Re: [squid-users] Squid/LDAP_AUTH compilation errors for HPUX 11.23

2005-05-01 Thread Henrik Nordstrom
On Mon, 2 May 2005, Daniel Lim wrote:
> Hi,
> I am having problem compiling (i.e. make)  squid-2.5.STABLE7 with
> LDAP_AUTH for HPUX 11.23 on itanium platform
> I am using GNU Make 3.79.1, gcc  3.4.3 and openldap-2.2.24 installed
> for HPUX 11.23 on itanium.
> It failed at the ~helpers/basic_auth/LDAP directory with numerous 'ld:
> Unsatisfied symbol' errors, for example
> ld: Unsatisfied symbol "SSL_library_init" in file
> /usr/local/lib/hpux32/libldap.a[tls.o]
> ld: Unsatisfied symbol "SSL_accept" in file
> /usr/local/lib/hpux32/libldap.a[tls.o]
> ""   "   "

Your OpenLDAP is compiled with SSL support, but the linker did not 
automatically add the dependent SSL libraries.

After running configure, edit helpers/basic_auth/LDAP/Makefile and add 
-lssl -lcrypto after -lldap -llber

same thing in helpers/external_acl/ldap_group/Makefile.
Regards
Henrik


[squid-users] Squid/LDAP_AUTH compilation errors for HPUX 11.23

2005-05-01 Thread Daniel Lim
Hi,
I am having problem compiling (i.e. make)  squid-2.5.STABLE7 with
LDAP_AUTH for HPUX 11.23 on itanium platform
I am using GNU Make 3.79.1, gcc  3.4.3 and openldap-2.2.24 installed
for HPUX 11.23 on itanium.
It failed at the ~helpers/basic_auth/LDAP directory with numerous 'ld:
Unsatisfied symbol' errors, for example

ld: Unsatisfied symbol "SSL_library_init" in file
/usr/local/lib/hpux32/libldap.a[tls.o]
ld: Unsatisfied symbol "SSL_accept" in file
/usr/local/lib/hpux32/libldap.a[tls.o]
""   "   "

I have also tried on squid-2.5.STABLE9 but failed with similar errors.

If I compiled WITHOUT the LDAP_AUTH both STABLE7/9 worked (make)
successfully. I need the LDAP_AUTH for Novell NDS.

Can someone please shed light on this problem.

Thanks in advance.

Regards,
Daniel Lim
Sydney/Australia




Re: [squid-users] websites not working via squid

2005-05-01 Thread Henrik Nordstrom

On Thu, 28 Apr 2005, Joe Pukepail wrote:
> We have some users that are running into problems with a couple
> websites when accessing via squid:
> www.worldatwork.org and
> www.profitcents.com

Can you be a little more specific in what kind of problems is seen 
accessing these sites?

Anything in cache.log?
Anything relevant in access.log?
Regards
Henrik


Re: [squid-users] Downloads Slow down

2005-05-01 Thread Henrik Nordstrom
On Thu, 28 Apr 2005, Paulo Andre wrote:
> The problem is that they say that this happens at different intervals
> with various files, I know that this is a question that is very broad.
> But what could I start looking at to troubleshoot this?

First verify the networking of your Squid server
  - Cabling
  - Link speed negotiation with the switch
  - Interface statistics (Errors / Overruns etc)
Cabling should be good.
Links speed negotiation should indicate 100Mbps full duplex both on the 
server and the switch.

Interface statistics should show no errors or overruns.
Regards
Henrik


Re: [squid-users] access.log equivalent for server side

2005-05-01 Thread Henrik Nordstrom
On Wed, 20 Apr 2005, Thien Vu wrote:
> I'll take a look at it. I think it was to keep the format simpler
> because the majority of the acls are url_regexes. But I don't think
> this is the problem.

Most often the situation should be the reverse, with url_regex being the 
minority only used when none of all the other acl types is suitable.

> I haven't looked at how the ACLs are evaluated and if re-ordering them
> would help. Is this a worthwhile idea?

Only if you find that ACL processing is the bottleneck.
Regards
Henrik


Re: [squid-users] how to NOT ALLOW to forward proxy

2005-05-01 Thread Henrik Nordstrom
On Wed, 20 Apr 2005, Funieru Bogdan wrote:
>> themselves in the requests. However if the proxy
>> follows the RFC you
>> should be able to look for a Via:,  X-Forwarded-For:
>> or other proxy
>> generated request header line. But not all proxies
>> adds these request
>> headers.
>
> how can i do this ?? where can i find some info, and
> how does it work ?

See the req_header acl in squid-2.5.STABLE9 (appeared first in 
2.5.STABLE8, but broken there..)

> this is rather hard because i have a lot of users and
> to pass around the pass for each individual would be
> a really messy job

No one said it would be easy. But it is quite likely easier than try to 
identify all those kinds of proxies, many of which leaves no traces other 
than that you get requests from many different users from the same IP.

>> The final option is to run statistics, and look
>> closely at the traffic
>> from suspected users (preferably with the User-Agent
>> header preserved) to
>> judge if this traffic is reasonably from one person
>> or if there is many
>> persons behind this IP.
>
> this could work but what if there are users that just
> happen to download a demo in a day a demo of 400 mb...
> so this won't work as well

I didn't say you should base this on amount of data transferred. Not very 
relevant.

More relevant is if you see several different User-Agent headers in the 
same time period from the same IP, indicating that several different 
browser or OS versions/models are in use... or that you see concurrent 
traffic for very many different web sites in a pattern not realistic for a 
single human.

Regards
Henrik
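
The User-Agent check described in the reply above, as an added example that is not code from the thread or from Squid: it counts distinct User-Agent strings per client IP inside a sliding time window. The log layout (client IP, bracketed timestamp, quoted User-Agent), the sample lines, the 10-minute window and the threshold of 3 are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ip [dd/Mon/yyyy:HH:MM:SS +zzzz] "User-Agent"
LINE = re.compile(r'^(\S+) \[([^\]]+)\] "(.*)"$')

# Constructed sample lines (documentation addresses, invented traffic).
SAMPLE = """\
192.0.2.7 [01/May/2005:10:00:05 +0000] "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.7 [01/May/2005:10:01:40 +0000] "Mozilla/5.0 (X11; U; Linux i686) Gecko/20050414 Firefox/1.0.3"
192.0.2.7 [01/May/2005:10:03:12 +0000] "Opera/7.54 (Windows NT 5.0; U)"
192.0.2.8 [01/May/2005:10:00:09 +0000] "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.8 [01/May/2005:10:04:30 +0000] "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 [01/May/2005:08:00:00 +0000] "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.9 [01/May/2005:12:00:00 +0000] "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/125"
192.0.2.9 [01/May/2005:18:00:00 +0000] "Wget/1.9.1"
truncated line without a user agent
"""

def parse(lines):
    """Yield (ip, timestamp, user_agent); lines that do not match are skipped."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            ip, ts, ua = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ua

def shared_ips(lines, window=timedelta(minutes=10), threshold=3):
    """Return {ip: most distinct User-Agents seen inside any one window}."""
    per_ip = defaultdict(list)
    for ip, when, ua in parse(lines):
        per_ip[ip].append((when, ua))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({ua for _, ua in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(shared_ips(SAMPLE.splitlines()))
```

Only 192.0.2.7 is reported: 192.0.2.8 repeats one User-Agent, and 192.0.2.9 changes User-Agent over the day but never inside one window. A single machine can legitimately send more than one User-Agent, so the threshold needs tuning against real traffic.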


Re: [squid-users] Feeding a file to squid's storage without intruping the squid

2005-05-01 Thread Henrik Nordstrom
On Sun, 10 Apr 2005, Ali Nikneshan wrote:
> experimental protocol there), I want to transfer HOT OBJECT via this
> line and feed it to squid or another modified instance of squid which
> will be cache_peer to the main squid.

To me it sounds like it would be easier for you if this was not a Squid 
but just a simple HTTP server designed for the purpose coupled with a 
simple ICP server. Both knowing your hot object scheme.

But if you want to use Squid then I would suggest looking into the 
PushCache modified version of Squid.

  http://devel.squid-cache.org/
  http://www.pushcache.com/
Regards
Henrik


Re: [squid-users] ASP upload through Squid

2005-05-01 Thread Henrik Nordstrom
On Fri, 29 Apr 2005, Brett Simpson wrote:
> I have a site I'm trying to upload a pdf document to. It works fine if I 
> upload a file smaller than 90KB but anything larger times out through 
> Squid with a "cannot find server" error. If I go direct then the upload 
> works fine.  Any ideas on where the problem is?

Can you provide a playground for testing?
I suppose this is a POST form upload of a file?
Regards
Henrik


Re: [squid-users] transparent proxy + auth

2005-05-01 Thread Henrik Nordstrom
On Sun, 1 May 2005, Jon Newman wrote:
> I work as the lead developer for an ISP in Houston TX. I am developing a
> transparent bridge/filter/firewall for our customers where we map each
> customers IP/MAC/etc (and other information depending on the type of
> account and whats available to 'map' them) to their account,

For this IP based authentication works very well with Squid. All you need 
is a small helper querying your backend system for the current user name 
of the IP and you will get the user name in your logs for proper 
accounting. But as you note you then also will need to live with the 
limitation of not being able to identify individuals behind NAT or 
proxies.

As you are an ISP this usually isn't a limitation, but in an office 
environment it often is a noticeable limitation.

This said, the mentioned Cookie scheme is not without flaws either. It 
changes the web traffic flows in subtle manners to replicate the cookie, 
and there are a lot of applications out there that do not cope well with 
this. But most often these problems are not very visible unless you know 
where to look for them.

Regards
Henrik
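
A sketch of the "small helper" described in the reply above, as an added example that is not code from the thread or from Squid: Squid's external_acl interface sends one line per lookup carrying the client IP (%SRC), and the helper answers `OK user=<name>` or `ERR`. The SESSIONS table stands in for the ISP's backend; it, the helper path, the acl names and the function names are assumptions.

```python
#!/usr/bin/env python3
"""IP-to-user helper for Squid's external_acl interface (added example).

Assumed squid.conf wiring (helper path and acl names are hypothetical):
  external_acl_type ip_user ttl=30 %SRC /usr/local/bin/ip_user_helper.py
  acl known_customer external ip_user
  http_access allow known_customer
"""
import ipaddress
import sys

# Constructed stand-in for the backend that maps an IP to an account.
SESSIONS = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}

def lookup_user(ip, sessions=SESSIONS):
    """Return the account currently bound to this IP, or None."""
    try:
        key = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None              # malformed input never authenticates
    return sessions.get(key)

def answer(line, sessions=SESSIONS):
    """Turn one request line from Squid into one reply line."""
    fields = line.split()
    if len(fields) != 1:         # exactly one token (%SRC) is expected
        return "ERR"
    user = lookup_user(fields[0], sessions)
    # A name containing whitespace would split the reply into extra
    # tokens, so it is refused rather than emitted unescaped.
    if not user or any(ch.isspace() for ch in user):
        return "ERR"
    return "OK user=" + user

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()       # Squid waits on each reply; never buffer

if __name__ == "__main__":
    main()
```

The `ttl=30` in the assumed configuration is how long Squid caches each answer, so a reassigned address keeps its previous user name for up to that long.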


[squid-users] rproxy squid 2.5-stable9

2005-05-01 Thread Matt Benjamin
Squid folk (cc Henrik),
Sorry to bug, but...
Is there a version of the rproxy.patch that patches cleanly against 
Squid 2.5-STABLE9?

Thanks,
Matt
--
Matt Benjamin
The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI  48104
http://linuxbox.com
tel. 734-761-4689
fax. 734-769-8938
cel. 734-216-5309



[squid-users] Fw: logging

2005-05-01 Thread Chris Knipe
Hi,
I was just wondering quickly... Can squid log to pipes??? I want to log to an 
application to insert the logs in real time to a mysql database... Something 
similar to 'cronolog' that is used with Apache...

Thanks,
--
Chris.
"I love deadlines. I especially love the whooshing sound they make as they 
fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy' 



Re: [squid-users] transparent proxy + auth

2005-05-01 Thread Jon Newman
I work as the lead developer for an ISP in Houston TX. I am developing a
transparent bridge/filter/firewall for our customers where we map each
customers IP/MAC/etc (and other information depending on the type of
account and whats available to 'map' them) to their account, and using
that as 'authentication' for who they are. After they are mapped to their
account, we use a user/pass combo stored in an SQL database through a web
interface so that customers can select what kind of filtering/etc they
desire. The customers mapping is re-evaluated every 30 seconds or so
(through a background accounting daemon), to make sure that the correct
settings/firewall/etc are in place for 'their' IP(s) the account is
currently using (we update periodically because we have many customers
which are dynamic DSL which we map using their vp/vc pair info, and to
generally ensure people are configured correctly). It is still in the
final phases of development, but it all appears to be going well thus far
(after a few hiccups that had to be cured here and there, of course). By
keeping track of this information we can also see if any customers are
misconfigured, or connected to the network through our in-house web based
management software. Another nice benefit of this method that might be
something to consider. This works on a per-ip basis, so if you have
several customers connecting behind a NAT box or something similar, you
are out of luck as far as controlling each person independently.

Just thought I'd offer a perspective on what one company is doing to get
around these issues.

-Jon

-- 
Jon Newman ([EMAIL PROTECTED])
Technical Solutions Manager / Senior software Engineer
The Optimal Link (http://www.oplink.net)

>
>  This solution only works when there is a one-to-one
> mapping between users and ip addresses but imagine
> circumstances where all users have same ip addresses(
> e.g. terminal server users).
>
>  The definite solution to this problem is
> "cookie-based authentication" which is implemented by
> some commercial products like bluecoat ProxySG
> (http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
> and Novell BoarderManager
> (http://support.novell.com/techcenter/articles/cfa03332.html)
>
>
> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
>> On Sat, 30 Apr 2005, Varun wrote:
>>
>> >   Is it possible to have any sort of
>> > authentication with squid running as
>> > transparent proxy.
>>
>> Yes, but not the HTTP authentication.
>>
>> To make authentication in a transparent proxy you
>> need to figure out some
>> way of authenticating the user based on his IP. The
>> external_acl interface
>> of Squid-2.5 or later allows you to plug this into
>> Squid.
>>
>> Regards
>> Henrik
>>





Re: [squid-users] transparent proxy + auth

2005-05-01 Thread Henrik Nordstrom
On Sun, 1 May 2005, S.M.H. Hamidi wrote:
> This solution only works when there is a one-to-one
> mapping between users and ip addresses but imagine
> circumstances where all users have same ip addresses(
> e.g. terminal server users).
> The definite solution to this problem is
> "cookie-based authentication" which is implemented by
> some commercial products like bluecoat ProxySG
> (http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
> and Novell BoarderManager 
> (http://support.novell.com/techcenter/articles/cfa03332.html)

This is doable as well, using the exact same mechanism.
But you probably want to extend Squid slightly to filter out that cookie 
on the forwarded requests to not leak session information to the web 
servers.

Regards
Henrik
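
What filtering out that cookie amounts to, as an added example that is not code from the thread or from Squid: the proxy's own session cookie is removed from the Cookie header before the request is forwarded, while the site's cookies pass through untouched. The cookie name PROXYAUTH, the function name and the sample headers are assumptions.

```python
# Constructed request headers as (name, value) pairs. The first Cookie
# header mixes the proxy's cookie with the site's own; the second
# carries only the proxy's cookie.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("Cookie", "lang=en; PROXYAUTH=abc123; XPROXYAUTH=keep; note=PROXYAUTH=x"),
    ("cookie", "PROXYAUTH=abc123"),
    ("Accept", "*/*"),
]

def strip_proxy_cookie(headers, cookie_name="PROXYAUTH"):
    """Return the headers to forward, without the proxy's session cookie.

    Matching is on the exact cookie name, not a substring, so a site
    cookie whose name or value merely contains the string survives.
    """
    forwarded = []
    for name, value in headers:
        if name.lower() != "cookie":
            forwarded.append((name, value))
            continue
        kept = []
        for pair in value.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            key = pair.split("=", 1)[0].strip()
            if key != cookie_name:       # cookie names are case-sensitive
                kept.append(pair)
        if kept:
            forwarded.append((name, "; ".join(kept)))
        # A Cookie header left empty is dropped instead of sent blank.
    return forwarded

if __name__ == "__main__":
    for name, value in strip_proxy_cookie(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```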


Re: [squid-users] transparent proxy + auth

2005-05-01 Thread S.M.H. Hamidi

 This solution only works when there is a one-to-one
mapping between users and ip addresses but imagine
circumstances where all users have same ip addresses(
e.g. terminal server users).

 The definite solution to this problem is
"cookie-based authentication" which is implemented by
some commercial products like bluecoat ProxySG
(http://www.bluecoat.com/downloads/support/BCS_tb_enabling_transparent_auth.pdf)
and Novell BoarderManager
(http://support.novell.com/techcenter/articles/cfa03332.html)


--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Sat, 30 Apr 2005, Varun wrote:
> 
> >   Is it possible to have any sort of
> > authentication with squid running as
> > transparent proxy.
> 
> Yes, but not the HTTP authentication.
> 
> To make authentication in a transparent proxy you
> need to figure out some 
> way of authenticating the user based on his IP. The
> external_acl interface 
> of Squid-2.5 or later allows you to plug this into
> Squid.
> 
> Regards
> Henrik
> 



Re: [squid-users] Squid hangs up ! :[

2005-05-01 Thread Khawar Nehal
I think the problem is with how logrotate restarts squid.

Please do the following.

Change logrotate restart procedure to killall -9 squid and
then /etc/rc.d/init.d/squid restart 

Please inform back the results.


Maybe not a squid problem.


On Wed, 2005-04-27 at 19:58 +0200, kamil kapturkiewicz wrote:
> hello
> 
> its me again.
> 
> i wrote the same problem a several days ago, now i have logs and still 
> dont have any idea how to solve problem.
> 
> my problem is: squid hangs up unexpectedly.
> 
> squid works fine for ex. two days or several hours. there is nothing in 
> syslog or messages, also i think in cache.log. i think problem is in 
> logs rotating, even if logfile_rotate 0. squid made files called 
> cache.log.00 then cache.log.00.clean and then hangs up.
> 
> http://rox.us/~horizn/logs.tar.bz2 <- my squid.conf and logs from squid 
> for analyse by someone who knows whats the problem.
> 
> my compilation:
> 
> --prefix=/usr/local/squid/ --enable-storeio=diskd,ufs,aufs 
> --enable-linux-netfilter --enable-underscores --enable-removal-policies 
> --enable-cache-digests --enable-icmp --enable-poll --enable-htcp 
> --enable-carp --enable-delay-pools --with-pthreads --enable-internal-dns
> --enable-err-language=Polish --enable-ssl 
> --with-openssl=/usr/local/openssl --with-dl --with-aio 
> --enable-large-files --enable-useragent-log --enable-http-violations 
> --enable-arp-acl --enable-referer-log --enable-wccp 
> --disable-ident-lookups --disable-hostname-checks --enable-async-io=160 
> --enable-truncate
> 
> system: slackware 10.0
> kernel 2.4.30
> cache filesystem is reiserfs.
-- 
Best Regards, 

Khawar Nehal
