Re: [squid-users] how to disable squid access log
On Sun, 2006-05-21 at 19:53 -0700, Juntao Gao wrote:
> the Access log file in my system increase quickly. how to disable it?

From squid.conf:

#  TAG: cache_access_log
#  Logs the client request activity. Contains an entry for
#  every HTTP and ICP queries received. To disable, enter none.

In either case you must make sure you have configured log rotation properly.

http://wiki.squid-cache.org/SquidFaq/SquidLogs

Regards
Henrik

Re: [squid-users] Tunning cache and memory dedicated
On 21.05.06 19:22, Aguiar Magalhaes wrote:
> I'm using squid 2.5 and everything looks well. The pages are downloading
> quickly, I'm blocking some bad pages and sites, etc.
>
> I'd like to know if the cache and memory dedicated are correct for my LAN.
>
> I have about 200 hosts and the squid and the firewall are installed on
> the same machine, with 01 GB RAM and the partition has 08 GB.
>
> I'm using:
>
> cache_mem 512 MB
> cache_dir ufs /usr/data/squid/cache 5120 16 256

I'd say 512MB is too much for such a host. I use 128MB and decreased it from 256MB, while I have ~42GB in two cache_dirs.

Note that only objects fetched from remote servers stay in the memory cache; objects that were cached and are sent from disk are not stored in the memory cache.

By using that huge memory cache you decrease the amount of memory usable by the system, which means disk cache, buffers, etc.

For a network with 200 hosts, I'd buy a dedicated disk drive for caching.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/

Re: [squid-users] Transperent Proxy and Block Ports
On 22.05.06 10:44, Harish Pokharel wrote:
> I am using a transparent proxy using port redirection through iptables
> and I am unable to block ports. Can't I block ports using a transparent
> proxy?

Actually, you can, but it's probably useless. With a transparent proxy, YOU decide what traffic (hosts, ports etc) to redirect to the proxy, what to pass and what to block.

So it's useless to redirect the traffic to the proxy just to block it, unless you want to have customised error pages.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/

[squid-users] Restrict Access based on time
Hi All

How can I restrict a particular ip to access for a certain duration of time? I am using a transparent proxy. I have done following

#---
acl testuser src 192.168.2.100/255.255.255.255
acl testtime time D 07:00-08:55
http_access allow testuser testtime
#--

--
Harish Pokharel

[squid-users] Unknown error/warning in cache.log
Hello,

I found an error or warning in my cache.log:

temporary disabling (Bad Gateway) digest from localhost

Squid is configured to use another (anti-virus) proxy on localhost.

Where can I start searching for the reason for this log entry? What exactly does it mean?

Thanks a lot!

--
Greetings,
Michael

Re: [squid-users] Restrict Access based on time
On Mon, May 22, 2006 at 03:54:45PM +0545, Harish Pokharel wrote:
> How can I restrict a particular ip to access for a certain duration of
> time? I am using a transparent proxy. I have done following
>
> #---
> acl testuser src 192.168.2.100/255.255.255.255
> acl testtime time D 07:00-08:55
> http_access allow testuser testtime
> #--

Add a:

http_access deny testuser

I assume you are allowing access anyway below this line. So if the user is not caught by your http_access line it would be granted access later.

Kindly
Christoph

RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
Hello,

I did the same, but CPU load did not decrease significantly. Why?

Kind Regards,
Graziano

ELSAG DOI - Divisione Outsourcing Informatico
Graziano Sommariva, ICT Network Manager

-----Original Message-----
From: Michal Mihalik [mailto:[EMAIL PROTECTED]
Sent: Wednesday 29 March 2006 9.03
To: 'Chris Robertson'
Cc: Squid Users
Subject: RE: [squid-users] squid performance epoll. 350req/sec 100% cpu

Hi,

At the end I did get it running. The load dropped massively. To about 16%cpu at 400req/sec. (originally 100%cpu). If there are no other problems with it, I would really suggest it to everyone who has a CPU problem.

Thanks to people in this list.

Mike

-----Original Message-----
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 28, 2006 10:05 PM
To: Michal Mihalik
Subject: Re: [squid-users] squid performance epoll. 350req/sec 100% cpu

Michal Mihalik wrote:
> Hi
> ok I learned the strace and it does call select (99% of time)
> looks like my epoll is not active :-((
> and I did find that I didn't compile it as I should.
> But now I am unable to compile because of these errors.
> I don't have automake 1.5 (only 1.4 1.6 1.7 1.9)
> And autoconf too
> I do have debian stable... And added to it apt sources - testing (to get latest squid)
> Can someone help to run this? I don't understand this whole thing of automake autoconf
>
> SNIP
>
> Thanks
> Mike

Did you ever get epoll working? If not, read the messages at http://www.squid-cache.org/mail-archive/squid-users/200602/0609.html and http://www.squid-cache.org/mail-archive/squid-users/200602/0611.html. If so, how has it been working for you?

Chris

[Fwd: Re: [squid-users] Restrict Access based on time]
-------- Original Message --------
Subject: Re: [squid-users] Restrict Access based on time
From: Christoph Haas [EMAIL PROTECTED]
Date: Mon, May 22, 2006 4:15 pm
To: squid-users@squid-cache.org

On Mon, May 22, 2006 at 03:54:45PM +0545, Harish Pokharel wrote:
> How can I restrict a particular ip to access for a certain duration of
> time? I am using a transparent proxy. I have done following
>
> #---
> acl testuser src 192.168.2.100/255.255.255.255
> acl testtime time D 07:00-08:55
> http_access allow testuser testtime
> #--

Add a:

http_access deny testuser

I assume you are allowing access anyway below this line. So if the user is not caught by your http_access line it would be granted access later.

Kindly
Christoph

Thanks, Hurray

--
Harish Pokharel

Re: [squid-users] how to disable squid access log
Hello,

If your Squid version is 2.4, you can use

cache_access_log /dev/null

If your Squid version is 2.5, you can use

cache_access_log none

to disable the access log file.

Thanks,
Visolve Squid Team,
http://squid.visolve.com

On Sun, 2006-05-21 at 19:53 -0700, Juntao Gao wrote:
> Hi,
> the Access log file in my system increase quickly. how to disable it?
> use /dev/null ? the access log file seems is not recycled.
>
> Thanks
> Ted

[squid-users] Authentication Prompt on one blocked acl
I'm using NTLM authentication and it works fine but I have an acl blocking browser regexp windows mediaplayer. Every time I pull up a page with the media player embedded it prompts for authentication. Other than that it never prompts. Any ideas?

Steve Wilson Jr
Loxias IT Solutions
[EMAIL PROTECTED]

[squid-users] Ldap authentication question
Hello, this is my first post, so be gentle ;-)

I work for a public school system currently using Novell BorderManager as a proxy. We are looking to move to squid, but I don't have a lot of experience with squid to know if what we need is even possible with squid.

Here is what we need:

- User login page authenticated to LDAP, but *not in a popup box*; we need a BorderManager type login page with some sort of encryption. Plaintext passwords are not acceptable.

- Once authenticated, the user should not have to authenticate again (even with a browser closed and no traffic) from that ip until (A) the user logs off, or (B) the session times out (1 hour). (Due to online testing that sometimes lasts several hours without any traffic.)

We have squid set up to work with the network, but LDAP authentication with pam is not doing the job we need. As soon as the user closes the web browser the session expires, and a basic http auth would cause too much confusion for users that are used to a login page.

Any help, even just pointing me in the right direction, would be great.

Thanks,
Aaron.

--
-Aaron-
[EMAIL PROTECTED]

Re: [squid-users] Unknown error/warning in cache.log
On Mon, 2006-05-22 at 11:53 +0200, Michael Liebl wrote:
> temporary disabling (Bad Gateway) digest from localhost
>
> Squid is configured to use an other (Anti-virus-)Proxy on localhost.
>
> Where can I start searching for the reason of this log-entry?

The cache_peer directive in squid.conf..

> What exactly does it mean?

That your Squid is built with support for cache digests, and its peer doesn't support digest but you have not told this to Squid..

Regards
Henrik

RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
On Mon, 2006-05-22 at 12:53 +0200, Sommariva Graziano wrote:
> Hello,
> I did the same, but CPU load did not decrease significantly, Why?

Did you bootstrap the sources?

Did you enable the epoll support in your configure line?

Regards
Henrik

Re: [squid-users] make errors after applying customlog-2_5.patch
Works like a charm! Thanks for taking care of this so quickly.

All hail Squid! All hail Squid!

On May 21, 2006, at 7:56 PM, Henrik Nordstrom wrote:
> On Sat, 2006-05-20 at 22:32 -0400, Gary Kahn wrote:
>> Hello Everybody,
>> I am getting make errors after applying the customlog-2_5.patch.
>>
>> logfile.c: In function ‘syslog_ntoa’:
>> logfile.c:49: error: syntax error before ‘_symbols’
>
> Should be fixed in the next version of the patch available in a few hours..
>
> Regards
> Henrik

RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
> Did you bootstrap the sources?

What do you mean? I applied the patch.

> Did you enable the epoll support in your configure line?

Yes.

ELSAG DOI - Divisione Outsourcing Informatico
Graziano Sommariva, ICT Network Manager

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday 22 May 2006 16.36
To: Sommariva Graziano
Cc: Squid Users
Subject: RE: [squid-users] squid performance epoll. 350req/sec 100% cpu

On Mon, 2006-05-22 at 12:53 +0200, Sommariva Graziano wrote:
> Hello,
> I did the same, but CPU load did not decrease significantly, Why?

Did you bootstrap the sources?

Did you enable the epoll support in your configure line?

Regards
Henrik

RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
This is the result of bootstrap.sh:

WARNING: Cannot find autoconf version 2.13
Trying autoconf (GNU Autoconf) 2.59
autoheader: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader: WARNING: is deprecated and discouraged.
autoheader:
autoheader: WARNING: Using the third argument of `AC_DEFINE' and
autoheader: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
autoheader: WARNING: `acconfig.h':
autoheader:
autoheader: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader: [Define if a function `main' is needed.])
autoheader:
autoheader: WARNING: More sophisticated templates can also be produced, see the
autoheader: WARNING: documentation.
configure.in:13: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:628: AM_CONFIG_HEADER is expanded from...
configure.in:13: the top level
configure.in:1555: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1555: the top level
configure.in:2552: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:641: _AM_DIRNAME is expanded from...
configure.in:2552: the top level
configure.in:13: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:628: AM_CONFIG_HEADER is expanded from...
configure.in:13: the top level
configure.in:1555: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1555: the top level
configure.in:2552: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:641: _AM_DIRNAME is expanded from...
configure.in:2552: the top level
configure.in:2365: error: do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs LIBOBJS'
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoconf failed
Autotool bootstrapping failed. You will need to investigate and correct
before you can develop on this source tree

ELSAG DOI - Divisione Outsourcing Informatico
Graziano Sommariva, ICT Network Manager

-----Original Message-----
From: Sommariva Graziano [mailto:[EMAIL PROTECTED]
Sent: Monday 22 May 2006 12.54
To: Michal Mihalik; Chris Robertson
Cc: Squid Users
Subject: RE: [squid-users] squid performance epoll. 350req/sec 100% cpu

Hello,

I did the same, but CPU load did not decrease significantly. Why?

Kind Regards,
Graziano

RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
On Mon, 2006-05-22 at 16:40 +0200, Sommariva Graziano wrote:
>> Did you bootstrap the sources?
>
> What do you mean? I applied the patch.

Did you run the bootstrap.sh script after applying the patch?

Regards
Henrik

[squid-users] Re: Unknown error/warning in cache.log
On Monday, 22 May 2006, Henrik wrote:
>> temporary disabling (Bad Gateway) digest from localhost
>
> The cache_peer directive in squid.conf..
>
> That your Squid is build with support for cache digests, and it's peer
> doesn't support digest but you have not told this to Squid..

I added the option no-digest and the message disappeared.

Thank you!

--
Greetings,
Michael

[squid-users] Trying to block IM's
I'm trying to block IM's like MSN, Yahoo..etc...etc

I've taken acl's from this list but it doesn't seem to be working.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 4156
acl CONNECT method CONNECT
acl usit src 10.133.0.0/16 10.1.0.0/16
acl ICQ url_regex -i .icq.com
acl MSN req_mime_type ^application/x-msn-messenger$
acl YAHOO url_regex .msg.yahoo.com
acl CHAT url_regex -i webmessenger .webmessenger .messenger.* messenger.yahoo gateway.dll messenger.msn mirc icq.com go.icq miranda-im.org
acl WEBMSN url_regex -i .webmessenger.msn.com
acl EMESS url_regex -i .e-messenger.net .webmessenger.msn.com/* iloveim.com
acl TALK url_regex -i .google.com/talk talk.google.com .google.com/talk* .google.*/talk*

http_access allow manager usit
http_access deny manager
http_access deny !Safe_ports
http_access allow CONNECT
http_access allow localhost
http_access allow usit
http_access deny MSN
http_access deny ICQ
http_access deny YAHOO
http_access deny CHAT
http_access deny WEBMSN
http_access deny EMESS
http_access deny TALK
http_access deny all

Re: [squid-users] Trying to block IM's
Nor will it. Those IM applications are designed to work around firewalls and blocking mechanisms. They'll even use port 80 to communicate, if they have to.

If you really want to block IMs (it's debatable whether doing so is truly worth the effort), you need to use an Intrusion Detection System like snort. The snort community has already developed the definitions/signatures to use for blocking IMs.

There is a learning curve with setting up snort, but it's an incredibly sophisticated and powerful tool.

Hope this helps.

Tim Rainier

Chris Boyd [EMAIL PROTECTED] wrote on 05/22/2006 11:47:29 AM:
> I'm trying to block IM's like MSN, Yahoo..etc...etc
>
> I've taken acl's from this list but it doesn't seem to be working.
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 4156
> acl CONNECT method CONNECT
> acl usit src 10.133.0.0/16 10.1.0.0/16
> acl ICQ url_regex -i .icq.com
> acl MSN req_mime_type ^application/x-msn-messenger$
> acl YAHOO url_regex .msg.yahoo.com
> acl CHAT url_regex -i webmessenger .webmessenger .messenger.* messenger.yahoo gateway.dll messenger.msn mirc icq.com go.icq miranda-im.org
> acl WEBMSN url_regex -i .webmessenger.msn.com
> acl EMESS url_regex -i .e-messenger.net .webmessenger.msn.com/* iloveim.com
> acl TALK url_regex -i .google.com/talk talk.google.com .google.com/talk* .google.*/talk*
>
> http_access allow manager usit
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow CONNECT
> http_access allow localhost
> http_access allow usit
> http_access deny MSN
> http_access deny ICQ
> http_access deny YAHOO
> http_access deny CHAT
> http_access deny WEBMSN
> http_access deny EMESS
> http_access deny TALK
> http_access deny all

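The time-restriction thread above and the http_access list posted in this thread both depend on the order in which Squid walks http_access lines, so here is a small first-match evaluator as an added example (not code from any poster or from Squid itself). It models only the src, time and url_regex ACL types and says nothing about IM clients that tunnel or change ports; the `lan` ACL, the client addresses, the sample requests and the reordered IM variant are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Squid day codes for the "time" ACL type; "D" means Monday to Friday.
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse(conf):
    """Parse the squid.conf subset used in these threads into (acls, rules)."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            # Repeated "acl NAME ..." lines add alternatives to the same ACL.
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:], " ".join(words)))
    return acls, rules


def acl_matches(kind, args, req):
    """Test one ACL definition against a request dict (src, url, when)."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":
        days = args[0] if len(args) == 2 else "SMTWHFA"
        wanted = set()
        for code in days:
            wanted |= set(range(5)) if code == "D" else {DAY_CODES[code]}
        start, end = args[-1].split("-")
        hhmm = req["when"].strftime("%H:%M")
        return req["when"].weekday() in wanted and start <= hhmm <= end
    if kind == "url_regex":
        flags = re.IGNORECASE if args[0] == "-i" else 0
        patterns = args[1:] if args[0] == "-i" else args
        return any(re.search(p, req["url"], flags) for p in patterns)
    raise ValueError("ACL type not modelled here: " + kind)


def decide(conf, req):
    """Return (action, deciding_line) using first-match http_access order."""
    acls, rules = parse(conf)

    def holds(name):
        negate = name.startswith("!")
        hit = any(acl_matches(k, a, req) for k, a in acls[name.lstrip("!")])
        return hit != negate

    for action, names, text in rules:
        if all(holds(n) for n in names):  # ACLs on one line are ANDed
            return action, text
    # Nothing matched: Squid applies the opposite of the last rule.
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, "(no match: opposite of last http_access line)"


# Constructed from the time-restriction thread. The lan ACL and the two rules
# after the testuser line are assumed ("allowing access anyway below").
TIME_AS_POSTED = """
acl lan src 192.168.2.0/24
acl all src 0.0.0.0/0
acl testuser src 192.168.2.100/255.255.255.255
acl testtime time D 07:00-08:55
http_access allow testuser testtime
http_access allow lan
http_access deny all
"""
TIME_WITH_DENY = TIME_AS_POSTED.replace(
    "http_access allow lan", "http_access deny testuser\nhttp_access allow lan")

# Subset of the IM-blocking config, rule order as posted in the thread.
IM_AS_POSTED = """
acl all src 0.0.0.0/0
acl usit src 10.133.0.0/16 10.1.0.0/16
acl ICQ url_regex -i .icq.com
http_access allow usit
http_access deny ICQ
http_access deny all
"""
# Added variant: the same rules with the deny placed above the broad allow.
IM_DENY_FIRST = IM_AS_POSTED.replace(
    "http_access allow usit\nhttp_access deny ICQ",
    "http_access deny ICQ\nhttp_access allow usit")

# Constructed sample requests (2006-05-22 was a Monday).
LATE = {"src": "192.168.2.100", "url": "http://example.org/",
        "when": datetime(2006, 5, 22, 10, 0)}
CHAT = {"src": "10.133.4.7", "url": "http://www.icq.com/",
        "when": datetime(2006, 5, 22, 10, 0)}


def demo():
    return [decide(TIME_AS_POSTED, LATE), decide(TIME_WITH_DENY, LATE),
            decide(IM_AS_POSTED, CHAT), decide(IM_DENY_FIRST, CHAT)]


if __name__ == "__main__":
    for action, line in demo():
        print(f"{action:5}  <- {line}")
```

Running it prints which http_access line decided each request, which is the quickest way to see whether a later deny line is ever reached.
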
Re: [squid-users] Re: Unknown error/warning in cache.log
It's simply telling you that the peer squid box was not compiled to support digest mode, but this squid box was and you have digest mode enabled for it.

If you really need digest mode, recompile your digest squid box to support digest mode. :-)

Tim Rainier

news [EMAIL PROTECTED] wrote on 05/22/2006 10:51:14 AM:
> On Monday, 22 May 2006, Henrik wrote:
>>> temporary disabling (Bad Gateway) digest from localhost
>>
>> The cache_peer directive in squid.conf..
>>
>> That your Squid is build with support for cache digests, and it's peer
>> doesn't support digest but you have not told this to Squid..
>
> I added the option no-digest and the message disappeared.
>
> Thank you!
>
> --
> Greetings,
> Michael

[squid-users] How Do I Drop Object From Cache?
Hello.

I have tried using:

./squidclient -h localhost -p 3030 -m PURGE http://www.cnn.com/URL-to-delete-from-cache

And I get permission denied. Could someone please tell me what restricts this and how I can change it?

How/what is the best way to delete things from cache when they have been found to be bad?

Thanks again,

.vp

Re: [squid-users] squid performance epoll. 350req/sec 100% cpu
Sommariva Graziano wrote:
> This is the result of bootstrap.sh:
>
> WARNING: Cannot find autoconf version 2.13
> Trying autoconf (GNU Autoconf) 2.59
>
> SNIP
>
> autoconf failed
> Autotool bootstrapping failed. You will need to investigate and correct
> before you can develop on this source tree

See http://www.squid-cache.org/mail-archive/squid-users/200602/0609.html and http://www.squid-cache.org/mail-archive/squid-users/200602/0611.html.

Chris

Re: [squid-users] make errors after applying customlog-2_5.patch
On Mon, 2006-05-22 at 10:39 -0400, Gary Kahn wrote:
> Works like a charm! Thanks for taking care of this so quickly.

Thanks!

Regards
Henrik

RE: [squid-users] Re: How Do I Drop Object From Cache?
Thank you Joost,

It works, and I've enabled my inside LAN as well.

.vp

From: Joost de Heer [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Vadim Pushkin [EMAIL PROTECTED]
CC: squid-users@squid-cache.org
Subject: [squid-users] Re: How Do I Drop Object From Cache?
Date: Mon, 22 May 2006 22:36:45 +0200 (CEST)

Vadim Pushkin wrote:
> Hello.
>
> I have tried using:
>
> ./squidclient -h localhost -p 3030 -m PURGE http://www.cnn.com/URL-to-delete-from-cache
>
> And I get permission denied. Could someone please tell me what restricts
> this and how I can change it?

To allow purge from localhost:

acl purge method purge
acl localhost src 127.0.0.0/255.0.0.0
http_access allow purge localhost
http_access deny purge

Enabling purge for other hosts is left as exercise for the reader.

Joost

Re: [squid-users] tcp_outgoing_address + Authentication
Shadi Almosri wrote:
> Hiya All,
>
> I have managed to get squid up and running and authenticating users that
> attempt to access it. Now my problem is this. I have 5 IP addresses;
> depending on which IP address the users use I need the
> tcp_outgoing_address to be different. Here are the settings so far (might
> give you a better idea):
>
> acl 19_93_97_250 proxy_auth REQUIRED
> acl 19_93_97_251 proxy_auth REQUIRED
> acl 19_93_97_252 proxy_auth REQUIRED
> acl 19_93_97_253 proxy_auth REQUIRED
> acl 19_93_97_254 proxy_auth REQUIRED
>
> http_access allow 19_93_97_250
> http_access allow 19_93_97_251
> http_access allow 19_93_97_252
> http_access allow 19_93_97_253
> http_access allow 19_93_97_254
> http_access deny all
>
> tcp_outgoing_address 19.93.97.250 19_93_97_250
> tcp_outgoing_address 19.93.97.251 19_93_97_251
> tcp_outgoing_address 19.93.97.252 19_93_97_252
> tcp_outgoing_address 19.93.97.253 19_93_97_253
> tcp_outgoing_address 19.93.97.254 19_93_97_254
>
> All requests still seem to be going through the first ip unfortunately.
>
> Now the second dilemma I will also face is I would need only specific
> authenticated users to be able to use each IP, for example user_1 is
> authenticated but should only be able to access the proxy on IP
> 19.93.97.252 and none of the others.
>
> Any clues on how to get this going would be appreciated!
>
> Regards
> Shadi

If I'm reading this correctly, you have five IP addresses that clients might use to access the cache, correct? If that's the case, look into the myip acl for part of this puzzle. If this is wrong, ignore the rest of this message.

Use the following as a guide...

acl 19_93_97_250 myip 19.93.97.250/32 # ACL defining the incoming IP
acl 250_users proxy_auth jim bob joe # Users allowed on this IP
http_access allow 19_93_97_250 250_users # Putting the two together
http_access deny 19_93_97_250 # deny all other access to this IP
tcp_outgoing_address 19.93.97.250 19_93_97_250 # Traffic that comes in on this IP, goes out on this IP

Chris

Re: [squid-users] Mixed environment performance
Nathan Bell wrote:
> Hello fellow squid wranglers,
>
> I'm running squid on a network with about 10 linux stations (with 15+
> simultaneous users per station), and about 20 windows stations (with only
> one user per station). Top download speed is the same for both linux and
> windows boxes, but overall browsing is significantly slower on the windows
> boxes.
>
> At first I thought the problem was with the windows boxes not receiving
> the dns information quickly, but tests have shown otherwise. There is a
> delay of one to two seconds for each connection to squid. For instance, a
> page with several images would take 4 seconds to fully render, first two
> seconds to load the page, then two seconds as it concurrently downloads
> each image. If the user were to go to that page again I can watch the
> squid logs and see a TCP_HIT for each image and the web page, but the
> render time remains the same. If I allow the machine to directly connect
> to the internet (using the same dns servers) there is no such delay when
> rendering pages.
>
> Each windows box allowed through the proxy is listed in acl/pc_hosts and
> each linux box is listed in acl/unix_hosts with each user either in
> acl/allow_user or acl/deny_user.
>
> The pertinent parts of my squid.conf are such:
>
> acl allow_user ident /etc/squid/acl/allow_user
> acl deny_user ident /etc/squid/acl/deny_user
> acl unix_hosts srcdomain /etc/squid/acl/unix_hosts
> acl pc_hosts srcdomain /etc/squid/acl/pc_hosts

Reverse the next two lines...

> http_access allow allow_user !deny_user unix_hosts
> http_access allow pc_hosts

In other words...

http_access allow pc_hosts
http_access allow allow_user !deny_user unix_hosts

... as this will allow the pc_hosts without trying to do an ident lookup.

> Is there a performance penalty for having pc_hosts that don't
> authenticate alongside unix_hosts that do? Is squid trying to access a
> non-existent ident server on the windows stations? Is there a better way
> to define access for pc_hosts? Any help with this matter would be greatly
> appreciated.

Yes. Yes. See above. Otherwise, you could run an ident server on the PCs.

> The full squid.conf follows:
>
> http_port proxy:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> request_body_max_size 0
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl porn url_regex /etc/squid/acl/porn
> acl porn1 url_regex /etc/squid/acl/porn1
> acl noporn url_regex /etc/squid/acl/noporn
> acl allow_user ident /etc/squid/acl/allow_user
> acl deny_user ident /etc/squid/acl/deny_user
> acl allow_sites dstdomain /etc/squid/acl/allow_sites
> acl unix_hosts srcdomain /etc/squid/acl/unix_hosts
> acl pc_hosts srcdomain /etc/squid/acl/pc_hosts
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow allow_sites
> http_access deny porn porn1 !noporn
> http_access allow allow_user !deny_user unix_hosts
> http_access allow pc_hosts
> http_access deny all
> http_reply_access allow all
> icp_access deny all
> cache_effective_user squid
> cache_effective_group squid
> coredump_dir /var/spool/squid

Chris

Re: [squid-users] Accelerator and Chaining
Brian Klauss wrote:

My organization has two geographical data centers with one in Germany the other in United States. Users in EMEA access the Germany Squid accelerator for all HTTP/HTTPS based requests for servers globally but within their own organizational domain. Those same users who wish to access the United States organizational domain are attempting to chain through our proxy here in the States but are receiving the following error:

---
The following error was encountered:
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.
---

Any ideas and/or suggestions would be greatly appreciated. If you need additional information from me please let me know.

It looks to me like the Squid in the States is not allowing access from the German Squid (either by http_access rules on the US Squid or by firewalling). Solving this problem would require knowing a bit more about your network topology (is the US Squid accessible from the general Internet, or do you have some kind of tunneling/VPN set up between the offices?), and your US Squid http_access rules (are you allowing access from the German Squid either by IP address or by password?).

Best regards,
Brian Klauss
Systems Integration Analyst, Specialist
BAX Global - Denver Data Center
email: [EMAIL PROTECTED]

Chris
Re: [squid-users] Sibling can't send message to parent
bend chen wrote:

hi squid-users

Who can help me? I used squid-2.5.STABLE13, and I used this to install my squid:

./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-pthreads --enable-err-language=Simplify_Chinese --enable-default-err-language=Simplify_Chinese --enable-storeio=ufs,aufs,null --enable-underscore --enable-snmp --enable-async-io=30 --enable-removal-policies=heap,lru --enable-linux-netfilter --enable-gnuregex --enable-poll --enable-cache-digests --enable-icmp --enable-htcp --enable-wccp

and I added this into squid.conf:

cache_peer 192.168.18.144 parent 80 4827 htcp

but I can't see any message like this in cache.log:

Sep 20 20:43:52 denim squid[23638]: Detected DEAD Sibling: 192.168.91.1/8080/3130

I guess my squid can't send any messages to the parent. How to resolve this problem? Thanks for your help.

Insufficient information supplied. You have listed the cache_peer directive for 192.168.18.144, but shown a cache.log entry for another peer. Unless you see a message stating Detected DEAD Parent: 192.168.18.144/80/4827, I would go under the assumption that communications between the two are working just fine.

Chris
Re: [squid-users] Authentication Prompt on one blocked acl
Steve Wilson Jr wrote:

I'm using NTLM authentication and it works fine but I have an acl blocking browser regexp windows mediaplayer. Every time I pull up a page with the media player embedded it prompts for authentication. Other than that it never prompts. Any ideas?

Steve Wilson Jr
Loxias IT Solutions
513-605-2726
[EMAIL PROTECTED]

What does the http_access line that performs the block (and the related ACL) look like?

Chris
Re: [squid-users] Trying to block IM's
Chris Boyd wrote:

I'm trying to block IM's like MSN, Yahoo..etc...etc I've taken acl's from this list but it doesn't seem to be working.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 4156
acl CONNECT method CONNECT
acl usit src 10.133.0.0/16 10.1.0.0/16
acl ICQ url_regex -i .icq.com
acl MSN req_mime_type ^application/x-msn-messenger$
acl YAHOO url_regex .msg.yahoo.com
acl CHAT url_regex -i webmessenger .webmessenger .messenger.* messenger.yahoo gateway.dll messenger.msn mirc icq.com go.icq miranda-im.org
acl WEBMSN url_regex -i .webmessenger.msn.com
acl EMESS url_regex -i .e-messenger.net .webmessenger.msn.com/* iloveim.com
acl TALK url_regex -i .google.com/talk talk.google.com .google.com/talk* .google.*/talk*
http_access allow manager usit
http_access deny manager
http_access deny !Safe_ports
http_access allow CONNECT
http_access allow localhost
http_access allow usit
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^

Here all your traffic is allowed. Move this allow line to the bottom (just above the deny all line), and you will have much better luck.

http_access deny MSN
http_access deny ICQ
http_access deny YAHOO
http_access deny CHAT
http_access deny WEBMSN
http_access deny EMESS
http_access deny TALK
http_access deny all

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

Chris
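The ordering point made in both replies above (pc_hosts ahead of the ident rule, and the deny lines ahead of allow usit), as an added example that is not part of the original posts and is not Squid code. It is a simplified Python model of first-match evaluation; the rule-set names and the sets of matching ACLs passed in are constructed, and the second pair keeps only one of the deny lines.

```python
# Simplified model of http_access evaluation (added example, not Squid source).
# Rules run top to bottom; ACLs on one line are ANDed left to right and
# checking stops at the first ACL that fails. The first fully matching line wins.
IDENT_ACLS = {"allow_user", "deny_user"}  # the ident-type ACLs from the thread

def parse(conf):
    """Turn 'http_access <action> <acl>...' lines into (action, [acl, ...])."""
    fields = (line.split() for line in conf.splitlines())
    return [(f[1], f[2:]) for f in fields if f and f[0] == "http_access"]

def evaluate(rules, facts):
    """Return (action, ident_lookup_triggered); facts = names of matching ACLs."""
    facts = set(facts) | {"all"}
    ident = False
    for action, acls in rules:
        for acl in acls:
            name = acl.lstrip("!")
            ident = ident or name in IDENT_ACLS  # testing it needs a lookup
            if (name in facts) == acl.startswith("!"):
                break                            # ACL failed: try the next rule
        else:
            return action, ident                 # every ACL on the line matched
    return "deny", ident  # model default; each rule set below ends in deny all

IDENT_FIRST = parse("""
http_access allow allow_user !deny_user unix_hosts
http_access allow pc_hosts
http_access deny all
""")
PC_HOSTS_FIRST = parse("""
http_access allow pc_hosts
http_access allow allow_user !deny_user unix_hosts
http_access deny all
""")
ALLOW_BEFORE_DENY = parse("""
http_access allow usit
http_access deny ICQ
http_access deny all
""")
DENY_BEFORE_ALLOW = parse("""
http_access deny ICQ
http_access allow usit
http_access deny all
""")

if __name__ == "__main__":
    print(evaluate(IDENT_FIRST, {"pc_hosts"}), evaluate(PC_HOSTS_FIRST, {"pc_hosts"}))
    print(evaluate(ALLOW_BEFORE_DENY, {"usit", "ICQ"}),
          evaluate(DENY_BEFORE_ALLOW, {"usit", "ICQ"}))
```

In both orderings the Windows host is allowed; only the second element of the result changes, which is the ident lookup the reply says the reordering avoids.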
[squid-users] Authentication problem
I have Squid set up so that it performs NTLM authentication from a Windows 2003 Active Directory domain controller. It currently works without issue, allowing only properly authenticated users web browsing access and denying others.

What I would like to do is block certain accounts from web browsing. When I implement such a block the users are presented with an authentication dialog box, and then ultimately receive the proper deny message in the browser. The problem is that I do not want them to be prompted for valid credentials; they should be immediately denied access.

Here are the appropriate areas of my configuration:

acl authenticated_users proxy_auth REQUIRED
acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
acl denied_users proxy_auth_regex -i /etc/squid/denied_users
http_access deny denied_users
http_access deny denied_admin
deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
http_access allow authenticated_users
http_access allow localhost
http_access allow local_network
http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops up and just have the deny message issued immediately?

--
Scott Jarkoff
[squid-users] caching compressed documents
We have a situation where we store documents in a compressed form on a particular storage solution. The clients access these documents via http. We would like to add a cache in front

1) on a cache miss, fetches the document from the original source
2) decompresses it
3) returns the decompressed doc to the client requesting it
4) stores it in the cache uncompressed

Is there a plugin for converting the data from the original source to a particular format before storing it in the squid cache? If not, is there a way for me to write such a plugin?

thanks
bharath