[squid-users] slow browsing
i am getting slow response from proxy, after a month of newly installed linux fc 4, each time, i am not using any anti-virius. i have dsl modem 512 kbps link, these days i am getting same response (slow browsing). i have 120 workstations. i removed all users, and for test purpose1 workstation and proxy server (squid). getting 1-1.5 kbps. i dont know whats problem. acl mew src 10.0.0.0/255.0.0.0 delay_pools 1 delay_class 1 2 delay_parameters 1 58000/58000 5000/5000 delay_access 1 allow mew
[squid-users] transparent proxy without client DNS setting
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi List, My connection to the internet is only through a remote proxy server. I have been using squid to connect to this remote proxy server using the cache_peer option ( cache_peer xx.xx.xx.xx parent 8080 0 no-query default ) and it is working fine if specified manually in the client's browser setting. In my attempt to configure a transparent squid using PF, ( squid is running on the openbsd gateway ) I have found out that the client is trying to connect to the internet using the DNS server configured in the client, which does not work, because the DNS server specified in the client is only internal. This is why squid is working if specified manually in the browser, it does not use the DNS setting of the client, but it directs the request to the parent proxy specified in cache_peer. I think I have correctly configured squid and PF to work in transparent mode since I can see the traffic being redirected if a site can be accessed by the internal DNS server, ( example, websites located in WAN ). any suggestions for transparent squid to work without the client having a true DNS server configured? I hope i have explained this correctly. regards, - -- Kenneth P. Oncinian Panasonic Communications Philippines Corporation Information Systems Division - Network and Infrastructure Department - -- PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD+W7n9MTaiXoaMBgRAsVcAKCJ7w2V0KlkG7pjJ3da2W7fllAS3wCfSBuM i/GC7cmvl152XU2HSMXWrXM= =sGlp -END PGP SIGNATURE-
[squid-users] Certain header not authenticating
Hey, I am running squid/squidGuard with NTLM authentication. Everything works perfectly, except there is a site that some employees use for interactive training. It seems when these employees go to this site they are continually prompted for username/password with wpad.domainname.com as the realm. After investigating, the useragent log is showing this: 192.168.12.102 - - [15/Feb/2006:15:30:49 -0500] "GET /wpad.dat HTTP/1.1" 200 251 "-" "NSPlayer/9.00.00.2980" It seems that the NSPlayer header is somehow not retrieving the wpad file correctly? If the users click cancel nothing happens - they can continue, but it pops up when they click to go to the next page. This is a major annoyance for some users, and has become a headache for me. I haven't explicitly set anything in squid.conf to only allow certain headers, im not even sure if you can. I have searched hell and high-water, but to no avail. Does anyone have any ideas? I really appreciate it. -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 2/17/2006
[squid-users] blocking all but one site from a machine
Hello, I've got a unique situation. I've got squid acting as a transparent proxy. I want to block all outgoing http requests from a single machine with the exception of a single site, let that through. In other words if machine x goes to any other site other than the one i've designated they get an access denied msg. Is this doable? Thanks. Dave. - Original Message - From: "Fernando Rodriguez" <[EMAIL PROTECTED]> To: Sent: Friday, February 17, 2006 10:33 AM Subject: [squid-users] Redirecting users to a login screen How can i redirect users to a login screen ? Fernando Rodriguez V. [EMAIL PROTECTED]
Re: [squid-users] Problem with intercept squid and boinc
> Hi, > I have configured a squid httpd proxy cache in intercept/transparent mode. > > The problem I have is that the boinc client from setiathome have problem > connecting to its server. - Is boinc configured to use a http proxy (I presume it is) - What are the messages displayed in it's messages window, when the problems appear. - What's in squid's access.log for thes boinc requests ? - Anything further in cache.log > If I disable squid interception, all works fine. My usual anti-interception bible , not that one of the topics mentioned my have bitten you : - Intercepting HTTP breaks TCP/IP standards because user agents think they are talking directly to the origin server. - It causes path-MTU to fail. Possibly making the website not accessible. - As a result for instance on