:assign name=date_string value=$strftime($time(), '%a, %d %B %Y %H:%M:%S %Z')/ esi:vars $(date_string) /esi:vars squid.conf settings httpd_accel_surrogate_id unset-id http_accel_surrogate_remote on esi_parser libxml2 cache_peer xyz.com parent 80 0 no-query originserver Apache configuration at origin server Directory /esi/ Header add Surrogate-Control max-age=60,content=ESI/1.0 ExpiresActive On ExpiresByType text/html now plus 1 minutes /Directory When we hit origin server the Surrogate-Control is added to header HTTP/1.1 200 OK Date: Fri, 04 Mar 2005 13:30:03 GMT Surrogate-Control: max-age=60,content=ESI/1.0 P3P: CP=NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC, policyref=/w3c/p3p.xml Last-Modified: Fri, 04 Mar 2005 12:50:06 GMT ETag: 13c8a1-133-4228597e Accept-Ranges: bytes Content-Length: 307 Connection: close Content-Type: text/html Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:26 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, I'm also trying to use ESI with squid - I installed Squid 3, (remember to use --enable-esi with configure) and pages are composed fine (I use esi:include), but templates and fragments are not cached. Remember that your pages must have appropriate HTTP headers in order to make squid parsing it as ESI templates. I hope you are more lucky and will have your pages cached. Regards, Michal Pietrusinski Nitesh Naik napisa(a): Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
Re: [squid-users] Did Anyone used ESI with squid ?
Dear Nitesh, It looks like the header is ok, since ESI processing started. I also had problems with parser 'libxml2' - it was constantly reporting some parsing errors even on simple pages which were validated with W3C validator. So finally I changed to 'custom' and 'expat' parsers. I suggest you first try some really simple ESI constructs with 'custom' parser. Regards, Michal Nitesh Naik napisa(a): Dear Michal, Thanks for your reply. Let me send you some more information about settings that I am using. We are using squid squid-3.0-PRE3-20041220 for parsing ESI. squid is compiled with esi ( --enable-esi ) but for some reason esi is not getting parsed and we get following error in the browser. The following error was encountered: ESI Processing failed. The ESI processor returned: esiProcess: Parse error at line 2: junk after document element This means that: The surrogate was not able to process the ESI template. Please report this error to the webmaster ESI example used esi:assign name=date_string value=$strftime($time(), '%a, %d %B %Y %H:%M:%S %Z')/ esi:vars $(date_string) /esi:vars squid.conf settings httpd_accel_surrogate_id unset-id http_accel_surrogate_remote on esi_parser libxml2 cache_peer xyz.com parent 80 0 no-query originserver Apache configuration at origin server Directory /esi/ Header add Surrogate-Control max-age=60,content=ESI/1.0 ExpiresActive On ExpiresByType text/html now plus 1 minutes /Directory When we hit origin server the Surrogate-Control is added to header HTTP/1.1 200 OK Date: Fri, 04 Mar 2005 13:30:03 GMT Surrogate-Control: max-age=60,content=ESI/1.0 P3P: CP=NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC, policyref=/w3c/p3p.xml Last-Modified: Fri, 04 Mar 2005 12:50:06 GMT ETag: 13c8a1-133-4228597e Accept-Ranges: bytes Content-Length: 307 Connection: close Content-Type: text/html Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:26 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, I'm also trying to use ESI with squid - I installed Squid 3, (remember to use --enable-esi with configure) and pages are composed fine (I use esi:include), but templates and fragments are not cached. Remember that your pages must have appropriate HTTP headers in order to make squid parsing it as ESI templates. I hope you are more lucky and will have your pages cached. Regards, Michal Pietrusinski Nitesh Naik napisa(a): Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
Re: [squid-users] samba with squid
Give permission on /usr/local/samba/var/locks/winbindd_privileged or where it is in your installation like this: chown root:squid winbindd_privileged chmod 750 winbindd_privileged Nikolay [EMAIL PROTECTED]@inet 04.03.2005 15:54 To squid-users@squid-cache.org cc Subject [squid-users] samba with squid Hello, Installed squid 2.5STABLE9 with ntlm_auth from samba 3.0.11. Periodically got this error from winbindd: After restart working fine... rpc_client/cli_pipe.c:rpc_api_pipe(435) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds and Squid dying with segmentation fault. AD controllers is working fine with no errors in logs. Can anybody help me?
[squid-users] group attribute from ntml?
Hi, i have configure squid with samba and ntlm authentication with wbinfo_group.pl and winbindd. the authentication from nt domain is working, but i see in log files only user attribute. I need to see and group one, because i need to pass this attribute to other proxy. Regards, Nikolay
[squid-users] hide ip
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Can I hide one of the ip's connecting to the proxy? How may I configure the proxy to do that ? -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFCLZmwKuNGplU1TBgRAkPlAKDXNFBLWi/NKc1m1O92tPv6B6mHrQCeNG2P xw9mhn1OtU+tqLArRIPSj/k= =B2EU -END PGP SIGNATURE-
Re: [squid-users] HTTPD Accelerator for OWA 2003
On Tue, 8 Mar 2005, Momo wrote: Client used for test : IE6. Accessing directly from internet the reverse proxy, after filling the login credentials and validating by OK, it gives a blank page. at this point, View page source shows this : !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=Content-Type content=text/html; charset=windows-1252/HEAD BODY/BODY/HTML Hmm.. this looks very familiar with another error seen recently due to broken web servers.. try the following header_access Accept-Encodig deny all If this helps please document in detail what web software (including any IIS filters etc) installed on the OWA web server. Regards Henrik
Re: [squid-users] samba with squid
Give permission on /usr/local/samba/var/locks/winbindd_privileged or where it is in your installation like this: chown root:squid winbindd_privileged chmod 750 winbindd_privileged Nikolay [EMAIL PROTECTED]@inet 04.03.2005 15:54 To squid-users@squid-cache.org cc Subject [squid-users] samba with squid Hello, Installed squid 2.5STABLE9 with ntlm_auth from samba 3.0.11. Periodically got this error from winbindd: After restart working fine... rpc_client/cli_pipe.c:rpc_api_pipe(435) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds and Squid dying with segmentation fault. AD controllers is working fine with no errors in logs. Can anybody help me?
