Re: [squid-users] show ips going outside squid
On Thu, 26 May 2005, Abu Khaled wrote:

> What happened to the Transparent Proxy term. I have been using Squid for 3 years now and it was always called Transparent Proxy. After subscribing to the mailing list all replies to Transparent Proxy are answered Intercepting Proxy. I wonder why ?!

The term Transparent Proxy has always meant something else: A proxy not changing the semantics of the forwarded request/replies, as opposed to a non-transparent proxy which changes requests/replies, for example image transcoding, WAP recoding or rewriting of requested URLs to something else.

Unfortunately a lot of people (and a large part of the industry) also used the term Transparent for proxies intercepting port 80 traffic, making their presence somewhat transparent to the end-user.

About 3-4 years ago it was standardized to use the term Interception for the act of redirecting port 80 traffic and consequently the term Intercepting proxy for a proxy where this technique is used for getting the traffic to the proxy. But many still use the term Transparent proxy. To reduce the confusion, Semantically transparent proxy is standardized for the original (and official) meaning of Transparent proxy.

When someone says Transparent proxy it is often unclear what he means, even if he most often means a (transparently) intercepting proxy.

Regards
Henrik
Re: [squid-users] ntlm tutorials
On Wed, 25 May 2005, Jon Howe wrote:

> Does anyone know of any good ntlm authentication tutorials?

The FAQ has a step-by-step guide on configuring Squid NTLM authentication using winbind. There are also several other guides out on the Internet.

Regards
Henrik
Re: [squid-users] mount options for cache_dir
On Thu, 26 May 2005, Matus UHLAR - fantomas wrote:

> However, some research documented that reiserfs is not a good FS for things like squid cache and that ext3 is faster...

And several have the exact opposite results..

Regards
Henrik
RE: [squid-users] Squid authentication and Active Directory
On Wed, 25 May 2005 [EMAIL PROTECTED] wrote:

> But: Is there a way to use the integrated windows authentication, so that the user will not be asked for his password each time he tries to browse the internet? It should use the login password from windows automatically.

See the Squid FAQ section on using Squid with Samba winbind.

Regards
Henrik
Re: [squid-users] is there tproxy patch for freebsd?
On Wed, 25 May 2005, S.M.H. Hamidi wrote:

> Does any one know if there is a patch similar to BalaBit patches for transparent proxying (http://www.balabit.com/downloads/tproxy/) to Freebsd kernel?

Probably somewhere. Dunno if available publicly however..

> Another question: Is it necessary such patches to be implemented in kernel level? May it be possible to implement it using packet capture libraries (e.g. libpcap or bpf).

You can implement it using NAT and tcp_outgoing_address.

Regards
Henrik
Re: [squid-users] Advise on response time on custom logformat and duration in native log
On Thu, 26 May 2005, squid squid wrote:

> 1. whether the duration field in native log has the same meaning as response time in Custom LogFormat???

Yes.

The response time / duration in Squid logs is from the time the request was received by Squid (full headers seen) until the last byte of the reply has been queued for write to the client.

Time not included is the time it takes for the client to send the request headers to Squid, or for TCP/IP to transmit the last bytes of the response.

Regards
Henrik
Re: [squid-users] Failover with 2 parents
On Thu, 26 May 2005, Konstantin Polihronov wrote:

> In the A-office I'm using child-proxy which redirects requests to the parent1, and I want to make failover in case when internet line for parent1 is down to redirect requests to parent2 in branch2.

If you use ICP then this should be automatic after some time, when the parent detects its Internet is not working and enters so called Hit only mode. But this takes a while before it kicks in (there must be a significant amount of failed requests on that Squid for Hit only mode to be activated).

If the parents have a reasonably short connect_timeout then the failover should also be automatic. But at the same time this increases the risk of false failures when the origin web server is just slow at accepting the connection, so it is not a universal solution to the problem.

Regards
Henrik
RE: [squid-users] Blocking all IP sites
On Thu, 26 May 2005, squidrunner support wrote:

> If you use dstdom* acl, then squid will reverse lookup on that domain. You can use url_regex acl itself as,

2.5.STABLE10 and later allows matching of IP based hosts in dstdomain and dstdom_regex.

Regards
Henrik
RE: [squid-users] Blocking all IP sites
On Thu, 26 May 2005 [EMAIL PROTECTED] wrote:

> The problem is that it works when I am testing it with squidclient, but not in production.

What does access.log say?

Regards
Henrik
Re: [squid-users] refresh_pattern explanation wanted
On Thu, 26 May 2005, Matus UHLAR - fantomas wrote:

> # usage: refresh_pattern [-i] regex min percent max [options]
> [...]
> # 'Percent' is a percentage of the objects age (time since last
> # modification age) an object without explicit expiry time
> # will be considered fresh.
>
> percent of what time? percent of max time? or does it mean that lm-factor thing below? (should be mentioned in the default manual imho)

Age of the document. Yes, this is the origin of the lm-factor.

The authoritative manual on Squid directives is squid.conf.default.

> # Basically a cached object is:
> #
> # FRESH if expires < now, else STALE
> ^
> shouldn't that be expires > now? an object is fresh, if it will expire in the future, not if it already expired, right? (a bug in the doc?)

Right.

> another strange thing: the lm-factor is explained on http://www.squid-cache.org/Doc/FAQ/FAQ-12.html#ss12.20
>
> # OBJ_DATE is the time when the object was given out by the origin server. This is taken from the HTTP Date reply header.
> # OBJ_LASTMOD is the time when the object was last modified, given by the HTTP Last-Modified reply header.
> # OBJ_AGE is how much the object has aged since it was retrieved: OBJ_AGE = NOW - OBJ_DATE
>
> - Is it really calculated from current local date, and Date: from object header? Does squid mix local Date and remote servers' Date or is this part of configuration incorrect and squid counts current local date and local date when the object was fetched?

Yes, there is a mix. And that is why it is important that the time on the web servers and your proxy is reasonably correct. This is even more visible in the Expires header.

Regards
Henrik
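Added example, not part of the original thread and not Squid's own code: a simplified model of the freshness decision discussed above, assuming the rule order expires, max, lm-factor, min. It shows how a skewed proxy clock changes the verdict for the same reply headers; the header values are constructed and the defaults mirror `refresh_pattern . 0 20% 4320`.

```python
from email.utils import parsedate_to_datetime


def http_ts(http_date):
    """Convert an HTTP date header value to epoch seconds."""
    return parsedate_to_datetime(http_date).timestamp()


# Constructed reply headers for the example (not taken from the thread).
DATE = "Thu, 26 May 2005 10:00:00 GMT"           # origin server's clock
LAST_MODIFIED = "Wed, 25 May 2005 10:00:00 GMT"  # one day before Date
EXPIRES = "Thu, 26 May 2005 11:00:00 GMT"
NOW = http_ts("Thu, 26 May 2005 12:00:00 GMT")   # proxy's local clock


def freshness(now, date, last_modified=None, expires=None,
              conf_min=0, conf_percent=20, conf_max=4320):
    """Return (verdict, rule) for a cached object.

    now is the proxy's clock in epoch seconds; date, last_modified and
    expires come from the origin's reply, so two clocks are mixed.
    conf_min and conf_max are minutes, conf_percent is a percentage.
    """
    if expires is not None:
        # Explicit expiry: the origin's timestamp against the proxy's clock.
        verdict = "FRESH" if http_ts(expires) > now else "STALE"
        return (verdict, "expires")

    obj_date = http_ts(date)
    # A proxy clock behind the origin gives a negative age; clamp it to 0.
    obj_age = max(0.0, now - obj_date)

    if obj_age > conf_max * 60:
        return ("STALE", "max")

    if last_modified is not None and obj_date > http_ts(last_modified):
        lm_age = obj_date - http_ts(last_modified)
        lm_factor = obj_age / lm_age
        verdict = "FRESH" if lm_factor < conf_percent / 100 else "STALE"
        return (verdict, "lm-factor")

    verdict = "FRESH" if obj_age <= conf_min * 60 else "STALE"
    return (verdict, "min")


def skew_report(offsets_hours):
    """Verdict for the same object when the proxy clock is off by N hours."""
    return {h: freshness(NOW + h * 3600, DATE, LAST_MODIFIED)[0]
            for h in offsets_hours}


if __name__ == "__main__":
    for hours, verdict in skew_report([-3, 0, 3]).items():
        print(f"proxy clock {hours:+d}h: {verdict}")
    print("Expires, clock correct:", freshness(NOW, DATE, expires=EXPIRES))
    print("Expires, clock 2h slow:",
          freshness(NOW - 2 * 3600, DATE, expires=EXPIRES))
```

With a one-day-old Last-Modified and 20%, the object stays fresh for 4.8 hours after Date, so a proxy clock running three hours fast is enough to flip the verdict, and a slow clock keeps serving an object past its Expires time.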
Re: [squid-users] NTLM Authentication and redirecting some users
On Thu, 26 May 2005, Matus UHLAR - fantomas wrote:

> quick guide or FAQ about transparent (we call it intercepting) proxy with authentication? There is one: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16
>
> Probably ntlm or other authorization that doesn't require client to send Proxy-Authorization headers (external, IP-based) would work.

NTLM is a HTTP authentication scheme (just badly designed) and won't work either.

IP-based authentication schemes do work and are used at several installations. But there are no standard tools available for this.

Regards
Henrik
Re: [squid-users] Problem denying certain requests
On Thu, 26 May 2005, galle wrote:

>> Which version of Squid?
>
> sorry squid 2.5 stable 3
>
>> Both urlpath_regex and dstdom_regex should be able to match these in the current versions of Squid.
>
> I have tried them and they don't work.

Your Squid is not a current version and is well known to have the issue you describe.

Regards
Henrik
RE: [squid-users] XML-RPC
On Thu, 26 May 2005, Charl Papenfus wrote:

> With auth enabled we do get auth failed messages on the programmer's side. Any way to test if packets are really coming back? Apart from running a traffic monitor, of course.

You can assume there is a response of some kind sent to the requestor, but if you want to be really sure there is not much else besides a traffic monitor.

Regards
Henrik
Re: [squid-users] found two conflicting content-length headers
On Fri, 27 May 2005, kodel wrote:

>> This said I published a patch today to work around this quite common case in a reasonable manner, hopefully without opening up for cache pollution attacks on the proxy.
>
> Thanks again for your help. But where can I find that patch you mention here..?

From the patches page.

> I guess it is in the diff file of daily release, is that correct ?

It is there as well, but not what I meant.

Regards
Henrik
[squid-users] content mixed up.
Please forgive me if this question has been asked/reported before, I couldn't find anything on the list or faq that suggests a solution.

I have just been asked by our designer about a strange problem he observed. While he was working on some new template on 2 of our testing sites, he noticed that after he shift-reloads a certain static html on one of the sites (let's call it site A), if he then opens the same url on the second site (Site B), which of course has some different content, he would end up getting the content of the same URL in site A.

To demonstrate the problem, I have prepared the following urls.

Site A - http://mymail.kafai-green-v1.sme.outblaze.com/test.htm
Site B - http://mymail.kafai-blue-v1.sme.outblaze.com/test.htm

Step 1) Open 2 browser instances (or 2 tabs) and bring each url up. Note: Site A should give you the word 'green' while site B gives you the word 'blue'.

Step 2) shift-reload site A, then go to site B and reload (without shift).

From what I see here I end up with the word 'green' showing up on Site B.

(Note, if you can not replicate the problem with a browser, try these telnet commands)

Step 1 -

telnet mymail.kafai-green-v1.sme.outblaze.com 80
GET /test.htm HTTP/1.0
Host: mail.kafai-green-v1.sme.outblaze.com
Pragma: no-cache

telnet mymail.kafai-blue-v1.sme.outblaze.com 80
GET /test.htm HTTP/1.0
Host: mail.kafai-blue-v1.sme.outblaze.com
Pragma: no-cache

(you should see the word green as html body for the first site and blue for the second site)

Step 2 -

telnet mymail.kafai-green-v1.sme.outblaze.com 80
GET /test.htm HTTP/1.0
Host: mail.kafai-green-v1.sme.outblaze.com
Pragma: no-cache

telnet mymail.kafai-blue-v1.sme.outblaze.com 80
GET /test.htm HTTP/1.0
Host: mail.kafai-blue-v1.sme.outblaze.com

You should see 'green' after completing these 2 commands.

btw, the problem wouldn't work the other way around, I mean, if you load site B (Blue one) before Site A (green one) the problem wouldn't show up.
I'm running squid as http accelerator in front of an apache installed on localhost, the 2 hosts are different vhosts with different document roots. I have upgraded squid to stable 10 yesterday and am still seeing this issue. Disabling squid would solve the problem.

Any help would be much appreciated.

Tor.
Re: [squid-users] Bugs in IE digest proxy auth
On Fri, 27 May 2005, Joshua Goodall wrote:

> I've observed three bugs in IE6's digest proxy authentication implementation. Is anyone able to confirm that it's Not Just Me, and whether any good workarounds are already out there?

IE6 is well known for being broken in its authentication support in various manners (details vary greatly with the patch level or hotfixes used)

> 1. Double-quote-marks in URLs. IE sends a digest-uri-value that's improperly escaped, as in (when visiting http://localhost/test.html"foo):

What can I say? URL-escaping seems to be a very hard thing to do for some unknown reason.. most clients get URL-escaping wrong one way or another when given bad URLs as input..

Yes, the above URL is an invalid URL as the " MUST be escaped according to the URL standard (RFC 1738) where " is in the set of unsafe characters which must always be encoded (RFC1738 section 2.2, subsection Unsafe), which means that whoever typed/generated such URL as input to the client placed himself outside standards.. Clients (and servers) are not required to accept bad URLs, but at the same time they MUST NOT send bad URLs.

> Digest username=User Name, realm=Login, qop=auth, algorithm=MD5, uri=/test.htmlfoo, nonce=q3...
>
> vs Firefox which sends:
>
> Digest username=User Name, realm=Login, nonce=42yWQuDPGw/gebJ8, uri=/test.html%22foo, response=666...

Another interesting point is that neither is correct for proxy authentication. The uri should be identical to the request-URI which for proxy requests is an absoluteURI

http://www.example.com/test.html%22foo

Related question: What was the request-URI on the request line sent by IE in the above? Was this escaped properly or was it using unescaped quote there as well?

> 2. Never reuses a nonce - always sends a request, gets a 407 challenge with a new nonce value, then reissues the request with the correct Proxy-Authorization header; this doubles the number of actual HTTP requests; is there a workaround?

Uncertain.
Nonce reuse is quite dependent on the client having support for this. It may obviously be the case that IE does have support for nonce reuse but for some reason refuses to do so with Squid, but it's very hard to know outside Microsoft.

The only thing I can think of is to make sure there are persistent connections enabled. I could imagine that nonce reuse may be related to connection reuse in some clients.

> 3. IE gets confused when a website uses a 401 authentication challenge. In this case, it prompts for and sends the Authorization: header, but then repeatedly re-prompts the user for their proxy credentials.

Nice...

> I've worked around this by inventing the following access list:
>
> acl msie-win-browser browser MSIE.*Windows
> acl basic-auth auth_regex Basic
> auth_param digest access deny msie-win-browser basic-auth
> auth_param digest access allow all
>
> Yes, I had to invent auth_regex and auth_param digest access. This ACL effectively downgrades the user to using basic proxy auth if using basic www auth.

Interesting. So this worked around the problem for you?

> I'd especially like a solution for bug 3, because the workaround is ugly, insecure and expensive. I have a case open with Microsoft Partner Support right now.

Probably the only viable path to find a good solution to this problem.

> Oddly enough, IE5 on the Mac doesn't have any of these symptoms.

More proof of the above.

On a related note I have the impression that the HTTP support in MSIE has degraded noticeably with the MSIE6 release, and that it has since then been a big patchwork to get things running.. especially in areas relating to authentication where I do not know a single MSIE6 version which gets it correct.. (always one scheme broken)

There are also issues in connection management when accessing secure sites (accidental reuse of existing connection without enabling SSL, sending the supposedly protected request in plaintext...), and a handful of other issues I do not remember right now.

Regards
Henrik
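Added example, not part of the original message and not Squid's implementation: a minimal RFC 2617 Digest check as a proxy could apply it, following the point above that the uri field must be identical to the absolute request-URI. The password, cnonce and helper names are constructed for illustration; the user name, realm and nonce reuse the values quoted in the thread.

```python
import hashlib
import hmac
import re

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,"]+))')
_SEP = re.compile(r'\s*,\s*')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header):
    """Parse 'Digest k="v", k=v'; return None if anything is left unparsed."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    fields, pos = {}, 0
    rest = rest.strip()
    while pos < len(rest):
        pair = _PAIR.match(rest, pos)
        if pair is None:
            return None
        value = pair.group(2) if pair.group(2) is not None else pair.group(3)
        fields[pair.group(1).lower()] = value
        pos = pair.end()
        if pos == len(rest):
            break
        sep = _SEP.match(rest, pos)
        if sep is None:
            # e.g. uri="/test.html"foo": text after the closing quote
            return None
        pos = sep.end()
    return fields


def expected_response(f, method, password):
    """Digest response for qop=auth, or the legacy form without qop."""
    ha1 = _md5(f"{f['username']}:{f['realm']}:{password}")
    ha2 = _md5(f"{method}:{f['uri']}")
    if f.get("qop") == "auth":
        return _md5(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return _md5(f"{ha1}:{f['nonce']}:{ha2}")


def check_proxy_digest(header, method, request_uri, password):
    """Return 'ok', 'malformed', 'uri-mismatch' or 'bad-response'."""
    f = parse_digest(header)
    if f is None or not {"username", "realm", "nonce", "uri", "response"} <= f.keys():
        return "malformed"
    if f.get("qop") == "auth" and not {"nc", "cnonce"} <= f.keys():
        return "malformed"
    if f["uri"] != request_uri:
        # The hash covers f['uri'], so accepting a different uri would
        # leave the actual request line unauthenticated.
        return "uri-mismatch"
    want = expected_response(f, method, password)
    if not hmac.compare_digest(f["response"].encode(), want.encode()):
        return "bad-response"
    return "ok"


def sample_header(uri, method="GET", password="secret"):
    """Build a constructed client header for the given uri value."""
    f = {"username": "User Name", "realm": "Login",
         "nonce": "42yWQuDPGw/gebJ8", "uri": uri,
         "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b"}
    f["response"] = expected_response(f, method, password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in f.items())


if __name__ == "__main__":
    absolute = "http://www.example.com/test.html%22foo"
    for uri in (absolute, "/test.html%22foo", '/test.html"foo'):
        print(uri, "->", check_proxy_digest(sample_header(uri), "GET", absolute, "secret"))
```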
Re: [squid-users] Chain SSL Cert files
On Thu, 26 May 2005, Dan DeLong wrote:

> Hello, I am running 2.5.STABLE4 as a reverse proxy. I would like to know how to use SSL Chain certs. I currently am using SSL certs from Thawte and can use them with the following line in my conf file
>
> https_port 10.10.1.1:443 cert=/certfile key=/keyfile version=1
>
> Now I am in need of using chain certs but don't know how to incorporate both the domain and the CA cert.

The SSL update patch for Squid-2.5 adds certificate chain support. With this patch just add the CA cert to your domain cert file after the domain cert.

There is also a one-line patch floating around for this. Should be available in the squid-users archives. But I recommend the SSL update.

Regards
Henrik
RE: [squid-users] mount options for cache_dir
On Thu, 26 May 2005, Ilker GOKHAN wrote:

> As far as I remember there was a benchmarking test which was done by Duane. According to this report, ext2 with async (aufs) is one of the best choices.

Sounds reasonable. ext2 is a fairly light filesystem unless you need synchronous operations (which Squid doesn't use) or very large directories (which Squid also doesn't use)

However, smarter filesystems may be able to achieve a better write speed for the amount of small files used by Squid.

Regards
Henrik
Re: [squid-users] Password rewriting issues
Okay, thanks Henrik, I have modded my helpers to unencode this.

Cheers once again for your always extremely helpful replies

Scott

On 27/05/2005, at 2:48 PM, Henrik Nordstrom wrote:

> On Wed, 25 May 2005, Scott Horsley wrote:
>
>> scott abc#123 would produce scott abc%23123
>
> Correct. Documented in the Squid-2.5 release notes.
>
>> This is obviously quite annoying as it restricts passwords to be plain alphanumeric
>
> Rather the opposite actually. But your helper needs to know how to decode the data sent by Squid. This encoding is plain URL encoding using %NN where NN is the hex code of the odd character.
>
>> A) This was normal behaviour
>
> Yes.
>
>> B) Is there a fix for this?
>
> Yes, make your helper support the format used by Squid-2.5.
>
>> C) Am I doing something wrong?
>> D) Do I need to adjust my helper to re-ascii my password in order to authenticate users?
>
> Yes.
>
>> E) Has anybody else come across this?
>
> Yes. I made this change in the helper format for Squid-2.5 as there were a lot of problems with non-ascii usernames or passwords. Most notably space characters.
>
> Regards
> Henrik
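Added example, not code from the thread or from Squid: a basic-auth helper loop that decodes the %NN encoding described above, assuming one `username password` pair per input line and an `OK`/`ERR` reply per line. The credential table and function names are constructed; only the scott / abc#123 pair comes from the message.

```python
import hmac
import sys
from urllib.parse import unquote_to_bytes

# Constructed credential table for the example. A real helper would query
# its own backend; only the scott / abc#123 pair comes from the thread.
USERS = {b"scott": b"abc#123", b"jane doe": b"p w%d"}


def decode_fields(line):
    """Return (user, password) as raw bytes, or None if the line is malformed.

    The line is split on the separating space first and each field is then
    decoded exactly once. Decoding before splitting would break on an
    encoded space (%20); decoding twice would corrupt a literal '%' (%25).
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or not all(parts):
        return None
    return tuple(unquote_to_bytes(p) for p in parts)


def check(line):
    """Return the helper's reply for one input line: 'OK' or 'ERR'."""
    fields = decode_fields(line)
    if fields is None:
        return "ERR"
    user, password = fields
    stored = USERS.get(user)
    # Unknown users are compared against a dummy value so both paths
    # perform a constant-time comparison.
    candidate = stored if stored is not None else b"\x00"
    matched = hmac.compare_digest(password, candidate)
    return "OK" if matched and stored is not None else "ERR"


def main():
    # One request per line on stdin, one reply per line on stdout; flush
    # after every reply so the caller is never left waiting on a buffer.
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Working on bytes keeps non-ASCII user names and passwords intact whatever character set the browser used.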
Re: [squid-users] [Fwd: Regarding Ldap+Squid]
On Thu, 26 May 2005, Sunil S wrote:

> Hello Selvam,
>
> 1. I use auth param as below:
>
> auth_param basic program /d2/sw/squid-3.0/libexec/squid_ldap_auth -u CN -b CN=Users,DC=my,DC=company,DC=co,DC=in -h server_ip

Looks reasonable if you have a flat tree of users (all in the Users container) and use the full name as login name to the proxy.

For more advanced situations a search filter is required. See the squid_ldap_auth manual (shipped with Squid).

> 2. There should be a netlogon share on your domain controller (server_ip in the above case) with a file named proxyauth and that file should contain just one word allow inside it.

This is only required by the smb_auth helper, not squid_ldap_auth.

Regards
Henrik
Re: [squid-users] Permission denied on squidguard
PF wrote:

> Do you know where the blacklists, the logs directory and squidGuard.conf are located? All the directories need to be owned by squid. So just chown -R squid:squid directory

[EMAIL PROTECTED] ~]# ls -l /etc/squid/squidguard.conf
-rw-r--r-- 1 root root 2569 23 mag 15:24 /etc/squid/squidguard.conf

[EMAIL PROTECTED] ~]# ls -l /var/lib/squidguard/
totale 32
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 ad
drwxr-xr-x 13 squid squid 4096 18 mag 17:48 blacklists
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 ok
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 ok1

[EMAIL PROTECTED] ~]# ls -l /var/lib/squidguard/ad/
totale 40
-rw-r--r-- 1 squid squid 16 18 mag 18:04 domains
-rw-r--r-- 1 squid squid 8192 19 mag 20:48 domains.db
-rwxr-xr-x 1 squid squid 18 18 mag 18:04 urls
-rw-r--r-- 1 squid squid 8192 19 mag 20:48 urls.db

[EMAIL PROTECTED] ~]# ls -l /var/lib/squidguard/blacklists/
totale 96
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 ads
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 aggressive
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 audio-video
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 drugs
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 gambling
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 hacking
drwxr-xr-x 2 squid squid 4096 18 mag 17:48 mail
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 porn
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 proxy
-rw-r--r-- 1 squid squid 508 25 mar 2000 README
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 violence
drwxr-xr-x 2 squid squid 4096 19 mag 20:48 warez

[EMAIL PROTECTED] ~]# ls -l /var/log/squidguard/
totale 12
-rw-r--r-- 1 squid squid 7419 19 mag 20:48 squidGuard.log

.. but now the problem is that also squid (without redirect to squidguard) does not start !!??? :-(((

.. in my previous mail I have written the actual situation of permissions !!

still thanks.

Salvatore.
Re: [squid-users] mount options for cache_dir
> On Thu, 26 May 2005, Matus UHLAR - fantomas wrote:
>
>> However, some research documented that reiserfs is not a good FS for things like squid cache and that ext3 is faster...

On 27.05 07:51, Henrik Nordstrom wrote:

> And several have the exact opposite results..

Of course, for example there are people that do not know the 'notail' option for reiserfs ;)

I just want to say that some people prefer ext3 over reiserfs. basically, used options were well-tuned for squid cache directory.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
[squid-users] HttpRequestHeader If-None-Match problem with Squid
Hi,

I am again fighting with caching my dynamic content via web proxy. I noticed a *strange* behavior.

I started now debugging my http request headers and saw that (on using Squid) I always got no If-None-Match header. My application sets ETag inside of the response header, so I am wondering, why my application doesn't *see* that header when we use Squid?

I tested the stuff without Squid, then all works like expected. My application sets in first Response the ETag and on second request, we see the correct If-None-Match value for the generated ETag value.

Am I still missing something?

BTW. I am using squid/2.5.STABLE7-NT

Thanks for any ideas regarding that.
Re: [squid-users] Permission denied on squidguard
On Fri, 27 May 2005, sasa wrote:

> .. but now the problem is that also squid (without redirect to squidguard) does not start

What error(s) do you see?

/usr/local/squid/sbin/squid -DNYCd3

Regards
Henrik
RE: [squid-users] Blocking all IP sites
> The problem is that it works when I am testing it with squidclient, but not in production.

Please elaborate with sample logs? It will work. How does it differ between testing and production?

==
Best Regards,
Squid Runner Support
squidrunner_dev at yahoo dot com
Web: http://geocities.com/squidrunner_dev/
Support: runnersupport at gmail dot com
SquidRunner - An Automatic Squid Builder
==
[squid-users] SQUID and LDAP.
Hello,

I've configured my squid to authenticate with ldap, but when the browser prompts the user and password window I write it and get no answer, the squid access.log file shows it:

1116840548.325 6 10.0.20.113 TCP_DENIED/407 1706 GET http://www.google.es/ pprueba3 NONE/- text/html

and when I write in shell this command

# /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100 pprueba3 ERR

That is what I get. Can you help me?

These are the options I have in squid.conf

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow password
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 10.0.16.0/20
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

THANKS.

--
Angel Prieto [EMAIL PROTECTED]
SINERGIA TECNOLÓGICA
C/ Almirante Churruca 30007 Murcia
TEL. 968 270 624 Fax. 968 231 501
www.sinergiatec.com
AW: [squid-users] HttpRequestHeader If-None-Match problem with Squid
If-Modified-Since is also missing.

Note, the requests are against a Servlet that generates dynamic content. But when I request static content (that is stored in a folder of my web app) the If-Modified-Since request header was sent? I used a ServletFilter to *debug* that, so I saw that the If-Modified-Since was set.

So I have now no idea, why the static content is cacheable, but not my dynamic. I use something like that to access the dynamic stuff:

http://server/application/contentID/index.html (for dynamic html creation)
http://server/application/contentID/index.pdf (for dynamic pdf creation)

Is it not possible to cache dynamic content ? (I don't use Http Request parameters)

I read that paper and I guess it should be able to do so: http://www.mnot.net/cache_docs/

Thanks,
Matthias

-----Original Message-----
From: Matthias Wessendorf [mailto:[EMAIL PROTECTED]
Sent: Friday, 27 May 2005 11:18
To: squid-users@squid-cache.org
Subject: [squid-users] HttpRequestHeader If-None-Match problem with Squid

> Hi,
>
> I am again fighting with caching my dynamic content via web proxy. I noticed a *strange* behavior.
>
> I started now debugging my http request headers and saw that (on using Squid) I always got no If-None-Match header. My application sets ETag inside of the response header, so I am wondering, why my application doesn't *see* that header when we use Squid?
>
> I tested the stuff without Squid, then all works like expected. My application sets in first Response the ETag and on second request, we see the correct If-None-Match value for the generated ETag value.
>
> Am I still missing something?
>
> BTW. I am using squid/2.5.STABLE7-NT
>
> Thanks for any ideas regarding that.
Re: [squid-users] Permission denied on squidguard
> .. but now the problem is that also squid (without redirect to squidguard) does not start !!??? :-(((
> .. in my previous mail I have written the actual situation of permissions !!

Hello,

Nothing much would be known if you send a mail that squid is not starting. Reply back with the error that you're getting so that we know what the actual problem is.

--
The future is uncertain and the end is always near
Re: [squid-users] Permission denied on squidguard
squidrunner support wrote:

> You changed squid.conf to root but changed permission of binary to another squid:squid??

..now I have:

[EMAIL PROTECTED] ~]# ls -l /etc/squid/
totale 604
-rw-r- 1 root squid367 16 mag 21:59 cachemgr.conf
lrwxrwxrwx 1 root root 22 20 mag 17:40 icons - /usr/share/squid/icons
-rw-r--r-- 1 root root 26104 16 mag 21:59 mib.txt
-rw-r--r-- 1 root root 11651 16 mag 21:59 mime.conf
-rw-r--r-- 1 root root 11651 16 mag 21:59 mime.conf.default
-rwxr-xr-x 1 root root 296 18 mag 17:01 mp3.txt
-rw-r--r-- 1 root root 421 16 mag 21:59 msntauth.conf
-rw-r--r-- 1 root root 421 16 mag 21:59 msntauth.conf.default
-rw-r- 1 root root 111215 27 mag 11:42 squid.conf
-rw-r--r-- 1 root root 111213 26 mag 18:50 squid.conf~
-rw-r--r-- 1 root root 118251 16 mag 21:59 squid.conf.default
-rw-r- 1 root squid 118251 16 mag 21:59 squid.conf.rpmnew
-rw-r--r-- 1 root root2569 23 mag 15:24 squidguard.conf
-rw-r--r-- 1 root root2515 18 mag 16:30 squidguard.conf~

[EMAIL PROTECTED] ~]# ls -l /usr/sbin/squid
-rwxr-xr-x 1 root root 646564 16 mag 21:59 /usr/sbin/squid

[EMAIL PROTECTED] ~]# ls -l /usr/bin/squidGuard
-rwxr-xr-x 1 root root 70758 12 gen 21:20 /usr/bin/squidGuard

.. I must change to:

[EMAIL PROTECTED] ~]# ls -l /usr/sbin/squid
-rwxr-xr-x 1 squid squid 646564 16 mag 21:59 /usr/sbin/squid

[EMAIL PROTECTED] ~]# ls -l /usr/bin/squidGuard
-rwxr-xr-x 1 squid squid 70758 12 gen 21:20 /usr/bin/squidGuard

.. is that right ?.. sorry for my banal question but the situation (for me !) is very confusing !

> Configure squid as cache_effective_user and group. Change all permissions of var/log/* and squidguard file. chown -R squid:squid var/

..ok !

[EMAIL PROTECTED] ~]# ls -l /var/log/
drwxr-x--- 2 squid squid 4096 22 mag 04:02 squid
drwxr-xr-x 2 squid squid 4096 18 mag 17:15 squidguard

> Start squid in debug mode to know the problem as ./squid -NCd10

#/usr/sbin/squid -NCd10
Abortito

..thanks.

Salvatore.
Re: [squid-users] SQUID and LDAP.
Hi

Your ldap authentication statement is incomplete. Please have a look at the examples and before you put them into squid.conf, please make sure they are fine by running them from a shell prompt as you did, and you must get OK instead of ERR.

From your statement it's missing the -h option and the binding user/password options too (if the ldap server doesn't allow anonymous queries). Please have a look at the following examples

http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

Regards
Babs

--- Ángel Prieto [EMAIL PROTECTED] wrote:

> Hello,
>
> I've configured my squid to authenticate with ldap, but when the browser prompts the user and password window I write it and get no answer, the squid access.log file shows it:
>
> 1116840548.325 6 10.0.20.113 TCP_DENIED/407 1706 GET http://www.google.es/ pprueba3 NONE/- text/html
>
> and when I write in shell this command
>
> # /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100 pprueba3 ERR
>
> That is what I get. Can you help me?
>
> These are the options I have in squid.conf
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl password proxy_auth REQUIRED
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow password
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 10.0.16.0/20
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
>
> THANKS.
>
> --
> Angel Prieto [EMAIL PROTECTED]
> SINERGIA TECNOLÓGICA
> C/ Almirante Churruca 30007 Murcia
> TEL. 968 270 624 Fax. 968 231 501
> www.sinergiatec.com
[squid-users] True transparent proxying
Hi list, so, I managed to get transparent proxying (transparent or vhost) working, but the parent squid logs the IP of the intermediate proxy, not the client. Can Squid3 spoof the IP when it connects to the parent cache? This would work in practice, because the network is laid out for such, that all packets have to pass the intermediate squid. Jan Engelhardt --
Re: [squid-users] Permission denied on squidguard
#/usr/sbin/squid -DNYCd3 Abortito

To help you out on this, just start your squid binary as, ./squid -NCd10 What you are getting out there.

1. You have configured cache_effective_user and cache_effective_group as squid
2. Change all permissions under var/log directory squid to squid:squid
3. Su to squid and startup squid as ./squid -NCd10

Post the full messages you are getting to list (Don't add user names again and again.) wishing best.

== Best Regards, Squid Runner Support squidrunner_dev at yahoo dot com Web: http://geocities.com/squidrunner_dev/ Support: runnersupport at gmail dot com SquidRunner - An Automatic Squid Builder ==
Re: [squid-users] SQUID and LDAP.
I get this now when I write: [EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b dc=prueba,dc=com -D cn=root,ou=People,dc=prueba,dc=com -w hello -f sAMAccountName=%s -h 10.0.21.100 ERR -- Angel Prieto [EMAIL PROTECTED] SINERGIA TECNOLÓGICA C/ Almirante Churruca 30007 Murcia TEL. 968 270 624Fax. 968 231 501 www.sinergiatec.com
Re: AW: [squid-users] HttpRequestHeader If-None-Match problem with Squid
On Fri, 27 May 2005, Matthias Wessendorf wrote: If-Modified-Since is also missing Do your responses have a Last-Modified? If not there isn't anything to relate If-Modified-Since to.. So I have now no idea, why the static content is cacheable, but not my dynamic. What does the cacheability check engine say about your dynamic content? Is it not possible, to cache dynamic content ? There is no difference in caching as such. Most dynamic content however does not have any information telling how long it may be cached or when the content was last modified so caches assume the content is dynamically generated for each request and should not be cached.. For something to be cached caches must have some reasonable means of knowing the response may be reused for another request. The Expires/Last-Modified/Cache-Control max-age response headers play a crucial role in this. In addition your refresh_pattern rules are used when no explicit expiry is known (Expires/max-age) Regards Henrik
Re: [squid-users] Permission denied on squidguard
On Fri, 27 May 2005, sasa wrote: /usr/local/squid/sbin/squid -DNYCd3 #/usr/sbin/squid -DNYCd3 Abortito Nothing more? If not something is wrong with your binary. Reinstall Squid. What about /usr/sbin/squid -v Regards Henrik
Re: [squid-users] SQUID and LDAP.
On Fri, 27 May 2005, [ISO-8859-1] Ángel Prieto wrote: I get this now when I write: [EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b dc=prueba,dc=com -D cn=root,ou=People,dc=prueba,dc=com -w hello -f sAMAccountName=%s -h 10.0.21.100 ERR This is normal. A blank line is not a valid login. After starting squid_ldap_auth you need to provide a loginname password as input. Regards Henrik
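The behaviour Henrik describes, as an added example that is not part of the original thread and not Squid's own code: a minimal stand-in for a basic-auth helper showing the line protocol Squid speaks to helpers such as squid_ldap_auth, where each input line is `username password` and each reply is `OK` or `ERR`. The credential table and function names are assumptions made up for the illustration; a real helper would bind to the LDAP server instead.

```python
"""Stand-in for a Squid basic-auth helper (illustration only)."""
import hmac
import io
import sys
from urllib.parse import unquote

# Constructed sample credentials (assumption). The user name is the one from
# the thread; the password is invented and contains a space on purpose.
SAMPLE_USERS = {"pprueba3": "s3cret pass"}


def check_line(line, users=SAMPLE_USERS):
    """Return 'OK' or 'ERR' for one request line received on stdin."""
    line = line.rstrip("\r\n")
    # A request is "<user> <password>". A blank line, or a line holding only
    # a user name, has no password field and can never be a valid login,
    # which is why pressing Enter at the helper's prompt prints ERR.
    user, sep, password = line.partition(" ")
    if not sep or not user or not password:
        return "ERR"
    # Squid URL-escapes both fields, so a space inside a password arrives
    # as %20 and must be decoded before comparing.
    user, password = unquote(user), unquote(password)
    expected = users.get(user)
    if expected is None:
        return "ERR"
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return "OK" if ok else "ERR"


def serve(stdin, stdout, users=SAMPLE_USERS):
    """Answer one line per request until the parent closes stdin."""
    for line in stdin:
        stdout.write(check_line(line, users) + "\n")
        stdout.flush()  # the parent waits for each reply; never buffer


def demo():
    """Feed the helper a blank line, a bare user name, a bad and a good login."""
    requests = io.StringIO(
        "\n"                        # what the shell test in the thread sent
        "pprueba3\n"                # user name without a password
        "pprueba3 wrong\n"          # wrong password
        "pprueba3 s3cret%20pass\n"  # correct password, URL-escaped
    )
    replies = io.StringIO()
    serve(requests, replies)
    return replies.getvalue().split()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run interactively, the script waits on stdin just as squid_ldap_auth does; type a user name and password on one line to get a verdict.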
AW: AW: [squid-users] HttpRequestHeader If-None-Match problem with Squid
I added Expires and it works now as expected Thanks for your hints. Matthias -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Friday, 27 May 2005 13:51 To: Matthias Wessendorf Cc: squid-users@squid-cache.org Subject: Re: AW: [squid-users] HttpRequestHeader If-None-Match problem with Squid On Fri, 27 May 2005, Matthias Wessendorf wrote: If-Modified-Since is also missing Do your responses have a Last-Modified? If not there isn't anything to relate If-Modified-Since to.. So I have now no idea, why the static content is cacheable, but not my dynamic. What does the cacheability check engine say about your dynamic content? Is it not possible, to cache dynamic content ? There is no difference in caching as such. Most dynamic content however does not have any information telling how long it may be cached or when the content was last modified so caches assume the content is dynamically generated for each request and should not be cached.. For something to be cached caches must have some reasonable means of knowing the response may be reused for another request. The Expires/Last-Modified/Cache-Control max-age response headers play a crucial role in this. In addition your refresh_pattern rules are used when no explicit expiry is known (Expires/max-age) Regards Henrik
[squid-users] Re: SquidGuard vs. Dansguardian
Hi! We are using squid with ntlm authentication, which then forwards the user name to DansGuardian, and it is working very well, with no problems at all ... Regards, Carlos. -- Dansguardian is very stable but can slow down network traffic depending on the size of your network. The low down is Dansguardian does everything squidguard does and more. But if you use squid_NTLM or something like that you will have problems doing this with dans. I have read that it is now possible but have yet to try it out as I haven't been playing in the test lab lately.
Re: [squid-users] Squid Transparent mode amd delay pools on FreeBSD 5.4
On 5/27/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Thu, 26 May 2005, Abu Khaled wrote: I found this in the FAQ's delay pools are incompatible with slow aborts; quick abort should be set fairly low to prevent objects being retrieved at full speed once there are no clients requesting them (as the traffic allocation is based on the current clients, and when there are no clients attached to the object there is no way to determine the traffic allocation). Is it somehow related to this and how can I deal with it? No, this describes a different problem. Please file a bug report for your problem. Please also mention the slow aborts faq entry in that bug report. Regards Henrik I found this in the Bug List. http://www.squid-cache.org/bugs/show_bug.cgi?id=500 Seems I'll have to wait for it to be fixed. I'll use DUMMYNET on my router to control the bandwidth for a while. Thanks Henrik for your help. -- Kind regards Abu Khaled
Re: [squid-users] data jerks after 53 days
no problem is not solved it giving jerks squid stop responding after 60 minutes and nothing is log files and squid starts after 1 minute without adding any log On 5/26/05, Henrik Nordstrom [EMAIL PROTECTED] wrote: On Tue, 24 May 2005, Kashif Ali Bukhari wrote: i get very strange problem since last day i were getting data jerks in squid box i could not find any thing in system message log and squid logs after restarting this box data jerks were stopped why its happened any idea Most often this is caused by memory shortage. May also be an unrelated cronjob such as updatedb or similar temporarily hogging down the server, top, vmstat etc while the problem is observed is good tools. But it is very hard to say what the problem may have been if your server has been rebooted and is now running fine. Regards Henrik -- Syed Kashif Ali Bukhari Network Associate Asia Net Cell :- +92-345-4244813 , +92-300-4295604 Ph +92-42-111-111-202 Fax +92-42-5840905 MSN:- [EMAIL PROTECTED] ; [EMAIL PROTECTED] http://asia.net.pk , http://asiatec.biz
Re: [squid-users] Permission denied on squidguard
Henrik Nordstrom wrote: Nothing more? If not something is wrong with your binary. Reinstall Squid. I have installed squid and squidguard from rpm file, perhaps this is a problem ?? What about /usr/sbin/squid -v ..nothing. thanks. Salvatore.
Re: [squid-users] Permission denied on squidguard
squidrunner support wrote: To help you out on this, just start your squid binary as, ./squid -NCd10 ..but I have installed with rpm file What you are getting out there. 1. You have configured cache_effective_user and cache_effective_group as squid yes 2. Change all permissions under var/log directory squid to squid:squid ok 3. Su to squid and startup squid as ./squid -NCd10 #su - squid This account is currently not available. thanks. Salvatore.
Re: [squid-users] delay pool help
On 5/27/05, Jigar Raval [EMAIL PROTECTED] wrote: Hello, We have 2MBPS leased line for internet connectivity. I would like to configure delay pools to allocate a bandwidth to various department. I would like to assign BW to two department so that the department will get only speed 6Kbps, the other will 8kbps and the rest of the network can utilize rest of BW i.e. can download with the speed of more than 15Kbps. How to configure delay pool for the same ? Thanks in advance.. Jigar

ACL is what you need. Can you provide more information. Do you want to assign for the whole department just 8KB/s or each client in the Department. Anyways here is an example that I used once.

# these go in the ACL's
# depA 10 IP's
acl depA src 10.0.0.5-10.0.0.14
# depB 10 IP's
acl depB src 10.0.0.15-10.0.0.24
# restNET 30 IP's
acl restNET src 10.0.0.25-10.0.0.54
# end of ACL for delay pools

# delay pools are for 3 groups
delay_pools 3

# delay pool 1: department A, 6 KB/s per client
delay_class 1 2
delay_parameters 1 -1/-1 6000/6000
delay_access 1 allow depA
delay_access 1 deny all

# delay pool 2: department B, 8 KB/s per client
delay_class 2 2
delay_parameters 2 -1/-1 8000/8000
delay_access 2 allow depB
delay_access 2 deny all

# delay pool 3: restNET, 15 KB/s per client
delay_class 3 2
delay_parameters 3 -1/-1 15000/15000
delay_access 3 allow restNET
delay_access 3 deny all
# end

Also this might be useful if you want for eg. to assign 32KB/s for depA with each client a maximum 8KB/s and a burst of 256KB then you need to modify delay_parameters. eg.

delay_parameters 1 32000/32000 8000/256000

Check the FAQ for more http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8

Please excuse my English and if you need more help/examples I will gladly provide it ( if my boss would allow me to surf the web that is )

-- Kind regards Abu Khaled
[squid-users] Content Filtering Solutions
I work in the security assessment field and currently utilize Websense for content monitoring. My license for websense will be up in a month and would like to replace it with an open source solution. Are there any open source solutions that will allow me to use a spanned (mirrored) port on a switch to monitor traffic, specifically web traffic and match that traffic against a blacklist, such as urlblacklist.com's list. I just want to monitor the traffic and be able to provide a report based on what users within an organization are looking at by passively sniffing the traffic on the spanned port. I know this isn't directly related to squid, but I would like to then recommend squid/dansguardian to be used for content filtering in some cases. Any ideas?
Re: [squid-users] OT gui for squidguard
On Thu, 2005-05-26 at 17:52 -0400, Matt Benjamin wrote: Paulo, Hi Matt Don't know of one, but we've done bugfixes on the Webmin module, though it is still imperfect (error handling), added a config backup feature, and have used it as recently as Webmin-1.8.0. Fwiw and no warranty: https://secure.linuxbox.com/tiki/tiki-download_file.php?fileId=72 thanks Matt I'm trying to use, as I use debian I have to arrange some archives to work. BTW can you provide me an example of webmin-squidguard config ?? best regards Matt Paulo Ricardo Bruck wrote: Hi guys Does anyone know a GUI to configure squidguard ? I have already tried webmin but it's deprecated... ( http://www.niemueller.de/webmin/modules/squidguard/ ) thanks in advance -- Paulo Ricardo Bruck - consultor Contato Global Solutions tel 011 5031-4932 fone/fax 011 5034-1732 cel 011 9235-4327
RE: [squid-users] Blocking all IP sites
well If i am testing with squid-client, i've got 127.0.0.1 - - [27/May/2005:16:48:43 +0200] GET http://1.2.3.4 HTTP/1.0 403 1398 TCP_DENIED:NONE If i am testing from my browser, i've got x.x.x.x - - [27/May/2005:16:46:54 +0200] GET http://1.2.3.4/ HTTP/1.0 0 0 TCP_MISS:NONE For information, the request forwards through an internal proxies before being treated by the parent proxy --
RE: [squid-users] Content Filtering Solutions
I'm not sure about an Open-source solution, but SurfControl (www.surfcontrol.com) is a great alternative product. We have done numerous Corporate installations of it, including some icap integrations with squid - although there is still continual development for this support. Ali -Original Message- From: Mark Maxey [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 4:19 PM To: squid-users@squid-cache.org Subject: [squid-users] Content Filtering Solutions I work in the security assessment field and currently utilize Websense for content monitoring. My license for websense will be up in a month and would like to replace it with an open source solution. Are there any open source solutions that will allow me to use a spanned (mirrored) port on a switch to monitor traffic, specifically web traffic and match that traffic against a blacklist, such as urlblacklist.com's list. I just want to monitor the traffic and be able to provide a report based on what users within an organization are looking at by passively sniffing the traffic on the spanned port. I know this isn't directly related to squid, but I would like to then recommend squid/dansguardian to be used for content filtering in some cases. Any ideas?
[squid-users] unable to start squid using diskd
Hi, We are having problem in running squid with diskd with squid 2.5.10 it exits with message storeDiskdInit: msgget: (28) No space left on device

cache_dir diskd /var/squid/disk1 4 73 256
cache_dir diskd /var/squid/disk2 4 73 256
cache_dir diskd /var/squid/disk3 4 73 256
cache_dir diskd /var/squid/disk4 4 73 256

But the same thing runs when i change

cache_dir ufs /var/squid/disk1 4 73 256
cache_dir ufs /var/squid/disk2 4 73 256
cache_dir ufs /var/squid/disk3 4 73 256
cache_dir ufs /var/squid/disk4 4 73 256

Below is detail of system and messages from startup. Kindly help to fix this problem. The squid(2.5.9) precompiled from suse pro 9.3 works on this machine with diskd. But when i tried to run the compiled squid Is it some mistake with my config options ?? The compilation went clean. RGDS SK

linux12:/usr/local/src/squid-2.5.STABLE10 # uname -a
Linux linux12 2.6.11.4-20a-bigsmp #1 SMP Wed Mar 23 21:52:37 UTC 2005 i686 i686 i386 GNU/Linux
linux12:/usr/local/src/squid-2.5.STABLE10 # /usr/local/squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE10
configure options: --sysconfdir=/etc/squid --with-dl --enable-snmp --enable-carp --enable-useragent-log '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' --enable-digest-auth-helpers=password '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' --enable-ntlm-fail-open --enable-referer-log --enable-arp-acl --enable-htcp --enable-underscores --enable-stacktraces --enable-delay-pools --enable-cache-digests --enable-storeio=aufs,ufs,diskd,null --enable-linux-netfilter --enable-removal-policies=heap,lru --enable-x-accelerator-vary

May 27 22:00:49 linux12 squid[14746]: Starting Squid Cache version 2.5.STABLE10 for i686-pc-linux-gnu...
May 27 22:00:49 linux12 squid[14746]: Process ID 14746 May 27 22:00:49 linux12 squid[14746]: With 1024 file descriptors available May 27 22:00:49 linux12 squid[14746]: DNS Socket created at 0.0.0.0, port 32770, FD 5 May 27 22:00:49 linux12 squid[14746]: Adding nameserver 203.189.128.2 from squid.conf May 27 22:00:49 linux12 squid[14746]: Adding nameserver 203.189.128.1 from squid.conf May 27 22:00:49 linux12 squid[14746]: Adding nameserver 219.127.89.37 from squid.conf May 27 22:00:49 linux12 squid[14746]: User-Agent logging is disabled. May 27 22:00:49 linux12 squid[14746]: Referer logging is disabled. May 27 22:00:49 linux12 squid[14746]: Unlinkd pipe opened on FD 10 May 27 22:00:49 linux12 squid[14746]: Swap maxSize 16384 KB, estimated 12603076 objects May 27 22:00:49 linux12 squid[14746]: Target number of buckets: 630153 May 27 22:00:49 linux12 squid[14746]: Using 1048576 Store buckets May 27 22:00:49 linux12 squid[14746]: Max Mem size: 307200 KB May 27 22:00:49 linux12 squid[14746]: Max Swap size: 16384 KB May 27 22:00:49 linux12 squid[14746]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec May 27 22:00:49 linux12 squid[14746]: Store logging disabled May 27 22:00:49 linux12 squid[14746]: storeDiskdInit: msgget: (28) No space left on device May 27 22:00:49 linux12 squid[14746]: msgget failed May 27 22:00:49 linux12 squid[14741]: Squid Parent: child process 14746 exited due to signal 6 May 27 22:00:52 linux12 squid[14741]: Squid Parent: child process 14749 started May 27 22:00:52 linux12 squid[14749]: Starting Squid Cache version 2.5.STABLE10 for i686-pc-linux-gnu... 
Re: [squid-users] Content Filtering Solutions
Sorry for breaking into the thread, but I thought that'd be related: Does anybody know of any good filtering solution (possibly to go along with squid) with capabilities to filter out not only based on content but also by type of request divided into classes. Something like: machine A has permission to do HEAD on sites B,C,D machine X has permission to request only application/rdf+xml content from sites Z,W,Y. Any pointers are deeply appreciated. -- Dmitry Makovey Web Systems Administrator Athabasca University (780) 675-6245
Re: [squid-users] Chain SSL Cert files
Applied the patch and all is well. Thanks ! Dan - Original Message - From: Henrik Nordstrom [EMAIL PROTECTED] To: Dan DeLong [EMAIL PROTECTED] Cc: squid-users@squid-cache.org Sent: Friday, May 27, 2005 4:30 AM Subject: Re: [squid-users] Chain SSL Cert files On Thu, 26 May 2005, Dan DeLong wrote: Hello, I am running 2.5.STABLE4 as a reverse proxy. I would like to know how to use SSL Chain certs. I currently am using SSL certs from Thawte and can use them with the following line in my conf file https_port 10.10.1.1:443 cert =/certfile key=/keyfile version=1 Now I am in need of using chain certs but don't know how to incorporate both the domain and the CA cert. The SSL update patch for Squid-2.5 adds certificate chain support. With this patch just add the CA cert to your domain cert file after the domain cert. There is also a one-line patch floating around for this. Should be available in the squid-users archives. But I recommend the SSL update. Regards Henrik
Re: [squid-users] unable to start squid using diskd
On 27.05 22:29, sk wrote: We are having problem in running squid with diskd with squid 2.5.10 it exits with message storeDiskdInit: msgget: (28) No space left on device you must configure enough of message queues and probably shared memory too. http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.6 http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.7 -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Posli tento mail 100 svojim znamim - nech vidia aky si idiot Send this email to 100 your friends - let them see what an idiot you are
Re: [squid-users] Content Filtering Solutions
On May 27, 2005 10:01 am, Hunter, Jess wrote: I do not know what type of enterprise you will be using the content filtering for, however depending on your type of organization. DansGuardian just might be a good fit Yeah, it looks like it might do the trick except that I haven't found detailed instructions on how to set it up with all things that I need... I guess I'll have to dig in sources. -- Dmitry Makovey Web Systems Administrator Athabasca University (780) 675-6245
Re: [squid-users] Re: SquidGuard vs. Dansguardian Help with ntlm
I have been working all week to try and get ntlm with squid to work. I have recompiled squid, samba, and kerberos with the appropriate flags but to no avail. Does anyone have a How-to that actually works as the ones that I have been using obviously don't. Thanks Gary On 5/27/05 8:53 AM, zottmann [EMAIL PROTECTED] wrote: Hi! We are using squid with ntlm authentication, which then forwards the user name to DansGuardian, and it is working very well, with no problems at all ... Regards, Carlos. -- Dansguardian is very stable but can slow down network traffic depending on the size of your network. The low down is Dansguardian does everything squidguard does and more. But if you use squid_NTLM or something like that you will have problems doing this with dans. I have read that it is now possible but have yet to try it out as I haven't been playing in the test lab lately.
RE: [squid-users] Content Filtering Solutions
www.dansguardian.org From: Ali Resting [EMAIL PROTECTED] To: [EMAIL PROTECTED],squid-users@squid-cache.org Subject: RE: [squid-users] Content Filtering Solutions Date: Fri, 27 May 2005 17:17:59 +0200 I'm not sure about an Open-source solution, but SurfControl (www.surfcontrol.com) is a great alternative product. We have done numerous Corporate installations of it, including some icap integrations with squid - although there is still continual development for this support. Ali -Original Message- From: Mark Maxey [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 4:19 PM To: squid-users@squid-cache.org Subject: [squid-users] Content Filtering Solutions I work in the security assessment field and currently utilize Websense for content monitoring. My license for websense will be up in a month and would like to replace it with an open source solution. Are there any open source solutions that will allow me to use a spanned (mirrored) port on a switch to monitor traffic, specifically web traffic and match that traffic against a blacklist, such as urlblacklist.com's list. I just want to monitor the traffic and be able to provide a report based on what users within an organization are looking at by passively sniffing the traffic on the spanned port. I know this isn't directly related to squid, but I would like to then recommend squid/dansguardian to be used for content filtering in some cases. Any ideas?
RE: [squid-users] Microsoft Updates
David, We had some problems with Windows Update too. We solved with:

acl Microsoft_Windows_Update dstdom_regex .download.microsoft.com .windowsupdate.com .windowsupdate.microsoft.com .microsoft.com
http_access allow Microsoft_Windows_Update

[]´s, Denis

-Original Message- From: David Curtis [mailto:[EMAIL PROTECTED] Sent: Thursday, May 26, 2005 3:39 PM To: squid-users@squid-cache.org Subject: [squid-users] Microsoft Updates

We are having problems running windows updates through our squid server. If we bypass squid we have not problems. Any idea where the problem might be. We are running Squid Cache: Version 2.5.STABLE1 on RH9. I see nothing in the access log that might indicate a problem.
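An added check, not part of the original reply: `dstdom_regex` applies unanchored regular expressions to the destination host name, so the allow rule above also matches hosts outside Microsoft's domains and misses the bare domains, whereas a `dstdomain` entry with a leading dot matches only the domain and its subdomains. The `dstdomain` list and the test host names are constructed for the comparison, and Python's `re` stands in for Squid's regex library, which behaves the same for these simple patterns.

```python
import re

# Patterns exactly as given in the reply's dstdom_regex ACL.
REGEX_ACL = [
    ".download.microsoft.com",
    ".windowsupdate.com",
    ".windowsupdate.microsoft.com",
    ".microsoft.com",
]

# Assumed alternative for comparison, written as dstdomain entries:
#   acl Microsoft_Windows_Update dstdomain .microsoft.com .windowsupdate.com
DSTDOMAIN_ACL = [".microsoft.com", ".windowsupdate.com"]


def dstdom_regex_match(host, patterns=REGEX_ACL):
    """Unanchored regex search: every '.' in a pattern matches any character."""
    return any(re.search(p, host) is not None for p in patterns)


def dstdomain_match(host, domains=DSTDOMAIN_ACL):
    """Leading-dot dstdomain entry: the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    for entry in domains:
        base = entry.lstrip(".").lower()
        if host == base or host.endswith("." + base):
            return True
    return False


# Constructed host names; the out-of-scope ones use reserved example domains.
HOSTS = [
    "download.microsoft.com",              # intended target
    "microsoft.com",                       # bare domain
    "windowsupdate.com",                   # bare domain
    "www.microsoft.com.example.net",       # name merely contains the string
    "download-microsoft-com.example.net",  # '.' in the pattern matches '-'
    "www.example.org",                     # unrelated
]


def compare(hosts=HOSTS):
    """Return (host, allowed_by_regex_acl, allowed_by_dstdomain_acl) rows."""
    return [(h, dstdom_regex_match(h), dstdomain_match(h)) for h in hosts]


if __name__ == "__main__":
    for host, by_regex, by_domain in compare():
        print(f"{host:38} dstdom_regex={by_regex!s:5} dstdomain={by_domain}")
```

Because the rule is an `http_access allow`, every extra host the regex matches is a host the proxy lets through under the Windows Update exception.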
[squid-users] Re: SquidGuard vs. Dansguardian
Hi Gary !! I have a how-to documented in portuguese Would you be able to read it? Regards, Carlos.
[squid-users] Re: Content Filtering Solutions
Hi !! These kind of filtering can be done with squid itself, with its built-in acls. You can combine it with traditional content-filtering solutions, like Dansguardian, that was pointed by someone at this list ... Regards, Carlos. -- Sorry for breaking into the thread, but I thought that'd be related: Does anybody know of any good filtering solution (possibly to go along with squid) with capabilities to filter out not only based on content but also by type of request divided into classes. Something like: machine A has permission to do HEAD on sites B,C,D machine X has permission to request only application/rdf+xml content from sites Z,W,Y. Any pointers are deeply appreciated.
[squid-users] I get a ntlmauthenticator helpers are crashing too rapidly
I'm working here trying to get ntlm with squid working. I can get ntlm_auth --username to work and it asks for a password and that works. I mistype the password and it tells me so. So I think that part is working. When I fire up ./squid -NCd1 that is where I get the ntlmauthenticator helpers are crashing too rapidly. Thanks Gary
[squid-users] Squid without Perl. Is it possible?
Hi. I'm trying to add squid to a firewall-in-a-floppy little distribution called Coyote Linux. Coyote doesn't have perl and I don't like to add it too. If I leave some squid resources out can I produce a perl independent version?
Re: [squid-users] Squid without Perl. Is it possible?
Please send link to working coyote. -Original Message- From: Claudio Roberto Cussuol [EMAIL PROTECTED] Sent: May 27, 2005 1:07 PM To: squid-users@squid-cache.org Subject: [squid-users] Squid without Perl. Is it possible? Hi. I'm trying to add squid to a firewall-in-a-floppy little distribution called Coyote Linux. Coyote doesn't have perl and I don't like to add it too. If I leave some squid resources out can I produce a perl independent version?
[squid-users] src vs. src_as
Hello all, Does anyone know if there is a speed difference between using src and listing 200 IP blocks and using src_as and listing 2 or 3 ASN's? Ryan Lamberton
Re: [squid-users] Permission denied on squidguard
On Fri, 27 May 2005, sasa wrote: I have installed squid and squidguard from rpm file, perhaps this is a problem ?? Which RPM on what distribution? What about /usr/sbin/squid -v ..nothing. Then /usr/sbin/squid is not a valid squid binary, or not for your OS. Regards Henrik
Re: AW: AW: [squid-users] HttpRequestHeader If-None-Match problem with Squid
On Fri, 27 May 2005, Matthias Wessendorf wrote: What does the cacheability check engine say about your dynamic content? do you mean the logfile ? No, I mean the cacheability check engine. http://www.mnot.net/cacheability/ I am setting the following: Cache-Control: public, must-revalidate ETag: a generated Value Last-Modified: date but I have no expires must-revalidate probably makes Squid not cache these. Is your Last-Modified a proper last modification date, or now? Regards Henrik
Re: [squid-users] Problem patching Squid 2.5 Stable 10 on Solaris 8 with Custom LogFormat
On Fri, 27 May 2005, squid squid wrote: However there is some garbage parameters in the %tl field shown on the logfile. The %tl field is supposed to show date+time+800hrs but it showed date+time+%25z. Anyway the date and time is still readable and I think this should not cause much problem to the performance of squid. Looks like strftime on Solaris apparently does not support time zone offset (%z).. which is odd considering this is in both C and UNIX standards.. You can specify your own strftime format for %tl without the time zone offset if you like. %{%d/%b/%Y:%H:%M:%S}tl or hardcode it to your timezone offset %{%d/%b/%Y:%H:%M:%S +0800}tl Regards Henrik
RE: [squid-users] Blocking all IP sites
On Fri, 27 May 2005 [EMAIL PROTECTED] wrote: If i am testing with squid-client, i've got 127.0.0.1 - - [27/May/2005:16:48:43 +0200] GET http://1.2.3.4 HTTP/1.0 403 1398 TCP_DENIED:NONE If i am testing from my browser, i've got x.x.x.x - - [27/May/2005:16:46:54 +0200] GET http://1.2.3.4/ HTTP/1.0 0 0 TCP_MISS:NONE For information, the request forwards through an internal proxies before being treated by the parent proxy What does your http_access rules look like? Regards Henrik
Re: [squid-users] Squid without Perl. Is it possible?
On 5/27/05, Claudio Roberto Cussuol [EMAIL PROTECTED] wrote: I'm trying to add squid to a firewall-in-a-floppy little distribution called Coyote Linux. I'd assume this is similar to the BSD-based m0n0wall and pfSense, which use a floppy to store the firewall configuration (the above tools boot from CD). Coyote doesn't have perl and I don't like to add it too. If I leave some squid resources out can I produce a perl independent version? The actual Squid-2.5 caching proxy binary application does not require you have perl; there are add-ons for cachemgr and log parsing and such which are entirely optional, which do use perl. Technically, all you really need to have a functional squid daemon are the squid.conf file, the squid and unlinkd binaries, plus the share directory containing the errors (HTML error files) and icons (graphics) subdirectories and files. When running the squid daemon on a diskless machine, you'll need to make some adjustments to how the cache server operates and where (or whether) it writes the logs. Kevin Kadow
Re: [squid-users] Bugs in IE digest proxy auth
Hi Henrik, On Fri, May 27, 2005 at 10:27:50AM +0200, Henrik Nordstrom wrote: Related question: What was the request-URI on the request line send by IE in the above? Was this escaped properly or where it using unescaped quote there as well? The request-URI was similarly unescaped. Uncertain. nonce reuse is quite dependent on the client having support for this. It may obviously be the case that IE do have support for nonce reuse but for some reason refuses to do so with Squid but it's very hard to know outside Microsoft. I wondered if there was some embrace-and-extended going on with Digest auth, but I've reproduced all of these bugs using ISA Server 2004 as well. Ethereal shows that it's all the same on the wire except for ISA using md5-sess. The only thing I can think of is to make sure there is persistent connections enabled. I could imagine that nonce reuse may be related to connection reuse in some clients. I have an experimental hack that turns digest auth into a per-connection authentication, a la NTLM. This cuts down on the excess 407 traffic. This ACL effectively downgrades the user to using basic proxy auth if using basic www auth. Interesting. So this worked around the problem for you? Kind of. The user sees the following: 1. User browses web normally with Digest proxy auth 2. User visits a site requiring 401 www-authentication 3. User is challenged and enters their 401 credentials 4. User is then re-challenged to enter their Basic proxy credentials 5. User then continues browsing, but for the remainder of that session IE is using basic proxy authentication for all requests. It's not an acceptable solution, because the password is now in the clear. Oddly, it doesn't happen with SSL. I'll work through this with MS. Notwithstanding the issues above, I have a six-figure userbase using Digest proxy auth successfully for 1200 requests/sec. At some point I'll seek authorisation to release our workarounds under the GPL. Joshua. 
-- Joshua Goodall as modern as tomorrow afternoon [EMAIL PROTECTED] - FW109