older IE versions ; "reload" did not work as expected. - You can't use proxy authentication - You can't use IDENT lookups - Intercepting proxies are incompatible with IP filtering designed to prevent address spoofing. - Clients are still expected to have full Internet DNS resolving capabilities , when in certain Intranet/Firewalling setups , this is not always wanted. - Related to above : because of transp. proxy setup : suppose a browser connects to a site which is down.HOWEVER , due to the transparant proxying setup. It gets a connected state to the interceptor. The end user may get wrong error messages or a browser, seemingly doing nothing anymore. > > I see in the access_log from squid that the last request its a POST > > Anyone have seen this problem? How can I debug it. > > Thanks > Oliver >
Re: [squid-users] Recommendations for log analyzer
Also sprach Chris Mason <[EMAIL PROTECTED]> (Fri, 17 Feb 2006 21:26:12 -0400): > I'm using Squid to control staff access to the net and I'd like to > find a reasonable log analyzer package to monitor the efficiency and > to report usage. I've explored the links on > http://www.squid-cache.org/ but most of what I found isn't very > polished. Any suggestions? http://cord.de/tools/squid/calamaris/ > Chris sl ritch
[squid-users] Problem with intercept squid and boinc
Hi, I have configured a squid httpd proxy cache in intercept/transparent mode. The problem I have is that the boinc client from setiathome have problem connecting to its server. If I disable squid interception, all works fine. I see in the access_log from squid that the last request its a POST Anyone have seen this problem? How can I debug it. Thanks Oliver -- Oliver Schulze L. <[EMAIL PROTECTED]>
[squid-users] Recommendations for log analyzer
I'm using Squid to control staff access to the net and I'd like to find a reasonable log analyzer package to monitor the efficiency and to report usage. I've explored the links on http://www.squid-cache.org/ but most of what I found isn't very polished. Any suggestions? Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [squid-users] parent cache information
Once again thank you very much. Just curious if your child proxy is not caching why would you have child parent hierarchy. Anyway much appreciated for your help and your valuable time. On 2/18/06, Chris Robertson <[EMAIL PROTECTED]> wrote: > > -Original Message- > > From: Raj [mailto:[EMAIL PROTECTED] > > Sent: Friday, February 17, 2006 2:46 PM > > To: Chris Robertson > > Cc: squid-users@squid-cache.org > > Subject: Re: [squid-users] parent cache information > > > > > > Chris, > > > > Once again thanks heaps. You were absolutely spot on. We have total 4 > > proxies (2 child & 2 parent proxies). > > > > Server A & Server C - parent proxies (2nd tier) > > Server B & Server D - Child proxies (1st tier) > > > > 1st Tier uses NTLM authentication via the the Samba WINBIND process. > > 2nd Tier is located in the DMZ with no authentication required. > > > > This is the main reason we are using 1st tier and 2nd tier proxies. > > For this type of setup could you please recommend whether to configure > > both proxy's to cache or just 2nd tier proxies as cache and 1st tiers > > as proxy only. Basically I want to achieve better performance than > > what we have now. At the moment as explained to you before both 1st > > tier and 2nd tier are caching. > > > > Once again thanks a million. > > > > Regards. > > > > Well, I think you will see your best improvement by recompiling and including > aufs. > > In any case, for a different reason I have a child-parent hierarchy on a > single LAN segment. My cache_peer line on one child (proxy1) is: > > cache_peer proxy2 sibling 8080 3130 proxy-only no-digest > cache_peer proxy3 parent 8080 3130 proxy-only round-robin no-digest > cache_peer proxy3 parent 8081 3131 proxy-only round-robin no-digest > > Both my request hit and byte hit ratio on the child proxy are low (but > non-zero) numbers. Perhaps that indicates that only cached requests fetched > from the parent proxy are not cached on the child, vs. all requests. Then > again, due to other quirks with my setup that metric may not be indicative of > anything. As for myself, I can perceive no difference between surfing with > or without the proxy. Anecdotal evidence at best. > > Chris >
RE: [squid-users] parent cache information