Re: [squid-users] ZeroSized Reply error from squid
On Tue, 8 Mar 2005, razidan wrote: Hi! I'm running a web application on our local server running Apache version 2.0.50-7mdk and Squid Version: 2.5.STABLE6-2.2.101mdk on Mandrakelinux 10.1. When i connect to the server from a client computer and click a button which runs a php-script and returns a .png file to a window, i receive this error: ERROR The requested URL could not be retrieved While trying to retrieve the URL: http://192.168.0.3/ern/ijb/report/print_reportgd.php? The following error was encountered: Zero Sized Reply This error indicates the server closed the connection before sending any response at all (not even a blank response). See the web server logs if there is any hints there as to what is going wrong. Regards Henrik
[squid-users] How to get the latest ICAP patch
Hi, is there an easy way to get the newest ICAP patch? Unfortunately the icap-squid on Duane Wessels homepage is from Sept. 2004. Is the newest icap branch adapted to squid-2.5.STABLE9? Thanks for information. Regards Michael
Re: [squid-users] child/parent cluster http 302 redirect query
On Tue, 8 Mar 2005, Danny Hallwood wrote: I would like to know if it's possible to configure a child squid to query parents using ICP, as standard, but to return a HTTP 302 redirect to the end user browser with the URL for the preferred parent. No. URLs indicate the location and name of the object to fetch, not the path how to get to the object. The driver behind this is to develop a high bandwidth content delivery network. Serving more data/bandwidth than any one box could proxy. I would like to build the below architecture. Ok. Sounds like a reverse proxy setup, not a normal setup? If it is a reverse proxy setup then returning redirects as you describe is feasible, but some coding is required to implement the function in Squid. Regards Henrik
Re: [squid-users] Blacklist for squirm
On Mar 7, 2005, at 11:32 PM, Awie wrote: Nevermind - I was able to download Berkeley DB v2.7.7 from SleepyCat and squidGuard complies now. Bryan Bryan, squidguard 1.2.0 works better with Berekely DB v3.2.9, you may be able to use 2.7.7 loading blacklists into memory for each redirector, which takes forever. Using 3.2.9 will allow you much better performance using pre-built database for blacklists -j Jeff, If you said that DB 3.2.9 is better (it should be) than 2.7.7. How is about using the latest version of BerkelyDB v4.3.27? Thx rgds, Awie I'm not sure. i was troubleshooting a problem a while back when i was running 2.7.7. SquidGuard 1.2 wouldn't read the pre-built data bases, then i found an obscure web site that listed 3.2.9 http://www.maynidea.com/squidguard/step-by-step.html So once i installed 3.2.9 and the 2 patches it worked better than ever. i have not tried 4.x.x --j --- jeff donovan basd network operations (610) 807 5571 x41 AIM xtdonovan
Re: [squid-users] How to get the latest ICAP patch
On Tue, 8 Mar 2005, Michael Pophal wrote: is there an easy way to get the newest ICAP patch? http://devel.squid-cache.org/ Regards Henrik
Re: [squid-users] group attribute from ntml?
On Tue, 8 Mar 2005 [EMAIL PROTECTED] wrote: i have configure squid with samba and ntlm authentication with wbinfo_group.pl and winbindd. the authentication from nt domain is working, but i see in log files only user attribute. Yes... I need to see and group one, because i need to pass this attribute to other proxy. Unfortunately the group is not clearly known to Squid, only the fact (yes/no) that the user is member of the required groups. Regards Henrik
RE: [squid-users] child/parent cluster http 302 redirect query
Thanks Henrik, The solution is for reverse proxy. The key to making this solution work is to ensure the child squid does not proxy the data stream from 'best capable' Parent to end-user browser. Could you hazard a guess as to how much effort would be required to transpose an ICP return into a HTTP 302 redirect message back to the client? We have a development team in house, however I'm pretty sure squid source is not something they are au'fait with. Thanks, Danny Danny Hallwood -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: 08 March 2005 12:43 To: Danny Hallwood Cc: squid-users@squid-cache.org Subject: Re: [squid-users] child/parent cluster http 302 redirect query On Tue, 8 Mar 2005, Danny Hallwood wrote: I would like to know if it's possible to configure a child squid to query parents using ICP, as standard, but to return a HTTP 302 redirect to the end user browser with the URL for the preferred parent. No. URLs indicate the location and name of the object to fetch, not the path how to get to the object. The driver behind this is to develop a high bandwidth content delivery network. Serving more data/bandwidth than any one box could proxy. I would like to build the below architecture. Ok. Sounds like a reverse proxy setup, not a normal setup? If it is a reverse proxy setup then returning redirects as you describe is feasible, but some coding is required to implement the function in Squid. Regards Henrik
[squid-users] POP3/SMTP Probs.
Hello. I have SuSE Linux 9.1 with squid-2.5.STABLE5-37.i586 installed, no firewall installed. Web browsing work fine but POP3/SMTP connections from clients (Windows 2000 machines running MS Outlook Express 6) don't work. I checked the squid config...but I have no idea how to fix this BIG problem. Anyone can help me? I'm looking forward to your kind reply. Thank You in advance, Antonio Romani IT Specialist SYS-THEMA S.r.l. ITALY Navighi a 2 MEGA e i primi 3 mesi sono GRATIS. Scegli Libero Adsl Flat senza limiti su http://www.libero.it
Re: [squid-users] POP3/SMTP Probs.
quote who=[EMAIL PROTECTED] Hello. I have SuSE Linux 9.1 with squid-2.5.STABLE5-37.i586 installed, no firewall installed. Web browsing work fine but POP3/SMTP connections from clients (Windows 2000 machines running MS Outlook Express 6) don't work. I checked the squid config...but I have no idea how to fix this BIG problem. Anyone can help me? I'm looking forward to your kind reply. Thank You in advance, Could you post your squid.conf acl section? -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 742001 E [EMAIL PROTECTED] Open Source. Open Solutions(tm). http://www.suretecsystems.com/
RE: [squid-users] POP3/SMTP Probs.
