[squid-users] Making ACL for an IP range
Hello :-)

That's my first mailing list posting, but I hope I'll get the basics soon. Please excuse my poor English.

The problem I'm trying to solve is how to make an ACL respond for a range of IPs (not the whole subnet). If I wanted the ACL to respond for the whole subnet I would use CIDR or dotted notation like:

acl mynetwork src 192.168.1.1/255.255.255.0

or

acl mynetwork src 192.168.1.1/24

I want that acl 'mynetwork' to respond only for IPs 192.168.1.30 - 192.168.1.47 (for example). That is not a subnetwork and can't be done via the examples above. So can I use a (from IP) (to IP) range in squid.conf, and what is the exact syntax? I haven't seen anything like that in the online documentation, but that doesn't mean it doesn't exist :-)

Greetings,
Ivan Petrushev.
- http://host.GBG.bg -
Re: [squid-users] external_acl_type with http request header question
On Mon, 9 May 2005, Ryan Lamberton wrote:

> Sorry, I had:
>
> external_acl_type propel_header_auth %{Hdr:member} /etc/squid/ident.sh x-pun:user
> acl propel_header_auth ident REQUIRED
> http_access allow propel_header_auth

You need an acl using the external_acl_type..

acl propel_header_auth external propel_header_auth

After this acl has been evaluated in http_access you may use ident acls to match specific user names if desired. You should not use an ident acl otherwise.

Regards
Henrik
Re: [squid-users] Making ACL for an IP range
Dear Ivan

For an IP to IP you can define as follows:

acl pc1 src 192.168.1.30/255.255.255.255
http_access allow pc1
acl pc2 src 192.168.1.31/255.255.255.255
http_access allow pc2

regards
Maham
Pakistan

On 5/10/05, Ivan Petrushev [EMAIL PROTECTED] wrote:

> Hello :-)
>
> That's my first mailing list posting, but I hope I'll get the basics soon. Please excuse my poor English.
>
> The problem I'm trying to solve is how to make an ACL respond for a range of IPs (not the whole subnet). If I wanted the ACL to respond for the whole subnet I would use CIDR or dotted notation like:
>
> acl mynetwork src 192.168.1.1/255.255.255.0
>
> or
>
> acl mynetwork src 192.168.1.1/24
>
> I want that acl 'mynetwork' to respond only for IPs 192.168.1.30 - 192.168.1.47 (for example). That is not a subnetwork and can't be done via the examples above. So can I use a (from IP) (to IP) range in squid.conf, and what is the exact syntax? I haven't seen anything like that in the online documentation, but that doesn't mean it doesn't exist :-)
>
> Greetings,
> Ivan Petrushev.
> - http://host.GBG.bg -
Re: [squid-users] Making ACL for an IP range
acl vip src 192.168.1.1-192.168.1.10/255.255.255.255
http_access allow vip
http_access deny all

> Dear Ivan
>
> For an IP to IP you can define as follows:
>
> acl pc1 src 192.168.1.30/255.255.255.255
> http_access allow pc1
> acl pc2 src 192.168.1.31/255.255.255.255
> http_access allow pc2
>
> regards
> Maham
> Pakistan
>
> On 5/10/05, Ivan Petrushev [EMAIL PROTECTED] wrote:
>
>> Hello :-)
>>
>> That's my first mailing list posting, but I hope I'll get the basics soon. Please excuse my poor English.
>>
>> The problem I'm trying to solve is how to make an ACL respond for a range of IPs (not the whole subnet). If I wanted the ACL to respond for the whole subnet I would use CIDR or dotted notation like:
>>
>> acl mynetwork src 192.168.1.1/255.255.255.0
>>
>> or
>>
>> acl mynetwork src 192.168.1.1/24
>>
>> I want that acl 'mynetwork' to respond only for IPs 192.168.1.30 - 192.168.1.47 (for example). That is not a subnetwork and can't be done via the examples above. So can I use a (from IP) (to IP) range in squid.conf, and what is the exact syntax? I haven't seen anything like that in the online documentation, but that doesn't mean it doesn't exist :-)
Re: [squid-users] no_cache or always_direct ?
On 10.05 17:02, D E Radel wrote:

> We wish to cache all internet websites but not our local webservers. We have a lot of students with their own webpages which are modified frequently and do not wish to run into problems with .asp and old versions of pages in the cache.

There will only be a problem if you:

1. misconfigure the proxy server (force it to cache something even if it is not to be cached)
2. misconfigure the web server or scripts to produce invalid headers.

The first should not happen, unless you'll play with refresh_pattern etc. If the second makes problems, fix the server or scripts, otherwise many people will have problems even without using your proxy.

> Which is the better option: no_cache or always_direct ?

always_direct is about parent proxies, not about caching.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
[squid-users] Access denied
Since a few weeks we have a strange effect on one of our two squids (2.5 stable3).

We start Internet Explorer and try to open a URL on the internet. In result I get the authentication window (we authenticate against Lotus Notes via LDAP). I type in the correct username/password and get the result:

Error
The requested URL could not be retrieved
While trying to retrieve the URL: http://
The following error was encountered:
* Access denied.
Access control configuration prevents your request from being allowed at this time...

The funny thing is that if I press F5 it will load the page. This error appears only one time for each newly opened browser window, but it doesn't appear every time.

Usually the Notes server writes a message to the console if there was an authentication with a bad password, but in this case there is no notice, so I think squid does not ask Notes at this point, or it asks and finds the password correct (most likely).

Any ideas?

Kind regards
Stefan Vogel
Re: [squid-users] external_acl_type with http request header question
Still not working... OK, I have:

external_acl_type propel_header_auth %{Hdr:member} /etc/squid/ident.sh x-pun:user
# Is the %{Hdr:member} exactly what I need there? And is x-pun:user needed on the end (x-pun is the header name)? How is the header looked up and passed to the ident.sh program?

acl propel_auth external propel_header_auth x-pun
# I assume I need something on the end - is the header name correct or should it be user or REQUIRED?

http_access allow propel_auth
http_access deny all
# How do I make this required?

I can run ident.sh and it works like it should, and I see there are 5 processes started using ps -ax, so I know squid is looking at it.

Thank You for your help!

Ryan Lamberton

----- Original Message -----
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Ryan Lamberton [EMAIL PROTECTED]
Cc: Henrik Nordstrom [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Monday, May 09, 2005 11:15 PM
Subject: Re: [squid-users] external_acl_type with http request header question

> On Mon, 9 May 2005, Ryan Lamberton wrote:
>
>> Sorry, I had:
>>
>> external_acl_type propel_header_auth %{Hdr:member} /etc/squid/ident.sh x-pun:user
>> acl propel_header_auth ident REQUIRED
>> http_access allow propel_header_auth
>
> You need an acl using the external_acl_type..
>
> acl propel_header_auth external propel_header_auth
>
> After this acl has been evaluated in http_access you may use ident acls to match specific user names if desired. You should not use an ident acl otherwise.
>
> Regards
> Henrik
Re: [squid-users] Memory Utilization high and Squid is slow
On 10.05 05:38, Rahul Sinha wrote:

> My squid proxy is very slow as compared to cacheflow which is configured as a failover. Also squid eats up memory ::
>
>              total       used       free     shared    buffers     cached
> Mem:          1001        983         18          0        108        294
> -/+ buffers/cache:        580        421
> Swap:         1027         28        999
>
> Free memory is only 18 MB out of 1 GB

The -/+ buffers/cache line is important. You see that 580 MB is used by processes and 421 is left for buffers, disk cache and unused. You see that you have enough memory.

> 19:45:14 up 10 days, 16:25, 3 users, load average: 1.06, 1.11, 1.08
> 100 processes: 98 sleeping, 2 running, 0 zombie, 0 stopped
> CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
>            total   25.4%    0.0%    2.6%   0.0%     0.0%    2.2%   69.5%
>            cpu00  100.0%    0.0%    0.0%   0.0%     0.0%    0.0%    0.0%
>            cpu01    0.0%    0.0%    2.5%   0.0%     0.0%    0.0%   97.4%
>            cpu02    1.9%    0.0%    7.7%   0.0%     0.0%    4.1%   86.0%
>            cpu03    0.0%    0.0%    0.3%   0.0%     0.0%    4.7%   94.8%
>
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>  1653 root      25   0   600   20     4 R    24.6  0.0 15344m   0 cmaperfd
> 29173 squid     15   0  214M 210M   840 S     3.5 21.0  11:27   2 squid

The %MEM by squid is 21.0, right. That is not much, and squid doesn't even eat all your CPU, so the problem will probably lie somewhere else, probably in disk I/O.

> Squid configuration is as follows::
>
> cache_swap_low 90
> cache_swap_high 92

Low difference for such a small cache size.

> cache_dir ufs /var/squid/cache 8000 18 256
> cache_dir ufs /usr/local/squid/var/cache 2000 5 256

Doesn't your cache eat too much space on the filesystem? Read http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.14

Also you should try aufs instead of ufs.

> memory_pools off

You should turn this on.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Fucking windows! Bring Bill Gates!" (Southpark the movie)
Re: Re: [squid-users] Making ACL for an IP range
Thanks for the comment :)

> Dear Ivan
>
> For an IP to IP you can define as follows:
>
> acl pc1 src 192.168.1.30/255.255.255.255
> http_access allow pc1
> acl pc2 src 192.168.1.31/255.255.255.255
> http_access allow pc2

But that would allow access only for two IPs. If I have to describe every IP in that way, imagine what my squid.conf would look like for about 40 IPs :) There has to be a shorter way.

Thanks again :)
- http://host.GBG.bg -
Re: Re: [squid-users] Making ACL for an IP range
Thanks for the comment :)

> http://squid.visolve.com/squid/squid24s1/access_controls.htm
>
> acl aclname src 172.16.1.25-172.16.1.35/32
>
> Ryan Lamberton
> FamiLink Company
> Family Safe Internet Access

That's exactly what I need :)

In that example, what is the purpose of the subnet mask? Does it have to match the subnet mask configured on the PCs over the network? Or is it only for determining the IP range parameters?
- http://host.GBG.bg -
Re: [squid-users] Access denied
Addition to my problem: in access.log the following entry occurs:

172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 403 1433 TCP_DENIED:NONE

After pressing F5 this line is added:

172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 200 32790 TCP_CLIENT_REFRESH_MISS:DIRECT

[EMAIL PROTECTED] wrote on 10.05.2005 09:20 to squid-users@squid-cache.org, subject [squid-users] Access denied:

> Since a few weeks we have a strange effect on one of our two squids (2.5 stable3).
>
> We start Internet Explorer and try to open a URL on the internet. In result I get the authentication window (we authenticate against Lotus Notes via LDAP). I type in the correct username/password and get the result:
>
> Error
> The requested URL could not be retrieved
> While trying to retrieve the URL: http://
> The following error was encountered:
> * Access denied.
> Access control configuration prevents your request from being allowed at this time...
>
> The funny thing is that if I press F5 it will load the page. This error appears only one time for each newly opened browser window, but it doesn't appear every time.
>
> Usually the Notes server writes a message to the console if there was an authentication with a bad password, but in this case there is no notice, so I think squid does not ask Notes at this point, or it asks and finds the password correct (most likely).
>
> Any ideas?
>
> Kind regards
> Stefan Vogel
Re: [squid-users] Making ACL for an IP range
Ivan Petrushev wrote:

> Thanks for the comment :)
>
>> http://squid.visolve.com/squid/squid24s1/access_controls.htm
>>
>> acl aclname src 172.16.1.25-172.16.1.35/32
>>
>> Ryan Lamberton
>> FamiLink Company
>> Family Safe Internet Access
>
> That's exactly what I need :)
>
> In that example, what is the purpose of the subnet mask? Does it have to match the subnet mask configured on the PCs over the network? Or is it only for determining the IP range parameters?

For determining the IP range squid lets through. It doesn't have to match the client's subnet.

Eg, I have a network of 10.0.0.0/16. Within that, there are VLANs of 10.0.0.0/24, 10.0.1.0/24, etc.

In squid, I just do

acl office_all src 10.0.0.0/255.255.0.0

and then

acl office0 src 10.0.0.0/255.255.255.0
acl office1 src 10.0.1.0/255.255.255.0

etc
Re: [squid-users] external_acl_type with http request header question
On Tue, 10 May 2005, Ryan Lamberton wrote:

> Still not working... OK, I have:
>
> external_acl_type propel_header_auth %{Hdr:member} /etc/squid/ident.sh x-pun:user
> # Is the %{Hdr:member} exactly what I need there? And is x-pun:user needed on the end (x-pun is the header name)? How is the header looked up and passed to the ident.sh program?

Then you should use %{x-pun}

The %{header:member} thing is if you for example want the cache-control max-age parameter value. The format is then %{Cache-control:max-age}

> acl propel_auth external propel_header_auth x-pun

You don't need any arguments in the acl unless you want these to be sent to the helper in addition to the format string details.

Regards
Henrik
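As an added illustration of the helper side of what Henrik describes (this is not Ryan's ident.sh and not code from the Squid project), here is a minimal external_acl_type helper. It assumes the definition `external_acl_type hdr_auth %{x-pun} /path/to/helper.py` with `acl propel_auth external hdr_auth` and no extra acl arguments, so each line Squid hands the helper carries only the x-pun header value; the helper path and the allow-list of users are constructed for the example. Squid URL-escapes the field values it sends, sends "-" for a missing header, and accepts an "OK" reply carrying `user=` so the authenticated name shows up in access.log; those protocol details are stated here as this example's assumptions.

```python
import sys
from urllib.parse import unquote

# Constructed allow-list standing in for whatever the real ident.sh consults.
KNOWN_USERS = {"alice", "bob"}


def decide(line):
    """Map one request line from Squid (the %{x-pun} value) to the helper's reply.

    Returns "OK user=<name>" for a known user and "ERR" otherwise, so an absent,
    empty or unknown header value denies rather than falls open.
    """
    value = unquote(line.strip())          # Squid %XX-escapes field values (assumption)
    if value in ("", "-"):                 # "-" is what Squid sends for a missing header (assumption)
        return "ERR"
    if value in KNOWN_USERS:
        return "OK user=%s" % value
    return "ERR"


def serve(instream=sys.stdin, outstream=sys.stdout):
    """Protocol loop: one request per line in, one reply per line out.

    Each reply is flushed immediately because Squid blocks on the answer for
    that lookup; buffering here would stall every request that hit this helper.
    """
    for line in instream:
        outstream.write(decide(line) + "\n")
        outstream.flush()


if __name__ == "__main__":
    serve()
```

The security property of this arrangement is entirely outside the helper: the x-pun header is request data, so the ACL is only as trustworthy as whatever puts that header on the request and stops clients from supplying their own (a front end that strips and re-sets it, or a network path on which only that front end can reach Squid). The helper itself should do what this one does, deny on anything it does not recognise, and never treat a missing value as a pass.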
FW: [squid-users] Puzzling permissions problem
Does anyone have any thoughts on my problem?

Anthony

-----Original Message-----
From: warren, anthony [mailto:[EMAIL PROTECTED]
Sent: 06 May 2005 11:28
To: squid-users@squid-cache.org
Subject: [squid-users] Puzzling permissions problem

Hi,

I have a problem with cache directory permissions.

What I am trying to do is run multiple instances of squid on a RHEL4 server, with squid configured to listen on different IP addresses and use the TCP_OUTGOING_ADDRESS config option, so I can apply different Websense policies based on the IP address.

I installed squid via RHEL's up2date RPM install procedure (to enable easy version updates). The default cache directory is /var/spool/squid

What I want to do is create the following structure:

Instance 1: Cache dir = /opt/secng/secngcache  Logs dir = /opt/secng/secnglogs
Instance 2: Cache dir = /opt/filtproxy/filtcache  Logs dir = /opt/filtproxy/filtlogs
Instance 3: Cache dir = /opt/ning/ningcache  Logs dir = /opt/ning/ninglogs

I am trying to get the secng instance working at the moment, but whenever I try to initialize the cache dir I get the following in /var/log/messages:

May 6 11:04:00 uranus squid[2930]: Squid Parent: child process 2947 exited due to signal 6
May 6 11:04:03 uranus squid[2930]: Squid Parent: child process 2952 started
May 6 11:04:03 uranus kernel: audit(1115373843.232:0): avc: denied { append } for pid=2952 exe=/usr/sbin/squid name=cache.log dev=sdb1 ino=10354692 scontext=root:system_r:squid_t tcontext=user_u:object_r:usr_t tclass=file
May 6 11:04:03 uranus kernel: audit(1115373843.233:0): avc: denied { append } for pid=2952 exe=/usr/sbin/squid name=access.log dev=sdb1 ino=10354693 scontext=root:system_r:squid_t tcontext=user_u:object_r:usr_t tclass=file
May 6 11:04:03 uranus (squid): Cannot open '/opt/secng/secnglogs/access.log' for writing. The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.
May 6 11:04:03 uranus squid[2930]: Squid Parent: child process 2952 exited due to signal 6
May 6 11:04:03 uranus squid[2930]: Exiting due to repeated, frequent failures

Now I have checked permissions all the way into the logs directory and from what I can see all is correct. To check this, I gave the squid user a shell, did an su squid, and then made my way into the correct directories and touched access.log and cache.log

Below is how the permissions are set up currently:

[EMAIL PROTECTED] filtproxy]# cd /opt
[EMAIL PROTECTED] opt]# ls -al
total 56
drwxr-xr-x   6 squid root   4096 Apr 20 15:51 .
drwxr-xr-x  23 root  root   4096 Apr 21 11:29 ..
drwxr-xr-x   4 squid root   4096 Apr 20 15:53 filtproxy
drwx------   2 squid root  16384 Apr 14 16:00 lost+found
drwxr-xr-x   4 squid root   4096 Apr 20 15:53 ning
drwxr-xr-x   4 squid squid  4096 Apr 20 15:52 secng
[EMAIL PROTECTED] secng]# ls -al
total 32
drwxr-xr-x   4 squid squid  4096 Apr 20 15:52 .
drwxr-xr-x   6 squid root   4096 Apr 20 15:51 ..
drwxr-xr-x   2 squid squid  4096 Apr 28 16:52 secngcache
drwxr-xr-x   2 squid squid  4096 Apr 22 11:17 secnglogs
[EMAIL PROTECTED] secng]#

Please can someone offer some advice, as it is driving me crazy and I am up against a fairly tight timescale to get this working.

Many thanks,
Anthony Warren
[squid-users] Blocking all IP sites
Can you guide me on how to block all dest-IP-based sites (no domain name), while name-based requests are still allowed? They overload my box and cause too much flood.

Thank you.
Winn
RE: [squid-users] Blocking all IP sites
Hi Winn

url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*

regards
Mukunthd

-----Original Message-----
From: Winn Rama [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 2:06 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Blocking all IP sites

> Can you guide me on how to block all dest-IP-based sites (no domain name), while name-based requests are still allowed? They overload my box and cause too much flood.
>
> Thank you.
> Winn
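A url_regex ACL is an unanchored search over the whole request URL, so the pattern has to say where the IP literal must appear. The following added example (not part of Mukunthd's reply, and not Squid code) runs the pattern posted above and an anchored variant over a few constructed URLs to show the difference: the posted pattern also matches a name-based request whose query string embeds an http://a.b.c.d URL, and a hostname that merely starts with four numeric labels. In squid.conf the anchored form would be used as `acl ip_literal url_regex ^http://[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?(/|$)` followed by `http_access deny ip_literal` (the acl name is this example's choice); `dstdom_regex`, which tests only the host part, is the other natural fit for "host is an IP literal".

```python
import re

# The pattern as posted in the thread: unanchored, and "*" permits empty octets.
POSTED = re.compile(r"http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")

# Anchored at the start of the URL, four non-empty octets, optional port, and the
# host must end there so "1.2.3.4.example.com" is not taken for an IP literal.
ANCHORED = re.compile(r"^http://[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?(/|$)")

# Constructed test URLs, each labelled with whether an "IP-literal only" rule
# should block it (True) or let it through as a name-based request (False).
SAMPLE_URLS = {
    "http://10.1.2.3/": True,
    "http://10.1.2.3:8080/index.html": True,
    "http://example.com/": False,
    "http://1.2.3.4.example.com/": False,
    "http://example.com/go?u=http://10.1.2.3/": False,
}


def blocked_by(pattern, url):
    """Squid's url_regex semantics: a match anywhere in the URL is a match."""
    return pattern.search(url) is not None


def false_positives(pattern, samples=SAMPLE_URLS):
    """Name-based requests the pattern would wrongly block."""
    return sorted(u for u, is_ip in samples.items()
                  if not is_ip and blocked_by(pattern, u))


def misses(pattern, samples=SAMPLE_URLS):
    """IP-literal requests the pattern would let through."""
    return sorted(u for u, is_ip in samples.items()
                  if is_ip and not blocked_by(pattern, u))


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name, "false positives:", false_positives(pat), "misses:", misses(pat))
```

Neither pattern catches IP literals written in other legal forms (hexadecimal or decimal-integer hosts, IPv6 in brackets), which is why a host-level test such as `dstdom_regex`, or rejecting anything that fails to look like a DNS name, is the more robust way to express "no raw-IP destinations".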
RE: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9
On Tue, 10 May 2005, Sally Huang wrote:

> Guess it is the same problem with Pawe Staszewski. Steven said he has found the solution and updated CVS. May I know where I can get the updated patch? Shall I download the whole squid src tagged with epoll-2.5 in squid CVS? Or, may I just download the newest squid2.5STABLE10 version, and apply the patch from http://devel.squid-cache.org/cgi-bin/diff2/epoll-2_5.patch?s2_5 ?

Either method is fine.

Regards
Henrik
Re: Re: [squid-users] Making ACL for an IP range
On Tue, 10 May 2005, Ivan Petrushev wrote:

> That's exactly what I need :)
>
> In that example, what is the purpose of the subnet mask? Does it have to match the subnet mask configured on the PCs over the network? Or is it only for determining the IP range parameters?

It specifies the size of the addresses specified. The same syntax is used for specifying ranges of networks. I.e. you can use

acl my_networks src 172.16.1.0-172.16.3.0/24

for matching the three 172.16.1-3.* networks.

Due to some odd logic in Squid wrt netmask size detection it is best to always specify the mask size (or netmask if you prefer). If you do not specify the mask size then Squid tries to guess, but it is not always right, especially so on ranges.

Regards
Henrik
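To make the semantics Henrik describes concrete, here is an added model (written for this page, not Squid's own parser) of how a `src` value of the form `low-high/mask` is matched: the mask is applied to both ends of the range and to the client address, so the value covers every address from low's network through high's network. It accepts the single-address, CIDR, dotted-netmask and range forms seen in this thread. Where no mask is given it assumes a /32 host, which is a deliberate simplification: the thread's point is that Squid guesses in that case, and the guess is not always what you meant.

```python
import ipaddress


def _parse_mask(mask):
    """Accept a prefix length ("24") or a dotted netmask ("255.255.255.0")."""
    if "." in mask:
        return int(ipaddress.IPv4Address(mask))
    bits = int(mask)
    if not 0 <= bits <= 32:
        raise ValueError("prefix length out of range: %s" % mask)
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF if bits else 0


def parse_src_value(spec):
    """Parse 'a.b.c.d', 'a.b.c.d/24', 'a.b.c.d/255.255.255.0' or 'low-high/mask'.

    Returns (low, high, mask) as integers, with the mask already applied to both
    ends of the range. No mask means /32 here (assumption, see lead-in).
    """
    if "/" in spec:
        addrs, mask = spec.rsplit("/", 1)
    else:
        addrs, mask = spec, "32"
    mask_int = _parse_mask(mask)
    if "-" in addrs:
        low_s, high_s = addrs.split("-", 1)
    else:
        low_s = high_s = addrs
    low = int(ipaddress.IPv4Address(low_s)) & mask_int
    high = int(ipaddress.IPv4Address(high_s)) & mask_int
    if low > high:
        raise ValueError("range start is above range end: %s" % spec)
    return low, high, mask_int


def src_matches(spec, client_ip):
    """True if client_ip falls inside the ACL value under the model above."""
    low, high, mask_int = parse_src_value(spec)
    client = int(ipaddress.IPv4Address(client_ip)) & mask_int
    return low <= client <= high


def acl_hosts(spec):
    """Number of addresses the value covers; a quick sanity check on a range."""
    low, high, mask_int = parse_src_value(spec)
    hosts_per_net = (0xFFFFFFFF ^ mask_int) + 1
    return ((high - low) // hosts_per_net + 1) * hosts_per_net


if __name__ == "__main__":
    # Ivan's 18 hosts written as a range, and Henrik's three /24 networks.
    for spec, ip in [("192.168.1.30-192.168.1.47/32", "192.168.1.40"),
                     ("192.168.1.30-192.168.1.47/32", "192.168.1.48"),
                     ("172.16.1.0-172.16.3.0/24", "172.16.3.200"),
                     ("172.16.1.0-172.16.3.0/24", "172.16.4.1")]:
        print("%-32s %-14s %s" % (spec, ip, src_matches(spec, ip)))
```

Running `acl_hosts` over a new ACL value before it goes into squid.conf is a cheap check that a range means what you think: `192.168.1.30-192.168.1.47/32` covers 18 hosts, while the same endpoints with `/24` would silently widen to the whole 192.168.1.0/24.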
Re: [squid-users]
On Mon, 9 May 2005, Matteo Villari wrote:

> I'm sorry for my simple questions but I'm going mad. I'm trying to force squid to give a fresh copy of a simple .htm page after an amount of time set by me. I set this pattern
>
> refresh_pattern \.htm$ 2 100% 3 ignore-reload override-lastmod reload-into-ims override-expire

Not sure what will happen if you use both ignore-reload and reload-into-ims... the first says reload should be ignored as if it was a plain GET request. The second says reloads should be converted into IMS queries to the web server...

Regards
Henrik
Re: [squid-users] Puzzling permissions problem
On Fri, 6 May 2005, warren, anthony wrote:

> May 6 11:04:03 uranus kernel: audit(1115373843.232:0): avc: denied { append } for pid=2952 exe=/usr/sbin/squid name=cache.log dev=sdb1 ino=10354692 scontext=root:system_r:squid_t tcontext=user_u:object_r:usr_t tclass=file

Permission error on cache.log, either a filesystem permission problem or perhaps a selinux permission/policy problem.

> May 6 11:04:03 uranus kernel: audit(1115373843.233:0): avc: denied { append } for pid=2952 exe=/usr/sbin/squid name=access.log dev=sdb1 ino=10354693 scontext=root:system_r:squid_t tcontext=user_u:object_r:usr_t tclass=file
> May 6 11:04:03 uranus (squid): Cannot open '/opt/secng/secnglogs/access.log' for writing. The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.

Same here but for access.log.

> Now I have checked permissions all the way into the logs directory and from what I can see all is correct.

What cache_effective_user are you using?

> To check this, I gave the squid user a shell, did an su squid, and then made my way into the correct directories and touched access.log and cache.log
>
> Below is how the permissions are set up currently:
>
> [EMAIL PROTECTED] filtproxy]# cd /opt
> [EMAIL PROTECTED] opt]# ls -al
> total 56
> drwxr-xr-x   6 squid root   4096 Apr 20 15:51 .
> drwxr-xr-x  23 root  root   4096 Apr 21 11:29 ..
> drwxr-xr-x   4 squid root   4096 Apr 20 15:53 filtproxy
> drwx------   2 squid root  16384 Apr 14 16:00 lost+found
> drwxr-xr-x   4 squid root   4096 Apr 20 15:53 ning
> drwxr-xr-x   4 squid squid  4096 Apr 20 15:52 secng
> [EMAIL PROTECTED] secng]# ls -al
> total 32
> drwxr-xr-x   4 squid squid  4096 Apr 20 15:52 .
> drwxr-xr-x   6 squid root   4096 Apr 20 15:51 ..
> drwxr-xr-x   2 squid squid  4096 Apr 28 16:52 secngcache
> drwxr-xr-x   2 squid squid  4096 Apr 22 11:17 secnglogs
> [EMAIL PROTECTED] secng]#

What permissions are set on the actual files?

Regards
Henrik
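The two `avc: denied` lines in Anthony's log already answer the question Henrik raises: the denial is an SELinux one, and `su squid` plus `touch` cannot reproduce it because a login shell does not run in the `squid_t` domain. The added example below (written for this page, not from the thread or from any SELinux tool) parses such a record into its fields and states what the context pair means. The sample is Anthony's cache.log line with the archive's line-wrap inside `name=cache.log` repaired.

```python
import re

# Anthony's first AVC record, whitespace repaired (constructed sample for this example).
SAMPLE_AVC = ("May 6 11:04:03 uranus kernel: audit(1115373843.232:0): avc: denied { append } "
              "for pid=2952 exe=/usr/sbin/squid name=cache.log dev=sdb1 ino=10354692 "
              "scontext=root:system_r:squid_t tcontext=user_u:object_r:usr_t tclass=file")

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "permissions": m.group("perms").split()}
    for kv in m.group("rest").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    return rec


def context_type(ctx):
    """Third field of user:role:type[:level] is the type the policy decides on."""
    return ctx.split(":")[2]


def explain(rec):
    """One-line diagnosis: which domain was refused which access to what label."""
    if rec is None or rec["verdict"] != "denied":
        return "not an AVC denial"
    subject = context_type(rec["scontext"])
    target = context_type(rec["tcontext"])
    return ("SELinux refused %s on %s '%s' labelled %s to domain %s; ownership and mode "
            "bits do not enter into this decision, only the file's label does"
            % (" ".join(rec["permissions"]), rec["tclass"], rec.get("name", "?"),
               target, subject))


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record)
    print(explain(record))
```

Here `tcontext` carries `usr_t`, the generic label directories created by hand under /opt inherit, while the policy for `squid_t` only permits writing to the types it labels Squid's default directories with (on a stock targeted policy `ls -Z /var/log/squid` and `ls -Z /var/spool/squid` show the expected types, typically `squid_log_t` and `squid_cache_t`; confirm on the box rather than assuming). The fix is to relabel the new log and cache directories to those types (`chcon -R -t <type> /opt/secng/secnglogs`, or a persistent file-context rule plus `restorecon -R` on releases that have `semanage fcontext`), not to loosen mode bits, which the `drwxr-xr-x squid squid` listing shows were never the problem.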
Re: [squid-users] Images not loading: access denied?
On Sat, 7 May 2005, Evan Roth wrote:

> Hello, I've got a very strange issue going on. For example, when I go to http://daveslongbox.blogspot.com/2005/05/force-works-3-marvel-comics-1994.html, I'm losing some of the images (sporadically on and off). Thus, http://photos1.blogger.com/img/198/4480/400/force%20works%20cover.jpg does not load... and when I select to 'view the image' directly in Firefox, I'm given an error message back from squid:
>
> While trying to retrieve the URL: http://127.0.0.1:8000/img/198/4480/400/force%20works%20cover.jpg

Are you perhaps using a redirector?

What did access.log say?

Regards
Henrik
Re: [squid-users] Access denied
On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Addition to my problem: in access.log the following entry occurs:
>
> 172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 403 1433 TCP_DENIED:NONE
>
> After pressing F5 this line is added:
>
> 172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 200 32790 TCP_CLIENT_REFRESH_MISS:DIRECT

Odd.

See Squid FAQ 10.9 "I set up my access controls, but they don't work! why?"
url: http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug
for instructions on how to get a more detailed view of what is going on here.

Regards
Henrik
[squid-users] How do I configure Squid forward all requests to another proxy?
In my squid.conf I put the same lines that the FAQ recommends, but when I put in my browser the name of the squid server, I can connect to the Web.

My squid.conf:

visible_hostname professor
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_mem 8 MB
http_port 8080
icp_port 0
»»» cache_peer server parent 8080 0 no-query no-digest default
»»» acl all src 0.0.0.0/0
»»» never_direct allow all
http_access allow all

Thanks

> On Mon, 9 May 2005 [EMAIL PROTECTED] wrote:
>
>> Hi,
>>
>> I need to redirect all the requests to another proxy, running on Windows 2003. I want to receive all the requests, filtering and forwarding to the other proxy, which is connected to the internet.
>>
>> (squid Linux (professor:8080) » proxy Windows 2003 (server:8080) » Web)
>
> See the Squid FAQ entry with the same name as your subject...
>
> http://www.squid-cache.org/Doc/FAQ/
>
> Regards
> Henrik

This message was sent using IMP, the Internet Messaging Program.
Re: [squid-users] Urgent Yahoo Error'unable to process request at this time -- error 999'
> i already have this rule in squid.conf see below.
>
> acl yahoo dstdomain .yahoo.com
> no_cache deny yahoo
> acl mycompany dstdomain mycompany.com
> no_cache deny mycompany
>
> Then I configured my machine's browser to proxy server ip 3128 port. I opened mycompany.com and tailed the /var/log/httpd/access.log. In logs it still showed me the proxy server ip.

Because you need to tell your -clients- that they should access the site directly

Joost
Re: [squid-users] Access denied
Hello,

I tried and get this in access.log

172.25.9.90 - - [10/May/2005:11:55:34 +0200] GET http://www.heise.de/ HTTP/1.1 407 1802 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] GET http://www.heise.de/ HTTP/1.1 403 1381 TCP_DENIED:NONE

and this in cache.log

2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED, because it matched 'inet_users'
2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED, because it matched 'all'
2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'

in squid.conf I have

http_access allow inet_users
...
http_access deny all
...

the acl inet_users is the ldap-group-helper, and of course I am in that group. I don't understand why there is ALLOWED because it matches ALL...

Regards
Stefan

Henrik Nordstrom [EMAIL PROTECTED] wrote on 10.05.2005 11:29 to [EMAIL PROTECTED], cc squid-users@squid-cache.org, subject Re: [squid-users] Access denied:

> On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:
>
>> Addition to my problem: in access.log the following entry occurs:
>>
>> 172.25.9.90 - vogels [10/May/2005:09:51:03 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 403 1433 TCP_DENIED:NONE
>>
>> After pressing F5 this line is added:
>>
>> 172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 200 32790 TCP_CLIENT_REFRESH_MISS:DIRECT
>
> Odd.
>
> See Squid FAQ 10.9 "I set up my access controls, but they don't work! why?"
> url: http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#acl-debug
> for instructions on how to get a more detailed view of what is going on here.
>
> Regards
> Henrik
[squid-users] cache machine specs
hi list

sorry, I'm going to ask a very dumb question, however I need you gurus' suggestions :)

we are going to order a new machine for a cache/proxy server (squid). we are already running cache servers, all on the Intel platform. This time we want to give a try to an AMD processor. what do you ppl think, which processor would be beneficial:

1) Athlon 32bit or 64bit?
2) Opteron?

As far as I can understand, I don't think 64 bit will significantly improve performance for cache/proxy servers. 64 bit is worth it only for computationally intensive tasks, imho. At least with ordinary working set sizes.

users to support: 250
pipe to internet: 2 mbit
users are dynamic, not corporate users, but dialup users.

I will appreciate if someone using AMD gives me suggestions which... processor to select + mobo + ram (3 gb would be enough?) + 3 x 36 gb (sata)?

Thanks and regards
Re: [squid-users] Access denied
On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> Hello,
>
> I tried and get this in access.log
>
> 172.25.9.90 - - [10/May/2005:11:55:34 +0200] GET http://www.heise.de/ HTTP/1.1 407 1802 TCP_DENIED:NONE
> 172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] GET http://www.heise.de/ HTTP/1.1 403 1381 TCP_DENIED:NONE
>
> and this in cache.log
>
> 2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED, because it matched 'inet_users'
> 2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
> 2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED, because it matched 'all'
> 2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
>
> in squid.conf I have
>
> http_access allow inet_users
> ...
> http_access deny all
> ...
>
> the acl inet_users is the ldap-group-helper, and of course I am in that group. I don't understand why there is ALLOWED because it matches ALL...

Don't worry, it's the http_reply_access check (hinted by "The reply for" in the debug message)

More interesting is the "The request GET http://www.heise.de/ is DENIED," line.. how is the acl all defined in your config?

Regards
Henrik
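The two access.log lines in this exchange show the distinction that matters when reading an authenticated proxy's log: the 407 with no user is the normal credentials challenge, while a 403 `TCP_DENIED` that already carries a user name means authentication succeeded and the http_access rules still rejected the request. The added example below (written for this page, not from the thread) parses lines in the httpd-style format shown here and labels each one that way; the sample is Stefan's two lines plus the successful refresh from his earlier message, taken as they appear in the archive (without the quotes the format normally puts around the request, which the pattern treats as optional).

```python
import re

# httpd-style access.log line, quotes around the request part optional.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)"? '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<result>\S+)'
)

# Sample lines from the thread (constructed sample set for this example).
SAMPLE_LOG = """\
172.25.9.90 - - [10/May/2005:11:55:34 +0200] GET http://www.heise.de/ HTTP/1.1 407 1802 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] GET http://www.heise.de/ HTTP/1.1 403 1381 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:09:53:11 +0200] GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html HTTP/1.1 200 32790 TCP_CLIENT_REFRESH_MISS:DIRECT
"""


def parse_line(line):
    """Return the log record as a dict (status as int), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Say what a deny means for the access configuration."""
    denied = rec["result"].startswith("TCP_DENIED")
    if rec["status"] == 407:
        return "auth-challenge"        # expected: proxy asks for credentials
    if denied and rec["user"] != "-":
        return "denied-after-auth"     # user is known, http_access still said no
    if denied:
        return "denied-anonymous"      # refused without ever authenticating
    return "allowed"


def summarize(log_text):
    """Count outcomes per (client, user, outcome) so an intermittent deny stands out."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["user"], classify(rec))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-14s %-8s %-18s %d" % (key + (n,)))
```

A `denied-after-auth` followed seconds later by an `allowed` for the same client, user and URL, as Stefan sees, points at the http_access evaluation rather than at the authenticator, which is exactly why the FAQ's acl debugging output is the next thing to look at.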
Re: [squid-users] squid wont start
On Mon, 9 May 2005, boricua wrote:

> something wrong happened to my squid that now it won't start, things were fine until I initialized the cache with webmin, and now it won't start under any circumstances

Quite likely there is some config error making your Squid very unhappy.

Try

/path/to/sbin/squid -k parse

If that works, try

/path/to/sbin/squid -DNYCd3

also remember to check cache.log for any hints.

Regards
Henrik
Re: [squid-users] How do I configure Squid forward all requests to another proxy?
On Tue, 10 May 2005 [EMAIL PROTECTED] wrote:

> In my squid.conf I put the same lines that the FAQ recommends, but when I put in my browser the name of the squid server, I can connect to the Web.

Can, or can not? If you can not, what error is seen? (remember to disable "Show friendly error messages" if using MSIE, if not you will be fumbling pretty much in the dark).

Regards
Henrik
Re: [squid-users] Getting valid ip address thru browser
On Tue, 10 May 2005, Rahul Sinha wrote:

> Hi,
>
> I'm trying to get the valid ip-address thru the proxy server using http://checkip.dyndns.org/ But it shows the private ip address of the machine.

This is because this web service is proxy aware and looks into the custom X-Forwarded-For header added by Squid. This is to help users using an ISP proxy or similar.

> How do I get the valid ip address using this URL..?

Hard, unless you configure Squid to NOT forward the internal IP address..

header_access X-Forwarded-For deny all

Regards
Henrik
[squid-users] NT authentication without joining the domain
Hi All, I am running into a curious problem that I was hoping you all would be able to help me with. I am troubleshooting a problem with a squid config where squid authenticates proxy users against active directory using NT authentication (re: NOT LDAP) and that machine isn't joined to the domain at all. It doesn't work now, but they insist it did work. Does anyone have docs on how to get squid to auth users without being joined to the domain first? Thanks!
Re: [squid-users] NT authentication without joining the domain
Hi,

At 15.50 10/05/2005, Discussion Lists wrote:

> Hi All,
>
> I am running into a curious problem that I was hoping you all would be able to help me with. I am troubleshooting a problem with a squid config where squid authenticates proxy users against active directory using NT authentication (re: NOT LDAP) and that machine isn't joined to the domain at all. It doesn't work now, but they insist it did work.

This is correct, but with many limitations:

- The AD domain must have "Pre-Windows 2000 Compatible Access" enabled
- The AD domain policies must not activate any security policy regarding traffic signing
- You must use the SMB NTLM authenticator or the MSNT basic authenticator
- You cannot check group membership
- NTLMv2 cannot be supported

> Does anyone have docs on how to get squid to auth users without being joined to the domain first?

See any docs about SMB and MSNT.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: Re: [squid-users] Making ACL for an IP range
It looks like that is what is needed to determine the IP range for the acl.

Ryan Lamberton

----- Original Message -----
From: Ivan Petrushev [EMAIL PROTECTED]
To: Ryan Lamberton [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Tuesday, May 10, 2005 12:48 AM
Subject: Re: Re: [squid-users] Making ACL for an IP range

> Thanks for the comment :)
>
>> http://squid.visolve.com/squid/squid24s1/access_controls.htm
>>
>> acl aclname src 172.16.1.25-172.16.1.35/32
>>
>> Ryan Lamberton
>> FamiLink Company
>> Family Safe Internet Access
>
> That's exactly what I need :)
>
> In that example, what is the purpose of the subnet mask? Does it have to match the subnet mask configured on the PCs over the network? Or is it only for determining the IP range parameters?
> - http://host.GBG.bg -
Re: [squid-users] Access denied
Hello, the ACL all is defined like acl all src 0.0.0.0/0.0.0.0 I have never changed anything with this ACL. What is funny is that we have two Squid boxes that are both configured the same, and only one has this problem. (And 3 weeks ago both were fine...) Regards Stefan

Henrik Nordstrom wrote on 10.05.2005 14:24: On Tue, 10 May 2005 [EMAIL PROTECTED] wrote: Hello, I tried and get this in access.log
172.25.9.90 - - [10/May/2005:11:55:34 +0200] GET http://www.heise.de/ HTTP/1.1 407 1802 TCP_DENIED:NONE
172.25.9.90 - vogels [10/May/2005:11:55:41 +0200] GET http://www.heise.de/ HTTP/1.1 403 1381 TCP_DENIED:NONE
and this in cache.log
2005/05/10 11:55:34| The request GET http://www.heise.de/ is DENIED, because it matched 'inet_users'
2005/05/10 11:55:34| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
2005/05/10 11:55:41| The request GET http://www.heise.de/ is DENIED, because it matched 'all'
2005/05/10 11:55:41| The reply for GET http://www.heise.de/ is ALLOWED, because it matched 'all'
in squid.conf I have http_access allow inet_users ... http_access deny all ... the acl inet_users is the ldap-group-helper, and of course I am in that group. I don't understand why there is ALLOWED because it matches ALL... Don't worry, it's the http_reply_access check (hinted by "The reply for" in the debug message). More interesting is the "The request GET http://www.heise.de/ is DENIED" line.. how is the acl all defined in your config? Regards Henrik
[squid-users] Forwarding loop messages
I'm using Squid to forward requests to Dansguardian as a parent cache peer. Then Dansguardian forwards the request back to the same Squid so I can get back out to the internet. This works when I use an always_direct allow localhost to avoid a routing loop between Squid and Dansguardian. However for every site I visit I get a WARNING forwarded loop detected in my cache logs. It's functional though. If I use always_direct shouldn't it bypass the cache altogether for the specific acl? Is there a way I can tell squid to not log these messages for this specific acl? Thanks, Brett
[squid-users] Squid and Italian Black List
Hi, I need your help with the use of black lists. I have tried to use those downloaded from the squidguard site and from squidblock but without success: first, they do not include many Italian sites (.it), and second, they are not updated much. Thanks. Salvatore.
RE: [squid-users] NT authentication without joining the domain
Hi, At 16.39 10/05/2005, Discussion Lists wrote: Awesome! Great info, thank you! Incidentally, I set it up with LDAP authentication just to see what would happen. It seems to recognize group membership under that scheme, but it always prompts me for a password (with msnt_auth it doesn't do that BTW. It just lets me directly into the website.), and it shouldn't be doing that. Any ideas on how to stop that? You can't do it: LDAP authentication uses the basic authentication scheme, as msnt_auth does. Only the SMB auth is an NTLM authentication scheme helper. Regards Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
[squid-users] Integrated Authentication
I'm still trying to force my users to be logged into the Active Directory with their workstation if they want to use the Internet proxy, with the user/password/domain popup authentication window request disabled on the proxy. As far as I understand, I have the following truths: - A proxy can authenticate an Active Directory user by using Integrated Windows Authentication, so no user/password/domain is requested and the Windows logon credentials are used; to do that it can use NTLM or Kerberos as authentication protocols. These protocols are used between the browser and the proxy. - MS ISA 2004 supports both (NTLM and Kerberos) authentication protocols - Squid supports only the NTLM authentication protocol - IE 6 supports the Kerberos authentication protocol, but it doesn't work if you are using a workstation with a Win9x/Me/NT operating system. So, because Squid only supports the NTLM authentication protocol, I can't disable the popup authentication to the AD on the proxy, nor disable it if I have workstations with a Win9x/Me/NT operating system on the net. Am I right? Thanks! ---BeginMessage--- Hi, I'm running samba3 and using the integrated NTLM authentication so our users get authenticated to the AD domain when they use their IE, without being asked for a username / password. If they aren't logged into the AD domain, a popup is opened in their browsers asking for their username / password. So, what I need is to disable this last option, forcing all users to be logged into the AD if they want to use the Internet. I'm using the ntlm_auth authentication helper; what can I do and how? Thanks! ---End Message---
Re: [squid-users] Cache isn't used
Matus UHLAR - fantomas wrote: You must allow manager from the machine where cachemgr.cgi runs, not where you connect to cachemgr.cgi - if you want to restrict requests for cachemgr.cgi, you must do that on httpd level. ..many thanks !! now it's all ok !! still thanks. Salvatore.
Re: [squid-users] Integrated Authentication
Hi, At 17.51 10/05/2005, fryxar wrote: I'm still trying to force my users to be logged into the Active Directory with their workstation if they want to use the Internet proxy, with the user/password/domain popup authentication window request disabled on the proxy. As far as I understand, I have the following truths: - A proxy can authenticate an Active Directory user by using Integrated Windows Authentication, so no user/password/domain is requested and the Windows logon credentials are used; to do that it can use NTLM or Kerberos as authentication protocols. These protocols are used between the browser and the proxy. - MS ISA 2004 supports both (NTLM and Kerberos) authentication protocols - Squid supports only the NTLM authentication protocol - IE 6 supports the Kerberos authentication protocol, but it doesn't work if you are using a workstation with a Win9x/Me/NT operating system. So, because Squid only supports the NTLM authentication protocol, I can't disable the popup authentication to the AD on the proxy, nor disable it if I have workstations with a Win9x/Me/NT operating system on the net. Am I right? Thanks! No, you are not right. Using the NTLM authentication scheme you can authenticate your DOMAIN clients (Win 9x, NT4, W2k, ...) logged in with a DOMAIN user without any prompt, using Squid or ISA Server. If you are logged in with a LOCAL user account, you will ALWAYS be prompted for username/password/domain with both Squid and ISA Server. Regards Guido - Guido Serassio Acme Consulting S.r.l. - Microsoft Certified Partner Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY Tel. : +39.011.9530135 Fax. : +39.011.9781115 Email: [EMAIL PROTECTED] WWW: http://www.acmeconsulting.it/
Re: [squid-users] Images not loading: access denied?
Hi there, thanks for the reply. no redirector in use. if i disable the proxy in the browser settings, the pictures will load. in access.log, i've got the following: 1115741495.718 8 192.168.0.101 TCP_NEGATIVE_HIT/403 1438 GET http://photos1.blogger.com/img/198/4480/400/Walker.jpg - NONE/- text/html which corresponds to the image at http://daveslongbox.blogspot.com/2005/05/mark-v-ewok-crusher.html Thanks again for the help... Evan Henrik Nordstrom wrote: On Sat, 7 May 2005, Evan Roth wrote: Hello, I've got a very strange issue going on. For example, when i go to http://daveslongbox.blogspot.com/2005/05/force-works-3-marvel-comics-1994.html, i'm losing some of the images (sporadically on and off). Thus, http://photos1.blogger.com/img/198/4480/400/force%20works%20cover.jpg does not load...and when i select to 'view the image' directly in firefox, i'm given an error message back from squid: While trying to retrieve the URL: http://127.0.0.1:8000/img/198/4480/400/force%20works%20cover.jpg Are you perhaps using a redirector? What did access.log say? Regards Henrik
[squid-users] 2.5STABLE9 Compile Error
On FreeBSD 4.10-STABLE (as of Dec 2nd) gcc version 2.95.4 20020320 [FreeBSD] I get the following error when compiling: source='stmem.c' object='stmem.o' libtool=no depfile='.deps/stmem.Po' tmpdepfile='.deps/stmem.TPo' depmode=gcc /bin/sh ../cfgaux/depcomp gcc -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\ -I. -I. -I../include -I. -I. -I../include -I../include -g -O2 -Wall -c `test -f stmem.c || echo './'`stmem.c stmem.c:70: conflicting types for `stmemFreeDataUpto' protos.h:863: previous declaration of `stmemFreeDataUpto' *** Error code 1 Any suggestions? -gvb
RE: [squid-users] Blocking all IP sites
-Original Message- From: Winn Rama [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 10, 2005 2:06 PM To: squid-users@squid-cache.org Subject: [squid-users] Blocking all IP sites Can you guide me how to block all dest IP based sites (no domain name), while name based requests are still allowed? They make my box overloaded and too much flood. Thank you. Winn -Original Message- From: Mukunthan D [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 10, 2005 12:52 AM To: 'Winn Rama'; squid-users@squid-cache.org Subject: RE: [squid-users] Blocking all IP sites Hi Winn url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* regards Mukunthd I don't know if it would be less processor intensive, but url_regex http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} would be more accurate. :o) Chris
Re: [squid-users] Blocking all IP sites
On 10.05 14:21, Mukunthan D wrote: url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* I'm not so sure that would deny requests for sites like 1.2.3.4.fantomas.sk -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Microsoft dick is soft to do no harm
Re: Re: [squid-users] I want to translate your program (squid) in French
I want to translate your program (squid) in French. We already have a French translation of the localised portions (the error pages). What else would you like to translate? Regards Henrik What do you like to translate? the file of configuration (squid.conf) I am not an English good thank you -- What would you like to translate? The configuration file (squid.conf). I am not good at English, thank you.
RE: [squid-users] Blocking all IP sites
-Original Message- From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 10, 2005 9:40 AM To: squid-users@squid-cache.org Subject: Re: [squid-users] Blocking all IP sites On 10.05 14:21, Mukunthan D wrote: url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* I'm not so sure that would deny requests for sites like 1.2.3.4.fantomas.sk The original request was: Can you guide me how to block all dest IP based sites (no domain name), while name based requests are still allowed? *shrug* In any case, the regex would block the domain you specified (1.2.3.4.fantomas.sk), as it (the regex) doesn't specify where the string would start or end... In all honesty, it would probably be better to use a dstdom_regex for the stated purpose, as then only the domain portion of the request would be compared to the regex, versus the whole url. Something like: dstdom_regex ip_based ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ would match IP based requests fairly narrowly. One could get even more specific, but that might require a pretty complex regular expression, and that's not something that you really want to do to reduce load. Chris
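To see the difference Chris and Matus describe between an unanchored url_regex over the whole URL and an anchored dstdom_regex over the host name only, here is an added Python check (not from the thread) that evaluates the three patterns quoted above against constructed sample requests:

```python
"""Added example (not from the thread): compare how Squid's url_regex and
dstdom_regex ACLs would treat the patterns proposed in the discussion."""
import re
from urllib.parse import urlsplit

# The three patterns quoted in the thread, copied here as constants.
URL_REGEX_STAR = re.compile(r"http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
URL_REGEX_BOUNDED = re.compile(r"http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
# Note: this still accepts out-of-range quads such as 999.1.1.1 and does not
# cover IPv6 literals; Chris deliberately keeps it simple to limit CPU cost.
DSTDOM_REGEX_ANCHORED = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")


def url_regex_matches(pattern, url):
    """url_regex is an unanchored search over the whole request URL."""
    return pattern.search(url) is not None


def dstdom_regex_matches(pattern, url):
    """dstdom_regex sees only the destination host (no scheme, port or path)."""
    host = urlsplit(url).hostname or ""
    return pattern.search(host) is not None


def classify(url):
    """Return (star url_regex, bounded url_regex, anchored dstdom_regex) verdicts."""
    return (url_regex_matches(URL_REGEX_STAR, url),
            url_regex_matches(URL_REGEX_BOUNDED, url),
            dstdom_regex_matches(DSTDOM_REGEX_ANCHORED, url))


# Constructed sample requests: a plain IP-literal site, one with a port, the
# host Matus raised, a name-based URL carrying an embedded IP URL in its query
# string (which fools the unanchored url_regex), and a plain name-based site.
SAMPLES = [
    "http://1.2.3.4/",
    "http://1.2.3.4:8080/index.html",
    "http://1.2.3.4.fantomas.sk/",
    "http://www.example.com/redirect?to=http://10.0.0.1/",
    "http://www.example.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        star, bounded, dom = classify(url)
        print(f"{url:55} url_regex(*)={star!s:5} url_regex(1-3)={bounded!s:5} dstdom_regex={dom}")
```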
Re: [squid-users] external_acl_type with http request header question
It works! Thank you! Just one more question (more in the programming area). The accelerator sends the username in base64. Can I use the ident.sh to convert it to English before echoing it back? If so, what would I use for the code to accomplish it? Thank you Ryan Lamberton - Original Message - From: Henrik Nordstrom [EMAIL PROTECTED] To: Ryan Lamberton [EMAIL PROTECTED] Cc: Henrik Nordstrom [EMAIL PROTECTED]; Squid Users squid-users@squid-cache.org Sent: Tuesday, May 10, 2005 1:31 AM Subject: Re: [squid-users] external_acl_type with http request header question On Tue, 10 May 2005, Ryan Lamberton wrote: Still not working...OK I have: external_acl_type propel_header_auth %{Hdr:member} /etc /squid/ident.sh x-pun:user # Is the %{Hdr:member} exactly what I need there? And is x-pun:user needed on the end (x-pun is the header name)? How is the header looked up and passed to the ident.sh program? Then you should use %{x-pun} The %{header:member} thing is if you for example want the cache-control max-age parameter value. The format is then %{Cache-control:max-age} acl propel_auth external propel_header_auth x-pun You don't need any arguments in the acl unless you want these to be sent to the helper in addition to the format string details. Regards Henrik
[squid-users] Blocking Yahoo Webmail
Hi list, I'm implementing a webmail block with a url_regex acl and keywords, but I cannot block Yahoo Webmail, even if I put the whole url in the block list. How can I do it? Thanks, Fabio G. Baptista
Re: [squid-users] Images not loading: access denied?
On Tue, 10 May 2005, Evan Roth wrote: Hi there, thanks for the reply. no redirector in use. if i disable the proxy in the browser settings, the pictures will load. in access.log, i've got the following: 1115741495.718 8 192.168.0.101 TCP_NEGATIVE_HIT/403 1438 GET http://photos1.blogger.com/img/198/4480/400/Walker.jpg - NONE/- text/html This is not the same image as you reported the problem on before.. Key question: Does access.log report the same strange URL as you see in the error message? If not, what entries in access.log is there which could be for that image? Is there perhaps more than one? Regards Henrik
Re: [squid-users] Images not loading: access denied?
Hi again, it's regardless which image i choose...i can go back to the original if you prefer. both are showing up the same in access.log, with the correct URL. I've only been able to reproduce this thus far from blogger.com. Thanks, Evan Henrik Nordstrom wrote: On Tue, 10 May 2005, Evan Roth wrote: Hi there, thanks for the reply. no redirector in use. if i disable the proxy in the browser settings, the pictures will load. in access.log, i've got the following: 1115741495.718 8 192.168.0.101 TCP_NEGATIVE_HIT/403 1438 GET http://photos1.blogger.com/img/198/4480/400/Walker.jpg - NONE/- text/html This is not the same image as you reported the problem on before.. Key question: Does access.log report the same strange URL as you see in the error message? If not, what entries in access.log is there which could be for that image? Is there perhaps more than one? Regards Henrik
Re: Re: [squid-users] I want to translate your program (squid) in French
On Tue, 10 May 2005, super-cool wrote: What do you like to translate? the file of configuration (squid.conf) Unfortunately we do not have a framework allowing for translations of squid.conf, and even less to keep it maintained. But if you have ideas on how this can be done then I am all ears. squid.conf is generated from cf.data.pre in the source distribution. I am not an English good thank you Many of us are not. I barely passed the english classes in school (grade 2 of 5, what in today's scale is barely approved). Regards Henrik
Re: [squid-users] external_acl_type with http request header question
On Tue, 10 May 2005, Ryan Lamberton wrote: It works! Thank you! Just one more question (more in the programming area). The accelerator sends the username in base64. Can I use the ident.sh to convert it to English before echoing it back? Yes. If so, what would I use for the code to accomplish it? I leave that as a programming exercise for you to solve. Shell scripts are not the most suitable for this kind of transformation and the shell helper should be seen mostly as an illustration, not as the ultimate solution. Redirector helpers for Squid are quite commonly written in perl, where this kind of transformation is rather trivial. Regards Henrik
Re: [squid-users] 2.5STABLE9 Compile Error
I am using the ports tree in FreeBSD (via make fetch) to provide me with the src and patches, and then building manually... here are the patches that were applied:
squid-2.5.STABLE9-2GB.patch
squid-2.5.STABLE9-CONNECT_truncated.patch
squid-2.5.STABLE9-acl_error.patch
squid-2.5.STABLE9-aufs.patch
squid-2.5.STABLE9-aufs_shutdown.patch
squid-2.5.STABLE9-bzero.patch
squid-2.5.STABLE9-cachemgr_objects.patch
squid-2.5.STABLE9-config_overflow.patch
squid-2.5.STABLE9-ctype.patch
squid-2.5.STABLE9-date.patch
squid-2.5.STABLE9-defer_digest_fetch.patch
squid-2.5.STABLE9-delay_access_doc.patch
squid-2.5.STABLE9-disable_hostname_checks.patch
squid-2.5.STABLE9-dup_content_length.patch
squid-2.5.STABLE9-excess_data.patch
squid-2.5.STABLE9-extaclauth.patch
squid-2.5.STABLE9-ftp_EPLF.patch
squid-2.5.STABLE9-ftp_base_href.patch
squid-2.5.STABLE9-long_basic_auth.patch
squid-2.5.STABLE9-pid_t.patch
squid-2.5.STABLE9-reload_into_ims.patch
squid-2.5.STABLE9-setcookie.patch
squid-2.5.STABLE9-syslog.patch
They are being applied in alphabetical order via a shell script.. could the patch order be the problem? -gvb On May 10, 2005, at 2:07 PM, Henrik Nordstrom wrote: On Tue, 10 May 2005, Gaylord Van Brocklin wrote: On FreeBSD 4.10-STABLE (as of Dec 2nd) gcc version 2.95.4 20020320 [FreeBSD] I get the following error when compiling: source='stmem.c' object='stmem.o' libtool=no depfile='.deps/stmem.Po' tmpdepfile='.deps/stmem.TPo' depmode=gcc /bin/sh ../cfgaux/depcomp gcc -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local/squid/etc/squid.conf\ -I. -I. -I../include -I. -I. -I../include -I../include -g -O2 -Wall -c `test -f stmem.c || echo './'`stmem.c stmem.c:70: conflicting types for `stmemFreeDataUpto' protos.h:863: previous declaration of `stmemFreeDataUpto' Any patches applied? If so, which and from what dates? My guess is that you have a partially applied or out of date 2GB patch in your source tree, causing the function to be inconsistently declared.
I have verified the declaration in both Squid-2.5.STABLE9, Current CVS and Squid-2.5.STABLE9 + all patches and in all is it consistent. Regards Henrik
Re: [squid-users] Images not loading: access denied?
On Tue, 10 May 2005, Evan Roth wrote: it's regardless which image i choose...i can go back to the original if you prefer. both are showing up the same in access.log, with the correct URL. I've only been able to reproduce this thus far from blogger.com. One last question: Do you have any httpd_accel_* settings in your squid.conf? Regards Henrik
Re: [squid-users] 2.5STABLE9 Compile Error
On Tue, 10 May 2005, Gaylord Van Brocklin wrote: They are being applied in alphabetical order via a shell script.. could the patch order be the problem? Quite likely you have rejects from several of the patches then... Often there are dependencies between the patches, and as noted on the patches page, patches need to be applied in the reverse order listed to solve these. Regards Henrik
Re: [squid-users] squid wont start
On Tue, 10 May 2005 14:28:31 +0200 (CEST) Henrik Nordstrom [EMAIL PROTECTED] wrote: On Mon, 9 May 2005, boricua wrote: something wrong happened to my squid that now it won't start, things were fine until i initialized the cache with webmin, and now it won't start under any circumstances Quite likely there is some config error making your Squid very unhappy. Try /path/to/sbin/squid -k parse If that works, try /path/to/sbin/squid -DNYCd3 i did a chown -R to the user who runs squid and got it fixed. no idea how it changed to 'nobody' thanks all also remember to check cache.log for any hints. Regards Henrik
[squid-users] Re: Questions on Squid Usage/Config
Please use the squid-users mailinglist for Squid usage and configuration questions. On Tue, 10 May 2005, Mark Romer wrote: Do you have any data or experience-based estimates about how many companies use Squid? It's very hard to tell as there is no registration of who is using Squid, but experience indicates it is very common among companies having their own UNIX IT staff. Is use biased towards small companies, large companies, tech companies, non-tech companies? My experience indicates mainly small tech companies, ISPs and large companies. Small non-tech companies in my experience rarely install Squid unless they have a Linux/FreeBSD savvy IT admin, but quite some may be running networking/firewalling appliances of different kinds where Squid is included, and then often without knowing they use Squid. And how many prefer to use static vs. auto vs. script for configuration of browsers? In the large companies segment using Squid my estimate is approximately 50/50 automated proxy settings via login scripts vs proxy.pac scripts. Very few rely on static per-client config. It also seems very few companies are using automatic proxy discovery mechanisms, but this may be an underestimate. In ISPs static configuration or automatic proxy discovery is the most common, if not counting automatic interception of port 80. Automatic interception of port 80 is also quite common in all four cases, more so in the smaller companies/ISPs, forcing all port 80 traffic via the proxy without requiring client configuration. Regards Henrik
Re: [squid-users] external_acl_type with http request header question
OK I think I have something... This will give me the same result as ident.sh when I enter a base64 string: OK user=name:

#!/usr/bin/perl -w
use MIME::Base64 ();
$|=1; # no buffering???
while (<STDIN>) {
    chop;
    ($u) = split;
    $u = MIME::Base64::decode($u);
    $ans = check($u);
    print $ans, $u, "\n";
}
sub check {
    local($u) = @_;
    return 'OK user=';
}

As you can see I took another auth script and modified it. Even though I get the same result as the sh script, I tried to use this and it caused problems. Some of the base64 strings have the @familink.net in them as part of the username. Can Squid use that as a username? Just so you know, my only programming was in fortran! Ryan Lamberton FamiLink Company Family Safe Internet Access - Original Message - From: Henrik Nordstrom [EMAIL PROTECTED] To: Ryan Lamberton [EMAIL PROTECTED] Cc: Henrik Nordstrom [EMAIL PROTECTED]; Squid Users squid-users@squid-cache.org Sent: Tuesday, May 10, 2005 1:54 PM Subject: Re: [squid-users] external_acl_type with http request header question On Tue, 10 May 2005, Ryan Lamberton wrote: It works! Thank you! Just one more question (more in the programming area). The accelerator sends the username in base64. Can I use the ident.sh to convert it to English before echoing it back? Yes. If so, what would I use for the code to accomplish it? I leave that as a programming exercise for you to solve. Shell scripts are not the most suitable for this kind of transformation and the shell helper should be seen mostly as an illustration, not as the ultimate solution. Redirector helpers for Squid are quite commonly written in perl, where this kind of transformation is rather trivial. Regards Henrik
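As an added illustration of the helper protocol Henrik describes (not Ryan's script and not Squid's own code), here is a Python external ACL helper that decodes a base64 user name from the first field Squid passes and answers ERR for anything that cannot form a valid user= token; it assumes the 2.5 line format of whitespace-separated fields, and url-decoding the field first is assumed to be harmless for base64 input:

```python
"""Added example (not Ryan's script nor Squid's own code): a Squid 2.5-style
external ACL helper that turns a base64 header value into "OK user=<name>"."""
import base64
import binascii
import re
import sys
from urllib.parse import unquote

# Squid reads the reply as whitespace-separated tokens, so a user name must be
# printable, non-blank ASCII of sane length. Assumption: '@domain' forms such as
# user@familink.net are acceptable, as Squid treats the user string as opaque.
SAFE_USER = re.compile(r"^[!-~]{1,128}$")


def decode_user(field):
    """Decode the base64 field; return the user name or None if it is unusable."""
    try:
        # unquote() is a no-op on plain base64 but copes with a url-encoded
        # field (assumption about the helper input encoding).
        raw = base64.b64decode(unquote(field), validate=True)
        user = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None            # bad alphabet, bad padding or non-UTF-8 bytes
    return user if SAFE_USER.match(user) else None


def handle_line(line):
    """Turn one request line from Squid into the helper's reply line."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    # The first field is the %{x-pun} header value; any further fields are the
    # extra arguments given on the "acl ... external" line and are ignored here.
    user = decode_user(fields[0])
    return "ERR" if user is None else "OK user=" + user


def main():
    # One reply per request line; flush so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Constructed inputs: "YUBi" is base64 for a@b and "Ym9iIHNtaXRo" for "bob smith", which is refused because the embedded space would split the reply token.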
Re: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9
Thanks for your clarification. The author doesn't reply to me. Could you please do me a favor and check with the author whether he has updated the latest epoll patch so that everyone won't face this epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? Regards, sally On 5/10/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Tue, 10 May 2005, Sally Huang wrote: Do you mean the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 bug is already fixed on both the epoll-2_5 patch and the epoll-2.5 branch in squid CVS? I am the wrong person to answer that question, but as you I remember the branch author mentioning that there have been fixes in that area. I answered the question how you could get the latest version of the epoll branch. Regards Henrik
RE: [squid-users] 2 squid processes
On a redhat distro, this is what I have done, for 2 squid instances... This is only in the lab so I may have missed something, hope it helps a little

Make a /etc/squid2 directory, copy data into it, also make a cache dir for the second instance, copy the init script:

mkdir /etc/squid2
cp -r /etc/squid /etc/squid2
cp /etc/init.d/squid /etc/init.d/squid2
mkdir -p /var/spool/squid2 ; chmod 750 /var/spool/squid2 ; chown squid.squid /var/spool/squid2

Link squid2 to squid (to get a different process to look for in the initscripts pidof()):

ln -s /usr/sbin/squid /usr/sbin/squid2

Differences between /etc/init.d/squid and /etc/init.d/squid2 (first line of each pair = squid, second = squid2):

[ -f /etc/squid/squid.conf ] || exit 0
[ -f /etc/squid2/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then . /etc/sysconfig/squid
if [ -f /etc/sysconfig/squid2 ]; then . /etc/sysconfig/squid2

[ -f /usr/sbin/squid ] && SQUID=squid
[ -f /usr/sbin/squid2 ] && SQUID=squid2

CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid2/squid.conf | \

[ -z $CACHE_SWAP ] && CACHE_SWAP=/var/spool/squid
[ -z $CACHE_SWAP ] && CACHE_SWAP=/var/spool/squid2

$SQUID -z -F -D 2>/dev/null
$SQUID -f /etc/squid2/squid.conf -z -F -D 2>/dev/null

[ ! -f /var/run/squid.pid ] || break
[ ! -f /var/run/squid2.pid ] || break

$SQUID -k shutdown
$SQUID -f /etc/squid2/squid.conf -k shutdown

[ -f /var/run/squid.pid ] || break
[ -f /var/run/squid2.pid ] || break

[ -e /var/lock/subsys/squid ] && restart || :
[ -e /var/lock/subsys/squid2 ] && restart || :

Differences between /etc/squid/squid.conf and /etc/squid2/squid.conf (first line = squid/squid.conf, the rest = squid2/squid.conf):

cache_dir aufs /var/spool/squid 5000 32 256
cache_dir aufs /var/spool/squid2 5000 32 256
cache_access_log /var/log/squid2/access.log
cache_log /var/log/squid2/cache.log
pid_filename /var/run/squid2.pid

chkconfig squid2 on
service squid2 start

Hope this helps as well... J.J.
-Original Message- From: Chris Robertson [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 03, 2005 2:35 PM To: squid-users@squid-cache.org Subject: RE: [squid-users] 2 squid processes -Original Message- From: Chris Robertson [mailto:[EMAIL PROTECTED] Sent: Friday, April 29, 2005 10:55 AM To: squid-users@squid-cache.org Subject: RE: [squid-users] 2 squid processes -Original Message- From: Discussion Lists [mailto:[EMAIL PROTECTED] Sent: Friday, April 29, 2005 8:16 AM To: squid-users@squid-cache.org Subject: [squid-users] 2 squid processes All, Obscure question here: Has anyone been able to get 2 squid processes running? I remember corresponding to a gentleman a while back who was able to get it to work, and he gave me his init-scripts, and conf files. Since then I have been unable to find that stuff try as I may, so I wanted to check with you good folks to see if any of you have something like that which can help me? The problem is that the single squid process can't handle all of what I want: -Internal squid listener for proxy clients -External squid listener to publish our websites Port 80. -External squid listener to publish SSL Port 443. I found the following link (scroll down a third of the way) and it describes how to do this, but it would be really helpful to see config files, and init files. http://66.102.7.104/search?q=cache:OwnNlpbABqgJ:www.swelltech.com/sup p or t/webminguide/ch03.html+%22two+squid+processes%22hl=enclient =firefox-a Thanks! I have two squid processes running on one box, but only to take advantage of a second processor. One instance of Squid is capable of running as both a caching proxy and a web-accelerator (http://www.squid-cache.org/Doc/FAQ/FAQ-20.html). In any case, if you want to follow the path of running two processes, then you just need to follow the FAQ on setting up each conf file.
The directives that MUST be different for each conf file are http_port, icp_port (if it's not set to 0), cache_dir, cache_access_log (if not set to /dev/null), cache_log, cache_swap_log, pid_filename, and snmp_port (if squid was compiled with snmp support). You can use the same squid binary for both processes, just specify a different conf file for them to use (e.g. squid -f /path/to/accelerator.conf squid -f /path/to/cache.conf). Chris -Original Message- From: Discussion Lists [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 03, 2005 11:24 AM To: squid-users@squid-cache.org Subject: RE: [squid-users] 2 squid processes Okay I read your adivice and finally was able to find blurb about it in the FAQ. So my question is this . . . How do I get the second process to create its own cache? I can see how to set it up in init to use a different cache
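Following J.J.'s instance setup and Chris's list of directives that must differ, here is an added Python check (not from the thread) that parses two squid.conf texts and reports which of those directives would still be shared; the sample configs are constructed, and a directive left unset is assumed to fall back to the same compiled-in default in both instances:

```python
"""Added example, not from the thread: report which must-differ squid.conf
directives two instances would still share. Sample configs are constructed."""

# Directives Chris lists as needing distinct values per instance.
MUST_DIFFER = ("http_port", "icp_port", "cache_dir", "cache_access_log",
               "cache_log", "cache_swap_log", "pid_filename", "snmp_port")
# Values that switch a directive off, so sharing them is harmless.
OFF = {"0", "none", "/dev/null"}
# Marker for a directive left to the compiled-in default: two instances that
# both omit it share the same default, which is itself a collision.
DEFAULT = "<compiled-in default>"


def parse_conf(text):
    """Return {directive: [values]} for the directives in MUST_DIFFER."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        if name not in MUST_DIFFER or not args:
            continue
        # For cache_dir the part that must not be shared is the directory path
        # (second argument: "cache_dir <type> <path> <Mbytes> <L1> <L2>").
        value = args[1] if name == "cache_dir" and len(args) > 1 else " ".join(args)
        found.setdefault(name, []).append(value)
    return found


def effective_values(conf):
    """Fill in defaults; cache_swap_log defaults to swap.state inside each cache_dir."""
    eff = {}
    for name in MUST_DIFFER:          # cache_dir precedes cache_swap_log here
        if name in conf:
            eff[name] = set(conf[name])
        elif name == "cache_swap_log":
            eff[name] = {d + "/swap.state" for d in eff["cache_dir"]}
        else:
            eff[name] = {DEFAULT}
    return eff


def find_collisions(conf_a, conf_b):
    """Map each colliding directive to the sorted values both instances share."""
    a = effective_values(parse_conf(conf_a))
    b = effective_values(parse_conf(conf_b))
    shared = {name: sorted((a[name] & b[name]) - OFF) for name in MUST_DIFFER}
    return {name: values for name, values in shared.items() if values}


# Constructed squid.conf fragments modelled on the differences J.J. listed;
# note that his list did not include a second http_port.
SQUID_CONF = """\
http_port 3128
icp_port 3130
cache_dir aufs /var/spool/squid 5000 32 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
"""
SQUID2_CONF = """\
http_port 3128            # unchanged: both instances would bind the same port
icp_port 0                # ICP switched off, so no clash with the first instance
cache_dir aufs /var/spool/squid2 5000 32 256
cache_access_log /var/log/squid2/access.log
cache_log /var/log/squid2/cache.log
pid_filename /var/run/squid2.pid
"""

if __name__ == "__main__":
    for name, values in find_collisions(SQUID_CONF, SQUID2_CONF).items():
        print(f"{name}: shared {', '.join(values)}")
```

The sample run flags http_port (identical) and snmp_port (both left at the compiled-in default, which only matters if the binary was built with SNMP support).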
RE: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9
I did manage to trace the cause of the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 messages. The latest epoll patch fixes this problem. There are 2 messages that the new patch will cause to appear with the default debug options (ALL,1): storeClientCopy3: url - clearing ENTRY_DEFER_READ This is caused when an object has been deferred, and for some reason the memory has not been freed, even though all clients have seen all in-memory parts of the url. I can't see why this would be the case, and I'm sure it's not caused by the epoll code, but the epoll code needs to catch this condition. WARNING defer handler for fd=fd(url) does not call commDeferFD() - backing off manually. This is caused when an object has data ready to be read, and the defer handler reports that the read should be deferred, but does not tell the epoll code to back off. This debug would probably be very noisy if used with delay pools, but other than that it indicates a non-optimised defer handler. These two debug statements do not produce a large number of entries in the debug logs (181 and 52 messages respectively out of 3204 messages total in one of our proxy server's cache.log out of a total of ~4.2 million requests). The proxy server does handle these cases appropriately, but they indicate sub-optimal performance. As they represent a tiny fraction of the total number of requests, I have not spent any time working out the exact cause of these problems. Regards Steven -Original Message- From: Sally Huang [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 9:34 AM To: Henrik Nordstrom Cc: squid-users@squid-cache.org Subject: Re: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9 Thanks for your clarify. The author doesn't reply me. Could you pls do me a favor and check with the author whether he has updated the latest epoll patch so that everyone won't face this epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? 
Regards, sally On 5/10/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Tue, 10 May 2005, Sally Huang wrote: Do you mean the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 bug isalready fixed on both epoll-2_5 patch and epoll-2.5 branch in squidCVS? I am the wrong person to answer that question, but as you I remember the branch author mentioning that there has been fixes in that area. I answerd to the question how you could get the latest version of the epoll branch. Regards Henrik
Re: [squid-users] dns lookups
From: Kevin [EMAIL PROTECTED] On 5/10/05, D E Radel [EMAIL PROTECTED] wrote: This is a real n00b question. Sorry. Our squid setup is working nicely and DNS is being resolved nicely for internet domain names no problem. However, local computer names are not resolved with the squid server. eg: http://my-server/index.html will fail. If you use an intranet domain and your hosts are all in DNS, this can be easily addressed with append_domain, as a simple google search would tell you: http://nixdoc.net/files/forum/about28247.html I check my resolv.conf, it's sweet. Pinging just the computer name (without the DNS suffix appended) from the linux box results in a correct DNS lookup and the ping works fine. However, Squid still doesn't resolve just the computer name, even though the DNS config of the linux box is working. I added the append_domain option in Squid. This worked, however not without problems. We have *two* domains with lengthy names. When using append_domain, it blindly adds the single domain suffix to any computer name without dots. If the computer is a member of another Whereas what I need is a correct DNS lookup search because of our two domains. If one DNS lookup fails, try the next domain suffix, etc. Is this do-able? Dietrich
Re: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9
Thanks a lot. I sent to a wrong email address last time. Where is the latest epoll patch that solved the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? Is it in squid src tagged with epoll-2.5 in squid CVS? Or, is it in the patch from http://devel.squid-cache.org/cgi-bin/diff2/epoll-2_5.patch?s2_5? sally On 5/11/05, Steven Wilton [EMAIL PROTECTED] wrote: I did manage to trace the cause of the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 messages. The latest epoll patch fixes this problem. There are 2 messages that the new patch will cause to appear with the default debug options (ALL,1): storeClientCopy3: url - clearing ENTRY_DEFER_READ This is caused when an object has been deferred, and for some reason the memory has not been freed, even though all clients have seen all in-memory parts of the url. I can't see why this would be the case, and I'm sure it's not caused by the epoll code, but the epoll code needs to catch this condition. WARNING defer handler for fd=fd(url) does not call commDeferFD() - backing off manually. This is caused when an object has data ready to be read, and the defer handler reports that the read should be deferred, but does not tell the epoll code to back off. This debug would probably be very noisy if used with delay pools, but other than that it indicates a non-optimised defer handler. These two debug statements do not produce a large number of entries in the debug logs (181 and 52 messages respectively out of 3204 messages total in one of our proxy server's cache.log, out of a total of ~4.2 million requests). The proxy server does handle these cases appropriately, but they indicate sub-optimal performance. As they represent a tiny fraction of the total number of requests, I have not spent any time working out the exact cause of these problems.
Regards Steven -Original Message- From: Sally Huang [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 9:34 AM To: Henrik Nordstrom Cc: squid-users@squid-cache.org Subject: Re: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9 Thanks for your clarification. The author doesn't reply to me. Could you please do me a favor and check with the author whether he has updated the latest epoll patch so that everyone won't face this epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? Regards, sally On 5/10/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Tue, 10 May 2005, Sally Huang wrote: Do you mean the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 bug is already fixed on both epoll-2_5 patch and epoll-2.5 branch in squid CVS? I am the wrong person to answer that question, but as you, I remember the branch author mentioning that there have been fixes in that area. I answered the question of how you could get the latest version of the epoll branch. Regards Henrik
Re: [squid-users] dns lookups
When using a Proxy Automatic Configuration script, the script can be coded to use the client's own DNS library and search suffixes when a URL is accessed which is just a bare hostname. On 5/10/05, D E Radel [EMAIL PROTECTED] wrote: I check my resolv.conf, it's sweet. Pinging just the computer name (without the DNS suffix appended) from the linux box results in a correct DNS lookup and the ping works fine. However, Squid still doesn't resolve just the computer name, even though the DNS config of the linux box is working. I added the append_domain option in Squid. This worked, however not without problems. We have *two* domains with lengthy names. When using append_domain, it blindly adds the single domain suffix to any computer name without dots. If the computer is a member of another Whereas what I need is a correct DNS lookup search because of our two domains. If one DNS lookup fails, try the next domain suffix, etc. Is this do-able? Yes it is do-able, but it's not pretty. If you reconfigure squid using the --disable-internal-dns flag, recompile, and re-install, squid will go back to the old behavior of using dnsserver with the system resolver library (which obeys /etc/resolv.conf), instead of the embedded DNS code. This should address your problem, but may cause other problems in the long run. The --disable-internal-dns configure option is deprecated, as the dnsserver solution is inefficient, does not scale well. This could work out okay on a lightly loaded cache serving a limited number of users. Kevin Kadow
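Kevin's PAC suggestion worked through as an added example (not code from the thread): a FindProxyForURL() that sends bare hostnames DIRECT so the browser's own resolver applies its search suffixes, while everything else goes through Squid. The proxy address and the two intranet domains are placeholder assumptions, and the PAC helper functions isPlainHostName()/dnsDomainIs(), which browsers normally supply, are re-implemented inline so the file runs stand-alone.

```javascript
// Minimal re-implementations of two PAC built-ins, so this file runs
// outside a browser (browsers provide their own versions).
function isPlainHostName(host) {
  // A "plain" host has no dots, e.g. "my-server" in http://my-server/index.html
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (case-insensitive).
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length >= d.length && h.substring(h.length - d.length) === d;
}

// Placeholder values (assumptions, not from the thread): the Squid proxy
// and the two lengthy intranet domains the original poster mentioned.
const SQUID_PROXY = "PROXY proxy.example.internal:3128";
const INTRANET_DOMAINS = [".corp-one.example", ".corp-two.example"];

function FindProxyForURL(url, host) {
  // Bare hostname: go DIRECT so the client's resolver applies its own
  // search list (both domains), instead of Squid's single append_domain.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Fully qualified intranet names also bypass the proxy.
  for (const domain of INTRANET_DOMAINS) {
    if (dnsDomainIs(host, domain)) {
      return "DIRECT";
    }
  }
  // Everything else goes through Squid. Deliberately no "; DIRECT"
  // fallback here: that would let clients silently bypass the proxy's
  // access controls whenever the proxy is unreachable.
  return SQUID_PROXY;
}
```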
RE: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9
The updated patch is available in both locations that you have mentioned. CVS does get updated quicker than the web site (the web site syncs with CVS periodically). Steven -Original Message- From: Sally Huang [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 12:03 PM Thanks a lot. I sent to a wrong email address last time. Where is the latest epoll patch that solved the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? Is it in squid src tagged with epoll-2.5 in squid CVS? Or, is it in the patch from http://devel.squid-cache.org/cgi-bin/diff2/epoll-2_5.patch?s2_5? sally On 5/11/05, Steven Wilton [EMAIL PROTECTED] wrote: I did manage to trace the cause of the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 messages. The latest epoll patch fixes this problem. There are 2 messages that the new patch will cause to appear with the default debug options (ALL,1): storeClientCopy3: url - clearing ENTRY_DEFER_READ This is caused when an object has been deferred, and for some reason the memory has not been freed, even though all clients have seen all in-memory parts of the url. I can't see why this would be the case, and I'm sure it's not caused by the epoll code, but the epoll code needs to catch this condition. WARNING defer handler for fd=fd(url) does not call commDeferFD() - backing off manually. This is caused when an object has data ready to be read, and the defer handler reports that the read should be deferred, but does not tell the epoll code to back off. This debug would probably be very noisy if used with delay pools, but other than that it indicates a non-optimised defer handler. These two debug statements do not produce a large number of entries in the debug logs (181 and 52 messages respectively out of 3204 messages total in one of our proxy server's cache.log, out of a total of ~4.2 million requests). The proxy server does handle these cases appropriately, but they indicate sub-optimal performance.
As they represent a tiny fraction of the total number of requests, I have not spent any time working out the exact cause of these problems. Regards Steven -Original Message- From: Sally Huang [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 9:34 AM To: Henrik Nordstrom Cc: squid-users@squid-cache.org Subject: Re: Odp: Re: [squid-users] how to apply epoll-2_5 patch to squid2.5-stable9 Thanks for your clarification. The author doesn't reply to me. Could you please do me a favor and check with the author whether he has updated the latest epoll patch so that everyone won't face this epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 problem? Regards, sally On 5/10/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Tue, 10 May 2005, Sally Huang wrote: Do you mean the epoll_ctl(EPOLL_CTL_DEL): failed on fd=197 bug is already fixed on both epoll-2_5 patch and epoll-2.5 branch in squid CVS? I am the wrong person to answer that question, but as you, I remember the branch author mentioning that there have been fixes in that area. I answered the question of how you could get the latest version of the epoll branch. Regards Henrik
Re: [squid-users] dns lookups
From: Kevin [EMAIL PROTECTED] If you reconfigure squid using the --disable-internal-dns flag, recompile, and re-install, squid will go back to the old behavior of using dnsserver with the system resolver library (which obeys /etc/resolv.conf), instead of the embedded DNS code. This should address your problem, but may cause other problems in the long run. The --disable-internal-dns configure option is deprecated, as the dnsserver solution is inefficient and does not scale well. This could work out okay on a lightly loaded cache serving a limited number of users. Thanks for that info Kevin. I use the binary packages from Debian because 'They Just Work™'. Compiling my own packages is not an option for me at present. A Proxy Automatic Configuration script might be the best long term solution. I would've thought that there would be a disable_internal_dns option or something to that extent in the squid.conf. I mean, if a PAC script can do it without a recompile. Thanks again Kevin. regards, Dietrich
Re: [squid-users] Images not loading: access denied?
nope...all httpd_accel_* parameters are left to default. Best Regards, Evan Henrik Nordstrom wrote: On Tue, 10 May 2005, Evan Roth wrote: it's regardless which image I choose...I can go back to the original if you prefer. both are showing up the same in access.log, with the correct URL. I've only been able to reproduce this thus far from blogger.com. One last question: Do you have any httpd_accel_* settings in your squid.conf? Regards Henrik
[squid-users] {Spam?} acl help please
I have a program that synchronises using the proxy. However, I keep getting this error message in the cache.log file. 2005/05/11 08:25:51| The request CONNECT ip number:port is DENIED, because it matched 'password' How can I bypass the password acl I have and allow the CONNECT method just for the ipnumber:port? Carinus