[squid-users] R: [squid-users] Problem with squid
Below I've reported the free mem

> We have a problem with Squid, every 2/3 days we are forced to restart the daemon.
> [...]
> 1 CPU P4 2.8GHz
> 1GB RAM
> 80GB Sata
> cache_mem 128 MB
> high_memory_warning 256 MB
> cache_dir ufs /var/spool/squid 10240 16 256

> what does the following commands say

free -m
             total   used   free   shared   buffers   cached
Mem:          1007    996     11        0         2        4
-/+ buffers/cache:    989     18
Swap:         1686   1685      0

uptime
 09:28:52 up 6 days, 19:01, 2 users, load average: 7.59, 8.90, 7.03

vmstat 2 10
procs memory swap io system cpu
r b w swpd free buff cache si so bi bo in cs us sy id
0 8 0 1725444 13448 2556 3344 9 241635 2418 4 1 21
0 6 0 1723612 13620 2568 2892 8228 424 8446 488 591 837 6 2 91
0 7 0 1722828 12916 2572 2900 7240 1058 7262 1062 608 626 4 1 95
0 6 0 1723356 13308 2588 2896 5796 876 5856 984 589 497 2 2 96
0 6 0 1721092 12652 2600 2916 6994 768 7048 772 607 572 2 2 96
0 6 0 1723496 13492 2600 2908 5128 2004 5128 2010 670 437 4 2 94
0 6 0 1722600 13460 2604 2904 5254 586 5258 666 563 446 3 2 96
0 6 0 1721532 12512 2616 2908 6980 1200 6994 1206 619 550 5 1 94
1 5 0 1720612 13860 2620 2896 6932 1278 6938 1284 594 557 3 2 95
0 7 0 1720520 13460 2636 2904 6710 1482 6734 1538 579 550 7 1 92

In this moment we have swap a mail relay in the same server :(

Andrea
Re: [squid-users] R: [squid-users] Problem with squid
> Below I've reported the free mem

> We have a problem with Squid, every 2/3 days we are forced to restart the daemon.
> cache_mem 128 MB
> high_memory_warning 256 MB
> cache_dir ufs /var/spool/squid 10240 16 256

> what does the following commands say
> free -m

On 07.11 09:47, Balzi Andrea wrote:
>              total   used   free   shared   buffers   cached
> Mem:          1007    996     11        0         2        4
> -/+ buffers/cache:    989     18
> Swap:         1686   1685      0

Oh! you have completely overloaded machine, swapping to hell. No wonder your squid looks like it stopped working.

> In this moment we have swap a mail relay in the same server :(

look at top or ps output to see what eats most of memory.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
[squid-users] characters in access.log
Hi,

I'm using ntlm authentication and some users (french) have characters like ë,é in their login. In access.log this gives something like %c3%a. Does squid support such characters?

I'm using FreeBSD and have correct characters under my shell.

thanks
RE: [squid-users] Squid unreachable every hour and 6 minutes.
Hello,

Here is /proc/meminfo:

[EMAIL PROTECTED]:/root$ more /proc/meminfo
        total:       used:       free:    shared:   buffers:    cached:
Mem:    1058295808   1040723968  17571840  0         125198336   713523200
Swap:   1048645632   12443648    1036201984
MemTotal:      1033492 kB
MemFree:         17160 kB
MemShared:           0 kB
Buffers:        122264 kB
Cached:         696028 kB
SwapCached:        772 kB
Active:         137096 kB
Inactive:       829072 kB
HighTotal:      131056 kB
HighFree:         2044 kB
LowTotal:       902436 kB
LowFree:         15116 kB
SwapTotal:     1024068 kB
SwapFree:      1011916 kB

Here is /etc/profile:

[EMAIL PROTECTED]:/root$ more /etc/profile
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games

if [ $PS1 ]; then
  if [ $BASH ]; then
    PS1='[EMAIL PROTECTED]:\w\$ '
  else
    if [ `id -u` -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

export PATH

umask 022

proxy1:~# su squid
[EMAIL PROTECTED]:/root$ ulimit
unlimited

and:

[EMAIL PROTECTED]:/root$ more /etc/default/squid
#
# /etc/default/squid    Configuration settings for the Squid proxy server.
#
# Max. number of filedescriptors to use. You can increase this on a busy
# cache to a maximum of (currently) 4096 filedescriptors. Default is 1024.
SQUID_MAXFD=4096

I can't really find where could be the mistake.

L.G.

-----Original Message-----
From: Robert Borkowski [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 November 2005 16:38
To: Gix, Lilian (CI/OSR) *
Cc: Henrik Nordstrom; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid unreachable every hour and 6 minutes.

Gix, Lilian (CI/OSR) * wrote:
> The server has 1G of RAM (only 100M for squid)

> 2005/11/02 10:07:05| Max Mem size: 102400 KB ^^

I asked about memory because of this line...

Two possibilities

1) The kernel is killing off squid because there's no VM left.
   What's in /proc/meminfo ?
2) There's a process ulimit that squid hits and it gets killed off that way.
   Check for ulimit in /etc/profile or the squid startup script

In either case, you need to lower the amount of memory used by squid to below whatever the limit is.

I was hoping for some 'out of memory', or 'OOM killer', or 'zero order allocation' errors in the dmesg output. If they're not there then the second (ulimit) possibility is most likely.

--
Robert Borkowski
[squid-users] Strange disk full in FreeBSD
Hi,

My squids ran into trouble after it startup for some period of time. Squid stop accepting new connections. When I login to that machine and ran df, it show out that there's 100% space usage in the cache_dir.

I tried to stop squid and re-newfs. But I just can't umount it! The only way I can fix it is to reboot the machine to let it be fscked. And after the reboot, I df again and got about 20% disk usage in the cache_dir.

I met the same problem in FreeBSD from 4.3 to 4.9 with cache_dir of UFS+SoftUpdate.

I check the google for UFS problem and got some advice on changing the time optimize to space optimize. But I just don't think that's the problem I met, coz if all the blocks are used up, then it can't be fix after a simple reboot (with a fsck ?), right?

Did anyone have some experience about the problem?

Thanks.

Forgetful Tan.
[squid-users] TCP_MISS/000
Hi all

I am running squid 2.5 stable 11 on a freebsd box running 5.1 RELEASE. When trying to access http://www.eibtm.com I get the following message.

1131348201.489 110218 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.eibtm.com/ - NONE/- -
1131348297.182  95613 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.eibtm.com/ - NONE/- -

If I restart the squid process the site is then accessible and the following entries show in the log

1131348352.906    201 xx.xx.xx.xx TCP_MISS/304 238 GET http://www.eibtm.com/images/100427/Pics/19.jpg - DIRECT/12.47.198.167 -
1131348353.043    227 xx.xx.xx.xx TCP_MISS/304 238 GET http://www.eibtm.com/images/100427/Pics/01.jpg - DIRECT/12.47.198.167 -
1131348353.100    187 xx.xx.xx.xx TCP_MISS/304 238 GET http://www.eibtm.com/images/100427/Pics/05.jpg - DIRECT/12.47.198.167 -

However after a couple of hours the site becomes inaccessible again. The site is always accessible when not using the proxy and the squid.conf file is configured to go DIRECT for this site. I have tried changing timeout values etc with no success.

Any help gratefully accepted.

Pat
Re: [squid-users] Strange disk full in FreeBSD
On 07.11 20:18, forgetful tan wrote:
> My squids ran into trouble after it startup for some period of time. Squid stop accepting new connections. When I login to that machine and ran df, it show out that there's 100% space usage in the cache_dir.

Read: http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc4.14
maybe you configured cache_dir too big.

> I tried to stop squid and re-newfs. But I just can't umount it!

There's probably process having opened something on that filesystem (e.g. it's current directory is on it)

> The only way I can fix it is to reboot the machine to let it be fscked. And after the reboot, I df again and got about 20% disk usage in the cache_dir.

did you rm -rf everything in that directory?

> I met the same problem in FreeBSD from 4.3 to 4.9 with cache_dir of UFS+SoftUpdate.
> I check the google for UFS problem and got some advice on changing the time optimize to space optimize. But I just don't think that's the problem I met, coz if all the blocks are used up, then it can't be fix after a simple reboot (with a fsck ?), right?

there may be process having open files which were removed, but as long as they are open, they still take space on the disk. After reboot they get physically removed.

Where do you store your logs?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
Re: [squid-users] syntax to test ldap groups?
Just following up on this, all is working except I'm not sure what I need for syntax in referring to an AD group with a space in the name, I've tried:

Internet Access
'Internet Access'
`Internet Access`
Internet%20Access

all without working and Internet Access refers to an external file. What have I missed?
[squid-users] Large Solaris (2.8) Squid Server Advice Needed
Hello;

I have searched the archives, but I was unable to find any recent answers.

I have a Sparc/Solaris 2.8 server which has the following:

Squid-2.5.STABLE11
Solaris 2.8 (w/4 CPU's)
4X Network ports (one listens on a switch for requests as well as connections to the Internet, the other I wish to configure on a private VLAN for ICP.)
64GB of space available for Squid use. (+ 1GB Swap)
1GB of memory available for Squid use.

I am not sure if I am using both my hardware resources and my squid.conf properly, especially with regards to:

cache_dir ufs /usr/squidcache 8192 16 256

I have attached both my /etc/system and my squid.conf at the end. I am hoping that this thread helps both myself as well as others with similar concerns on large servers like mine.

Many apologies for such a long email, but I have done my best to be as informative as possible.

Thank you very much for such a great software package, and many, many thanks in advance for the assistance of all.

vp.
Vadim Anatoly Pushkin

/etc/system:
--
set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=2048
set shmsys:shminfo_shmmax=2097152
set shmsys:shminfo_shmmni=32
set shmsys:shminfo_shmseg=16

/usr/bin/squid/current/etc/squid.conf
---
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /usr/squidcache 8192 16 256
cache_access_log /usr/bin/squid/current/var/logs/access.log
cache_store_log /usr/bin/squid/current/var/logs/store.log
ftp_user ftp@
diskd_program /usr/bin/squid/current/libexec/diskd
request_body_max_size 50 MB
refresh_pattern ^ftp:    1440 20% 10080
refresh_pattern ^gopher: 1440 0%  1440
refresh_pattern .        0    20% 4320
acl all src 192.9.65.0/255.255.255.0 192.9.64.0/255.255.255.0
acl all src 10.90.0.0-10.95.0.0/255.255.0.0 172.16.0.0-172.19.0.0/255.255.0.0 192.168.0.0/255.255.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
cache_mgr [EMAIL PROTECTED]
cache_effective_user nobody
visible_hostname squidproxy-1
logfile_rotate 5
coredump_dir /usr/bin/squid/current/var/cache
cache_effective_group nobody
Re: [squid-users] Large Solaris (2.8) Squid Server Advice Needed
> I am not sure if I am using both my hardware resources and my squid.conf properly, especially with regards to:
>
> cache_dir ufs /usr/squidcache 8192 16 256

In terms of cache_dir, it looks fine. (assuming you're not using veritas volume manager on the partition from which you're running your squid cache.) I have some issues with other portions of squid.conf, but they're noted below.

> Many apologies for such a long email, but I have done my best to be as informative as possible.

Quite honestly better than the latter. I personally prefer too much information. :-)

> acl all src 192.9.65.0/255.255.255.0 192.9.64.0/255.255.255.0
> acl all src 10.90.0.0-10.95.0.0/255.255.0.0 172.16.0.0-172.19.0.0/255.255.0.0 192.168.0.0/255.255.0.0

No offense at all, but this is hideous. acl all src needs to be exactly that. Something that pertains to everything. In fact, the default acl for all is really what should be left there. ie:

acl all src 0.0.0.0/255.255.255.255

This accounts for everything. The idea is that you deny anything that matches the all acl entry. The deny statement goes at the very bottom of your ACL. It states: If you haven't matched any of my allow acl's, you are denied access to my cache.

As an example, consider the following:

acl one_nine_two src 192.9.64.0/23
acl ten_ninety src 10.90.0.0/16
acl ten_ninety_five src 10.95.0.0/16
acl one_seven_two src 172.16.0.0/14
acl one_six_eight src 192.168.0.0/16
acl all src 0.0.0.0/255.255.255.255

http_access allow one_nine_two
http_access allow ten_ninety
http_access allow ten_ninety_five
http_access allow one_seven_two
http_access allow one_six_eight
http_access deny all

Concatenating all of your subnets into one acl makes for a real trouble-shooting nightmare. Plus, seeing the http_access deny all missing from any squid config really makes me cringe. I personally don't want people to be able to anonymously access my squid proxy (I don't care what kind of firewalls or physical securities are in place). Cisco routers, for example, have an assumed deny all at the bottom of their acls (it's not over-rideable either) to serve the same purpose.

The only other issue I have, that's worth noting, deals with my history and experience with solaris. I have multiple vendors that have written products that run on solaris. Three of them (names are not important here) have complained countless times about inconsistencies with how solaris terminates tcp sessions. At a mere glance of the problem, I've seen sockets opened for connections in solaris and those specific sockets remained open until the duration of the machine's uptime. The symptom suggests that solaris or the application are not terminating the tcp connection properly (fin, fin-ack, etc). Regardless, I've seen a few vendors that have complained about this and wanted to warn you of that.

Speaking of, anyone en-list experienced anything like this with squid on Solaris? I've a couple sparc machines here at work and wouldn't mind tinkering with squid if I found it to be worth my while.

I guess that's enough for today. :-)

Tim Rainier
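
Added example (not part of the original thread, and not Squid code): a small Python model of the first-match http_access evaluation that the reply above relies on, run against a constructed config that reuses the per-subnet ACL names from that reply. It handles only `acl NAME src addr/mask` entries, writes the catch-all as 0.0.0.0/0.0.0.0 so that it matches every source address, and all client addresses are constructed.

```python
"""Model of Squid's first-match http_access evaluation for `src` ACLs."""
import ipaddress

# Constructed config: ACL names follow the reply above; `all` uses mask
# 0.0.0.0 so that it matches every source address.
ALLOWLIST_CONF = """\
acl one_nine_two src 192.9.64.0/23
acl ten_ninety src 10.90.0.0/16
acl ten_ninety_five src 10.95.0.0/16
acl one_seven_two src 172.16.0.0/14
acl one_six_eight src 192.168.0.0/16
acl all src 0.0.0.0/0.0.0.0
http_access allow one_nine_two
http_access allow ten_ninety
http_access allow ten_ninety_five
http_access allow one_seven_two
http_access allow one_six_eight
http_access deny all
"""

# Same rules, but `all` carries a host mask, so it matches only 0.0.0.0.
NARROW_ALL_CONF = ALLOWLIST_CONF.replace("0.0.0.0/0.0.0.0",
                                         "0.0.0.0/255.255.255.255")
EVERYTHING = ipaddress.ip_network("0.0.0.0/0")


def parse(conf):
    """Return ({acl name: [networks]}, [(action, [acl terms])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def term_matches(acls, term, client):
    """A term is an ACL name, optionally negated with a leading '!'."""
    hit = any(client in net for net in acls.get(term.lstrip("!"), []))
    return hit != term.startswith("!")


def decide(conf, client_ip):
    """Return (action, reason) for a client address, first match wins."""
    acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for number, (action, terms) in enumerate(rules, 1):
        # Every ACL on an http_access line must match (logical AND).
        if all(term_matches(acls, t, client) for t in terms):
            return action, f"http_access rule {number}"
    if not rules:
        return "deny", "no http_access rules"
    # No line matched: Squid applies the opposite of the last line.
    return ("allow" if rules[-1][0] == "deny" else "deny"), "implicit default"


def audit(conf):
    """Flag a catch-all that is not catch-all, or a missing final deny."""
    acls, rules = parse(conf)
    findings = []
    if EVERYTHING not in acls.get("all", []):
        findings.append("acl 'all' does not cover 0.0.0.0/0")
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all'")
    return findings


if __name__ == "__main__":
    for ip in ("192.9.65.20", "172.19.255.1", "172.20.0.1", "203.0.113.7"):
        print(ip, decide(ALLOWLIST_CONF, ip), decide(NARROW_ALL_CONF, ip))
    print(audit(ALLOWLIST_CONF), audit(NARROW_ALL_CONF))
```

The second config shows why the mask on `all` matters: when the final `deny all` never matches, the implicit default after a trailing deny is allow.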
Re: [squid-users] syntax to test ldap groups?
On Mon, 7 Nov 2005, Derrick MacPherson wrote:
> Just following up on this, all is working except I'm not sure what I need for syntax in referring to an AD group with a space in the name,

For this to work you need to place the group in an external file. In external files each line is read as a group name, including any spaces or other odd characters.

Regards
Henrik
[squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi,

We are having problems setting up a squid cache server to use NTLMv2 authentication to authenticate users against AD. We have narrowed the problems down to being a problem between samba and squid when using NTLMv2. It constantly moans about the password being wrong when using squid, but doing a direct samba auth works fine.

We have (believedly) narrowed it down to this: the domain requires client ntlmv2 = yes in samba to work - however it seems ntlm_auth does not support this!

Our process was as follows:

On the domain controller, we set the Network Security: LAN Manager authentication level properties option to be Send NTLM response only. We then set smb.conf to look something like this:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
#realm = S058DS1001001.DOMAIN.COM
#client ntlmv2 auth = yes
log file = /var/log/log.%m

That works, when joining the domain we can see the users, groups etc. Some of the commands we ran:

[EMAIL PROTECTED] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication succeeded
challenge/response password authentication succeeded

[EMAIL PROTECTED] ~ # wbinfo -t
checking the trust secret via RPC calls succeeded

All worked fine, and squid could auth the user as could a wbinfo -a.

We then switched the option in AD to Send NTLMv2 response only\refuse LM NTLM and the smb.conf to the following:

[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
security = ads
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
realm = S058DS1001001.DOMAIN.COM
client ntlmv2 auth = yes
log file = /var/log/log.%m

When we join the domain, it joins fine, we run winbindd and nmbd and we can then look up the users and groups. We can do a net ads testjoin which works fine as well

[EMAIL PROTECTED] ~ # net ads testjoin
Join is OK

Note that client ntlmv2 is on now.

The problem comes in when trying to use squid to do the authentication. We get the following error in the squid log file if we set the authenticators debugging to level 9:

[2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
[2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [EMAIL PROTECTED] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username is invalid, so we know that it has to do with the password. We also know that the password is correct as we tried this numerous times and we also tried copy pasting the password into the required field.

Our squid.conf looks like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is there an option that we need to set to make the authenticator use ntlmv2 only or something like we had to do for samba? Does ntlm_auth not understand the v2 protocol properly?

Onto another question, when I join the domain for the first time, I get this error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are a few examples:

[EMAIL PROTECTED] ~ # wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

And this from the squid log if we try and auth a user:

[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [EMAIL PROTECTED] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening from anywhere between 5 and 15 minutes after joining the domain. Any ideas as to why they are occurring in the first place?

Basically: We are able to list users, and groups - but wbinfo -t doesn't work until we've been logged on for 5-15 minutes (randomly)?

Thanks in advance,
Ian
Re: [squid-users] Urgent Samba / Squid NTLM Auth Problems
Hi,

At 22.22 07/11/2005, Ian Barnes wrote:
> Our squid.conf looks like this:
>
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2

Wonder, even you have done a very detailed report, you don't have read squid.conf comments before :-)

From 2.5 STABLE12 squid.conf:

# use_ntlm_negotiate on|off
# Enables support for NTLM NEGOTIATE packet exchanges with the helper.
# The configured ntlm authenticator must be able to handle NTLM
# NEGOTIATE packet. See the authenticator programs documentation if
# unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
# option.
# The NEGOTIATE packet is required to support NTLMv2 and a
# number of other negotiable NTLMSSP options, and also makes it
# more likely the negotiation is successful.

So in squid.conf you need:

auth_param ntlm use_ntlm_negotiate on

Please note:

auth_param ntlm children 2

It is a very too low value, on a loaded proxy you must set this value to a more higher value as 20, 30 or more. You must monitor the helpers usage to find the correct value.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
RE: [squid-users] Squid date and time acl question
-----Original Message-----
From: David Lynum [mailto:[EMAIL PROTECTED]
Sent: Monday, November 07, 2005 2:11 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid date and time acl question

> Dear List,
>
> I'm running Dansguardian 2.8.0, Squid 2.5, and webmin 1.23 on Fedora Core 2. I need to create (2) acl's. One to block access to a specific website, and other to block internet access entirely. For both of these acl's, I only want to block access for a limited time. The reason for this is that I work for a youth development center. The youth tend to spend a lot of time on the internet, so I'd like to limit their access to both a specific website and to the internet as a whole at certain times of the day. The computers that the youth use are all configured to use dansguardian as their proxy. The computers that the staff use don't use a proxy. I know how to create an acl in webmin. I just don't know how to configure the proxy restrictions.
>
> Thanks,
>
> David

The FAQ, section 10 (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html), will likely have all the information you need. Check out subsection 17 (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.17) for time-based specifics.

Chris
[squid-users] Need help with httpd_accell
Hi All,

I'm trying to use the httpd_accell to allow squid to proxy an internal web server on the internet.

Currently my squid.conf is set up like this:-

acl our_networks src 192.168.5.0/24 192.168.3.0/24
http_access allow our_networks
cache_access_log none
cache_store_log none
visible_hostname proxy
acl accesses_to_apps dstdomain 192.168.3.101 proxy
http_access allow accesses_to_apps !our_networks
#Reverse Proxy
http_port 80
httpd_accel_host 192.168.3.101
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

But whenever I try to access the page http://proxy;

While trying to retrieve the URL: 192.168.3.101

The following error was encountered:

  * Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect

What acls am I missing? Basically I allowed dstdomain the IP of the internal webserver and the proxy server (hostname proxy)... I'm guessing I'm missing something here...

Thanks!
Re: [squid-users] Need help with httpd_accell
Brian Phillips wrote:
> Shouldn't this
>
> acl accesses_to_apps dstdomain 192.168.3.101 proxy
> http_access allow accesses_to_apps !our_networks
>
> be:
>
> acl accesses_to_apps1 dst 192.168.3.101/32
> acl accesses_to_apps2 dstdomain proxy
> http_access allow accesses_to_apps1
> http_access allow accesses_to_apps2
> http_access deny all
>
> ?
>
> I am not sure, but I don't think you do ip's with dstdomain...

That's it! I didn't realize that I was using dstdomain and not dst

Feeling like a moron now.. Seemed so obvious when you highlighted it.

Thanks a bundle Brian

> debug_options ALL,1 33,2 is also helpful when tracking down ACLs
>
> Brian
Re: [squid-users] Strange disk full in FreeBSD
Matus UHLAR - fantomas wrote:
> On 07.11 20:18, forgetful tan wrote:
>> My squids ran into trouble after it startup for some period of time. Squid stop accepting new connections. When I login to that machine and ran df, it show out that there's 100% space usage in the cache_dir.
>
> Read: http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc4.14
> maybe you configured cache_dir too big.

I have 27g of disk space, I config that cache_dir to 8g.

>> I tried to stop squid and re-newfs. But I just can't umount it!
>
> There's probably process having opened something on that filesystem (e.g. it's current directory is on it)
>
>> The only way I can fix it is to reboot the machine to let it be fscked. And after the reboot, I df again and got about 20% disk usage in the cache_dir.
>
> did you rm -rf everything in that directory?

surely no!

>> I met the same problem in FreeBSD from 4.3 to 4.9 with cache_dir of UFS+SoftUpdate.
>> I check the google for UFS problem and got some advice on changing the time optimize to space optimize. But I just don't think that's the problem I met, coz if all the blocks are used up, then it can't be fix after a simple reboot (with a fsck ?), right?
>
> there may be process having open files which were removed, but as long as they are open, they still take space on the disk. After reboot they get physically removed.
>
> Where do you store your logs?

Another problem is that when I tried to umount that directory, the umount process just hung up, even can respond to the ctrl + c signal! It seems like a FS's problem.
Re: [squid-users] error pages on acl deny
On 10/27/05, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On Wed, 26 Oct 2005, Christoph Haas wrote:
>> On Wednesday 26 October 2005 11:36, Metal Gear wrote:
>>> hi guys i am now using the following acls i.e. i want different error pages for different acls but i m always having a same error pages i.e. of 'ERR_ACCESS_DENIED'. i think its priority is higher than the second one.
>>>
>>> acl blockedsites url_regex /usr/local/squid/etc/sites/block
>>> http_access deny blockedsites mydomain
>>> deny_info ERR_ACCESS_DENIED blockedsites mydomain
>>> acl browserblocker browser -i 1.0.7
>>> http_access deny !browserblocker mydomain
>>> deny_info ERR_OLD_BROWSER_DENIED !browserblocker mydomain
>>> http_access allow mydomain
>>>
>>> how will i get the different error page?
>
> deny_info looks for the very last acl of the http_access line which denied access. Nothing more, nothing less.
>
> If you list multiple acls on the same deny_info line then http_access deny lines ending in any of these acls will show the indicated error message.
>
> If you can not arrange your http_access deny statements in such manner that the last acl on each line is something meaningful to use in deny_info for selecting a suitable error message then it is possible to introduce dummy acls similar to the all acl to connect things together with deny_info.

so how can i introduce dummy acls since i tried each and every thing but the situation remains.

>> You need to define the deny_info before you use it in http_access. Just swap the lines.
>
> No, the ordering of deny_info in relation to http_access is not important. You can have all your deny_info lines first in squid.conf, or last if you prefer, or mixed with your http_access lines.
>
> Regards
> Henrik
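
Added example (not part of the original thread, and not Squid code): a Python model of the deny_info rule quoted in the message above, where the error page is chosen by the last acl on the http_access line that denied the request. The rearranged config, the dummy acl name old_browser (assumed to be defined so that it always matches, like the all acl), the per-request acl results and the first-listed-wins tie-break between deny_info lines are assumptions of this model.

```python
"""Model of deny_info page selection: the last acl on the denying line decides."""

# The posted rules: both deny lines end in `mydomain`.
ORIGINAL = """\
http_access deny blockedsites mydomain
deny_info ERR_ACCESS_DENIED blockedsites mydomain
http_access deny !browserblocker mydomain
deny_info ERR_OLD_BROWSER_DENIED !browserblocker mydomain
http_access allow mydomain
"""

# Constructed rearrangement: each deny line ends in an acl that only one
# deny_info names. `old_browser` is a hypothetical always-true dummy acl.
REARRANGED = """\
http_access deny mydomain blockedsites
deny_info ERR_ACCESS_DENIED blockedsites
http_access deny mydomain !browserblocker old_browser
deny_info ERR_OLD_BROWSER_DENIED old_browser
http_access allow mydomain
"""

DEFAULT_PAGE = "ERR_ACCESS_DENIED"  # page used when no deny_info applies

# Constructed per-request acl results (acl name -> did it match?).
OLD_BROWSER = {"mydomain": True, "blockedsites": False,
               "browserblocker": False, "old_browser": True}
BLOCKED_SITE = {"mydomain": True, "blockedsites": True,
                "browserblocker": True, "old_browser": True}
NORMAL = {"mydomain": True, "blockedsites": False,
          "browserblocker": True, "old_browser": True}


def parse(conf):
    """Return ([(action, [acl terms])], [(page, [acl names])])."""
    access, pages = [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "http_access":
            access.append((tok[1], tok[2:]))
        elif len(tok) >= 3 and tok[0] == "deny_info":
            pages.append((tok[1], tok[2:]))
    return access, pages


def term_matches(term, truth):
    """Evaluate one acl term, honouring a leading '!' negation."""
    if term.startswith("!"):
        return not truth.get(term[1:], False)
    return truth.get(term, False)


def error_page(conf, truth):
    """Return the error page shown for this request, or None if allowed."""
    access, pages = parse(conf)
    for action, terms in access:
        if not all(term_matches(t, truth) for t in terms):
            continue  # every acl on the line must match
        if action == "allow":
            return None
        last_acl = terms[-1].lstrip("!")  # name of the last acl on the line
        for page, names in pages:
            # Names are compared literally, so "!browserblocker" in a
            # deny_info line never equals an acl name in this model.
            if last_acl in names:
                return page
        return DEFAULT_PAGE
    # No line matched: the implicit default is the opposite of the last line.
    if not access or access[-1][0] == "allow":
        return DEFAULT_PAGE
    return None


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("rearranged", REARRANGED)):
        print(label, error_page(conf, OLD_BROWSER),
              error_page(conf, BLOCKED_SITE), error_page(conf, NORMAL))
```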