Hello. I have SuSE Linux 9.1 with squid-2.5.STABLE5-37.i586 installed, no firewall installed. Web browsing work fine but POP3/SMTP connections from clients (Windows 2000 machines running MS Outlook Express 6) don't work. I checked the squid config...but I have no idea how to fix this BIG problem. Anyone can help me? I'm looking forward to your kind reply. http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.1 - Squid is a http proxy only (doesn't support POP3/SMTP) M.
[squid-users] Start error
Hi, I have installed Squid on FC with .rpm., but when I try to start Squid I have the following error: [EMAIL PROTECTED] root]# /etc/init.d/squid start init_cache_dir /var/spool/squid... /etc/init.d/squid: line 162: 1936 Abortito $SQUID -z -F -D 2/dev/null Avvio di squid: /etc/init.d/squid: line 162: 1937 Abortito $SQUID $SQUID_OPTS 2/dev/null [FALLITO] ..where I mistake ?? thanks. Salvatore.
RE: [squid-users] POP3/SMTP Probs.
Hi, Squid is an HTTP proxy only. It simply doesn't understand other protocols let alone forward them (it will, however, tunnel SSL and also allow FTP over HTTP for FTP in web browsers). If you want other protocols (POP3/SMTP) then you need a POP3/SMTP relay or NAT/firewall. The SQUID FAQ is a good place to go to find out this stuff! Regards, Stephen -Original Message- From: Gavin Henry [mailto:[EMAIL PROTECTED] Sent: 08 March 2005 13:41 To: squid-users@squid-cache.org Subject: Re: [squid-users] POP3/SMTP Probs. Importance: High quote who=[EMAIL PROTECTED] Hello. I have SuSE Linux 9.1 with squid-2.5.STABLE5-37.i586 installed, no firewall installed. Web browsing work fine but POP3/SMTP connections from clients (Windows 2000 machines running MS Outlook Express 6) don't work. I checked the squid config...but I have no idea how to fix this BIG problem. Anyone can help me? I'm looking forward to your kind reply. Thank You in advance, Could you post your squid.conf acl section? -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 742001 E [EMAIL PROTECTED] Open Source. Open Solutions(tm). http://www.suretecsystems.com/ == The HENLEY College -- This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential and/or legally privileged. Unauthorised use is strictly prohibited and may be unlawful. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, including any picture or graphic and any attachment, except for the purpose of delivery to the addressee. We make every effort to keep our network free from viruses. However, you do need to verify this e-mail and any attachments to it to be virus free as we can take no responsibility for any computer virus which might be transferred by way of this e-mail.
RE: [squid-users] Start error
Hi, I have installed Squid on FC with .rpm., but when I try to start Squid I have the following error: [EMAIL PROTECTED] root]# /etc/init.d/squid start init_cache_dir /var/spool/squid... /etc/init.d/squid: line 162: 1936 Abortito$SQUID -z -F -D 2/dev/null Avvio di squid: /etc/init.d/squid: line 162: 1937 Abortito $SQUID $SQUID_OPTS 2/dev/null [FALLITO] ..where I mistake ?? thanks. Salvatore. - Try to start squid manually, using the binary (.../squid) - Check cache.log M.
RE: [squid-users] POP3/SMTP Probs.
quote who=Stephen Hi, Squid is an HTTP proxy only. It simply doesn't understand other protocols let alone forward them (it will, however, tunnel SSL and also allow FTP over HTTP for FTP in web browsers). I was getting to that bit ;-) If you want other protocols (POP3/SMTP) then you need a POP3/SMTP relay or NAT/firewall. The SQUID FAQ is a good place to go to find out this stuff! Regards, Stephen -Original Message- From: Gavin Henry [mailto:[EMAIL PROTECTED] Sent: 08 March 2005 13:41 To: squid-users@squid-cache.org Subject: Re: [squid-users] POP3/SMTP Probs. Importance: High quote who=[EMAIL PROTECTED] Hello. I have SuSE Linux 9.1 with squid-2.5.STABLE5-37.i586 installed, no firewall installed. Web browsing work fine but POP3/SMTP connections from clients (Windows 2000 machines running MS Outlook Express 6) don't work. I checked the squid config...but I have no idea how to fix this BIG problem. Anyone can help me? I'm looking forward to your kind reply. Thank You in advance, Could you post your squid.conf acl section? -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 742001 E [EMAIL PROTECTED] Open Source. Open Solutions(tm). http://www.suretecsystems.com/ == The HENLEY College -- This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential and/or legally privileged. Unauthorised use is strictly prohibited and may be unlawful. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, including any picture or graphic and any attachment, except for the purpose of delivery to the addressee. We make every effort to keep our network free from viruses. However, you do need to verify this e-mail and any attachments to it to be virus free as we can take no responsibility for any computer virus which might be transferred by way of this e-mail.
Re: [squid-users] Strange HTTP Header causing error message from squid to user
On Tue, 2005-03-08 at 13:17 +1300, Reuben Farrelly wrote: I'll put a request in Fedora Core bugzilla, for the maintainer to upgrade the package to -STABLE9.. reuben Wow. thanks. So this is safe? Has anyone looked into the security aspects of very badly implemented HTTP Headers (and their Servers)?
Re: [squid-users] Did Anyone used ESI with squid ?
