Re: [squid-users] Load Balancing
What about caching in your setup? This info will surely help you to design your setup. I am using one proxy server and two caching proxy servers, and the total number of users in my setup is much more than yours.

I would like to ask you one question here, as you have done with transparent proxy: how are you dealing with HTTPS (port 443) requests from your transparent proxy setup?

-- Sushil.

On Sat, 22 Oct 2005, Paras pradhan wrote:

> hi:
>
> Currently I have a network running squid as a transparent proxy server serving around 500 users. Around 40% of the users, i.e. (200 users), use the network and the performance is good with very very little problem.. Now my network is about to increase and almost 1200 users will be using the proxy server. Presently I am running a PIII Xeon processor server with SCSI hard drives and 1GB of RAM.
>
> Now I need some suggestions for 1200 users. Do I need to:
>
> Upgrade or purchase a new server
> OR use load balancing using 3 or 4 other servers
> OR just tune the current server for the best performance.
>
> What is the best option for my case, assuming 50% of my 1200 users (i.e. 600) will be using the internet at the same time..
>
> Thanks
> Paras.
RE: [squid-users] WCCP: Web Cache ID 0.0.0.0
On Fri, 21 Oct 2005, Shoebottom, Bryan wrote:

> Henrik,
>
> One question I'd like a firm answer to, I have heard to install the ip_wccp module and not to. Which should I be doing?

The purpose of the ip_wccp module is to decapsulate those GRE packets carrying the redirected packets from the router, transforming them back to normal TCP/IP packets. If your router is sending you plain packets then ip_wccp is not needed.

> My understanding is that the 2.6 kernel includes WCCP in the gre module.

Yes, since 2.6.9 or something like that.

> I also understand that the 2.4 kernel started to include it, but I'm not sure when.

Not that I know of. 2.4.31 does not.

> With all of my testing, I have only been using the ip_gre module included in the kernel source.

ip_gre is generally preferred as it has at least a moderate level of security. ip_wccp is very insecure unless you properly firewall your server to not accept untrusted GRE traffic.

Regards
Henrik
Re: [squid-users] Https redirection
On Fri, 21 Oct 2005, Matus UHLAR - fantomas wrote:

> Redirect users connecting via HTTP to other address using acl and deny_info (acl will disable HTTP connection, deny_info will send redirection to HTTPS page) or redirector: http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc15.5

And to detect the http_port you use the myport acl.

    acl httpport myport 80
    http_access deny httpport
    deny_info https://www.example.com/ httpport

Regards
Henrik
Re: [squid-users] Installation Path
On Fri, 21 Oct 2005, Bonnici Daniel wrote:

> I installed Fedora Core 4 and then I installed squid 2.5rc12. The path for the squid.conf is /usr/local/squid/etc/squid.conf but I noticed that the squid that came with FC is under /etc/squid/squid.conf. How can I overwrite the squid that came with FC? Even I installed webmin and the defaults seem to point to the squid that FC came with. I know that I can change the paths but I would like to do it in the proper way..

The best way to keep everything compatible is to rebuild the RPM based on the new Squid version. Just grab the latest Fedora development SRPM, install it, then edit /usr/src/redhat/SPECS/squid.spec to suit your needs and finally

    rpmbuild -ba /usr/src/redhat/SPECS/squid.spec

to build the new RPM.

Note: It is advisable to use a release number of 0.something for homebrewed temporary upgrades. This way you won't collide too much with a later official upgrade.

Regards
Henrik
Re: [squid-users] wccp
On Thu, 20 Oct 2005, Ben wrote:

>>> ok, so I use ip_wccp with Wccp V1, but the cache don't see the router or router don't see cache

>> Is your router supporting WCCP v1?

> Yes, My router support WCCP v1 and support WCCP v2

>>> 2005/10/19 09:26:30| Ignoring WCCP_I_SEE_YOU from X.X.X.X with non-positive number of caches

>> Odd..
>>
>>     tcpdump -X -s 1600 -n -i any -p port 2048

> With tcpdump -X -s 1600 -n -i any -p port 2048 show:
>
>     13:32:07.890582 IP Y.Y.Y.Y.2048 X.X.X.X.2048: UDP, length 52
>     0x: 4500 0050 ae54 4000 4011 d6ea c85e 12a0 [EMAIL PROTECTED]@^..
>     0x0010: c85e 1201 0800 0800 003c 3a0c 0007 .^...:.
>     0x0020: 0004
>     0x0030:
>     0x0040: 0001
>     WCCP_HERE_I_AM WCCPv1 ID 1
>     13:32:07.891233 IP X.X.X.X.2048 Y.Y.Y.Y.2048: UDP, length 64
>     0x: 4500 005c d8c5 ff11 2d6d c85e 1201 E..\..-m.^..
>     0x0010: c85e 12a0 0800 0800 0048 5eef 0008 .^...H^.
>     0x0020: 0004 0002 0002 0001
>     0x0030: c85e 12a0 .^..
>     0x0040:
>     0x0050: 0001
>     WCCP_I_SEE_YOU WCCPv1 Change number 2 ID 2 Cache servers: 1 Server 1: No assigned buckets, stale info

Looks fine to me.. I see no reason why Squid should complain on this.

Which Squid version are you using? The message does not match the current stable release.

Regards
Henrik
Re: [squid-users] Delay pool weirdness
On Fri, 21 Oct 2005, Gerhardus Geldenhuis wrote:

> The strange part is that when I decrease these values again and do a squid -k reconfigure the download speed shown in firefox does not decrease at all.

From the Squid-2.5 release notes:

    3. Known issues and limitations

    Bug #219 url:http://www.squid-cache.org/bugs/show_bug.cgi?id=219
    delay_pools stops working on -k reconfigure

Regards
Henrik
Re: [squid-users] mime block
On Fri, 21 Oct 2005, Anders Larsson wrote:

> Hi!
>
> I'm trying to block this mime and another below in acl..
>
>     DIRECT/62.181.238.210 application/vnd.ms.wms-hdr.asfv1
>
> I got this in squid.conf
>
>     ## reply
>     acl streaming_rep rep_mime_type -i ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv1$
>     acl msn_rep rep_mime_type -i ^application/x-msn-messenger$
>     #request
>     acl streaming_req req_mime_type -i ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv1$
>     acl msn_req req_mime_type -i ^application/x-msn-messenger$
>     http_access deny streaming_req msn_req
>     http_reply_access deny msn_rep streaming_rep

The above won't match.. the same request can't match both streaming_req and msn_req..

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

What you want is either to join the msn/streaming acls as one single acl, or split your access lines like

    http_reply_access deny msn_rep
    http_reply_access deny streaming_rep

Read the above document for details.

Regards
Henrik
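
The AND/OR behaviour described in the reply above, as an added example that is not part of the original thread and not Squid's own code: a simplified Python model of http_reply_access evaluation run over the posted acls, the split form and a joined form. The acl name `blocked_rep` and the function names are constructed for illustration.

```python
import re

# Simplified model of how Squid evaluates http_reply_access (not Squid code):
#  - patterns listed on one "acl" line are ORed
#  - acl names listed on one access line are ANDed
#  - lines are checked top to bottom, the first fully matching line wins
#  - if no line matches, the result is the opposite of the last line

ACLS = """
acl streaming_rep rep_mime_type -i ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv1$
acl msn_rep rep_mime_type -i ^application/x-msn-messenger$
"""
# Rule as posted: one reply would have to be both MSN and streaming.
POSTED = ACLS + "http_reply_access deny msn_rep streaming_rep\n"
# Fix 1: split into two access lines (OR across lines).
SPLIT = ACLS + ("http_reply_access deny msn_rep\n"
                "http_reply_access deny streaming_rep\n")
# Fix 2: join the patterns into a single acl (constructed name blocked_rep).
JOINED = """
acl blocked_rep rep_mime_type -i ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv1$ ^application/x-msn-messenger$
http_reply_access deny blocked_rep
"""

def parse(conf):
    """Return (acls, rules) for the rep_mime_type acls and reply rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) > 3 and tok[0] == "acl" and tok[2] == "rep_mime_type":
            flags = re.I if "-i" in tok[3:] else 0
            pats = [re.compile(p, flags) for p in tok[3:] if p != "-i"]
            acls.setdefault(tok[1], []).extend(pats)
        elif len(tok) > 2 and tok[0] == "http_reply_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def reply_decision(conf, mime):
    """Return 'allow' or 'deny' for a reply with the given Content-Type."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(any(p.search(mime) for p in acls[n]) for n in names):
            return action
    if not rules:
        return "allow"  # no http_reply_access lines: replies are allowed
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    mime = "application/vnd.ms.wms-hdr.asfv1"
    for name, conf in (("posted", POSTED), ("split", SPLIT), ("joined", JOINED)):
        print(name, reply_decision(conf, mime))
```
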
Re: [squid-users] squid_ldap_auth from shell
On Fri, 21 Oct 2005, John Halfpenny wrote:

> My basic authenticator works fine, in the form
>
>     /usr/lib/squid/squid_ldap_auth -b ou=Users,dc=my,dc=domain
>     myname mypassword
>     OK

Ok.

> I have noticed that my LDAP group doesn't have a 'member' attribute, but it does have 'memberUid'. On my LDAPBrowser I can query like this with the desired group as the result:
>
>     (&(objectclass=posixGroup)(cn=mygroup)(memberUid=myname))

Ok.

> If I put someone else's name in who isn't a member of mygroup then nothing is returned. However, creating the following command string gives me errors!
>
>     /usr/lib/squid/squid_ldap_group -b ou=Groups,dc=my,dc=domain -f "(&(objectclass=posixGroup)(cn=%a)(memberUid=%v))" -B ou=Users,dc=my,dc=domain -F uid=%s
>     myname mygroup
>     ERR

You should not specify -B or -F as your membership is not based on the LDAP DN of the user like it is done in most LDAP trees, only the login. And I'd recommend using the much clearer %g/%u codes rather than the now obsolete %a/%v ones...

Try the following:

    /usr/lib/squid/squid_ldap_group -b ou=Groups,dc=my,dc=domain -f "(&(objectclass=posixGroup)(cn=%g)(memberUid=%u))"

Regards
Henrik
Re: [squid-users] Squid + WCCP + ip_gre + ip_wccp
On Fri, 21 Oct 2005, Senthil Murugan wrote:

> Hi,
>
> I have a question on configuring squid with wccp. I have a setup with squid-2.5s10 on linux 2.4.20. I have ip_gre and ip_wccp kernel modules installed. I followed the setup from squid archives. The steps are,
>
> 1. installing kernel module ip_wccp
> 2. installing kernel module ip_gre

You should only select one of the above. ip_wccp is simpler as it does not require any tunnel configuration, but also much less secure for the exact same reasons.. but on the other hand not all versions of ip_gre support WCCP.

In fact only one of the two can be active at the same time. I do not remember if it's the first or last loaded however.. (loading more than one GRE module is not officially supported)

Regards
Henrik
Re: [squid-users] Squid won't start with 2 cache_dirs configured
On Fri, 21 Oct 2005, Daniel A. Ramaley wrote:

>     2005/10/21 10:14:38| /cache/squid: (13) Permission denied

This is a pretty good hint to where your error is..

Regards
Henrik
Re: [squid-users] New Squid Installation
On Fri, 21 Oct 2005, Tim Neto wrote:

> One thought to resolve the single threading of Squid, use a virtual machine software/system like VMware. The virtual machine software would handle the processor allocation.

Much easier and more efficient to just run more than one Squid on the same server..

Regards
Henrik
Re: [squid-users] WARNING: Cannot run '/usr/lib/squid/msnt_auth' process
On Fri, 21 Oct 2005, Fabio Gomes Baptista wrote:

>     2005/10/21 15:15:00| WARNING: Cannot run '/usr/lib/squid/msnt_auth' process.

This error is usually seen if you have firewalled traffic over the loopback interface (lo).

Regards
Henrik
Re: [squid-users] Patch problem: Delay pool class 3 fails on clients in network 255 (ip X.X.255.X)
On Fri, 21 Oct 2005 [EMAIL PROTECTED] wrote:

> After the patch, delay pools became weird. My configuration is following. Before patch, when reached 100 bytes, downloads were limited to 8000 bytes/s. After the patch, the control started to limit this access to 2.7KB/s. Suddenly it rose to 38KB/s and just a few seconds after this it was doing 27KB/s and so. Very odd.

The patch does not change the code used for class 1 or 2 pools at all, only codepaths used by class 3 pools.

Regards
Henrik
Re: [squid-users] getting up to (basic) speed with Squid v3 ... conf examples?
On Fri, 21 Oct 2005, OpenMacNews wrote:

> while i dig for up-to-date/relevant v3 docs -- a bit of a challenge, it seems. at least for me :-/ -- can someone kindly point to / offer a config example(s) for a simple site?

It's the same as for 2.5. Only if you are doing transparent interception then the config differs slightly, and is much simpler now. See release notes and squid.conf comments.

Regards
Henrik
Re: [squid-users] Delay pool weirdness
Hi,

At 15.06 21/10/2005, Gerhardus Geldenhuis wrote:

> What I am trying to achieve is to limit our WSUS server downloads during the day with a delay pool. However everyone else must still be able to access the

You can do something on Windows side: WSUS uses BITS for file transfer, so you can adjust the bandwidth usage with a Windows Group Policy.

Regards
Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] Patch problem: Delay pool class 3 fails on clients in network 255 (ip X.X.255.X)
On Sat, October 22, 2005 06:22, Henrik Nordstrom wrote:

>> After the patch, delay pools became weird. My configuration is following. Before patch, when reached 100 bytes, downloads were limited to 8000 bytes/s. After the patch, the control started to limit this access to 2.7KB/s. Suddenly it rose to 38KB/s and just a few seconds after this it was doing 27KB/s and so. Very odd.

> The patch does not change the code used for class 1 or 2 pools at all, only codepaths used by class 3 pools.

Yes. I was reading about Bug 219, but as I made a shutdown, this is not the problem. I will apply the patch again and make more tests, just for confirmation.

Thank you for your attention.

Regards
Cassio Freitas
AW: [squid-users] New Squid Installation
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, 22 October 2005 10:21

> On Fri, 21 Oct 2005, Tim Neto wrote:
>
>> One thought to resolve the single threading of Squid, use a virtual machine software/system like VMware. The virtual machine software would handle the processor allocation.
>
> Much easier and more efficient to just run more than one Squid on the same server..

In such a configuration you link the different squids as a squid cache cascade where one is the gateway for the users? And all squids have their own cache dir?

Thanks
Christian
[squid-users] Can't get reverse proxy to redirect
I cannot get a reverse proxy to redirect requests to save my life. I'm simply trying to redirect http requests from the squid proxy to several web servers like this:

    www.squidproxy.com - www.somehost.com
                       | - www.someotherhost.com

Can you please show me an example configuration?

-Thanks!
Re: [squid-users] Can't get reverse proxy to redirect
On 10/22/05, Bernard Barton [EMAIL PROTECTED] wrote:

> I cannot get a reverse proxy to redirect requests to save my life. I'm simply trying to redirect http requests from the squid proxy to several web servers like this:
>
>     www.squidproxy.com - www.somehost.com
>                        | - www.someotherhost.com
>
> Can you please show me an example configuration?

http://www.squid-cache.org/Doc/FAQ/FAQ-20.html

M.
[squid-users] acl and never_direct
I have a squid hierarchy consisting of a pair of load-balanced siblings and a parent that sits on the security perimeter. All three caches are configured to use cache digests. Load balancing is accomplished using a proxy.pac file that defines a simple hashing algorithm that selects one of the load-balanced siblings to service the request. To address the case where the selected sibling might be unavailable, its sibling is defined as an alternate.

There are approximately 80 locations in our corporate wide area network. The Squid hierarchy, described above, is located at my facility and it serves, primarily, only systems on the local area network.

What I would like to happen is the following.

(1) If the web site is located in my facility, I want the siblings to access the web site directly.
(2) If the web site is connected to our corporate wide area network, I want the siblings to check each other's cache for the URI and go directly to the web site if the content has not been cached.
(3) If the web site is external to our corporate wide area network, I want the siblings to forward the request to the parent cache if the content has not been cached by the other sibling.

Configuring squid to use the cache digest appears to solve the problem of checking whether or not the content has already been cached. It does have the effect of eliminating most of the ICP traffic.

I've defined the following acls.

(1) acl GDAIS_CATO dstdomain .cato.gd-ais.com
(2) acl GDAIS_WAN dstdomain .gd-ais.com
    acl GDAIS_WAN dst 166.16.0.0/16

And, I have the following defined.

(1) always_direct allow GDAIS_CATO
(2) never_direct deny GDAIS_WAN
    never_direct allow all

This appears to achieve my goals with the exception of the one internal location that insists on using IP addresses. They started doing this because their DNS servers wouldn't resolve the domain names correctly due to configuration errors.
The problem that I am having is that HTTP requests that use an IP address are being forwarded to the parent cache. Can you not combine dstdomain and dst in the same acl? How does Squid process a request that uses an IP address?

    http://166.16.x.y/whatever/

Merton Campbell Crockett