> -Original Message- > From: Raj [mailto:[EMAIL PROTECTED] > Sent: Friday, February 17, 2006 2:46 PM > To: Chris Robertson > Cc: squid-users@squid-cache.org > Subject: Re: [squid-users] parent cache information > > > Chris, > > Once again thanks heaps. You were absolutely spot on. We have total 4 > proxies (2 child & 2 parent proxies). > > Server A & Server C - parent proxies (2nd tier) > Server B & Server D - Child proxies (1st tier) > > 1st Tier uses NTLM authentication via the the Samba WINBIND process. > 2nd Tier is located in the DMZ with no authentication required. > > This is the main reason we are using 1st tier and 2nd tier proxies. > For this type of setup could you please recommend whether to configure > both proxy's to cache or just 2nd tier proxies as cache and 1st tiers > as proxy only. Basically I want to achieve better performance than > what we have now. At the moment as explained to you before both 1st > tier and 2nd tier are caching. > > Once again thanks a million. > > Regards. > Well, I think you will see your best improvement by recompiling and including aufs. In any case, for a different reason I have a child-parent hierarchy on a single LAN segment. My cache_peer line on one child (proxy1) is: cache_peer proxy2 sibling 8080 3130 proxy-only no-digest cache_peer proxy3 parent 8080 3130 proxy-only round-robin no-digest cache_peer proxy3 parent 8081 3131 proxy-only round-robin no-digest Both my request hit and byte hit ratio on the child proxy are low (but non-zero) numbers. Perhaps that indicates that only cached requests fetched from the parent proxy are not cached on the child, vs. all requests. Then again, due to other quirks with my setup that metric may not be indicative of anything. As for myself, I can perceive no difference between surfing with or without the proxy. Anecdotal evidence at best. Chris
Re: [squid-users] parent cache information
Chris, Once again thanks heaps. You were absolutely spot on. We have total 4 proxies (2 child & 2 parent proxies). Server A & Server C - parent proxies (2nd tier) Server B & Server D - Child proxies (1st tier) 1st Tier uses NTLM authentication via the the Samba WINBIND process. 2nd Tier is located in the DMZ with no authentication required. This is the main reason we are using 1st tier and 2nd tier proxies. For this type of setup could you please recommend whether to configure both proxy's to cache or just 2nd tier proxies as cache and 1st tiers as proxy only. Basically I want to achieve better performance than what we have now. At the moment as explained to you before both 1st tier and 2nd tier are caching. Once again thanks a million. Regards. On 2/18/06, Chris Robertson <[EMAIL PROTECTED]> wrote: > > -Original Message- > > From: Raj [mailto:[EMAIL PROTECTED] > > Sent: Thursday, February 16, 2006 6:08 PM > > To: Chris Robertson > > Cc: squid-users@squid-cache.org > > Subject: Re: [squid-users] parent cache information > > > > > > Thanks a lot for that. I can only specify proxy-only option on server > > B right? Because I am not using cache_peer option on server A which is > > facing the internet. > > Well, there is a no-cache directive that works independently of cache_peer > lines... > > > If I use proxy-only option on Server B, then Server B just acts as > > proxy and it will cache only non-duplicate content. Are there any > > benifits in using 1st tier and 2nd tier proxys. Please reply. > > > > Actually, I think that using the proxy-only option will prevent Server B from > caching ANY content it retrieves from Server A (which in your case would mean > ALL content not cached on Server B, a catch 22). Cache hierarchies are > usually used when there are many disparate child proxies (branch offices > proxy through the main hub) or there is a bottle neck at each point (small > pipe between child and parent proxy, medium pipe between parent and > internet). Other times, an other type of proxy is used as a parent > (DansGuardian, virus scanner, etc.). I'm not sure of the reason for the > set-up you describe. Perhaps access to the proxy in the DMZ is limited to > one specific IP address (the child proxy) by the firewall. Perhaps the child > proxy was at some point going to perform authentication from a source not > available from the DMZ. Perhaps the DMZ proxy was going to be acting as an > accelerator, and the only way to allow access to the accelerated website from > within the LAN was to pass all traffic through the parent. > > Chris >
RE: [squid-users] parent cache information