Michal, Thanks for your suggestion. Changed parser to custom and used following sample ESI code. esi:assign name=test_string value=This is test/ esi:vars $(test_string) /esi:vars Its Working perfectly fine. Is squid not supporting all ESI tags ? Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: Nitesh Naik [EMAIL PROTECTED] Cc: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:57 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, It looks like the header is ok, since ESI processing started. I also had problems with parser 'libxml2' - it was constantly reporting some parsing errors even on simple pages which were validated with W3C validator. So finally I changed to 'custom' and 'expat' parsers. I suggest you first try some really simple ESI constructs with 'custom' parser. Regards, Michal Nitesh Naik napisa(a): Dear Michal, Thanks for your reply. Let me send you some more information about settings that I am using. We are using squid squid-3.0-PRE3-20041220 for parsing ESI. squid is compiled with esi ( --enable-esi ) but for some reason esi is not getting parsed and we get following error in the browser. The following error was encountered: ESI Processing failed. The ESI processor returned: esiProcess: Parse error at line 2: junk after document element This means that: The surrogate was not able to process the ESI template. Please report this error to the webmaster ESI example used esi:assign name=date_string value=$strftime($time(), '%a, %d %B %Y %H:%M:%S %Z')/ esi:vars $(date_string) /esi:vars squid.conf settings httpd_accel_surrogate_id unset-id http_accel_surrogate_remote on esi_parser libxml2 cache_peer xyz.com parent 80 0 no-query originserver Apache configuration at origin server Directory /esi/ Header add Surrogate-Control max-age=60,content=ESI/1.0 ExpiresActive On ExpiresByType text/html now plus 1 minutes /Directory When we hit origin server the Surrogate-Control is added to header HTTP/1.1 200 OK Date: Fri, 04 Mar 2005 13:30:03 GMT Surrogate-Control: max-age=60,content=ESI/1.0 P3P: CP=NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC, policyref=/w3c/p3p.xml Last-Modified: Fri, 04 Mar 2005 12:50:06 GMT ETag: 13c8a1-133-4228597e Accept-Ranges: bytes Content-Length: 307 Connection: close Content-Type: text/html Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:26 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, I'm also trying to use ESI with squid - I installed Squid 3, (remember to use --enable-esi with configure) and pages are composed fine (I use esi:include), but templates and fragments are not cached. Remember that your pages must have appropriate HTTP headers in order to make squid parsing it as ESI templates. I hope you are more lucky and will have your pages cached. Regards, Michal Pietrusinski Nitesh Naik napisa(a): Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
RE: [squid-users] Strange HTTP Header causing error message fromsquid to user
On Tue, 2005-03-08 at 13:17 +1300, Reuben Farrelly wrote: I'll put a request in Fedora Core bugzilla, for the maintainer to upgrade the package to -STABLE9.. reuben Wow. thanks. So this is safe? Has anyone looked into the security aspects of very badly implemented HTTP Headers (and their Servers)? - Squid did,on recent releases and now offers the squid admin. various choices : # TAG: relaxed_header_parser on|off|warn # In the default on setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous # what the sending application intended even if the message # is not correctly formatted. The messages is then normalized # to the correct form when forwarded by Squid. # # If set to warn then a warning will be emitted in cache.log # each time such HTTP error is encountered. # # If set to off then such HTTP errors will cause the request # or response to be rejected. # M.
Re: [squid-users] How to Squid-Websense
same here. Politics keep me from doing that. I still can't seem to get around this error. I have sent to Websense and am awaiting answer. sania maro [EMAIL PROTECTED] 03/08/05 06:00AM I personelly don't want to install the server policy or other websense components on the same box as the proxy server just because I have websense already running on a w2k3 machine. i don't want to change the architecture already implemented. Thanks fr your suggestion. --- Brett Lymn [EMAIL PROTECTED] wrote: On Mon, Mar 07, 2005 at 01:47:43PM -0500, Corey Tyndall wrote: I get the same error when entering in Filtering service IP addr. The Filtering Service provided does not support a remote plug-in. Select another Filtering Service. Any ideas?? Yes, install the policy server on the linux machine and push the policy to the linux machine. I am not entirely sure why you don't want to do this. At the risk of sounding like a Websense salesdroid, the Websense infrastructure is quite flexible and can be distributed quite well. You _can_ centralise your policy management and push the policy to the squid proxies. You _don't_ have to run the network agent on the same machine, you _can_ send your logs to the win2k machine. Why do you both insist on making the win2k box do everything when it does not need to? -- Brett Lymn Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com -- The contents of this e-mail (and any attachments) are confidential, may be privileged and may contain copyright material. You may only reproduce or distribute material if you are expressly authorized by us to do so. If you are not the intended recipient, any use, disclosure or copying of this email (and any attachments) is unauthorized. If you have received this e-mail in error, please notify the sender and immediately delete this e-mail and any copies of it from your system. ==
[squid-users] Store dir info
greetings looking at my store directory makes me think I should add another cache directory or increase the size your thoughts Store Directory Statistics: Store Entries : 4031124 Maximum Swap Size : 67107840 KB Current Store Swap Size: 60519440 KB Current Capacity : 90% used, 10% free Store Directory #0 (ufs): /Volumes/cache1/cache FS Block Size 4096 Bytes First level subdirectories: 16 Second level subdirectories: 256 Maximum Size: 67107840 KB Current Size: 60519440 KB Percent Used: 90.18% Filemap bits in use: 4027925 of 4194304 (96%) Filesystem Space in use: 62736716/244986264 KB (26%) Filesystem Inodes in use: 15684177/61246564 (26%) Flags: SELECTED Removal policy: lru LRU reference age: 21.84 days -j --- jeff donovan basd network operations (610) 807 5571 x41 AIM xtdonovan
Re: [squid-users] Did Anyone used ESI with squid ?
