[squid-users] Re: Squid "stalling" downloads

2005-09-27 Thread Maik

> > I tried "bypassing" que proxy and so download was fine, keeping
> > all other elements equals( router, firewall, network, etc).
> 
> Which still does not rule out those equipments.. there is very many broken 
> firewalls around where problems is only seen when using a more modern 
> TCP/IP implementation.

I second that. I have been searching for a https related Problem for *weeks*
last year and it turned out to be a missing tickmark in some Checkpoint 
Option...

For the Original Poster: Are you using your squid in Combination with Antivirus
Software like Trend Micro?

Regards
Maik




[squid-users] problem with squid

2005-09-27 Thread virt
Hi
My system is:
FreeBSD 4.11p11
squid 2.5.stable11 with transparent proxy
After upgrade squid web pages on some computers become to download 
partially, IE and Opera report "Done". If Refresh is pressed it is possible 
to get a full download. That is interesting that some machines have no such 
problem and the sites download normally. If download directly, without squid, 
there are not any problems. What could be a reason of such behaviour?



Re: [squid-users] problem with squid

2005-09-27 Thread Matus UHLAR - fantomas
On 27.09 11:30, virt wrote:
> From: virt <[EMAIL PROTECTED]>
> Date: Tue, 27 Sep 2005 11:30:17 +0400
> Subject: [squid-users] problem with squid
> To: squid-users@squid-cache.org
> 
> HiMy system is:FreeBSD 4.11p11squid 2.5.stable11 with transparent 
> proxyAfter upgrade squid web pages on some computers become to download 
> paticulary, IE and Opera report "Done". If Refresh is pressed it is possible 
> to get a full download. That is interesting what some machines have no such 
> problem and the sites download normally. If download directly, without 
> squid, there are now any problems. What could be a reason of such behaviour?


oh god, does gmail really send such broken messages? VT (ascii 11) character
instead of CR-LF (ascii 13-10) pair?
who has to read such messages?
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


[squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Cole
Hi

I'm running FreeBSD 4.9 and 4.11. What I'm trying to do is set up
squid-2.5-Stable10 to allow authentication using the Negotiate patch.
http://devel.squid-cache.org/projects.html#negotiate.

The patch applies fine, the compile completes with no errors, everything on
the squid side seems to work fine.
I have Samba 3.0.10 installed, winbindd works fine, wbinfo -u produces all the
correct results.

The problem comes in that wb_authntlm cannot contact winbindd. I get this
error.
"wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying".

I spent some time reading the mailing lists, and I see they talk about the
samba winbindd interface changing quite a lot. I was wondering if this
interface changed, and squid-2.5-Stable10 was updated to use a newer version
of Samba 3 than I am currently running?

If so, what is the furthest back samba-3.x that squid-2.5-StableX will work
with, cause I ran into another problem trying to use the very latest samba 3
release from ports.
===>  samba-3.0.20,1 Broken dependency between OpenSSL, OpenLDAP and Heimdal
for FreeBSD 4.x.
Disable ADS support.

Which is a problem cause I am actually trying to use squid to auth using
Negotiate against a Windows 2003 AD/KDC.

Any suggestions or help or information would be gladly appreciated.

Regards
/Cole






[squid-users] problem about squid exhaust all memory

2005-09-27 Thread djx
hi, everyone:
I encountered a problem, I need help from someone.

  Squid uses more and more memory continuously while it is running, and it will 
restart when all physical memory is exhausted, so my squid restarts many times a 
day. It's boring, how can I solve the problem?

every time it restarts, the following information is logged:


FATAL: xcalloc: Unable to allocate 1 blocks of 4104 bytes!

Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 61.889 seconds = 33.408 user + 28.481 sys
Maximum Resident Size: 323524 KB
Page faults with physical i/o: 1725
2005/09/27 17:03:57| Not currently OK to rewrite swap log.
2005/09/27 17:03:57| storeDirWriteCleanLogs: Operation aborted.
2005/09/27 17:04:00| Starting Squid Cache version 2.5.STABLE6 for 
i386-unknown-freebsd5.0...
2005/09/27 17:04:00| Process ID 7561
2005/09/27 17:04:00| With 7232 file descriptors available
2005/09/27 17:04:00| DNS Socket created at 0.0.0.0, port 49428, FD 4
2005/09/27 17:04:00| Adding nameserver 202.99.23.252 from /etc/resolv.conf
2005/09/27 17:04:00| Unlinkd pipe opened on FD 9
2005/09/27 17:04:00| Swap maxSize 512 KB, estimated 393846 objects
2005/09/27 17:04:00| Target number of buckets: 19692
2005/09/27 17:04:00| Using 32768 Store buckets
2005/09/27 17:04:00| Max Mem  size: 262144 KB
2005/09/27 17:04:00| Max Swap size: 512 KB
2005/09/27 17:04:00| Store logging disabled
2005/09/27 17:04:00| Rebuilding storage in /cms/squidcache (DIRTY)
2005/09/27 17:04:00| Using Least Load store dir selection
2005/09/27 17:04:00| chdir: /usr/local/squid/var/cache: (2) No such file or 
directory
2005/09/27 17:04:00| Current Directory is /cms/squidcache
2005/09/27 17:04:00| Loaded Icons.
2005/09/27 17:04:00| Accepting HTTP connections at 0.0.0.0, port 80, FD 8.
2005/09/27 17:04:00| Accepting ICP messages at 0.0.0.0, port 3130, FD 10.
2005/09/27 17:04:00| WCCP Disabled.
2005/09/27 17:04:00| Ready to serve requests.
2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort
2005/09/27 17:04:07| comm_accept: FD 8: (53) Software caused connection abort
2005/09/27 17:04:07| httpAccept: FD 8: accept failure: (53) Software caused 
connection abort


Re: [squid-users] Re: Squid "stalling" downloads

2005-09-27 Thread cgfreita
Hi,

>> I tried "bypassing" que proxy and so download was fine,
>> keeping all other elements equals( router, firewall, network, etc).
>>
>> Which still does not rule out those equipments.. there is very
>> many broken firewalls around where problems is only seen when using
>> a more modern TCP/IP implementation.
>
> I second that. I have been searching for a https related Problem for
> *weeks* last year and it turned out to be a missing tickmark in some
> Checkpoint Option...

 I am trying to convince Squid to allow me to run cachemgr or
squidclient. There is a rule blocking me. I am trying to
collect the data suggested by Henrik.

 Actually my "firewall" is just a Linux machine with iptables.
It has Slackware 10.1, kernel 2.6.12.2 and iptables 1.3.2 and
was working fine until now. But, I have already included it
back in my "blacklist". I am wondering about connection
tracking feature.

> For the Original Poster: Are you using your squid in Combination
> with Antivirus Software like Trend Micro?

 No, just common ACLs for src, dst and regex. I am using ldap
auth too.
 I really thank you for your attention.

Regards,

Cássio



[squid-users] Squid, Dansguardian & cache_peer

2005-09-27 Thread Plant, Dean
I am trying to configure a squid/dansguardian proxy with NTLM auth

I currently have working on one machine and one squid process,

|---------------------------|
|squid (with NTLM no-cache) |
|             |             |
|             |             |
|        dansguardian       |
|             |             |
|             |             |
|      Squid with cache     |
|---------------------------|


I would now like to forward all http/https queries from this machine to
another upstream proxy on a different network. Is this configuration
possible within one squid process as I am already using the cache_peer
directive to forward to dansguardian. Or do I need to run another squid
process?

Thanks

Dean Plant


[squid-users] smb_auth with Windows2003 Server

2005-09-27 Thread Jens Strohschnitter
Hi to the list,

we are using smb_auth with squid 2.x and a Win2000 ADS-Domain. It works
very fine. But after upgrading Win2000 ADS to the Win2003 ADS, the smb_auth 
does not work.
A debug of the problem shows the following:

/usr/sbin/smb_auth -W testdom -U 123.123.123.123 -d
username pwd
Domain name: testdom
Pass-through authentication: no
Query address options: -U 123.123.123.123 -R
Domain controller IP address: 123.123.123.123
Domain controller NETBIOS name: testsrvr
Contents of //TESTSRVR/NETLOGON/proxyauth:
ERR

The file proxyauth exists and its content is: allow. All rights are ok.
So does anybody know how I can fix the problem with W2k3 ? Or is there
no way to use smb_auth further on with W2k3 ?


-- 
Regards,

 Jens Strohschnitter

-
*!!!LINUX LINUX LINUX LINUX LINUX!!!*
 
* http://www.jens-strohschnitter.de *
-
Set the controls for 
 the heart of the sun
-



[squid-users] Squid proxying NTLM authentication servers

2005-09-27 Thread Vinod Patel

Hi,
I read the squid FAQ's and it says that
 " We cannot proxy connections to a origin server that use NTLM
 authentication".

I am using squid-2.5-STABLE2.

I removed the following code in file client_side.c,
routine: clientBuildReplyHeaders,

   /* Filter unproxyable authentication types */
   if (http->log_type != LOG_TCP_DENIED &&
       (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE)
        || httpHeaderHas(hdr, HDR_PROXY_AUTHENTICATE))) {

       /* code for removing NTLM headers from reply */
   }

I removed the above code and NTLM auth seems to work for me.
With firefox, it works for both transparent mode as well as proxy mode.
With IE, it works in transparent mode, but does not work in proxy mode.

I don't think this could be that simple???
Please guide me further in right direction.

Rgds,
Vinod Patel


[squid-users] Squid breaking on browsing. STABLE 11 Problem.

2005-09-27 Thread Steven Sporen
 
Hi,

After upgrading to STABLE11 we are finding that users are complaining
about partial page downloads (with the HTML code being displayed instead
of the parsed output ). We have been able to replicate the problem
however we find that hitting the refresh in the browser may allow the
page to come down.

Example site:  http://kb.trendmicro.com/search/default.asp

Both cache.log and access.log don't display any errors relating to this
site.

Anyone else experiencing this problem? (I did see a couple of emails
around this but no fixes)

Our configuration:

  Red Hat Advanced Server

  Squid Make - ./configure  --enable-snmp --enable-delay-pools


Thanks
  Steven

---
Steven Sporen
Network Manager
Technical

Office  : 011 797 5994
Mobile  : 082 441 6947
Fax : 011 209 5994
Email   : [EMAIL PROTECTED]
Website : http://www.exordia.co.za/



Re: [squid-users] Squid proxying NTLM authentication servers

2005-09-27 Thread Neil A. Hillard

Hi,

please do not remove that code.  NTLM is seriously broken and makes 
incorrect assumptions.  As


http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

states:

> Windows NT Challenge/Response authentication requires implicit
> end-to-end state and will not work through a proxy server.

Therefore the check should be left in.  If you are responsible for the 
service you should look at https + Basic Auth, otherwise you should 
convince the host of the site to do that.


HTH,


Neil.

Vinod Patel wrote:

> Hi,
> I read the squid FAQ's and it says that
>  " We cannot proxy connections to a origin server that use NTLM
>  authentication".
>
> I am using squid-2.5-STABLE2.
>
> I removed the following code in file client_side.c,
> routine: clientBuildReplyHeaders,
>
>   /* Filter unproxyable authentication types */
>   if (http->log_type != LOG_TCP_DENIED &&
>       (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE)
>        || httpHeaderHas(hdr, HDR_PROXY_AUTHENTICATE))) {
>
>       /* code for removing NTLM headers from reply */
>   }
>
> I removed the above code and NTLM auth seems to work for me.
> With firefox, it works for both transparent mode as well as proxy mode.
> With IE, it works in transparent mode, but does not work in proxy mode.
>
> I don't think this could be that simple???
> Please guide me further in right direction.
>
> Rgds,
> Vinod Patel



--
Neil Hillard[EMAIL PROTECTED]
Westland Helicopters Ltd.   http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
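
The "implicit end-to-end state" quoted from the FAQ above, shown as an added example that is not part of the original thread and is not Squid's code. It models an origin that ties the NTLM handshake to one connection, a proxy that spreads requests over pooled upstream connections, and a filter that drops NTLM offers from replies. Assumptions: the class and function names, the round-robin pool, and the TYPE1/TYPE2/TYPE3 tokens standing in for real NTLM messages.

```python
import base64
from itertools import cycle


def scheme_of(value):
    """Return the lower-cased auth scheme of one WWW-Authenticate value."""
    return (value.split() or [""])[0].lower()


def strip_ntlm(offers):
    """Drop NTLM offers from a reply, keeping other schemes (e.g. Basic)."""
    return [v for v in offers if scheme_of(v) != "ntlm"]


class OriginServer:
    """Toy origin: the NTLM handshake state lives on the TCP connection."""

    OFFERS = ["NTLM", 'Basic realm="constructed"']

    def __init__(self):
        self.challenged = set()  # connection ids that were sent a challenge

    def handle(self, conn_id, authorization=None):
        """Return (status, WWW-Authenticate values) for one request."""
        if authorization is None:
            return 401, list(self.OFFERS)
        scheme, _, token = authorization.partition(" ")
        scheme = scheme.lower()
        if scheme == "basic":
            return 200, []  # credentials travel with every request
        if scheme == "ntlm" and token == "TYPE1":
            self.challenged.add(conn_id)  # state is keyed by connection
            return 401, ["NTLM TYPE2"]
        if scheme == "ntlm" and token == "TYPE3" and conn_id in self.challenged:
            self.challenged.discard(conn_id)
            return 200, []
        # TYPE3 on a connection that never saw the challenge: start over.
        return 401, list(self.OFFERS)


class PoolingProxy:
    """Toy proxy that forwards each request on the next pooled connection."""

    def __init__(self, origin, pool_size=2, filter_ntlm=False):
        self.origin = origin
        self.upstream = cycle(range(pool_size))  # constructed round-robin pool
        self.filter_ntlm = filter_ntlm

    def send(self, authorization=None):
        status, offers = self.origin.handle(next(self.upstream), authorization)
        if self.filter_ntlm:
            offers = strip_ntlm(offers)
        return status, offers


def browser_fetch(send):
    """Client that prefers NTLM and falls back to Basic.

    Returns (final status, scheme used).
    """
    status, offers = send(None)
    schemes = [scheme_of(o) for o in offers]
    if "ntlm" in schemes:
        send("NTLM TYPE1")               # negotiate, server answers with TYPE2
        status, _ = send("NTLM TYPE3")   # only valid on the same connection
        return status, "ntlm"
    if "basic" in schemes:
        creds = base64.b64encode(b"constructed:demo").decode()
        status, _ = send("Basic " + creds)
        return status, "basic"
    return status, None


def run_scenarios():
    """Fetch directly, through an unfiltered proxy, and through a filtering one."""
    direct = OriginServer()
    return {
        "direct": browser_fetch(lambda auth=None: direct.handle("conn-0", auth)),
        "proxy_unfiltered": browser_fetch(PoolingProxy(OriginServer()).send),
        "proxy_filtered": browser_fetch(
            PoolingProxy(OriginServer(), filter_ntlm=True).send
        ),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```
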




[squid-users] LDAP auhentication + transparent proxy

2005-09-27 Thread Ruud Baart
I've read somewhere in the archives that (LDAP) authentication won't work in 
combination with transparent proxy. I could not find the reason for this. Does 
someone know the reason?

Met vriendelijke groet/Regards,
Ruud Baart

Prompt, Kerkstraat 173
5261 CW Vught, Netherlands
Tel: +31 73 6567041
http://www.prompt.nl



Re: [squid-users] LDAP auhentication + transparent proxy

2005-09-27 Thread Neil A. Hillard

Ruud Baart wrote:

> I've read somewhere in the archives that (LDAP) authentication won't
> work in combination with transparent proxy. I could not find the reason
> for this. Does someone know the reason?



http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16

HTH,


Neil.

--
Neil Hillard[EMAIL PROTECTED]
Westland Helicopters Ltd.   http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.




[squid-users] Having a strange problem - squid redirectin pages to freeservers . . .

2005-09-27 Thread marceluda

Hello, my name is marcelo luda, I'm from Argentina.
I'm working for the city government, where we have internet access through 
a squid proxy.
Some days ago the proxy started to work badly. When I ask for a page of my country dns ( .com.ar 
for example) the squid redirects it to freeservers.com (the address shown in the browser is what I 
wrote but the page that appears is freeservers).
The problem is not in the connection or in dns because from the proxy in direct connection to the 
internet all works perfectly. The squid.conf was not touched. I downloaded the squid 2.5 stable11 and 
compiled it to avoid possible bugs or vulnerabilities (thinking that it is possibly an attack), but the 
problem continues.
I deleted the cache folder and made it again ( sbin/squid -z) thinking of a cache problem but 
nothing works.


Has anybody had a similar problem?
Can anybody suggest something?

I have no more ideas.
Thank you for your help
marceluda


[squid-users] squid-2.5.STABLE11-20050927 not available

2005-09-27 Thread Magali Bernard

Hello,

Today I've tried to get squid-2.5.STABLE11-20050927 at
http://www.squid-cache.org/Versions/v2/2.5/

Result:
Not Found
The requested URL /Versions/v2/2.5/squid-2.5.STABLE11-20050927.tar.gz was not 
found on this server.
Apache/1.3.33 Server at www.squid-cache.org Port 80

Idem with RELEASENOTES.html or squid-2.5.STABLE11-20050927.tar.bz2

Hope it will be ok soon...

TIA.


-- 
__
A: Yes. Magali BERNARD
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?





[squid-users] Access Problems

2005-09-27 Thread Casey King
Our company has a proxy server running on RH8.0.  My job is to setup a
second proxy server that will be acting as a primary proxy for another
location.  The OS I am using is CentOS 4.1, which came loaded with
squid-2.5.STABLE6-3.4E.5.

I copied the ACLs from the production proxy server.  I am in the process of
trying to see if everything is working properly, but it seems the squid.conf
is not reading the users.txt, powerusers.txt, or anything with the acl
[name] proxy_auth "" configuration.  I am able to get to sites listed in the
whitelist.txt.  Outside of that, I cannot go anywhere (such as
www.google.com).  The production server allows this.  I added .google.com to
the whitelist.txt on the machine I am  trying to setup, and then it works,
but I do not understand why it is not working without being in the
whitelist.txt.  Below are my squid.conf acl settings.  The part I thought
would allow me to access google or other not whitelist.txt sites (other than
blacklist, and sites for powerusers) was the acl AuthLimitedUsers proxy_auth
REQUIRED
What am I missing?

---

acl DoNotCacheWebSites dstdomain "/etc/squid/rules/donotcachewebsites.txt"
acl Freemarkets dstdomain .freemarkets.com
acl MyTextron dstdomain .mytextron.com
acl WComNet dstdomain .wcom.net
acl Corrlink dstdomain .weyerhaeuser.com
acl SchwabPlan dstdomain .schwabplan.com
acl LindWaldock dstdomain .lind-waldock.com
acl BrownListWebsites dstdomain "/etc/squid/rules/brownlist.txt"
acl BlackListWebsites dstdomain "/etc/squid/rules/blacklist.txt"
acl BlackListIpAddresses dst "/etc/squid/rules/blacklistipaddr.txt"
acl BlackListIpAddress1 dst 64.73.35.120
acl OpenAccessWhiteListWebsites dstdomain "/etc/squid/rules/openaccesswhitelist.txt"
acl OpenAccessWhiteListIpAddresses dst "/etc/squid/rules/openaccesswhitelistipaddr.txt"
acl WhiteListWebsites dstdomain "/etc/squid/rules/whitelist.txt"
acl WhiteListIPAddresses dst "/etc/squid/rules/whiteipaddr.txt"
acl AuthLimitedUsers proxy_auth REQUIRED
acl AuthPowerUsers proxy_auth "/etc/squid/rules/powerusers.txt"
acl AuthIPAddresses src "/etc/squid/rules/poweripaddresses.txt"
acl AuthSafeAccessUsers proxy_auth "/etc/squid/rules/users.txt"
acl OverRideBrownListUsers proxy_auth "/etc/squid/rules/ovrdbrownlist.txt"

#http_access allow manager all
http_access allow manager our_networks
#http_access allow all open_for_ip_address
http_access allow all Freemarkets
http_access allow all MyTextron
http_access allow all Corrlink
http_access allow all SchwabPlan
http_access allow all WcomNet
http_access allow all LindWaldock
http_access allow all AuthSafeAccessUsers
http_access allow all AuthPowerUsers
http_access allow all AuthIPAddresses
http_access allow all OpenAccessWhiteListWebsites
http_access allow all OpenAccessWhiteListIpAddresses
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
http_access allow BrownListWebsites OverRideBrownListUsers
http_access deny all BrownListWebsites
http_access deny all BlackListWebsites
http_access deny all BlackListIpAddresses
http_access deny all BlackListIpAddress1
#http_access allow all AuthSafeAccessUsers
http_access allow WhiteListWebsites AuthLimitedUsers
http_access allow WhiteListIPAddresses AuthLimitedUsers
http_access deny all






Re: [squid-users] MSN

2005-09-27 Thread Kashif Ali Bukhari
acl msn url_regex -i gateway.dll
acl msnblocked src xxx.xxx.xxx.xxx/xx
http_access deny msn msnblocked





On 9/23/05, Christoph Haas <[EMAIL PROTECTED]> wrote:
> On Fri, Sep 23, 2005 at 03:11:10PM +0500, kashif Mazhar wrote:
> > i am using acl to control internet access to my users, now i want to
> > block msn messenger to some specific users instead of all...can u plz
> > tell me how could it be possible to stop specified user by using msn
> > messenger in squid ..
>
> Combine the ACLs. See
> http://squid.visolve.com/squid/squid24s1/access_controls.htm#http_access
> or http://workaround.org/moin/HowSquidAclsWork
>
> Christoph
> --
> ~
> ~
> ~
> ".signature" [Modified] 3 lines --100%--3,41 All
>



--
Syed Kashif Ali Bukhari
Jr. Network Officer Beaconet


Re: [squid-users] Squid "stalling" downloads

2005-09-27 Thread cgfreita
Henrik,

>> If I try do download big files ( 18MB, 4MB, 38MB ), it starts
>> downloading, but suddenly the browser stalls and stops
>> downloading.

>> What kind of information could I give here to clarify things?
>
> The information from the ongoing request in cachemgr, and netstat
> showing  both the client and server connections.

 I tried to get the information correctly. Could you please tell
me what options from cachemgr.cgi menu do you need? I finally
got it working but couldn't conclude what information to send.

 I was not sure about sending a lot of text here, so I attached
a little text.

 I noticed that, in some cases, when a download is ocurring, if
we try to use another window to browse the internet, the
connection(downloading) just drop down. In other cases, it
doesn't occur. I didn't noticed a relation.

 Sometimes, even wget is broken, but, just now, it is
downloading for a long time, without broken connections.

 I am really "stucked".

 I will make more tests, with delay pools deactivated. The
results I sent were collected with delay pools ON.  My
squid.conf lines, about delay pools, are in the attached file.

 What more can I do to help you to help me?

 I really thank you for your attention.

Regards

Cassio

Message with konqueror.

Firefox doesn't give any message.
-
 Connection to host www.slackware.at is broken

Message, with the same URL, with wget
-
 2500K .. .. .. .. ..  0%8.22 KB/s
 2550K .. .. .. .. ..  0%7.21 KB/s
 2600K ..  0%   57.53 KB/s

14:50:17 (17.05 KB/s) - Connection closed at byte 2669338. Retrying.

--14:50:18--  http://www.slackware.at/data/slackware-10.2-iso/slackware-10.2-in
  (try: 2) => `www.slackware.at/data/slackware-10.2-iso/slackware-10.2-install-
Connecting to 192.168.6.254:3128... connected.
Proxy request sent, awaiting response...
 1 HTTP/1.0 206 Partial Content
 2 Date: Tue, 27 Sep 2005 17:40:51 GMT
 3 Server: Boa/0.94.14rc21
 4 Accept-Ranges: bytes
 5 Last-Modified: Tue, 13 Sep 2005 20:10:13 GMT
 6 Content-Length: 665990374
 7 Content-Type: application/x-iso9660-image
 8 Content-Range: bytes 2669338-668659711/668659712
 9 X-Cache: MISS from UNIPAM
10 Proxy-Connection: close

   [ skipping 2600K ]
 2600K ,, .. .. .. ..  0%7.19 KB/s
 2650K .. .. .. .. ..  0%8.19 KB/s
 2700K .. .. .. .. ..  0%6.25 KB/s
 2750K .. .. .. .. ..  0%7.15 KB/s
 2800K .. .. .. .. ..  0%8.24 KB/s
 2850K .. .. .. .. ... 0%7.27 KB/s

14:51:00 (7.32 KB/s) - Connection closed at byte 2962830. Retrying.

Netstat, for the client 192.168.16.6 ( netstat -n | grep 192.168.16.6 )
---
tcp0  0 192.168.6.254:3128  192.168.16.6:1856   ESTABLISHED
tcp0  0 192.168.6.254:3128  192.168.16.6:1765   TIME_WAIT
tcp0  0 192.168.6.254:3128  192.168.16.6:1764   TIME_WAIT
tcp0  0 192.168.6.254:3128  192.168.16.6:1766   TIME_WAIT
tcp0  0 192.168.6.254:3128  192.168.16.6:1763   TIME_WAIT
tcp0  0 192.168.6.254:3128  192.168.16.6:1762   TIME_WAIT


for the server 81.223.20.35 ( netstat -n | grep 192.168.16.6 )
--
tcp66988  0 10.0.0.2:48614  81.223.20.35:80 ESTABLISHED

vmstat 5 from proxy
---
procs ---memory-- ---swap-- -io --system-- cpu
 r  b   swpd   free   buff  cache   si   sobibo   incs us sy id wa
 1  0  0   6228 130376 215608004395  383   209  4  4 89  3
 0  0  0   5608 130548 21598000 9   182 1556   250  7  8 82  4
 0  0  0   5856 130496 2155560016   202 1635   266  6  8 81  5
 0  0  0   6352 130400 2148360010   203 1610   288  5  8 86  1
 0  0  0   6228 130492 2152880049   131 1563   288  6  8 82  4
 0  0  0   6104 130560 2151520044   190 1572   305  7  8 79  5
 0  0  0   6476 130660 2144400026   280 1524   220  8  7 73 12
 0  0  0   5956 130776 2146640019   202 1501   263  6  7 83  3
 0  0  0   5824 130824 2148880014   229 1546   259  5  6 85  4

Extract from squid.conf
---
delay_pools 2
delay_class 1 2
delay_class 2 1
delay_access 1 allow laboratorios !fromdmz
delay_access 1 deny all
delay_access 2 allow fromdmz
delay_access 2 deny all
delay_parameters 1 -1/-1 8000/150
delay_parameters 2 -1/-1



RE: [squid-users] Access Problems

2005-09-27 Thread Casey King

I have since worked on this issue some more, and I have come to find the
information from my first email must work correctly.  Here is another
section of my squid.conf:


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


If I comment out the section "auth_param ntlm ...", I am able to see my ACLs
working as they should.  I have uncommented the "auth_param ntlm .."
settings, and am back at square 1.  From the command prompt, basic works
fine, but does not: (see below)

#ntlm_auth --helper-protocol=squid-2.5-ntlmssp
domain\user password
utils/ntlm_auth.c:manage_squid_ntlmssp_request(576)
BH

After reading the man on ntlm_auth, I checked winbindd_privileged and the
settings for it is root:squid and permissions 750.  This seems to be the
proper setting.  I am not sure what else I need to be doing in order to get
this going.

Any help would be appreciated

Casey










RE: [squid-users] slower connections using squid (squid is slowing down all connections)

2005-09-27 Thread Chris Robertson
> -Original Message-
> From: Alex [mailto:[EMAIL PROTECTED]
> Sent: Sunday, September 25, 2005 2:54 AM
> 
> On Saturday 24 September 2005 21:15, Matus UHLAR - fantomas wrote:
> > > > Okay... These look pretty good.  Hits are fast, misses are okay, DNS
> > > > requests are about what I would expect...  I'm a bit perplexed.  What
> > > > are the symptoms of slow connections?  Is it throughput on large
> > > > downloads, pages with lots of connections (msn.com with it's thousands
> > > > of images), does it just take forever for a connection to get started,
> > > > or is it something else entirely?
> >
> > On 24.09 15:21, Alex wrote:
> > > NO, the situation is very simple: not matter content of page. Even if
> > > www.google.com is accesed, it take more then 20-30s to load/display it
> > > correctly. Without squid, www.google.com is loaded instantly!
> >
> > ehm, this might be caused by:
> >
> > 1. clients connect from IP's not in DNS, and your squid checks for their
> >reverse (and probably direct) DNS informations
> 
> I don't think so...  Indeed, for our clients, i haven't 
> configured 10.0.0.rev 
> zone in our DNS (i am using split view dns configuration and 
> all our clients 
> queries are comming from: 10.0.x.0/24 subnets, where x = 1 up to 10), 
> but  If you are right, why in the morning or in the 
> afternoon, squid is 
> working ok?

Something is being overloaded at mid day.  From the statistics you have 
provided, it's not Squid.  You stated that a connection to Google takes 20-30 
seconds to complete, but don't give details on what happens during the wait.  
Do parts of the page load (i.e. the text but not the logo), or is it a long 
wait and then the page suddenly appears?

> 
> > 2. you are requiring ident for them, they are firewalled  and don't support
> >ident requests
> 
> no, we are in a vpn and for our internal IP address we are passing
> almost all traffic... What's the name of squid directive which
> enable/disable ident requests?

As far as I recall, ident lookups have to be compiled into Squid.  Looking at 
the squid.conf.default I find "By default, ident lookups are not performed for 
any requests", and looking at your squid.conf I don't see you requesting ident 
info.  I also don't see anything that should cause reverse DNS lookups.

> 
> >
> > for 99% it's the first case. turn off dns checking in squid, or better, fix
> > your internal DNS.
> 
> HOW CAN I TURN OFF DNS CHECKING IN SQUID ... log_fqdn directive is
> turned off by default

Don't use acls such as srcdomain or srcdom_regex.  You aren't so I don't think 
this is the issue here.

At a busy point (when requests are blocking) check the "Internal DNS 
Statistics" page.  That should show you which DNS servers are being queried.  
Output of "netstat -tapn" might be helpful as well.  Lastly, running "squid -k 
debug" while under high load waiting a few seconds and then running "squid -k 
debug" again (to turn debugging off) and then checking cache_log for details 
can reveal other problems.  It's sounding very much like a DNS server being 
overloaded or a problem with creating outgoing requests (firewall, OS 
limitation, etc).

> 
> Here comes my squid.conf
> 
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 256 MB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 64 KB
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
> cache_dir aufs /var/spool/squid 20480 16 256
> cache_store_log none
> ftp_user [EMAIL PROTECTED]
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching server
> auth_param basic program /usr/lib/squid/pam_auth
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> half_closed_clients off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl lanpass proxy_auth REQUIRED
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow lanpass
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr [EMAIL PROTECTED]

RE: [squid-users] Parent Authentication request problem

2005-09-27 Thread Chris Robertson
> -Original Message-
> From: Szarka Zoltán [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 26, 2005 10:30 PM
> To: 'Squid'
> Subject: [squid-users] Parent Authentication request problem
> 
> 
> Hi All!
> 
> I have a squid proxy without authentication request, there is a Netscape
> proxy with authentication request for each user (unfortunately I have no
> administrator right for that server.)
> 
> What I want is forward all local http request to Netscape proxy over my
> Squid. 
> 
> I have tried it with the following conf setting, but netscape proxy doesn't
> accept any user/password. (why?)
> 
> cache_peer  parent  3130 default no_query
> 
> Then I have used login= option for cache_peer with a static
> username:password. It has worked very well, but only with that user's right.
> Is it possible to forward authentication request for each user? I have
> already tried with login=PASS, login=PROXYPASS; the netscape proxy doesn't
> accept authentications.
> 
> thanks
> 
> Zoltan
> 

login=PASS only works for the Basic HTTP authentication scheme.  It's likely 
that the Netscape parent is using Digest.  Assuming this is the case, I'm not 
sure if there is anything you can do.

Chris


RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Chris Robertson
> -Original Message-
> From: Cole [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 12:41 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Squid 2.5-Stable10 With Negotiate 
> Patch and Sambe
> 3.x
> 
> 
> Hi
> 
> Im running FreeBSD 4.9 and 4.11. What im trying to do is 
> setup squid-2.5-Stable10 to allow
> authentication using the Negotiate patch. 
> http://devel.squid-cache.org/projects.html#negotiate.
> 
> The patch applies fine, the compile completes no errors, 
> everything on squid side seems to work
> fine.

Did you run bootstrap.sh?  
http://www.squid-cache.org/mail-archive/squid-users/200506/0102.html

Beyond that I can be no help...

> I have Samba 3.0.10 installed, winbindd works fine, wbinfo -u 
> produces all the correct results.
> 
> The problem comes in that, wb_authntlm cannot contact 
> winbindd. I get this error.
> "wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact 
> winbindd. Dying". 
> 
> I spent some time reading the mailing lists, and I see they 
> talk about the samba winbindd interface
> changing quite a lot. I was wondering if this interface 
> changed, and squid-2.5-Stable10 was updated
> to use a new version of Samba 3 than I am currently running?
> 
> If so, what is the furtherest back samba-3.x that 
> squid-2.5-StableX will work with, cause I ran into
> another problem trying to use the very latest samba 3 release 
> from ports.
> ===>  samba-3.0.20,1 Broken dependency between OpenSSL, 
> OpenLDAP and Heimdal for FreeBSD 4.x.
> Disable ADS support.
> 
> Which is a problem cause I am actually trying to use squid to 
> auth using Negotiate against a Windows
> 2003 AD/KDC.
> 
> Any suggestions or help or information would be gladly appreciated.
> 
> Regards
> /Cole
> 
> 

Chris


RE: [squid-users] problem about squid exhaust all memory

2005-09-27 Thread Chris Robertson
> -Original Message-
> From: djx [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 1:18 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] problem about squid exhaust all memory
> 
> 
> hi,everyone:
> I encountered a problem, I need help from someone.
> 
>   Squid uses more and more memory continuously during its 
> running, and it will restart when all physical memory is 
> exhausted, so my squid restarts many times a day. It's boring, 
> how can I solve the problem?
> 

How much physical memory does your Squid box have?  Is it doing anything but 
Squid?  Are you perhaps suffering from 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-client_db_gc?

Upgrading would not be a bad course of action in any case...

> every time it restart ,the following information is logged:
> 
> 
> FATAL: xcalloc: Unable to allocate 1 blocks of 4104 bytes!
> 
> Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
> CPU Usage: 61.889 seconds = 33.408 user + 28.481 sys
> Maximum Resident Size: 323524 KB
> Page faults with physical i/o: 1725
> 2005/09/27 17:03:57| Not currently OK to rewrite swap log.
> 2005/09/27 17:03:57| storeDirWriteCleanLogs: Operation aborted.
> 2005/09/27 17:04:00| Starting Squid Cache version 2.5.STABLE6 
> for i386-unknown-freebsd5.0...
> 2005/09/27 17:04:00| Process ID 7561
> 2005/09/27 17:04:00| With 7232 file descriptors available
> 2005/09/27 17:04:00| DNS Socket created at 0.0.0.0, port 49428, FD 4
> 2005/09/27 17:04:00| Adding nameserver 202.99.23.252 from 
> /etc/resolv.conf
> 2005/09/27 17:04:00| Unlinkd pipe opened on FD 9
> 2005/09/27 17:04:00| Swap maxSize 512 KB, estimated 393846 objects
> 2005/09/27 17:04:00| Target number of buckets: 19692
> 2005/09/27 17:04:00| Using 32768 Store buckets
> 2005/09/27 17:04:00| Max Mem  size: 262144 KB
> 2005/09/27 17:04:00| Max Swap size: 512 KB
> 2005/09/27 17:04:00| Store logging disabled
> 2005/09/27 17:04:00| Rebuilding storage in /cms/squidcache (DIRTY)
> 2005/09/27 17:04:00| Using Least Load store dir selection
> 2005/09/27 17:04:00| chdir: /usr/local/squid/var/cache: (2) 
> No such file or directory
> 2005/09/27 17:04:00| Current Directory is /cms/squidcache
> 2005/09/27 17:04:00| Loaded Icons.
> 2005/09/27 17:04:00| Accepting HTTP connections at 0.0.0.0, 
> port 80, FD 8.
> 2005/09/27 17:04:00| Accepting ICP messages at 0.0.0.0, port 
> 3130, FD 10.
> 2005/09/27 17:04:00| WCCP Disabled.
> 2005/09/27 17:04:00| Ready to serve requests.
> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:07| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:07| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 

As for these messages: 
http://www.squid-cache.org/mail-archive/squid-users/200401/0239.html

Chris


RE: [squid-users] problem about squid exhaust all memory

2005-09-27 Thread trainier
I'd be interested in seeing your squid.conf as well.

Tim Rainier
Information Services, Kalsec, INC
[EMAIL PROTECTED]



"Chris Robertson" <[EMAIL PROTECTED]> 
09/27/2005 04:11 PM

> -Original Message-
> From: djx [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 1:18 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] problem about squid exhaust all memory
> 
> 
> hi,everyone:
> I encountered a problem, I need help from someone.
> 
>   Squid uses more and more memory continuously during its 
> running, and it will restart when all physical memory is 
> exhausted, so my squid restarts many times a day. It's boring, 
> how can I solve the problem?
> 

How much physical memory does your Squid box have?  Is it doing anything 
but Squid?  Are you perhaps suffering from 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-client_db_gc?

Upgrading would not be a bad course of action in any case...

> every time it restart ,the following information is logged:
> 
> 
> FATAL: xcalloc: Unable to allocate 1 blocks of 4104 bytes!
> 
> Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
> CPU Usage: 61.889 seconds = 33.408 user + 28.481 sys
> Maximum Resident Size: 323524 KB
> Page faults with physical i/o: 1725
> 2005/09/27 17:03:57| Not currently OK to rewrite swap log.
> 2005/09/27 17:03:57| storeDirWriteCleanLogs: Operation aborted.
> 2005/09/27 17:04:00| Starting Squid Cache version 2.5.STABLE6 
> for i386-unknown-freebsd5.0...
> 2005/09/27 17:04:00| Process ID 7561
> 2005/09/27 17:04:00| With 7232 file descriptors available
> 2005/09/27 17:04:00| DNS Socket created at 0.0.0.0, port 49428, FD 4
> 2005/09/27 17:04:00| Adding nameserver 202.99.23.252 from 
> /etc/resolv.conf
> 2005/09/27 17:04:00| Unlinkd pipe opened on FD 9
> 2005/09/27 17:04:00| Swap maxSize 512 KB, estimated 393846 objects
> 2005/09/27 17:04:00| Target number of buckets: 19692
> 2005/09/27 17:04:00| Using 32768 Store buckets
> 2005/09/27 17:04:00| Max Mem  size: 262144 KB
> 2005/09/27 17:04:00| Max Swap size: 512 KB
> 2005/09/27 17:04:00| Store logging disabled
> 2005/09/27 17:04:00| Rebuilding storage in /cms/squidcache (DIRTY)
> 2005/09/27 17:04:00| Using Least Load store dir selection
> 2005/09/27 17:04:00| chdir: /usr/local/squid/var/cache: (2) 
> No such file or directory
> 2005/09/27 17:04:00| Current Directory is /cms/squidcache
> 2005/09/27 17:04:00| Loaded Icons.
> 2005/09/27 17:04:00| Accepting HTTP connections at 0.0.0.0, 
> port 80, FD 8.
> 2005/09/27 17:04:00| Accepting ICP messages at 0.0.0.0, port 
> 3130, FD 10.
> 2005/09/27 17:04:00| WCCP Disabled.
> 2005/09/27 17:04:00| Ready to serve requests.
> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 2005/09/27 17:04:07| comm_accept: FD 8: (53) Software caused 
> connection abort
> 2005/09/27 17:04:07| httpAccept: FD 8: accept failure: (53) 
> Software caused connection abort
> 

As for these messages: 
http://www.squid-cache.org/mail-archive/squid-users/200401/0239.html

Chris




[squid-users] Re: problem about squid exhaust all memory

2005-09-27 Thread Joost de Heer
>   Squid uses more and more memory continuously during its running, and it
> will restart when all physical memory is exhausted, so my squid restarts
> many times a day. It's boring, how can I solve the problem?

How much memory does your machine have? You have a 5G cache and 256M
memory cache, perhaps this is too much for your machine.

Joost



Re: [squid-users] Re: Squid "stalling" downloads

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005 [EMAIL PROTECTED] wrote:

> I am trying to convince Squid to allow me to run cachemgr or 
> squidclient. There is a rule blocking me. I am trying to collect the 
> data suggested by Henrik.


The default ruleset suggested in the squid.conf shipped by Squid allows 
cachemgr access from localhost and localhost only, but if you have 
inserted your rules in another order than suggested then it may be 
possible that you have unintentionally overridden these rules.


What do your http_access rules look like? They should look something like 
the following:


# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Deny users to proxy to localhost
http_access deny to_localhost

# your http_access rules
http_access 
http_access 
http_access 

# And finally deny all other access to this proxy
http_access deny all


> Actually my "firewall" is just a Linux machine with iptables.
> It has Slackware 10.1, kernel 2.6.12.2 and iptables 1.3.2 and
> was working fine until now. But, I have already included it
> back in my "blacklist". I am wondering about connection
> tracking feature.


The Linux iptables firewall is very good, but there have been some reports 
about the TCP window tracking introduced in recent versions perhaps not 
always getting things correct. If you suspect this may be the case then 
you can try


  echo 1 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

on the firewall. This marginally reduces the security of the TCP window 
tracking making it behave more like the connection tracking in earlier 
kernels.


but I doubt this is your problem.

Regards
Henrik
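
The ordering point in the message above can be checked mechanically. The following is an added example, not code from this thread or from Squid: it models http_access evaluation (first matching line decides, ACLs on one line are ANDed) and shows how moving one site rule changes who reaches the cache manager. The `our_lan` ACL, its 10.0.0.0/8 range, port 3128 for manager requests and the sample requests are constructed assumptions.

```python
"""Model of Squid http_access evaluation: the first matching line decides."""
import ipaddress


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# ACL predicates over a request dict. Names follow the default squid.conf ACLs
# quoted in the thread; "our_lan" and its 10.0.0.0/8 range are assumptions.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "to_localhost": lambda r: in_net(r["dst"], "127.0.0.0/8"),
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "Safe_ports": lambda r: r["port"] in (80, 21, 443, 563, 70, 210, 280, 488, 591, 777)
    or 1025 <= r["port"] <= 65535,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "our_lan": lambda r: in_net(r["src"], "10.0.0.0/8"),
}


def parse_rules(conf_text):
    """Return [(action, [acl tokens], original line)] for each http_access line."""
    rules = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "http_access":
            continue
        action, tokens = fields[1], fields[2:]
        if action not in ("allow", "deny"):
            raise ValueError("bad action in: " + raw)
        for tok in tokens:
            if tok.lstrip("!") not in ACLS:
                raise ValueError("undefined ACL in: " + raw)
        rules.append((action, tokens, raw.strip()))
    return rules


def acl_matches(token, request):
    result = ACLS[token.lstrip("!")](request)
    return not result if token.startswith("!") else result


def evaluate(rules, request):
    """Return (decision, line that decided it)."""
    if not rules:
        raise ValueError("no http_access lines to evaluate")
    for action, tokens, text in rules:
        # Every ACL named on the line must match (logical AND).
        if all(acl_matches(tok, request) for tok in tokens):
            return action, text
    # No line matched: the result is the opposite of the last line's action.
    opposite = "deny" if rules[-1][0] == "allow" else "allow"
    return opposite, "(no line matched: opposite of last line)"


# The suggested ordering from the message, without the site-specific lines.
BASE = [
    "http_access allow manager localhost",
    "http_access deny manager",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny to_localhost",
    "http_access deny all",
]


def with_site_rule(rule, position):
    """Insert one site rule into the suggested ordering at the given index."""
    lines = list(BASE)
    lines.insert(position, rule)
    return "\n".join(lines)


SUGGESTED = with_site_rule("http_access allow our_lan", 5)   # where the message puts it
EXPOSED = with_site_rule("http_access allow our_lan", 0)     # site rule moved to the top
LOCKED_OUT = with_site_rule("http_access deny !our_lan", 0)  # blanket deny moved to the top

# Constructed sample requests.
MGR_LOCAL = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "cache_object",
             "method": "GET", "port": 3128}
MGR_LAN = {"src": "10.0.1.25", "dst": "10.0.0.1", "proto": "cache_object",
           "method": "GET", "port": 3128}
WEB_LAN = {"src": "10.0.1.25", "dst": "192.0.2.10", "proto": "http",
           "method": "GET", "port": 80}

if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED), ("exposed", EXPOSED),
                       ("locked out", LOCKED_OUT)):
        rules = parse_rules(conf)
        for label, req in (("manager from localhost", MGR_LOCAL),
                           ("manager from LAN", MGR_LAN),
                           ("web from LAN", WEB_LAN)):
            decision, line = evaluate(rules, req)
            print(f"{name:10} | {label:22} | {decision:5} | {line}")
```

Running it prints, for each ordering, which line decided each request; the "locked out" ordering reproduces the blocked cachemgr symptom, and the "exposed" ordering shows the opposite failure, where a LAN client is allowed before the manager rules are ever consulted.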


Re: [squid-users] Squid "stalling" downloads

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005 [EMAIL PROTECTED] wrote:


> I tried to get the information correctly. Could you please tell
> me what options from cachemgr.cgi menu do you need? I finally
> got it working but couldn't conclude what information to send.


I need the data from "Objects being sent to clients" and "Client-side 
Active Requests" about the specific request only (both).


  squidclient mgr:active_requests
  squidclient mgr:client_objects

(filter out only the block for the specific object from the above lists, 
the rest is not interesting).


In addition the netstat info about the connection to the client and the 
connection to the server is also very useful. Especially if it is 
suspected the problem may be related to delay pools.


  netstat -n  | egrep "ip.of.client:|ip.of.server:"

and if you think it is delay pools related the "Delay Pool Levels" output 
for the delay pool assigned to the request is also interesting.


  squidclient mgr:delay

Regards
Henrik


Re: [squid-users] Error in STABLE11

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Awie wrote:


> I found the message below after upgrading the Squid to version STABLE11 (it
> did not happen in version S10).
> 
> [EMAIL PROTECTED] root]# squid -k shutdown
> squid: ERROR: Could not send signal 15 to process 637: (1) Operation not
> permitted
> 
> Would you tell me how can I fix it?


Odd.. seems to work fine for me.

What OS are you using?

Are you using the chroot squid.conf directive?

Regards
Henrik


Re: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Cole wrote:


> The problem comes in that, wb_authntlm cannot contact winbindd. I get this 
> error.
> "wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying".


wb_ntlmauth is for Samba-2.2.X only.

For Samba-3.X you should use ntlm_auth shipped with Samba.

For Negotiate support you probably will need Samba4. I do not think the 
required support is in Samba-3.X yet.



> If so, what is the furtherest back samba-3.x that squid-2.5-StableX will work 
> with, cause I ran into
> another problem trying to use the very latest samba 3 release from ports.


Starting with Samba-3.X there no longer is any versioning dependency 
between Squid and Samba.



> Which is a problem cause I am actually trying to use squid to auth using 
> Negotiate against a Windows
> 2003 AD/KDC.


Do you have clients willing to use Negotiate in this setup? As far as I 
know MSIE does not support Negotiate to proxies, only web servers 
(including reverse proxies).


Is there any reason you do not want to use NTLM? NTLM is supported by AD 
unless explicitly disabled in the AD.


Regards
Henrik


Re: [squid-users] smb_auth with Windows2003 Server

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Jens Strohschnitter wrote:


> The file proxyauth exists and its content is: allow. All rights are ok.
> So does anybody know how I can fix the problem with W2k3 ? Or is there
> no way to use smb_auth further on with W2k3 ?


smb_auth relies on smbclient from Samba. To make smb_auth work to your 
W2K3 setup you first need to figure out how to make Samba smbclient work..



smb_auth runs the following:

  env USER="login%password" smbclient '//dchostname/NETLOGON' -I ip.of.dc -d 0 -E -W "domainname" -c "get proxyauth -"

where
   login is the login name
   password is the password
   dchostname is the host name of your login server
   ip.of.dc is the IP address of the above
   domainname is the Windows domain name

Regards
Henrik


Re: [squid-users] Squid proxying NTLM authentication servers

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Vinod Patel wrote:


> /* code for removing NTLM headers from reply */
> 
> I removed the above code and NTLM auth seems to work for me.


No it does not.

If you remove this code the following result will be seen:

  - In light testing as a single user it may appear to work at first
  - After more in-depth testing you will notice random authentication
    popups as the first sign of trouble
  - After more testing with multiple users you will notice the random
    authentication popups a lot more
  - And if you look more closely at the web server logs or what
    permissions are given to each user you will notice that the server
    "randomly" assigns another user to the requests when an authentication
    popup is not given.



> With firefox, it works for both transparent mode as well as proxy mode.


The fact that Firefox works in proxy mode can to a remote extent be argued 
to be a bug in Firefox not implementing NTLM in the same manner as MSIE.



> With IE, it works in transparent mode, but does not work in proxy mode.


As it should. Microsoft is well aware of the problems. See 
Internet draft draft-jaganathan-kerberos-http-01 for details on what is 
required to use NTLM and Negotiate over HTTP proxies.


Regards
Henrik


Re: [squid-users] squid-2.5.STABLE11-20050927 not available

2005-09-27 Thread Henrik Nordstrom



On Tue, 27 Sep 2005, Magali Bernard wrote:


> Today I've tried to get squid-2.5.STABLE11-20050927 at
> http://www.squid-cache.org/Versions/v2/2.5/


I noticed this a few minutes ago. Should be fixed later today when the 
next snapshot is run.


There has not yet been a single change after 2.5.STABLE11 so the current 
nightly snapshot is identical to 2.5.STABLE11 except that it is packaged 
as a snapshot rather than a stable release.


Regards
Henrik


Re: [squid-users] Having a strange problem - squid redirectin pages to freeservers . . .

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, marceluda wrote:

> Some days ago the proxy started to work badly. When I ask for a page of my 
> country dns (.com.ar for example) the squid redirects it to 
> freeservers.com (the address shown in the browser is what I wrote but the 
> page that appears is freeservers).
> The problem is not in the connection or in DNS because from the proxy in 
> direct connection to the internet all works perfectly. The squid.conf was not 
> touched. I downloaded the squid 2.5 stable11 and compiled it to avoid 
> possible bugs or vulnerabilities (thinking that it is possibly an attack), but 
> the problem continues.


What does access.log say about the last TCP_MISS for the requested URL 
when the problem is seen?


Regards
Henrik

RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Cole
Hi.

I may have gotten a few things wrong, so please let me know where my
understanding is totally flawed/mis-whatever.

I understand SPNEGO to be the Kerberos Authentication Method that is being
built into the latest browsers? Like firefox and IE 5.5+?

The main problem stopping us from using ntlm is that we have multiple levels
of cache. The top level cache is responsible for user auth and acls. According
to your previous posts, this cannot be done with ntlm.

What we don't want to do is send username/passwords as clear text. So that's
why I've been looking into SPNEGO. But from all the mails I've read and
articles I've tried to find, I think I may be a bit confused in my
understanding of the protocol.

So I'm trying to use a Firefox client to auth with an AD via squid using
SPNEGO as the protocol.

I read in the patch this:

+   "program" cmdline
+   Specify the command for the external SPNEGO authenticator. Such a
+   program participates in the SPNEGO exchanges between Squid and the
+   client and reads commands according to the Squid ntlmssp helper
+   protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
+   authenticator is ntlm_auth from Samba-3.X.
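
Review bot: the last sentence, "Recommended SPNEGO authenticator is ntlm_auth from Samba-3.X", names no minimum Samba version and does not say how ntlm_auth has to be invoked for SPNEGO rather than plain NTLM, and "See helpers/ntlm_auth/ for details" points at the NTLM helper directory rather than at anything SPNEGO-specific. I would suggest stating the required Samba version and the helper invocation in this text, or pointing to where they are documented, so that a reader does not configure an NTLM-only helper as the "program" by mistake.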

That's why I was trying to use a Samba-3.x, but I used the wrong helper
obviously. Is there a specific Samba-3.x that I would have to use here, that
has SPNEGO built into it? Or are all the Samba-3.x SPNEGO enabled?

Anyway, if I am totally wrong somewhere, please let me know, or even just send
me to read a link, so that I can understand where I'm going wrong. I don't
wish to waste your time, I'm sure you are more than busy. But any information
would be great.

Thanks
/Cole 

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 27, 2005 11:26 PM
To: Cole
Cc: Squid Users
Subject: Re: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

On Tue, 27 Sep 2005, Cole wrote:

> The problem comes in that, wb_authntlm cannot contact winbindd. I get this 
> error.
> "wb_ntlmauth[466](wb_ntlm_auth.c:414): Can't contact winbindd. Dying".

wb_ntlmauth is for Samba-2.2.X only.

For Samba-3.X you should use ntlm_auth shipped with Samba.

For Negotiate support you probably will need Samba4. I do not think the 
required support is in Samba-3.X yet.

> If so, what is the furtherest back samba-3.x that squid-2.5-StableX will work 
> with, cause I ran into
> another problem trying to use the very latest samba 3 release from ports.

Starting with Samba-3.X there no longer is any versioning dependency 
between Squid and Samba.

> Which is a problem cause I am actually trying to use squid to auth using 
> Negotiate against a Windows
> 2003 AD/KDC.

Do you have clients willing to use Negotiate in this setup? As far as I 
know MSIE does not support Negotiate to proxies, only web servers 
(including reverse proxies).

Is there any reason you do not want to use NTLM? NTLM is supported by AD 
unless explicitly disabled in the AD.

Regards
Henrik



[squid-users] Fixed: Truncated objects when using delay pools

2005-09-27 Thread Henrik Nordstrom
I now managed to reproduce the truncated objects problem when using 
delaypools in the lab. It turned out the error was introduced on the 11/9 
by the patch for Bug #500.


A patch to correct this new problem is available from the patches page. A 
2.5.STABLE12 will be released shortly with this fix.


If there are any other odd things seen with 2.5.STABLE11 please file bug 
reports as soon as possible.


I am very sorry this bug was not understood before 2.5.STABLE11 was 
released, but I only had one single slightly dim report of the problem 
during the release candidate test period..


Regards
Henrik


RE: [squid-users] Parent Authentication request problem

2005-09-27 Thread Henrik Nordstrom

On Tue, 27 Sep 2005, Chris Robertson wrote:

> login=PASS only works for the Basic HTTP authentication scheme.  It's 
> likely that the Netscape parent is using Digest.  Assuming this is the 
> case, I'm not sure if there is anything you can do.


In theory login=PASS should work for Digest as well, but you can't run 
local authentication on this Squid proxy in that case.  I have never 
tested this however.


Regards
Henrik


RE: [squid-users] Squid 2.5-Stable10 With Negotiate Patch and Sambe 3.x

2005-09-27 Thread Henrik Nordstrom

On Wed, 28 Sep 2005, Cole wrote:


> I understand SPNEGO to be the Kerberos Authentication Method that is being 
> built into the latest
> browsers? Like firefox and IE 5.5+?


Firefox has experimental SPNEGO support available. By default disabled 
from what I have been told, but once enabled happily uses SPNEGO both to 
web servers and proxies.


IE has support for SPNEGO to web servers only, not proxies. Why Microsoft 
has not added SPNEGO support to proxy connections is a mystery that only 
Microsoft can answer.


> The main problem stopping us from using ntlm is that we have multiple 
> levels of cache. The top level cache is responsible for user auth and 
> acls. According to your previous posts, this cannot be done with ntlm.


And it cannot be done with Negotiate either. Both share the same design 
flaws causing breakage when run over HTTP compliant proxies.


In setups requiring NTLM or Negotiate authentication you need to run the 
authentication on the leaf caches closest to the client. With a little 
tinkering you can then have the login (but not password) forwarded in the 
proxy chain by using the login=*:secret cache_peer option if needed but 
this is extra bonus. The simpler path is to allow requests from trusted 
child caches without requiring authentication again.



> That's why I was trying to use a Samba-3.x, but I used the wrong helper 
> obviously. Is there a
> specific Samba-3.x that I would have to use here, that has SPNEGO built into 
> it? Or are all the
> Samba-3.x SPNEGO enabled?


The exact Samba versions needed to use SPNEGO over HTTP is still a bit 
uncertain. From what it looks Samba 4 may be required at this time, but 
maybe it works in current Samba-3.3.X as well.


Regards
Henrik
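
The leaf-cache arrangement described in the message above, sketched as a squid.conf fragment for Squid 2.5. This is an added example, not configuration posted in the thread; the host name parent.example.net, the address 192.0.2.10, the ntlm_auth helper path and the literal password "secret" are assumptions.

```conf
# --- Leaf cache (closest to the clients): runs NTLM itself ---
# Helper path is an assumption; ntlm_auth ships with Samba 3.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Send all requests to the parent. login=*:secret forwards the user name
# established by the local authentication together with the fixed password
# "secret"; the client's own password is not forwarded.
cache_peer parent.example.net parent 3128 0 no-query default login=*:secret
never_direct allow all

# --- Parent cache: the simpler path, trust the child by source address ---
# 192.0.2.10 stands in for the leaf cache's address (assumption).
acl child_caches src 192.0.2.10/32
http_access allow child_caches
http_access deny all
```

With login=*:secret the parent receives Basic credentials made of the user name and that fixed password, so the parent should only be reachable from the child caches.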


[squid-users] winbind --with-winbind-auth-challenge

2005-09-27 Thread Paul Matthews

hi there,

I'm having some trouble getting squid to authenticate against ADS with
ntlm authentication. basically what happens is no matter what browser i
use (IE or firefox) i get a popup authentication box. from what i
understand about this, is it's doing basic authentication and not NTLM.

so something must be wrong with the NTLM helper (i think so anyway) if
anyone has any idea on this please help me out, but for the time being i
think i have a solution but i have to find out whether it's right first
and i don't know how to.

one website i've found that might be my answer.

http://www.squid-cache.org/mail-archive/squid-dev/200206/0084.html

it says i need to have '--with-winbind-auth-challenge' enabled on
samba, how do i know whether it is enabled or not.

if it is not enabled can someone tell me how to enable it?

i'm using

RHEL
samba-common-3.0.9-1.3E.3
squid-2.5.STABLE3-6.3E.14

this is the read out of the following command.

./usr/sbin/smbd -b

Build environment:
Built by: [EMAIL PROTECTED]
Built on: Thu Mar 3 19:33:02 EST 2005
Built using: i386-redhat-linux-gcc
Build host: Linux bugs.build.redhat.com 2.4.21-23.ELsmp #1 SMP Thu Oct 28
20:10:03 EDT 2004 i686 i686 i386 GNU/Linux
SRCDIR: /usr/src/build/532911-i386/BUILD/samba-3.0.9/source
BUILDDIR: /usr/src/build/532911-i386/BUILD/samba-3.0.9/source

Paths:
SBINDIR: /usr/sbin
BINDIR: /usr/bin
SWATDIR: /usr/share/swat
CONFIGFILE: /etc/samba/smb.conf
LOGFILEBASE: /var/log/samba
LMHOSTSFILE: /etc/samba/lmhosts
LIBDIR: /usr/lib/samba
SHLIBEXT: so
LOCKDIR: /var/cache/samba
PIDDIR: /var/run
SMB_PASSWD_FILE: /etc/samba/smbpasswd
PRIVATE_DIR: /etc/samba


Re: [squid-users] Confused user about squid accelerator

2005-09-27 Thread Jesus Salvo Jr.
On Monday 26 September 2005 16:36, Henrik Nordstrom wrote:
> On Mon, 26 Sep 2005, Jesus Salvo Jr. wrote:
> > FYI  The reason I am doing this is that after a webserver upgrade
> > which includes an upgrade of the Java servlet / JSP engine for dynamic
> > pages, the dynamic pages are now chunked ( Transfer-Encoding: chunked ).
> > This works fine with desktop browsers ... but is a problem with i-mode
> > phones as they seem to really rely on the Content-Length header ( and
> > therefore no chunking ) for pages to be displayed.
>
> Are you saying that the i-mode phones are sending HTTP/1.1 queries and yet
> does not understand chunking? Very bad move..  (support for chunked
> transfer encoding is a MUST in the HTTP/1.1 specifications).
>
> Regards
> Henrik

Yes ... that appears to be the case. 
I know .. thankfully putting Squid as an accelerator worked-around this issue.



Re: [squid-users] problem about squid exhaust all memory

2005-09-27 Thread djx
hi, Rainier,
thanks for your reply.
Can you tell me what the probable reasons are? And how can I handle my squid.conf 
correspondingly?

- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: September 28, 2005 4:36
Subject: RE: [squid-users] problem about squid exhaust all memory


> I'd be interested in seeing your squid.conf as well.
> 
> Tim Rainier
> Information Services, Kalsec, INC
> [EMAIL PROTECTED]
> 
> 
> 
> "Chris Robertson" <[EMAIL PROTECTED]> 
> 09/27/2005 04:11 PM
> 
> Subject: RE: [squid-users] problem about squid exhaust all memory
> 
>> -Original Message-
>> From: djx [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, September 27, 2005 1:18 AM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] problem about squid exhaust all memory
>> 
>> 
>> hi,everyone:
>> I encount a problem , I need help from someone .
>> 
>>   Squid use more and more memory continuously during it's 
>> running ,and it will restart when all physical memory is 
>> exhausted ,so my squid restart many times a day . It's boring 
>> ,how can I solve the prolem ?
>> 
> 
> How much physical memory does your Squid box have?  Is it doing anything 
> but Squid?  Are you perhaps suffering from 
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-client_db_gc?
> 
> Upgrading would not be a bad course of action in any case...
> 
>> every time it restart ,the following information is logged:
>> 
>> 
>> FATAL: xcalloc: Unable to allocate 1 blocks of 4104 bytes!
>> 
>> Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
>> CPU Usage: 61.889 seconds = 33.408 user + 28.481 sys
>> Maximum Resident Size: 323524 KB
>> Page faults with physical i/o: 1725
>> 2005/09/27 17:03:57| Not currently OK to rewrite swap log.
>> 2005/09/27 17:03:57| storeDirWriteCleanLogs: Operation aborted.
>> 2005/09/27 17:04:00| Starting Squid Cache version 2.5.STABLE6 
>> for i386-unknown-freebsd5.0...
>> 2005/09/27 17:04:00| Process ID 7561
>> 2005/09/27 17:04:00| With 7232 file descriptors available
>> 2005/09/27 17:04:00| DNS Socket created at 0.0.0.0, port 49428, FD 4
>> 2005/09/27 17:04:00| Adding nameserver 202.99.23.252 from 
>> /etc/resolv.conf
>> 2005/09/27 17:04:00| Unlinkd pipe opened on FD 9
>> 2005/09/27 17:04:00| Swap maxSize 512 KB, estimated 393846 objects
>> 2005/09/27 17:04:00| Target number of buckets: 19692
>> 2005/09/27 17:04:00| Using 32768 Store buckets
>> 2005/09/27 17:04:00| Max Mem  size: 262144 KB
>> 2005/09/27 17:04:00| Max Swap size: 512 KB
>> 2005/09/27 17:04:00| Store logging disabled
>> 2005/09/27 17:04:00| Rebuilding storage in /cms/squidcache (DIRTY)
>> 2005/09/27 17:04:00| Using Least Load store dir selection
>> 2005/09/27 17:04:00| chdir: /usr/local/squid/var/cache: (2) 
>> No such file or directory
>> 2005/09/27 17:04:00| Current Directory is /cms/squidcache
>> 2005/09/27 17:04:00| Loaded Icons.
>> 2005/09/27 17:04:00| Accepting HTTP connections at 0.0.0.0, 
>> port 80, FD 8.
>> 2005/09/27 17:04:00| Accepting ICP messages at 0.0.0.0, port 
>> 3130, FD 10.
>> 2005/09/27 17:04:00| WCCP Disabled.
>> 2005/09/27 17:04:00| Ready to serve requests.
>> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:02| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:02| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:04| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:04| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 2005/09/27 17:04:07| comm_accept: FD 8: (53) Software caused 
>> connection abort
>> 2005/09/27 17:04:07| httpAccept: FD 8: accept failure: (53) 
>> Software caused connection abort
>> 
> 
> As for these messages: 
> http://www.squid-cache.org/mail-archive/squid-users/200401/0239.html
> 
> Chris
> 
> 
>

RE: [squid-users] Parent Authentication request problem

2005-09-27 Thread Szarka Zoltán


> > Is it possible to forward authentication request for each user? I have
> > already tried with login=PASS , login=PROXYPASS the netscape proxy doesn't
> > accept authentications.
> > 
> > thanks
> > 
> > Zoltan
> > 
> 
> login=PASS only works for the Basic HTTP authentication scheme.  It's
> likely that the Netscape parent is using Digest.  Assuming this is the
> case, I'm not sure if there is anything you can do.
> 
> Chris
> 
> I'm not sure, because the static usage of  works
> well with netscape proxy, but where is the difference if I use LOGIN=PASS?
> 
> Zoltan 
> 
> 
> 
> 


Re: [squid-users] problem about squid exhaust all memory

2005-09-27 Thread djx
the following is a part of squid.conf
cache_dir ufs /cms/squidcache 5000 16 256 
maximum_object_size_in_memory 500 KB
cache_mem 256 MB

RE: [squid-users] Parent Authentication request problem

2005-09-27 Thread Szarka Zoltán

> On Tue, 27 Sep 2005, Chris Robertson wrote:
> 
> > login=PASS only works for the Basic HTTP authentication scheme.  It's 
> > likely that the Netscape parent is using Digest.  Assuming this is the 
> > case, I'm not sure if there is anything you can do.
> 
> In theory login=PASS should work for Digest as well, but you can't run 
> local authentication on this Squid proxy in that case.  I have never 
> tested this however.
> 
> Regards
> Henrik
> 
What exactly does login=PASS do? If the child proxy has no authentication, just the
parent?

Zoltan