> -Original Message- > From: Raj [mailto:[EMAIL PROTECTED] > Sent: Thursday, February 16, 2006 6:08 PM > To: Chris Robertson > Cc: squid-users@squid-cache.org > Subject: Re: [squid-users] parent cache information > > > Thanks a lot for that. I can only specify proxy-only option on server > B right? Because I am not using cache_peer option on server A which is > facing the internet. Well, there is a no-cache directive that works independently of cache_peer lines... > If I use proxy-only option on Server B, then Server B just acts as > proxy and it will cache only non-duplicate content. Are there any > benifits in using 1st tier and 2nd tier proxys. Please reply. > Actually, I think that using the proxy-only option will prevent Server B from caching ANY content it retrieves from Server A (which in your case would mean ALL content not cached on Server B, a catch 22). Cache hierarchies are usually used when there are many disparate child proxies (branch offices proxy through the main hub) or there is a bottle neck at each point (small pipe between child and parent proxy, medium pipe between parent and internet). Other times, an other type of proxy is used as a parent (DansGuardian, virus scanner, etc.). I'm not sure of the reason for the set-up you describe. Perhaps access to the proxy in the DMZ is limited to one specific IP address (the child proxy) by the firewall. Perhaps the child proxy was at some point going to perform authentication from a source not available from the DMZ. Perhaps the DMZ proxy was going to be acting as an accelerator, and the only way to allow access to the accelerated website from within the LAN was to pass all traffic through the parent. Chris
RE: [squid-users] Squid - Ldap
> -Original Message- > From: Franco, Battista [mailto:[EMAIL PROTECTED] > Sent: Thursday, February 16, 2006 11:19 PM > To: Chris Robertson; squid-users@squid-cache.org > Subject: Re: [squid-users] Squid - Ldap > > > I tried "setenforce 0" and now it's OK. :o > But another question: everytime I restart server should i > need repeat "setenforce 0"? > You have three options as I see it: 1) Figure out how to give Squid permission to run squid_ldap_auth within the SELINUX environment (http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#faq-div-resolving-problems) 2) Disable SELINUX just for Squid (http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel) 3) Disalbe SELINUX permanently system-wide (http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880) Chris
[squid-users] Redirecting users to a login screen
How can i redirect users to a login screen ? Fernando Rodriguez V. [EMAIL PROTECTED]
Re: [squid-users] premium proxy services
> > If anyone else on this list has set up a two proxies (one as main proxy and > another as a premium proxy service) using cache_peer and acl options for > premium destinations and has it working, please assist if you can. > > To summarise, I want all my clients to point to the main proxy (PROXY A) > as they currently do. On PROXY A i will have a list of domains that must be > handled by PROXY B so that if a user wants to access one of these domains, > the reqeust will seamlessly be passed to PROXY B. On my bandwdith management > tool, I will then give PROXY B higher priority. and I will restrict PROXY B > to only go to sites that I deem high priority . > > > I need to get this working. > Hmm, perhaps this is relevant, from squid.conf.default : #use 'login=PASS' if users must authenticate against #the upstream proxy. This will pass the users credentials #as they are to the peer proxy. This only works for the #Basic HTTP authentication scheme. Note: To combine this #with proxy_auth both proxies must share the same user #database as HTTP only allows for one proxy login. # ^^ #Also be warned this will expose your users proxy #password to the peer. USE WITH CAUTION Note the remark, that apparently, only one of the 2 can use auth. If the 2 proxies need auth, you can login=PASS on the cache_peer argument, provided they use the same user database. M.
Re: [squid-users] premium proxy services
> > Have tested. > > The premium server is currently my live server through which my entire > organisation, including myself are surfing so I know that it is working. > If one correct username/pw is used on the cache_peer line as login params, then it should work. M.
Re: [squid-users] premium proxy services
> When i try and now go to my premium site, i still get authentication > windows comin up. > > access.log shows > > 1140183757.308 39 146.141.77.33 TCP_MISS/407 1746 GET > http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/athena.wits.ac.za text/html > 1140183757.339 31 146.141.77.33 TCP_MISS/407 1746 GET > http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/athena.wits.ac.za text/html > > From : http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.8 407 Proxy Authentication Required It still means your local proxy doesn't provide the auth. data and or they are incorrect. If possible you should test the premium, with a local browser and double verify the neede auth. params (correct username and password) M.