Hi Nitesh, I don't know if squid supports all ESI tags. I try to use only the basic esi:include tag and have problems. Could you, please, check, if esi:include works with your installation? If it works fine, you should see the page properly composed, and in the squid_installation/var/logs/access.log there should be entries, that the template and included pages where taken from the cache. I would be very gratefull if you could do that test. Regards, Michal Nitesh Naik napisa(a): Michal, Thanks for your suggestion. Changed parser to custom and used following sample ESI code. esi:assign name=test_string value=This is test/ esi:vars $(test_string) /esi:vars Its Working perfectly fine. Is squid not supporting all ESI tags ? Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: Nitesh Naik [EMAIL PROTECTED] Cc: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:57 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, It looks like the header is ok, since ESI processing started. I also had problems with parser 'libxml2' - it was constantly reporting some parsing errors even on simple pages which were validated with W3C validator. So finally I changed to 'custom' and 'expat' parsers. I suggest you first try some really simple ESI constructs with 'custom' parser. Regards, Michal Nitesh Naik napisa(a): Dear Michal, Thanks for your reply. Let me send you some more information about settings that I am using. We are using squid squid-3.0-PRE3-20041220 for parsing ESI. squid is compiled with esi ( --enable-esi ) but for some reason esi is not getting parsed and we get following error in the browser. The following error was encountered: ESI Processing failed. The ESI processor returned: esiProcess: Parse error at line 2: junk after document element This means that: The surrogate was not able to process the ESI template. Please report this error to the webmaster ESI example used esi:assign name=date_string value=$strftime($time(), '%a, %d %B %Y %H:%M:%S %Z')/ esi:vars $(date_string) /esi:vars squid.conf settings httpd_accel_surrogate_id unset-id http_accel_surrogate_remote on esi_parser libxml2 cache_peer xyz.com parent 80 0 no-query originserver Apache configuration at origin server Directory /esi/ Header add Surrogate-Control max-age=60,content=ESI/1.0 ExpiresActive On ExpiresByType text/html now plus 1 minutes /Directory When we hit origin server the Surrogate-Control is added to header HTTP/1.1 200 OK Date: Fri, 04 Mar 2005 13:30:03 GMT Surrogate-Control: max-age=60,content=ESI/1.0 P3P: CP=NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC, policyref=/w3c/p3p.xml Last-Modified: Fri, 04 Mar 2005 12:50:06 GMT ETag: 13c8a1-133-4228597e Accept-Ranges: bytes Content-Length: 307 Connection: close Content-Type: text/html Regards Nitesh Naik - Original Message - From: Michal Pietrusinski [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Tuesday, March 08, 2005 5:26 PM Subject: Re: [squid-users] Did Anyone used ESI with squid ? Dear Nitesh, I'm also trying to use ESI with squid - I installed Squid 3, (remember to use --enable-esi with configure) and pages are composed fine (I use esi:include), but templates and fragments are not cached. Remember that your pages must have appropriate HTTP headers in order to make squid parsing it as ESI templates. I hope you are more lucky and will have your pages cached. Regards, Michal Pietrusinski Nitesh Naik napisa(a): Hi, I am having problem with configuring squid with ESI parsing. Did anyone implemented it ? Regards Nitesh Naik
RE: [squid-users] Store dir info
greetings looking at my store directory makes me think I should add another cache directory or increase the size Any specified store dir (size) will fill up in the end. Squid removed the oldest objects when needed. The question of the size needed : the average size of one week of web traffic generated by your users is a good rule of thumb. M.
[squid-users] no subject
Hi, I try to set up a squid reverse-proxy in front of a Lotus Notes Webmail and an IIS-webserver - two different machines in the same domain. squid.conf looks like this: https_port 443 cert=/usr/local/squid/cacert.pem key=/usr/local/squid/privkey.pem defaultsite=domino.oursite.de https_port 442 cert=/usr/local/squid/cacert.pem key=/usr/local/squid/privkey.pem defaultsite=iis.oursite.de cache_peer 10.0.1.1 parent 443 0 no-query proxy-only name=domino.oursite.de ssl sslflags=DONT_VERIFY_PEER cache_peer 10.0.1.2 parent 443 0 no-query proxy-only name=iis.oursite.de ssl sslflags=DONT_VERIFY_PEER acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl data dstdomain iis.oursite.de acl mails dstdomain domino.oursite.de #cache_peer_access domino.oursite.de deny data cache_peer_access domino.oursite.de allow all #cache_peer_access web-eins.ad.worldgames2005.de deny mails cache_peer_access web-eins.ad.worldgames2005.de allow all The idea is to forward requests for domino to the cache_peer 10.0.1.1. and requests for iis to the cache_peer 10.0.1.2. But EVERYTIME i change the cache_peer_access directiv to something other than allow all Squid aborts with the error assertion failed: cbdata.cc:402: c-locks 0 Changing the directive and restarting helps an squid works - but the second webserver cannot be reached. The error can be reproduced by activating the cache_peer_access-directive with a content other than allow all What's wrong ? How can i get it working? Any help is very much appreciated. Thanks, Michael __ Mit WEB.DE FreePhone mit hoechster Qualitaet ab 0 Ct./Min. weltweit telefonieren! http://freephone.web.de/?mc=021201
[squid-users] Squid aborts with cache_peer_access
Hi, I try to set up a squid reverse-proxy in front of a Lotus Notes Webmail and an IIS-webserver - two different machines in the same domain. squid.conf looks like this: https_port 443 cert=/usr/local/squid/cacert.pem key=/usr/local/squid/privkey.pem defaultsite=domino.oursite.de https_port 442 cert=/usr/local/squid/cacert.pem key=/usr/local/squid/privkey.pem defaultsite=iis.oursite.de cache_peer 10.0.1.1 parent 443 0 no-query proxy-only name=domino.oursite.de ssl sslflags=DONT_VERIFY_PEER cache_peer 10.0.1.2 parent 443 0 no-query proxy-only name=iis.oursite.de ssl sslflags=DONT_VERIFY_PEER acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl data dstdomain iis.oursite.de acl mails dstdomain domino.oursite.de #cache_peer_access domino.oursite.de deny data cache_peer_access domino.oursite.de allow all #cache_peer_access web-eins.ad.worldgames2005.de deny mails cache_peer_access web-eins.ad.worldgames2005.de allow all The idea is to forward requests for domino to the cache_peer 10.0.1.1. and requests for iis to the cache_peer 10.0.1.2. But EVERYTIME i change the cache_peer_access directiv to something other than allow all Squid aborts with the error assertion failed: cbdata.cc:402: c-locks 0 Changing the directive and restarting helps an squid works - but the second webserver cannot be reached. The error can be reproduced by activating the cache_peer_access-directive with a content other than allow all What's wrong ? How can i get it working? Any help is very much appreciated. Thanks, Michael __ Verschicken Sie romantische, coole und witzige Bilder per SMS! Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193
RE: [squid-users] child/parent cluster http 302 redirect query
On Tue, 8 Mar 2005, Danny Hallwood wrote: Could you hazard a guess as to how much effort would be required to transpose an ICP return into a HTTP 302 redirect message back to the client? For me at the very most about a day including testing. Probably half a day including testing. For someone somewhat experienced in C but who have never looked at the Squid sources but willing to learn maybe a week in worst case. Regards Henrik
Re: [squid-users] Strange HTTP Header causing error message from squid to user
