Re: [squid-users] Strange Problems with redirector
Hi Philipp,

> I'm trying to configure Squid (2.5.STABLE12) to use squidGuard (1.2.0)
> on an OpenSuSE 10.1.
>
> But it doesn't work. Squid without a redirector starts up, but configured
> with a redirector (even if I use "cat") crashes on startup.

Please check if AppArmor is running. It is started by default and there is a profile for Squid which limits using redirectors and authentication. To check if AppArmor is protecting Squid, do:

    cat /sys/kernel/security/apparmor/profiles | grep squid

If this returns a line like

    /usr/sbin/squid (enforce)

there is an AppArmor profile for Squid activated. To de-activate this profile, you can

a) Remove the AppArmor Squid profile and reload AppArmor:

    rm /etc/apparmor.d/usr.sbin.squid
    rcapparmor reload (or /etc/init.d/apparmor reload)

Please use "reload", not "restart". If you restart, AppArmor will only protect services which are started after AppArmor. Already running processes will not be protected any longer.

b) Disable AppArmor completely:

    rcapparmor stop
    insserv -r apparmor

Regards,

Peter

--
Peter Albrecht, Novell Training Services, [EMAIL PROTECTED]
Re: [squid-users] Strange Problems with redirector
Wed 2006-05-17 at 16:44 +0200, Philipp Neuhaus wrote:

> But it doesn't work. Squid without a redirector starts up, but configured
> with a redirector (even if I use "cat") crashes on startup.

Make sure traffic is allowed on the loopback interface. Squid uses TCP/IP over the loopback interface to talk to its helpers.

Regards
Henrik
Re: [squid-users] restart authentication helpers
Wed 2006-05-17 at 10:30 -0400, Michael W. Lucas wrote:

> I'd like to restart helpers without kicking the whole cache -- say,
> every 5 minutes, or after answering 100 requests. Is there a way to
> do this?

    squid -k rotate

is a somewhat quicker method to restart helpers. But the optimal would be to find the cause to your problems with the helper and fix that.

Regards
Henrik
[squid-users] Authentication Prompt on one blocked acl
I'm using NTLM authentication and it works fine, but I have an acl blocking browser regexp windows mediaplayer. Every time I pull up a page with the media player embedded it prompts for authentication. Other than that it never prompts. Any ideas?

Steve Wilson Jr
Loxias IT Solutions
513-605-2726
[EMAIL PROTECTED]
[squid-users] thoughts about squidGuard?
Hi.

I've setup squid-2.5.STABLE6 running on CentOS 4.3 and I'm considering adding squidGuard [ http://www.squidguard.org/ ] to the mix to block possible inappropriate web usage. I've hesitated since there appears to be little recent development work or maintenance except for a handful of patches which were not incorporated into a release.

Has anyone else used or is using squidGuard? Thoughts/comments?

Thanks,
Philip Hachey
Re: [squid-users] Use a parent proxy for https connexions
Hello Julien,

If you use never_direct and you have multiple parent caches, then you probably want to mark one of them as a default choice in case Squid can't decide which one to use. That is done with the default keyword on a cache_peer line.

    never_direct allow all

If you have only one parent, nothing is sent to the parent. Simply adding default to a parent does not force all requests to be sent to that parent. If you want to force all requests to your parent cache(s), use the never_direct option.

Squid does not know what to do with an https request; to handle such a request, Squid would need to speak the SSL protocol.

Thanks,
Visolve Squid Team,
http://squid.visolve.com

On Wed, 2006-05-17 at 15:36 +0200, Julien Cabillot wrote:
> Hi,
> (excuse my English, I'm a frenchie :))
> I try to install squid on my network, but I have a simple problem with
> the HTTPS part.
> I need to pass by an external proxy (I can't do nothing about this),
> but I want a local cache.
> I add the parent cache:
> cache_peer 10.122.1.5 parent 8080 0 no-query default
> My ftp and http request pass by this proxy BUT (there is always a
> but): squid try to connect directly for https sites.
> It's possible to pass by the external proxy for https request ?
>
> Thx
Re: [squid-users] restart authentication helpers
Mark Elsen wrote:

>> Hi,
>>
>> I'm using Squid 2.5.stable13 on RHEL4 with the squid_radius_auth
>> helper, and have checked Google, the squid FAQ, and the config guide.
>>
>> After a given squid_radius_auth has been running for a while it starts
>> to generate errors.
>
> What are these errors ?

The server is not here. I thought I copied all the file onto my notebook.

Ok, I just tried to use the squid and squidguard-Version of my ubuntu with that config. And it works. Does anybody know about bugs in the package of SuSE 10.1?

Philipp
Re: [squid-users] Latest Apple security update will not download through Squid cache
Brett,

I had a similar experience when we moved some Squid instances behind a Cisco CSS for load balancing. The problem turned out to be a combination of gigabit ethernet, new cards, and some tweaks to /etc/sysctl.conf on our Debian Linux boxes.

Apparently, the Cisco CSS were not configured to allow large TCP windows. Our squid and Apple's web server negotiated the connection to allow large frames, but when their web server tried sending one, it got stuck at our Cisco CSS. The transfer would predictably fail about 6K into the transfer.

If you think this has any application for you, our settings are:

    # egrep "^[a-zA-Z]" /etc/sysctl.conf
    net/ipv4/icmp_echo_ignore_broadcasts=1
    net/ipv4/tcp_syncookies=1
    net.ipv4.tcp_no_metrics_save = 1
    net.core.netdev_max_backlog = 2500
    net.core.rmem_max = 105472
    net.core.wmem_max = 105472
    net.ipv4.tcp_rmem = 4096 87380 174760
    net.ipv4.tcp_wmem = 4096 16384 131072
    vm/min_free_kbytes = 65536

    # uname -a
    Linux httpproxy1 2.6.15-1-686-smp #2 SMP Mon Mar 6 15:34:50 UTC 2006 i686 GNU/Linux

    # cat /etc/debian_version
    testing/unstable

Good luck,
-John Reddy

A user just complained to me that he could not download the latest Apple security update. On a hunch, I bypassed the transparent Squid proxy and the update installed properly. The Squid developers may want to investigate why this problem occurred. The version of Squid that's running is 2.5STABLE5.

--Brett Glass, LARIAT.NET
[squid-users] ASYNC IO Counters, close operation near zero.
Hello guys, that is my first post to this list.

We are using aufs in a squid + dansguardian box, and things go really slow around 4:00pm. We already dismissed bandwidth bottlenecks, and we have a lot of RAM in this box (around 4GB). The ASYNC IO counters look very different from what we supposed to see:

    ASYNC IO Counters:
    Operation       # Requests
    open            16466
    close           1
    cancel          16466
    write           0
    read            20392
    stat            0
    unlink          1128
    check_callback  635129
    queue           0

    Threads Status:
    #   ID          # Requests
    1   0x4247fbb0  2378
    2   0x4227ebb0  2381
    3   0x4207dbb0  2361
    4   0x41e7cbb0  2358
    5   0x41c7bbb0  2384
    6   0x41a7abb0  2367
    7   0x41879bb0  2352
    8   0x41678bb0  2363
    9   0x41477bb0  2380
    10  0x41276bb0  2367
    11  0x41075bb0  2371
    12  0x40e74bb0  2365
    13  0x40c73bb0  2398
    14  0x40a72bb0  2394
    15  0x40871bb0  2379
    16  0x40670bb0  2389

Shouldn't the close requests be equal to the cancel requests?

TIA
Re: [squid-users] Use a parent proxy for https connexions
> Hi,
> (excuse my English, I'm a frenchie :))
> I try to install squid on my network, but I have a simple problem with
> the HTTPS part.
> I need to pass by an external proxy (I can't do nothing about this),
> but I want a local cache.
> I add the parent cache:
> cache_peer 10.122.1.5 parent 8080 0 no-query default
> My ftp and http request pass by this proxy BUT (there is always a
> but): squid try to connect directly for https sites.
> It's possible to pass by the external proxy for https request ?

You need:

    never_direct allow all

in squid.conf. (See FAQ on using SQUID behind a Firewall)

M.
Re: [squid-users] restart authentication helpers
> Hi,
>
> I'm using Squid 2.5.stable13 on RHEL4 with the squid_radius_auth
> helper, and have checked Google, the squid FAQ, and the config guide.
>
> After a given squid_radius_auth has been running for a while it starts
> to generate errors.

What are these errors ?

> Right now, I'm clearing those errors with a squid -k reconfigure,
> which appears to restart all the helper processes.
>
> I'd like to restart helpers without kicking the whole cache -- say,
> every 5 minutes, or after answering 100 requests. Is there a way to
> do this?

M.
Re: [squid-users] Strange Problems with redirector
> Hi,
>
> I'm trying to configure Squid (2.5.STABLE12) to use squidGuard (1.2.0)
> on an OpenSuSE 10.1.
>
> But it doesn't work. Squid without a redirector starts up, but configured
> with a redirector (even if I use "cat") crashes on startup.
>
> Should I post my squid.conf on this ML?

Better: what's in cache.log ?

> Philipp
Re: [squid-users] encrypt password
Wed 2006-05-17 at 12:43 +0200, Žiga Dolher wrote:

> I would like that noone can read the squid.conf, because otherwise
> anyone can get the password.

Then set the permissions on squid.conf in such a manner that it's only accessible by the user who starts Squid.

    chmod og= /path/to/etc/squid.conf

Regards
Henrik
[squid-users] Strange Problems with redirector
Hi,

I'm trying to configure Squid (2.5.STABLE12) to use squidGuard (1.2.0) on an OpenSuSE 10.1.

But it doesn't work. Squid without a redirector starts up, but configured with a redirector (even if I use "cat") crashes on startup.

Should I post my squid.conf on this ML?

Philipp
[squid-users] restart authentication helpers
Hi,

I'm using Squid 2.5.stable13 on RHEL4 with the squid_radius_auth helper, and have checked Google, the squid FAQ, and the config guide.

After a given squid_radius_auth has been running for a while it starts to generate errors. Right now, I'm clearing those errors with a squid -k reconfigure, which appears to restart all the helper processes.

I'd like to restart helpers without kicking the whole cache -- say, every 5 minutes, or after answering 100 requests. Is there a way to do this?

Thanks,
==ml

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
Re: [squid-users] Via: info
Hello Brent Clark,

Yes, it is possible. You can use

    header_access Via deny all

Thanks,
Visolve Squid Team,
http://squid.visolve.com

On Wed, 2006-05-17 at 09:33 +0200, Brent Clark wrote:
> Hi all
>
> Im currently running nikto against my hosted box.
>
> In the audit file I see this
>
> Via: 1.0 my.machine.co.za:3128 (squid/2.5.STABLE13)
>
> Anyone know how I can switch this off, would it be possible to hide this
>
> Kind Regards
>
> Brent Clark
[squid-users] Use a parent proxy for https connexions
Hi,
(excuse my English, I'm a frenchie :))

I try to install squid on my network, but I have a simple problem with the HTTPS part. I need to pass by an external proxy (I can't do nothing about this), but I want a local cache.

I add the parent cache:

    cache_peer 10.122.1.5 parent 8080 0 no-query default

My ftp and http request pass by this proxy BUT (there is always a but): squid try to connect directly for https sites. It's possible to pass by the external proxy for https request ?

Thx

--
Julien Cabillot
Re: [squid-users] encrypt password
Wed 2006-05-17 at 00:33 +0200, Žiga Dolher wrote:

> cache_peer server parent 8080 0 no-query default login=aaa:bbb
>
> I would like to encrypt the aaa and the bbb.

And where do you want the encryption key stored so Squid can decrypt the values?

Regards
Henrik
RE: [squid-users] Squid / ident / dansguardian
Hello,

Somebody advised me to position DansGuardian between Squid and Internet (instead of placing it between customers and Squid). That requires to configure Squid so that it makes call to DansGuardian as with a proxy relative. The stations will be connected then directly to Squid, it will allow to use all the functionalities of authentication and of ACLs of Squid.

Do you have a small idea? Can you explain to me how to make?

Thank you

Hello,

> I removed the file msntauth.allowusers. Only the users present in the ACL
> UtilAutorises Ident are taken into account.
>
> If I go on Internet, that functions but when I stopped the service Ident, I
> should not authenticate myself. It is always the same problem.

What exactly do you mean: "It is always the same problem"? When you stop ident, Squid will of course deny access (as you only allow users which can be identified).

I haven't used DansGuardian so far. Did you try to do the authentication with Squid alone (not involving DansGuardian at all)? I'd try something like this:

    acl ServiceInfo ident /etc/squid/listeUtilisateurs
    acl authenticate proxy_auth REQUIRED
    http_access allow ServiceInfo
    http_access allow authenticate
    http_access deny all

Then configure your external authenticator (auth_param).

Regards,

Peter

--
Peter Albrecht, Novell Training Services, [EMAIL PROTECTED]
Re: [squid-users] Hacking Squid
Tue 2006-05-16 at 17:40 -0700, David Neudorfer wrote:

> Example: User 123456 is proxied through 123456.squidproxy.com. Like
> apache I want to set squid to pickup the fact that this user is
> connecting to 123456.squidproxy.com and not 654321.squidproxy.com and
> then forward this data in the header. Anyone have any ideas how this
> might be done?

First of all these must be unique IP addresses to be able to distinguish between the two. The proxy hostname is only used by the client for resolving into the IP to connect to, it's not forwarded to the proxy (the proxy is assumed to know who he is, and the proxy name not important or even relevant to HTTP operation..)

Regards
Henrik
Re: [squid-users] memory leaks
Wed 2006-05-17 at 09:40 +0300, Edvard Chitro wrote:

> Top and PS gives me nothing ... according to them my box only consumes
> only ~ 100 MB ...

Yes, got this impression as well.. so it's not Squid.

> gw:~# cat /proc/slabinfo

This accounts for ca 300MB...

> inode_cache       451649 451892    512 64554 64556    1
> dentry_cache      505383 505410    128 16847 16847    1

and these two alone 280MB of those...

Regards
Henrik
Re: [squid-users] Zero hit rate on reverse proxy server with Squid
Tue 2006-05-16 at 18:19 -0700, Michael T. Halligan wrote:

> > a) Authentication was used, and the server did not indicate the
> > content
> > is public (not requiring authentication).
> >
> Is there something special that I need to do in apache to make it
> say that the data is "public" once
> it's been authenticated?

Data requiring authentication is per definition not public, it's limited access.

Data which can be considered public (unlimited access) even if the server normally requires authentication can be marked as such by including a "Cache-Control: public" header in the HTTP response. This tells caches that the content is considered "unlimited access" even if the request which gave this content included authentication credentials.

> > b) Reload request (max-age=0)
> >
> > c) If-Modified-Since can only be cached once the object as such has
> > been
> > cached.
>
> I'm rather squid illiterate here. Where do I begin to research these
> two statements?

b) Don't use the reload button when testing the cache. The reload button tells caches that the client wants a fresh copy by including the above mentioned criteria in its request.

c) Start with a clean browser cache when testing. Squid can only cache content which has been seen by Squid. Positive cache validations of content not yet seen by Squid is not cached.

A good document explaining how HTTP caching works and how to make proper use of it is "Caching Tutorial for Web Authors and Webmasters" <http://www.mnot.net/cache_docs/>. It not only explains the concepts involved but also how this maps to several common HTTP servers and related technologies.

Regards
Henrik
RE: [squid-users] tcp_outgoing_address + Authentication
Tue 2006-05-16 at 23:46 +0100, Shadi Almosri wrote:

> tcp_outgoing_address 19.93.97.250 19_93_97_250
> tcp_outgoing_address 19.93.97.251 19_93_97_251
> tcp_outgoing_address 19.93.97.252 19_93_97_252
> tcp_outgoing_address 19.93.97.253 19_93_97_253
> tcp_outgoing_address 19.93.97.254 19_93_97_254
>
> This is the main issue that am not able to get working (the authentication
> per IP can be done later) it's the fact that squid seems to use the first ip
> for all outgoing connections and not the ip's specified.

Unless you have changed the 19_93_97_25X acls into something more meaningful than "every authenticated user" the above won't work as all users are matched by the first rule.

You need to make ACLs which identify the individual user (or groups of users) and use these ACLs in tcp_outgoing_address to select which IP is assigned to the user.

The name of an acl has no impact on what the ACL matches, it's just a name. The acl matches what comes after the name. "proxy_auth REQUIRED" means authentication is required (proxy_auth) and that the acl matches every authenticated user (REQUIRED).

Regards
Henrik
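
Added example, not part of the thread: a small shell/awk check that reports tcp_outgoing_address rules which can never be selected because an earlier rule already matches every authenticated user. The ACL definitions in the sample configs and the logins alice, bob and carol are assumptions; the thread only shows the tcp_outgoing_address lines.

```shell
#!/bin/sh
# Squid uses the first tcp_outgoing_address line whose ACLs all match, so a
# rule is shadowed once an earlier line matches every authenticated user.

# find_shadowed_rules FILE
# Prints "LINE_NO ADDRESS" for each rule that can never be reached.
find_shadowed_rules() {
    awk '
        { sub(/#.*/, "") }                    # drop comments
        # "acl NAME proxy_auth ... REQUIRED" matches any authenticated user
        $1 == "acl" && $3 == "proxy_auth" {
            for (i = 4; i <= NF; i++)
                if ($i == "REQUIRED") catch_all[$2] = 1
            next
        }
        $1 == "tcp_outgoing_address" {
            if (shadowed_by) print NR, $2
            # A line is a catch-all if it lists no ACLs, or only ACLs that
            # match every authenticated user (negated ACLs never qualify).
            all = 1
            for (i = 3; i <= NF; i++)
                if (!($i in catch_all)) all = 0
            if (all && !shadowed_by) shadowed_by = NR
        }
    ' "$1"
}

# Constructed sample: ACL names copied from the thread, definitions assumed.
write_broken_conf() {
    cat > "$1" <<'EOF'
acl 19_93_97_250 proxy_auth REQUIRED
acl 19_93_97_251 proxy_auth REQUIRED
acl 19_93_97_252 proxy_auth REQUIRED
tcp_outgoing_address 19.93.97.250 19_93_97_250
tcp_outgoing_address 19.93.97.251 19_93_97_251
tcp_outgoing_address 19.93.97.252 19_93_97_252
EOF
}

# Corrected form: each ACL names specific users (hypothetical logins).
write_fixed_conf() {
    cat > "$1" <<'EOF'
acl 19_93_97_250 proxy_auth alice
acl 19_93_97_251 proxy_auth bob
acl 19_93_97_252 proxy_auth carol
tcp_outgoing_address 19.93.97.250 19_93_97_250
tcp_outgoing_address 19.93.97.251 19_93_97_251
tcp_outgoing_address 19.93.97.252 19_93_97_252
EOF
}

tmp=$(mktemp -d)
write_broken_conf "$tmp/broken.conf"
write_fixed_conf "$tmp/fixed.conf"
echo "shadowed rules in broken.conf:"; find_shadowed_rules "$tmp/broken.conf"
echo "shadowed rules in fixed.conf:";  find_shadowed_rules "$tmp/fixed.conf"
rm -rf "$tmp"
```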
Re: [squid-users] Via: info
On Wed, May 17, 2006 at 09:33:38AM +0200, Brent Clark wrote:

> Im currently running nikto against my hosted box.
>
> In the audit file I see this
>
> Via: 1.0 my.machine.co.za:3128 (squid/2.5.STABLE13)
>
> Anyone know how I can switch this off, would it be possible to hide this

    header_access Via deny all

Kindly
Christoph

--
Please reply to the list - not to me personally. Personal replies are ignored.
Re: [squid-users] encrypt password
On Wed, May 17, 2006 at 12:33:50AM +0200, Žiga Dolher wrote:

> does anyone know how can I hide the password in squid.conf for the
> function cache_peer?

You could use proper permissions so that only administrators get access to the squid.conf.

Kindly
Christoph

--
Please reply to the list - not to me personally. Personal replies are ignored.
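
Added example, not part of the thread: a shell check for the situation discussed in the "encrypt password" replies, reporting whether a squid.conf that carries a cache_peer login=user:password option is still readable by group or other. The function names are hypothetical and the sample config line is the one quoted in the thread.

```shell
#!/bin/sh
# Audit a squid.conf for cache_peer credentials and loose file permissions.

# has_peer_credentials FILE
# Exit status 0 if any cache_peer line carries login=user:password
# (login=PASS has no embedded password and is not reported).
has_peer_credentials() {
    awk '
        { sub(/#.*/, "") }                    # ignore comments
        $1 == "cache_peer" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^login=[^:]+:.+/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# group_other_bits FILE
# Prints the six group/other permission characters, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_conf FILE
# Prints "no-credentials", "restricted" or "exposed".
audit_conf() {
    if ! has_peer_credentials "$1"; then
        echo "no-credentials"
    elif [ "$(group_other_bits "$1")" = "------" ]; then
        echo "restricted"
    else
        echo "exposed"
    fi
}

# Constructed sample file using the cache_peer line quoted in the thread.
conf=$(mktemp)
echo 'cache_peer server parent 8080 0 no-query default login=aaa:bbb' > "$conf"
chmod 644 "$conf"
echo "mode 644:      $(audit_conf "$conf")"
chmod og= "$conf"                             # the fix suggested in the thread
echo "after og=:     $(audit_conf "$conf")"
rm -f "$conf"
```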
[squid-users] Via: info
Hi all

Im currently running nikto against my hosted box.

In the audit file I see this

    Via: 1.0 my.machine.co.za:3128 (squid/2.5.STABLE13)

Anyone know how I can switch this off, would it be possible to hide this

Kind Regards

Brent Clark
[squid-users] Reverse proxy for availability
Hi list,

We're planning to use Squid as a reverse proxy for availability purposes. The idea is to break some rules by setting the cache to be very aggressive and very persistent:

    refresh_pattern . 10080 100% 10080 ignore-reload override-lastmod override-expire

Provided there is enough disk space:

- Is it alright to assume that should the origin webserver be down for a long period of time, Squid will continue to serve all cached pages reliably for a time up to 10080 ?

Cheers,
Eb.

--
EBB