Re: [squid-users] premium proxy services
Mark Elsen wrote: Hi Mark The only error I now get after sorting out the other is the ff:- 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:24:52| Store logging disabled 2006/02/17 15:24:52| User-Agent logging is disabled. 2006/02/17 15:24:52| DNS Socket created at 0.0.0.0, port 32821, FD 5 How can I tell which lines in squid.conf are generating these two error? Good question, it would be handy if 'squid -k parse' would tell that, I guess you can only start looking for '-i' using find in your editor. Hoping that you get a meaningfull erroroneous line soon. M. Hi MArk I've now gotten rid of all error (-i option was from acl aclname src -i "/usr/local/squid/etc/xxx.txt" options. seems like the src and -i was the problem. So all errors are now removed. When i try and now go to my premium site, i still get authentication windows comin up. access.log shows 1140183757.308 39 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/athena.wits.ac.za text/html 1140183757.339 31 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/athena.wits.ac.za text/html Rgds, Hement
Re: [squid-users] premium proxy services
> Hi Mark > > The only error I now get after sorting out the other is the ff:- > > 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' > 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' > 2006/02/17 15:24:52| Store logging disabled > 2006/02/17 15:24:52| User-Agent logging is disabled. > 2006/02/17 15:24:52| DNS Socket created at 0.0.0.0, port 32821, FD 5 > > > How can I tell which lines in squid.conf are generating these two error? > > Good question, it would be handy if 'squid -k parse' would tell that, I guess you can only start looking for '-i' using find in your editor. Hoping that you get a meaningfull erroroneous line soon. M.
Re: [squid-users] premium proxy services
Mark Elsen wrote: Auth details are correct but here are some errors. they are errors but squid runs fine with them (??) 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:07:22| parseConfigFile: line 2130 unrecognized: 'testproxy.wits.ac.za' 2006/02/17 14:46:32| WARNING: rejecting 'localhost' as a name server, because it is not a numeric IP address 2006/02/17 14:46:32| Adding nameserver x.x.x.x from /etc/resolv.conf 2006/02/17 14:46:32| helperOpenServers: Starting 25 'ncsa_auth' processes 2006/02/17 14:46:34| Accepting HTTP connections at 0.0.0.0, port 80, FD 6. 2006/02/17 14:46:34| Accepting ICP messages at 0.0.0.0, port 3130, FD 33. 2006/02/17 14:46:34| Accepting SNMP messages on port 3401, FD 35. I would advise trying to correct everything; then look at the state of your current issues. M. Hi Mark The only error I now get after sorting out the other is the ff:- 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:24:52| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:24:52| Store logging disabled 2006/02/17 15:24:52| User-Agent logging is disabled. 2006/02/17 15:24:52| DNS Socket created at 0.0.0.0, port 32821, FD 5 How can I tell which lines in squid.conf are generating these two error? Rgds, Hement
Re: [squid-users] premium proxy services
> Auth details are correct > > but here are some errors. they are errors but squid runs fine with them (??) > > > 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' > 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' > 2006/02/17 15:07:22| parseConfigFile: line 2130 unrecognized: > 'testproxy.wits.ac.za' > 2006/02/17 14:46:32| WARNING: rejecting 'localhost' as a name server, > because it is not a numeric IP address > 2006/02/17 14:46:32| Adding nameserver x.x.x.x from /etc/resolv.conf > 2006/02/17 14:46:32| helperOpenServers: Starting 25 'ncsa_auth' processes > 2006/02/17 14:46:34| Accepting HTTP connections at 0.0.0.0, port 80, FD 6. > 2006/02/17 14:46:34| Accepting ICP messages at 0.0.0.0, port 3130, FD 33. > 2006/02/17 14:46:34| Accepting SNMP messages on port 3401, FD 35. > > I would advise trying to correct everything; then look at the state of your current issues. M.