On Tue, 8 Mar 2005, Mark Wiater wrote: So this is safe? Has anyone looked into the security aspects of very badly implemented HTTP Headers (and their Servers)? I have tried to analyze the impacts of each workaround implemented, but recommends relaxed_header_parser off for the security minded even if this makes a large number of web sites inaccessible, especially so if you are in a cache hierarchy with other proxy brands or versions. Regards Henrik
Re: [squid-users] Start error
On Tue, 8 Mar 2005, sasa wrote: Hi, I have installed Squid on FC with .rpm., but when I try to start Squid I have the following error: [EMAIL PROTECTED] root]# /etc/init.d/squid start init_cache_dir /var/spool/squid... /etc/init.d/squid: line 162: 1936 Abortito $SQUID -z -F -D 2/dev/null Avvio di squid: /etc/init.d/squid: line 162: 1937 Abortito$SQUID $SQUID_OPTS 2/dev/null [FALLITO] ..where I mistake ?? Usually a squid.conf error, in combination with the RedHat init script discarding any error messages given by Squid making you stumble in the dark.. /usr/sbin/squid -k parse Regards Henrik
Re: [squid-users] Blacklist for squirm
On Mar 7, 2005, at 11:32 PM, Awie wrote: Nevermind - I was able to download Berkeley DB v2.7.7 from SleepyCat and squidGuard complies now. Bryan Bryan, squidguard 1.2.0 works better with Berekely DB v3.2.9, you may be able to use 2.7.7 loading blacklists into memory for each redirector, which takes forever. Using 3.2.9 will allow you much better performance using pre-built database for blacklists -j Jeff, If you said that DB 3.2.9 is better (it should be) than 2.7.7. How is about using the latest version of BerkelyDB v4.3.27? Thx rgds, Awie I'm not sure. i was troubleshooting a problem a while back when i was running 2.7.7. SquidGuard 1.2 wouldn't read the pre-built data bases, then i found an obscure web site that listed 3.2.9 http://www.maynidea.com/squidguard/step-by-step.html So once i installed 3.2.9 and the 2 patches it worked better than ever. i have not tried 4.x.x --j OK. Thanks for your explain. Thx Rgds, Awie
Re: [squid-users] Squid aborts with cache_peer_access
On Tue, 8 Mar 2005 [EMAIL PROTECTED] wrote: But EVERYTIME i change the cache_peer_access directiv to something other than allow all Squid aborts with the error assertion failed: cbdata.cc:402: c-locks 0 This is a known defect in the current Squid-3 development sources. See bug #1201. What's wrong ? How can i get it working? The bug needs to get fixed. Regards Henrik
Re: [squid-users] Force users to accept a disclaimer before allowing access
On Mon, Mar 07, 2005 at 01:22:48PM -0500, Dave Inabinet wrote: I tried out IR from http://www.vanheusden.com/ir/ . It works great, however, if a user has a toolbar that queries the Internet for updates (Netcraft toolbar, etc.) the browser is the second request and the user is never redirected to the Disclaimer page. I don't want people to have to authenticate. I'm thinking I can use authentication but hide the credentials in a form. This way they HAVE to be authenticated before they can get anywhere. Then you might be interested in: http://www.nufw.org/ Cheers Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] Squid FTP server
Hi, D u n c a n... I need your help , i want to configure my box Fedora C-2 to allow users on windows machines to FTP using Internet Explorer. Basically i have tried with squid to ftp thru the browser and it keeps telling me that i have read only access.how can i configure squid to allow me to FTP across, i know its easier with IP fowarding but i am using iptables and those are much difficult to implement Browser configured to use proxy? Passive FTP enabled? Folder view for FTP disabled? These are common pitfalls in the crappy IE to use FTP through a proxy. If it's something different you need to provide more information. What's in the logs? What is the error message you get? Also what is the difference between IP forwarding and iptables? Are you using interception caching (which can't work with FTP)? Regards C h r i s t o p h -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
[squid-users] squid blocks all websites
Squid is blocking all websites, here's what IE tells me: ERROR The requested URL could not be retrieved The following error was encountered: Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. Your cache administrator is root. I've tried different acl configurations but here's what I'm using now #Recommended minimum configuration: acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl gchi src 192.168.70.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535 acl CONNECT method CONNECT http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access deny CONNECT http_access allow localhost http_access allow gchi http_access allow all http_access deny all --- Any help would be greatly appreciated! Bryan
Re: [squid-users] hide ip
On Tue, Mar 08, 2005 at 02:25:18PM +0200, Costas Zacharopoulos wrote: Can I hide one of the ip's connecting to the proxy? How may I configure the proxy to do that ? Hide like what? Where does the IP appear where you don't want it to? Regards Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
[squid-users] FW: squid blocks all websites
My acl was pasted incorrectly, here it is: acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl gchi src 192.168.70.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535 acl CONNECT method CONNECT http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access deny CONNECT http_access allow localhost http_access allow gchi http_access allow all http_access deny all -Original Message- From: Bryan Miles Sent: Tuesday, March 08, 2005 2:39 PM To: squid-users@squid-cache.org Subject: squid blocks all websites Squid is blocking all websites, here's what IE tells me: ERROR The requested URL could not be retrieved The following error was encountered: Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. Your cache administrator is root. I've tried different acl configurations but here's what I'm using now #Recommended minimum configuration: acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl gchi src 192.168.70.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535 acl CONNECT method CONNECT http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access deny CONNECT http_access allow localhost http_access allow gchi http_access allow all http_access deny all --- Any help would be greatly appreciated! Bryan
Re: [squid-users] squid blocks all websites
On Tue, Mar 08, 2005 at 02:38:53PM -0500, Bryan Miles wrote: Squid is blocking all websites [...] acl localhost src 127.0.0.1/255.255.255.255 acl gchi src 192.168.70.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535 acl CONNECT method CONNECT http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access deny CONNECT http_access allow localhost http_access allow gchi http_access allow all http_access deny all First you allow only a few IPs, then you allow IPs and finally you deny everyone? That doesn't make much sense. Please read on ACLs in the documentation. If you are still denied access then set debug_options ALL,1 33,2 in your squid.conf, restart squid and watch the cache.log. Regards Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
RE: [squid-users] squid blocks all websites