Re: [squid-users] premium proxy services
Mark Elsen wrote: O Hi mark I still get asked for authentication here are my cache_peer inserts acl wits src X.X.0.0/255.255.0.0 acl premium-sites url_regex -i "/usr/local/squid/etc/premium-sites.txt" cache_peer XXX.domain.ac.za parent 80 3130 proxy-only no-query no-digest login=user:password cache_peer_access xxx.domain.ac.za allow premium-sites cache_peer_access xxx.domain.ac.za deny wits and my access.log entries. for testing, i've put cnn.com as a premium site. s.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html 1140180422.032806 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html 1140180423.861835 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html 407 is access denied. - Are the auth. data correct ? - does : % squid -k parse give any info and or errors ? M. Hi Mark Auth details are correct but here are some errors. they are errors but squid runs fine with them (??) 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:07:22| aclParseIpData: Bad host/IP: '-i' 2006/02/17 15:07:22| parseConfigFile: line 2130 unrecognized: 'testproxy.wits.ac.za' 2006/02/17 14:46:32| WARNING: rejecting 'localhost' as a name server, because it is not a numeric IP address 2006/02/17 14:46:32| Adding nameserver x.x.x.x from /etc/resolv.conf 2006/02/17 14:46:32| helperOpenServers: Starting 25 'ncsa_auth' processes 2006/02/17 14:46:34| Accepting HTTP connections at 0.0.0.0, port 80, FD 6. 2006/02/17 14:46:34| Accepting ICP messages at 0.0.0.0, port 3130, FD 33. 2006/02/17 14:46:34| Accepting SNMP messages on port 3401, FD 35.
Re: [squid-users] premium proxy services
O > Hi mark > > I still get asked for authentication > > here are my cache_peer inserts > > acl wits src X.X.0.0/255.255.0.0 > acl premium-sites url_regex -i "/usr/local/squid/etc/premium-sites.txt" > cache_peer XXX.domain.ac.za parent 80 3130 proxy-only no-query no-digest > login=user:password > cache_peer_access xxx.domain.ac.za allow premium-sites > cache_peer_access xxx.domain.ac.za deny wits > > > > and my access.log entries. for testing, i've put cnn.com as a premium site. > > s.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html > 1140180422.032806 146.141.77.33 TCP_MISS/407 1746 GET > http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html > 1140180423.861835 146.141.77.33 TCP_MISS/407 1746 GET > http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html > > 407 is access denied. - Are the auth. data correct ? - does : % squid -k parse give any info and or errors ? M.
Re: [squid-users] premium proxy services
Mark Elsen wrote: Hi Mark I force authentication on both proxies. The authentication box that pops up is from the central proxy..not premium. You need to provide the auth. data fro the the premium cache server into the conf of the central proxy using : login=user:password as a parameter to the 'cache_peer' statement which defines the premium proxy. M. Hi mark I still get asked for authentication here are my cache_peer inserts acl wits src X.X.0.0/255.255.0.0 acl premium-sites url_regex -i "/usr/local/squid/etc/premium-sites.txt" cache_peer XXX.domain.ac.za parent 80 3130 proxy-only no-query no-digest login=user:password cache_peer_access xxx.domain.ac.za allow premium-sites cache_peer_access xxx.domain.ac.za deny wits and my access.log entries. for testing, i've put cnn.com as a premium site. s.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html 1140180422.032806 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html 1140180423.861835 146.141.77.33 TCP_MISS/407 1746 GET http://www.cnn.com/ cns.hementg FIRST_UP_PARENT/xxx.domain.ac.za text/html
Re: [squid-users] premium proxy services
> Hi Mark > > I force authentication on both proxies. The authentication box that pops > up is from the central proxy..not premium. > You need to provide the auth. data fro the the premium cache server into the conf of the central proxy using : login=user:password as a parameter to the 'cache_peer' statement which defines the premium proxy. M.
Re: [squid-users] Squid - Ldap
I tried "setenforce 0" and now it's OK. :o But another question: everytime I restart server should i need repeat "setenforce 0"? -Messaggio originale- Da: Chris Robertson [mailto:[EMAIL PROTECTED] Inviato: giovedì 16 febbraio 2006 19.15 A: squid-users@squid-cache.org Oggetto: RE: [squid-users] Squid - Ldap > -Original Message- > From: Franco, Battista [mailto:[EMAIL PROTECTED] > Sent: Thursday, February 16, 2006 7:34 AM > To: squid-users@squid-cache.org > Cc: Mark Elsen > Subject: [squid-users] R: [squid-users] R: [squid-users] Squid - Ldap > > > Hi > I understand it but why when do i use squid_ldap_auth from > command line it's work? > Another thing: > I tried to connect with LDAP Browser program; it work with > anonymous bind. 1) Try running /usr/lib/squid/squid_ldap_auth as the cache_effective_user. 2) Do you have SELINUX enabled? That could be the problem. Try running "setenforce 0" (without the quotes), and see if you can authenticate. Chris
Re: [squid-users] premium proxy services
Hi Mark I force authentication on both proxies. The authentication box that pops up is from the central proxy..not premium. Rgds, Hement Mark Elsen wrote: Hi I added the ff lines into my proxy acl premium-sites url_regex -i "/usr/local/squid/etc/premium-sites.txt" cache_peer athena.wits.ac.za parent 80 3130 cache_peer_access athena.wits.ac.za allow premium-sites For test purposes Athena is the premium proxy that i want to direct traffic to should the request be for a domain contained in the premium-sites.txt file. As soon as i try a site contained in the premium.txt file, an authentication box pops up (??) Any ideas? - Does the peer enforce authentication ? - You could test this by using it from a 'local' browser directly. M.