It didn't make sense to me either, my initial configuration didn't look like that. After trying unsuccessfully to make it work, I followed an example I saw online at http://www.uniforum.ch.il.us/slides/squid/sld030.htm I'll go back over the material, thanks for the suggestion. Bryan -Original Message- From: Christoph Haas [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 08, 2005 2:47 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] squid blocks all websites On Tue, Mar 08, 2005 at 02:38:53PM -0500, Bryan Miles wrote: Squid is blocking all websites [...] acl localhost src 127.0.0.1/255.255.255.255 acl gchi src 192.168.70.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535 acl CONNECT method CONNECT http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access deny CONNECT http_access allow localhost http_access allow gchi http_access allow all http_access deny all First you allow only a few IPs, then you allow IPs and finally you deny everyone? That doesn't make much sense. Please read on ACLs in the documentation. If you are still denied access then set debug_options ALL,1 33,2 in your squid.conf, restart squid and watch the cache.log. Regards Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] MRTG or RRD for Squid monitoring
Check out www.cacti.net to graph squid usage. On Sat, 5 Mar 2005 23:05:48 -0800 (PST), Babs [EMAIL PROTECTED] wrote: Hi Thanx a log for ur valuable suggestion, will try that and get back to u all regards Babs --- Christoph Haas [EMAIL PROTECTED] wrote: On Sat, Mar 05, 2005 at 06:17:31AM -0800, Babs wrote: Does squid needs MRTG for monitoring if I plan to use RRDTools? RRDTools is just the backend to store those data. MRTG graphs them. You may perhaps want to take a look at Cricket (cricket.sf.net) which is another tool that uses RRDTools and is suited better for heavier monitoring tasks. (Templates for Squid/Cricket at http://workaround.org) Regards Christoph -- ~ ~ .signature [Modified] 3 lines --100%-- 3,41 All __ Celebrate Yahoo!'s 10th Birthday! Yahoo! Netrospective: 100 Moments of the Web http://birthday.yahoo.com/netrospective/
Re: [squid-users] hide ip
On Tue, 8 Mar 2005, Christoph Haas wrote: On Tue, Mar 08, 2005 at 02:25:18PM +0200, Costas Zacharopoulos wrote: Can I hide one of the ip's connecting to the proxy? How may I configure the proxy to do that ? Hide like what? Where does the IP appear where you don't want it to? Perhaps Squid FAQ 4.17 What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW servers, and how can I stop it? url:http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17 You can see this header in action at http://marasystems.com/test/ Regards Henrik
[squid-users] Failed to select source for... Other websites
I inherited our squid so hope this makes sense. To start with, any experts who will accept PayPal donations are welcome to contact me directly. I think I need some help...at least a point in the right direction. We have squid in front of Zope (ZEO with 2 public clients) as caching and accelerator. We have a redirector written in python to bounce between the two clients. Occasionally the cache.log will show: 2005/03/08 14:13:26| Failed to select source for 'http://st.sageanalyst.net/tag-703.js' 2005/03/08 14:13:26| always_direct = 0 2005/03/08 14:13:26|never_direct = 1 2005/03/08 14:13:26|timedout = 0 2005/03/08 14:13:26| WARNING: redirector #2 (FD 7) exited That failed site has nothing to do with us. I have seen that with different names on occasion. And recently I have seen our main IP address with /robots.txt on the end and the same message. We have a robots.txt file so why can it not find it?? Would like to us a different redirector/load balancer either with or without squid. Considering Pound. Responses welcome here or directly and happy to provide more info. I have the squid book but so many parameters in the conf file its hard to decide how or what to change. Thanks Allen
Re: [squid-users] Failed to select source for... Other websites
On Tue, 8 Mar 2005, Allen Schmidt wrote: We have squid in front of Zope (ZEO with 2 public clients) as caching and accelerator. Ok. We have a redirector written in python to bounce between the two clients. Why a redirector? Squid has balancing already built in.. Admittedly simple, but still quite effective. Occasionally the cache.log will show: 2005/03/08 14:13:26| Failed to select source for 'http://st.sageanalyst.net/tag-703.js' 2005/03/08 14:13:26| always_direct = 0 2005/03/08 14:13:26|never_direct = 1 2005/03/08 14:13:26|timedout = 0 no live cache_peers where this could be forwarded, or no peers where this request were allowed to be forwarded. if these sites are not yours then most likely someone tried to use your accelerator as a general purpose proxy. See access.log. it is recommended to set up http_access to only allow reuqests to your published servers using the dstdomain acl. This will stop these requests proper, avoiding the failed to select source clutter in your cache.log. 2005/03/08 14:13:26| WARNING: redirector #2 (FD 7) exited This is worse.. looks like your redirector is not entirely stable. but limiting access to your sites only in http_access may help, as this also limits what gets sent to your redirector. And recently I have seen our main IP address with /robots.txt on the end and the same message. We have a robots.txt file so why can it not find it?? Most likely your forwarding policies or redirector does not account for requests by IP. Regards Henrik
[squid-users] invalidate cache
Hello I have a forum, I am caching the page that shows message list. I want to be able to programmaticaly invalidate the cache for this page when a user add a message. Is there any POST command i can send to squid to manually invalidate the cache from my code ? Regards, Tarek
Re: [squid-users] Squid aborts with cache_peer_access
On Tue, 8 Mar 2005 [EMAIL PROTECTED] wrote: I'm aware of the development status, but i would like to use client-certificates as a means of authentication and https-access to the backend servers without bothering about rewriting urls. From what i googled i understood that this is only possible with Squid-3. Also possible with the SSL update to Squid-2.5, and in fact more so than with Squid-3 at the moment.. (the SSL support in Squid-3 lags behind a little). Regards Henrik
Re: [squid-users] invalidate cache
On Tue, 8 Mar 2005, [ISO-8859-1] Tarek Ziadé wrote: I want to be able to programmaticaly invalidate the cache for this page when a user add a message. Is there any POST command i can send to squid to manually invalidate the cache from my code ? Squid FAQ 7.5 How can I purge an object from my cache? url:http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.5 Regards Henrik
Re: [squid-users] invalidate cache
Henrik Nordstrom wrote: On Tue, 8 Mar 2005, [ISO-8859-1] Tarek Ziadé wrote: I want to be able to programmaticaly invalidate the cache for this page when a user add a message. Is there any POST command i can send to squid to manually invalidate the cache from my code ? Squid FAQ 7.5 How can I purge an object from my cache? url:http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.5 Regards Henrik Thanks
Re: [squid-users] How to Squid-Websense
On Tue, Mar 08, 2005 at 09:50:46AM -0500, Corey Tyndall wrote: same here. Politics keep me from doing that. You have my commiserations but it seems ridiculous that you are not allowed to install the software in a configuration what works I suppose it's a great excuse to get ISA, that squid stuff just doesn't work, let's use ISA instead. I know that sense does not need to prevail - I am sorry for you. I still can't seem to get around this error. I have sent to Websense and am awaiting answer. Hopefully they can sort you out or at least give you some backing for getting the solution architected properly. I have found the Websense people to be very responsive. -- Brett Lymn
[squid-users] browser ACL regexs
Is there documentation for brower ACL regular expressions? Are spaces valid? Are the expressions limited to classic sed/awk style, or are they extended? How can I tell if squid was built to use GNU regexs or not? Thanks, -richard
RE: [squid-users] browser ACL regexs
... ... How can I tell if squid was built to use GNU regexs or not? % squid -v M.
Re: [squid-users] Did Anyone used ESI with squid ?
Michal,
Here is ESI code that I used .
table
tr
td colspan=2
esi:try
esi:attempt
esi:include src=http://www.yahoo.com/
/esi:attempt
esi:except
!--esi This spot is reserved for your company.s advertising. For more info
a href=www.yahoo.com click here /a --
/esi:except
/esi:try
/td /tr
/table
esi:assign name=date_string value=This is test/
esi:vars $(date_string) /esi:vars
In access log of squid I get following error.
1110289050.099 0 255.255.255.255 TCP_DENIED/403 0 GET
http://www.yahoo.com - NONE/- text/html
Enabled access to all in squid.conf now I am getting following error.
1110351386.705541 255.255.255.255 TCP_MISS/403 0 GET
http://www.yahoo.com - ANY_PARENT/originserver text/html
Is esi:vars$set_redirect('http://www.yahoo.com')/esi:vars works for you
?
Regards
Nitesh Naik
- Original Message -
From: Michal Pietrusinski [EMAIL PROTECTED]
To: Nitesh Naik [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Tuesday, March 08, 2005 8:34 PM
Subject: Re: [squid-users] Did Anyone used ESI with squid ?
Hi Nitesh,
I don't know if squid supports all ESI tags. I try to use only the basic
esi:include tag and have problems.
Could you, please, check, if esi:include works with your installation?
If it works fine, you should see the page properly composed, and in the
squid_installation/var/logs/access.log there should be entries, that the
template and included pages where taken from the cache.
I would be very gratefull if you could do that test.
Regards,
Michal
Nitesh Naik napisa(a):
Michal,
Thanks for your suggestion.
Changed parser to custom and used following sample ESI code.
esi:assign name=test_string value=This is test/
esi:vars $(test_string) /esi:vars
Its Working perfectly fine. Is squid not supporting all ESI tags ?
Regards
Nitesh Naik
- Original Message -
From: Michal Pietrusinski [EMAIL PROTECTED]
To: Nitesh Naik [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Tuesday, March 08, 2005 5:57 PM
Subject: Re: [squid-users] Did Anyone used ESI with squid ?
Dear Nitesh,
It looks like the header is ok, since ESI processing started. I also had
problems with parser 'libxml2' - it was constantly reporting some
parsing errors even on simple pages which were validated with W3C
validator.
So finally I changed to 'custom' and 'expat' parsers.
I suggest you first try some really simple ESI constructs with 'custom'
parser.
Regards,
Michal
Nitesh Naik napisa(a):
Dear Michal,
Thanks for your reply.
Let me send you some more information about settings that I am using.
We are using squid squid-3.0-PRE3-20041220 for parsing ESI. squid is
compiled with esi ( --enable-esi ) but for some reason esi is not
getting
parsed and we get following error in the browser.
The following error was encountered:
ESI Processing failed.
The ESI processor returned:
esiProcess: Parse error at line 2: junk after document element
This means that:
The surrogate was not able to process the ESI template. Please report
this
error to the webmaster
ESI example used
esi:assign name=date_string value=$strftime($time(), '%a, %d %B %Y
%H:%M:%S %Z')/
esi:vars
$(date_string)
/esi:vars
squid.conf settings
httpd_accel_surrogate_id unset-id
http_accel_surrogate_remote on
esi_parser libxml2
cache_peer xyz.com parent 80 0 no-query originserver
Apache configuration at origin server
Directory /esi/
Header add Surrogate-Control max-age=60,content=ESI/1.0
ExpiresActive On
ExpiresByType text/html now plus 1 minutes
/Directory
When we hit origin server the Surrogate-Control is added to header
HTTP/1.1 200 OK
Date: Fri, 04 Mar 2005 13:30:03 GMT
Surrogate-Control: max-age=60,content=ESI/1.0
P3P: CP=NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC,
policyref=/w3c/p3p.xml
Last-Modified: Fri, 04 Mar 2005 12:50:06 GMT
ETag: 13c8a1-133-4228597e
Accept-Ranges: bytes
Content-Length: 307
Connection: close
Content-Type: text/html
Regards
Nitesh Naik
- Original Message -
From: Michal Pietrusinski [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Tuesday, March 08, 2005 5:26 PM
Subject: Re: [squid-users] Did Anyone used ESI with squid ?
Dear Nitesh,
I'm also trying to use ESI with squid - I installed Squid 3, (remember
to use --enable-esi with configure) and pages are composed fine (I use
esi:include), but templates and fragments are not cached.
Remember that your pages must have appropriate HTTP headers in order
to
make squid parsing it as ESI templates.
I hope you are more lucky and will have your pages cached.
Regards,
Michal Pietrusinski
Nitesh Naik napisa(a):
Hi,
I am having problem with configuring squid with ESI parsing. Did
anyone
implemented it ?
Regards
Nitesh Naik