Re: [squid-users] parent cache information
> > I don't have proxy-only option on the cache_peer line on Server B. > > Below is the cache_peer option on server B. > > > > cache_peer ServerA parent 3128 3130 weight=15 no-query no-digest > > cache_peer ServerC parent 3128 3130 weight=10 no-query no-digest > > > > Should I change the above lines to > > > > cache_peer ServerA parent 3128 3130 no-digest proxy-only > > cache_peer ServerC parent 3128 3130 no-digest proxy-only On 16.02 15:07, Chris Robertson wrote: > cache_peer ServerA parent 3128 3130 no-query no-digest proxy-only > cache_peer ServerC parent 3128 3130 no-query no-digest proxy-only > > Since I imagine Server B is prevented from accessing the internet directly > there is no point to performing ICP queries (hence the no-query) on the > parents. if ServerB can reach at least ServerA and ServerC via ICP queries, I'd better turn them on (not use no-query option) to speed up lookups. Also, turning on cache digests on ServerA and ServerC and turning off the no-digest options would speed up things a bit. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: [squid-users] Squid Slow Downloads problem
> > So: You 're downloading on the Squid box, without using the Squid > > proxy ..and that's also slow? Correct? > > > > If that's the case, it has nothing to do with Squid but with the box > > itself. (Network cable, Duplex settings) On 16.02 14:52, Hesham Shakil wrote: > No, all I am saying is that downloads are slower when using Squid proxy > and fast when not using squid proxy, on both the Squid box and other > machines on the network. So this is a Squid problem :). As you can read in > the original email, I used apache+mod_proxy+mod_cache on the Squid box > (thats what i am using for the time being till the problem solves) and its > working fine, its only using squid that slows down downloads to almost > half the available bandwidth. the squid proxy seems to be using proxy.saudi.net.sa as parent cache. did you try to turn this parent off? -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
Re: [squid-users] parent cache information
Thanks a lot for that. I can only specify proxy-only option on server B right? Because I am not using cache_peer option on server A which is facing the internet. If I use proxy-only option on Server B, then Server B just acts as proxy and it will cache only non-duplicate content. Are there any benifits in using 1st tier and 2nd tier proxys. Please reply. > > > > Thanks a lot for your help once again. If I add proxy-only option on > > the peer_cache line Server B wont cache anything right? Because Server > > A is facing the internet and it will cache everything. Lets say I > > access the website google.com, Server A will cache google.com. Since > > Server A has google.com in the cache Server B wont cache that web > > site. Then why should I enable cache_dir on Server B. I am a bit > > confused here about how the caching works. Please reply. > > > > That's quite right. Running a cache_dir on Server B would be senseless. > Guess that's what I get for posting without thinking... > > Either use a cache_dir on both servers without the proxy-only option (with > the hope that the two will cache SOME non-duplicate content), or use the > proxy-only option and let the cache_dir on Server B sit unused (compile in > the "null" storeio in the future). > > Chris >
Re: [squid-users] squid authentication issue
On Fri, 17 Feb 2006, Henrik Nordstrom wrote: Another thought: I have some pretty restrictive header_access lines in there (the "paranoid" set, I believe). Could that be removing one or more headers that would make the browser do the desired thing here? Quite possible. You need to allow the proxy authentication related headers.. Are those summarized someplace?
