[squid-users] Caching of responses for a small group of clients not using the cache themselves
Hi,

I have the following situation: Although I want all clients' responses to be cached (if applicable), the cache should not be used to handle the requests of a small group of clients.

Group A: Few users who should not use the cache.
Group B: Majority of users who should use the cache.

Note that I would like to cache the responses for clients in Group A, so any clients in Group B may access these objects (originally requested by any client regardless of belonging to group A or B) directly from cache. Hence clients in group B have access to the entire cache, whilst no clients in group A should ever access the cache (but nevertheless contribute to filling it).

This may possibly be regarded as a silent cache miss for all clients in Group A, i.e. never a cache hit, resulting in a forwarded request to the origin server and caching of the response. For group B, all use of the cache is normal (i.e. use cache for requests and responses).

The distinction between group A and B may be done in several ways (e.g. src, myip, myport etc).

Is this possible and if so, how should this be configured? Any help or pointers would be greatly appreciated! Thnx!

Best regards
Bjorn Erik
[squid-users] Authentication issue
I have Squid set up so that it performs NTLM authentication from a Windows 2003 Active Directory domain controller. It currently works without issue, allowing only properly authenticated users web browsing access and denying others.

What I would like to do is block certain accounts from web browsing. When I implement such a block the users are presented with an authentication dialog box, and then ultimately receive the proper deny message in the browser. The problem is that I do not want them to be prompted for valid credentials; they should be immediately denied access.

Here are the appropriate areas of my configuration:

    acl authenticated_users proxy_auth REQUIRED
    acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
    acl denied_users proxy_auth_regex -i /etc/squid/denied_users
    http_access deny denied_users
    http_access deny denied_admin
    deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
    http_access allow authenticated_users
    http_access allow localhost
    http_access allow local_network
    http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops up and just have the deny message issued immediately?

-- Scott Jarkoff
RE: [squid-users] squid performance epoll. 350req/sec 100% cpu
Chris,

Thanks a lot, now everything works as expected, the CPU usage is drastically reduced.

Kind Regards,
Graziano

ELSAG DOI - Divisione Outsourcing Informatico
Graziano Sommariva
ICT Network Manager
* +39-10-658.3921
* +39-348-8558742
* [EMAIL PROTECTED]

-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday 22 May 2006 21.50
To: Squid Users
Subject: Re: [squid-users] squid performance epoll. 350req/sec 100% cpu

Sommariva Graziano wrote:

This is the result of bootstrap.sh:

    WARNING: Cannot find autoconf version 2.13
    Trying autoconf (GNU Autoconf) 2.59
    SNIP
    autoconf failed
    Autotool bootstrapping failed. You will need to investigate and correct before you can develop on this source tree

See http://www.squid-cache.org/mail-archive/squid-users/200602/0609.html and http://www.squid-cache.org/mail-archive/squid-users/200602/0611.html.

Chris
RE: [squid-users] Showing squid version
Although it is a tedious process, you can add the version info to all the actual error pages in a comment and squid will not insert it by default. Add this:

    <!--%s-->

Thanks,
Bryan

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: May 19, 2006 7:13 PM
To: Aguiar Magalhaes
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Showing squid version

Fri 2006-05-19 at 10:47 +, Aguiar Magalhaes wrote:

Where can i disable the message showing the squid version at the bottom of the error pages, denied pages and others ?

You can in the upcoming Squid-2.6 release, and in Squid-3.

Regards
Henrik
[squid-users] slow on a specific site
hi, this is a problem that has been bothering me for so long now.. my users connect to my squid machine, all sites that they visit are 'returned' ok and fast except for a particular site. the site is www.esri.com. it is very slow when connecting to that site.. when i try to connect to that site from the squid machine itself, it is fast. the problem only comes when the computers connected to the squid machine are to access that site. any kind of help will be much appreciated. Thanks! -- knowelle
[squid-users] Further diagnosis on squid/radius auth problems
Hi,

I've had a whole series of issues with Squid and radius, and I believe that at last I have some meat for diagnosis. The problem seems to be with squid_auth_radius, but this seems to be the only related mailing list.

I'm using:

    Squid Cache: Version 2.5.STABLE13
    configure options: --prefix=/usr/local/squid --enable-snmp --disable-internal-dns

on RHEL 4 with squid_radius_auth 1.08.

At times it has seemed that clients attempting to authenticate are being rejected despite having good passwords. Similarly, users have been able to get out to the Internet without a legitimate username and password. Squid's debugging output shows that the authenticator was returning an ok response for these nonexistent usernames and passwords.

At the time this happened, we would see

    Warning: Received invalid reply digest from server

errors. A squid -k reconfigure made those go away by restarting the authenticator children, of course, but running that once a minute is not an ideal solution.

I'm not comfortable doing random debugging in C, so I made an alternate authenticator out of Perl, based on authen::radius, that logged via syslogd whenever it attempted authentication and the results of that authentication attempt. Either the problem would go away, or I'd have some debugging output. :-)

The problem persisted, but I now logged requests that did and didn't match and could compare them to the Radius logs. The Radius authenticator returned an error when the Radius server had returned OK.

At the time of the error, netstat -na -u on the RHEL box shows:

    Proto Recv-Q Send-Q Local Address       Foreign Address     State
    ...
    udp        0      0 10.184.1.94:33006   10.184.1.56:1812    ESTABLISHED
    udp        0      0 10.184.1.94:33007   10.184.1.56:1812    ESTABLISHED
    udp        0      0 10.184.1.94:33008   10.184.1.56:1812    ESTABLISHED
    udp     2352      0 10.184.1.94:33009   10.184.1.56:1812    ESTABLISHED
    udp        0      0 10.184.1.94:33010   10.184.1.56:1812    ESTABLISHED

lsof shows that the process with the big recv queue is the authenticator. This happens with both squid_radius_auth and my perl applet.

I see a couple of possibilities:

a) Red Hat ties up the buffer somehow
b) problem in the radius routines in squid_rad_auth
c) problem with squid taking the data back from authenticator, or interaction between squid and squid_rad_auth

Surely someone out there has experienced this? Any pointers on where to look further?

On a related note, should Squid use the same authenticator child most of the time? I have five running, but the log shows that the same child gets queried again and again. We rarely get busy enough to need the second child, however.

==ml

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
The cloak of anonymity protects me from the nuisance of caring. -Non Sequitur
Re: [squid-users] slow on a specific site
Hello, Check the delay_pools option Thanks, Visolve Squid Team, http://squid.visolve.com On Tue, 2006-05-23 at 16:14 +0400, Noel Manansala wrote: hi, this is a problem that has been bothering me for so long now.. my users connect to my squid machine, all sites that they visit are 'returned' ok and fast except for a particular site. the site is www.esri.com. it is very slow when connecting to that site.. when i try to connect to that site from the squid machine itself, it is fast. the problem only comes when the computers connected to the squid machine are to access that site. any kind of help will be much appreciated. Thanks!
Re: [squid-users] Authentication problem
Scott Jarkoff wrote:

I have Squid set up so that it performs NTLM authentication from a Windows 2003 Active Directory domain controller. It currently works without issue, allowing only properly authenticated users web browsing access and denying others.

What I would like to do is block certain accounts from web browsing. When I implement such a block the users are presented with an authentication dialog box, and then ultimately receive the proper deny message in the browser. The problem is that I do not want them to be prompted for valid credentials; they should be immediately denied access.

Here are the appropriate areas of my configuration:

    acl authenticated_users proxy_auth REQUIRED
    acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
    acl denied_users proxy_auth_regex -i /etc/squid/denied_users
    http_access deny denied_users
    http_access deny denied_admin
    deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
    http_access allow authenticated_users
    http_access allow localhost
    http_access allow local_network
    http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops up and just have the deny message issued immediately?

See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html

Chris
Re: [squid-users] Caching of responses for a small group of clients not using the cache themselves
Erik wrote:

Hi,

I have the following situation: Although I want all clients' responses to be cached (if applicable), the cache should not be used to handle the requests of a small group of clients.

Group A: Few users who should not use the cache.
Group B: Majority of users who should use the cache.

Note that I would like to cache the responses for clients in Group A, so any clients in Group B may access these objects (originally requested by any client regardless of belonging to group A or B) directly from cache. Hence clients in group B have access to the entire cache, whilst no clients in group A should ever access the cache (but nevertheless contribute to filling it).

This may possibly be regarded as a silent cache miss for all clients in Group A, i.e. never a cache hit, resulting in a forwarded request to the origin server and caching of the response. For group B, all use of the cache is normal (i.e. use cache for requests and responses).

The distinction between group A and B may be done in several ways (e.g. src, myip, myport etc).

Is this possible and if so, how should this be configured? Any help or pointers would be greatly appreciated! Thnx!

Best regards
Bjorn Erik

You might look into the http_reply_access directive. I imagine that would let the clients make the request, but could be utilized to prevent them from receiving the response.

Chris
[squid-users] cache storage problem? (squid 3)
Whenever I run squid, it seems to run fine until the cache memory becomes full. Once this happens, squid slows down to the point of becoming unusable.

I decided to check the storage manager logs to see what was going on when the memory becomes full, and I see a lot of "no valid swapdirs for this object" error messages. The occurrence of these error messages correlates with a large jump in CPU usage by squid.

Is there a known reason for this?

Thanks.

--
Dan Thomson
Systems Engineer
Peer1 Network
1600 555 West Hastings
Vancouver, BC V6B 4N5
866-683-7747
http://www.peer1.com
RE: [squid-users] Authentication Prompt on one blocked acl
The acl:

    acl WMP browser -i Windows-Media-Player/*

and the http_access list:

    http_access allow manager localhost
    http_access allow localhost
    http_access allow WhiteList
    http_access deny !ntlm
    http_access deny Explicitly_denied
    http_access deny BlockExt
    http_access deny WMP
    http_access deny reqMIME
    http_access deny repMIME
    http_access deny Anonymous_Proxy
    http_access deny !Safe_Ports
    http_access deny CONNECT !SSL_ports
    http_access deny manager
    http_access allow Clients
    http_access deny all

when something gets blocked by BlockExt or Explicitly denied there is no auth prompt. Is there something with the browser acl type? Thanks in advance for any help!

-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, May 22, 2006 7:12 PM
To: Squid List
Subject: Re: [squid-users] Authentication Prompt on one blocked acl

Steve Wilson Jr wrote:

I'm using NTLM authentication and it works fine but I have an acl blocking browser regexp windows mediaplayer. Every time I pull up a page with the media player embedded it prompts for authentication. Other than that it never prompts. Any ideas?

Steve Wilson Jr
Loxias IT Solutions
513-605-2726
[EMAIL PROTECTED]

What does the http_access line that performs the block (and the related ACL) look like?

Chris
[squid-users] A couple authentication questions
All,

I'm trying to troubleshoot a few authentication problems. Firstly, understand I am running an NTLM setup. All my authentication is transparent to the user. That being said, on occasion my browser window pops for authentication. Canceling the prompt is usually sufficient to proceed. Does anyone know why this happens?

Second issue. When a user is posting a yahoo email message they receive a "Cache access denied" and are told they need to authenticate themselves.

I'm looking mostly for some troubleshooting steps, as I'm not certain there is a clear solution to either issue.

Thanks!
Jason
Re: [squid-users] Authentication Prompt on one blocked acl
Steve Wilson Jr wrote:

-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, May 22, 2006 7:12 PM
To: Squid List
Subject: Re: [squid-users] Authentication Prompt on one blocked acl

Steve Wilson Jr wrote:

I'm using NTLM authentication and it works fine but I have an acl blocking browser regexp windows mediaplayer. Every time I pull up a page with the media player embedded it prompts for authentication. Other than that it never prompts. Any ideas?

Steve Wilson Jr
Loxias IT Solutions
513-605-2726
[EMAIL PROTECTED]

What does the http_access line that performs the block (and the related ACL) look like?

Chris

The acl:

    acl WMP browser -i Windows-Media-Player/*

and the http_access list:

    http_access allow manager localhost
    http_access allow localhost
    http_access allow WhiteList
    http_access deny !ntlm

My guess would be that WMP is not providing authentication credentials and is being blocked by this rule here. Move the WMP block above this one, and see if that clears the problem.

    http_access deny Explicitly_denied
    http_access deny BlockExt
    http_access deny WMP
    http_access deny reqMIME
    http_access deny repMIME
    http_access deny Anonymous_Proxy
    http_access deny !Safe_Ports
    http_access deny CONNECT !SSL_ports
    http_access deny manager
    http_access allow Clients
    http_access deny all

when something gets blocked by BlockExt or Explicitly denied there is no auth prompt. Is there something with the browser acl type? Thanks in advance for any help!

Otherwise, you might remove the http_access deny !ntlm, and change the allow line to...

    http_access allow ntlm Clients

...which will block the non-authenticated without a pop up prompt for authentication.

Chris
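Added example, not part of the original messages and not Squid's own code: a simplified Python model of first-match http_access evaluation, run over the rule order posted in this thread. It shows a client that sends no credentials being challenged at `deny !ntlm` before `deny WMP` is reached, and a plain deny once `deny WMP` is moved up. Assumptions: `ntlm` is a proxy_auth ACL, a proxy_auth check without credentials produces a challenge, and the two request profiles are constructed.

```python
# Simplified model of Squid http_access first-match evaluation (added example).
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Only the WMP acl is shown in the thread; "ntlm" being a proxy_auth ACL
# is an assumption made for this model.
ACLS = """\
acl ntlm proxy_auth REQUIRED
acl WMP browser -i Windows-Media-Player/*
"""

# http_access order exactly as posted in the thread.
POSTED = """\
http_access allow manager localhost
http_access allow localhost
http_access allow WhiteList
http_access deny !ntlm
http_access deny Explicitly_denied
http_access deny BlockExt
http_access deny WMP
http_access deny reqMIME
http_access deny repMIME
http_access deny Anonymous_Proxy
http_access deny !Safe_Ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access allow Clients
http_access deny all
"""

def parse(conf):
    """Return (names of auth ACLs, ordered list of (action, [acl, ...]))."""
    auth_acls, rules = set(), []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl" and tok[2] in AUTH_TYPES:
            auth_acls.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return auth_acls, rules

def evaluate(conf, matching, has_credentials):
    """Walk the rules top-down; ACLs on a line are checked left to right."""
    auth_acls, rules = parse(conf)
    for action, acls in rules:
        for acl in acls:
            name = acl.lstrip("!")
            if name in auth_acls:
                if not has_credentials:
                    # Checking an auth ACL with no credentials: challenge.
                    return ("challenge", " ".join(acls))
                hit = True
            else:
                hit = name == "all" or name in matching
            if hit == acl.startswith("!"):
                break          # this ACL did not match, so the rule does not
        else:
            return (action, " ".join(acls))
    # No rule matched: the default is the opposite of the last rule.
    last = rules[-1][0] if rules else "allow"
    return ("allow" if last == "deny" else "deny", "<default>")

def move_before(conf, rule, anchor):
    """Return conf with `rule` relocated to just above `anchor`."""
    lines = [l for l in conf.splitlines() if l != rule]
    lines.insert(lines.index(anchor), rule)
    return "\n".join(lines) + "\n"

REORDERED = move_before(POSTED, "http_access deny WMP", "http_access deny !ntlm")

# Constructed request profiles: the ACL names each request would match.
PLAYER = {"WMP", "Clients", "Safe_Ports"}   # embedded player, no credentials
BROWSER = {"Clients", "Safe_Ports"}         # browser that has authenticated

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, "player :", evaluate(ACLS + rules, PLAYER, False))
        print(label, "browser:", evaluate(ACLS + rules, BROWSER, True))
```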
[squid-users] FIFO/multiple requests for uncached object question
Hello, I have a reverse proxy setup with Squid on some Linux servers and was wondering how squid handles multiple incoming requests for an uncached page? I have some heavy traffic sites that are using mod_expires for certain pages like the home page. If I have a page that gets called that has not been called before or is expired or stale Squid contacts my Apache server and pulls the page up but what happens if multiple calls come in at relatively the same time. Does Squid notice it is currently requesting that object and put the other calls on hold or does each one get passed on thru to the web server as misses and requests a fresh copy from Apache? Thanks, Nick Baronian
[squid-users] Questions about Squid read_timeout and retry behavior
Hi,

I am using Squid of Version 2.5.STABLE5, and I have a few questions regarding the squid read_timeout behavior. I did some tests and I would first summarize my observation as following:

Summary Start -

When squid conf is read_timeout 1 minutes, if nothing at all has been received yet in 1 minutes, the request will be automatically retried. The number of times of re-try is 3. So the squid returns timeout error (504) in 3 minutes.

When squid conf is read_timeout N minutes, where N=2 or 3, if nothing at all has been received yet in N minutes, the request will be automatically retried. The number of times of re-try is 2. So the squid returns timeout error (504) in 2*N minutes.

When squid conf is read_timeout M minutes, where M=4, if nothing at all has been received in M minutes, the request will NOT be retried, and the squid returns timeout error (504).

--- End --

My questions are:

1, Is the above behavior expected? If it is expected, can you provide more detailed explanation about the rule of re-trying.
2, Is there a way to configure the re-try behavior? e.g. the number of times to retry, or to disable retry.

Thanks a lot,
Katie Wang
Software Development
VoiceGenie Technologies Inc
Re: [squid-users] Authentication problem
On 5/24/06, Chris Robertson [EMAIL PROTECTED] wrote: See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html Thanks very much Chris. Those links were exactly what I was looking for. Much appreciated! -- Scott Jarkoff
[squid-users] Unable to enable wccpv2 on rhes3
Hi

I'm trying to build squid with wccpv2 support; for some odd reason I'm unable to enable this feature. I'm using the latest stable version squid-2.5.STABLE14.tar.gz

The WCCP patch I'm using is the one located at http://devel.squid-cache.org/cgi-bin/diff2/wccp2-2_5?s2_5

    [EMAIL PROTECTED] proxysense]# patch -p0 < wccp2-2_5.patch
    patching file squid/acconfig.h
    patching file squid/configure.in
    patching file squid/doc/README.wccpv2
    patching file squid/src/Makefile.am
    patching file squid/src/cf.data.pre
    patching file squid/src/cf_gen_defines
    patching file squid/src/main.c
    patching file squid/src/protos.h
    patching file squid/src/structs.h
    patching file squid/src/wccp2.c

I edit acconfig.h line 122 setting the following

    #define USE_WCCPv2

    [EMAIL PROTECTED] squid]# ./configure --prefix=/opt/squid --enable-linux-netfilter --enable-wccpv2
    [EMAIL PROTECTED] squid]# make && make install

    http_port 192.168.100.3 80
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp:     1440  20%  10080
    refresh_pattern ^gopher:  1440   0%   1440
    refresh_pattern .            0  20%   4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    coredump_dir /opt/squid/var/cache
    wccp2_router 192.168.100.1:2048
    wccp2_version 4
    wccp2_forwarding_method 1
    wccp2_return_method 1
    wccp2_service standard 0

Here is my squid conf, just testing on port 80 for now.

Here is my problem:

    ./squid
    2006/05/24 07:41:23| parseConfigFile: line 27 unrecognized: 'wccp2_router 192.168.100.1:2048'
    2006/05/24 07:41:23| parseConfigFile: line 28 unrecognized: 'wccp2_version 4'
    2006/05/24 07:41:23| parseConfigFile: line 29 unrecognized: 'wccp2_forwarding_method 1'
    2006/05/24 07:41:23| parseConfigFile: line 30 unrecognized: 'wccp2_return_method 1'
    2006/05/24 07:41:23| parseConfigFile: line 31 unrecognized: 'wccp2_service standard 0'

    [EMAIL PROTECTED] squid]# find . -name \*wccp*
    ./src/wccp.c
    ./src/wccp2.c
    ./src/.deps/wccp.Po
    ./src/wccp.o
    ./doc/README.wccpv2

Looks like wccp2.c is never getting compiled. Anyone know how I can fix this?

    Linux localhost.localdomain 2.4.21-37.EL #1 Wed Sep 7 13:37:20 EDT 2005 i686 athlon i386 GNU/Linux
    [EMAIL PROTECTED] squid]# cat /etc/issue
    Red Hat Enterprise Linux ES release 3 (Taroon Update 6)
[squid-users] Proxy on Solaris 10
I am a newb to proxies and caching. What I am trying to do is use Squid to act as a server outside an IIS web server and accept all requests to the IIS web server running on port 80 on a Windows 2003 server. The server I have is a Sun v100 and I would like to know if squid will work on Solaris 10 and forward on all web server requests onto the IIS server.

Any help and or docs on this would be greatly appreciated. Thanks in advance for your help.

razor--
Re: [squid-users] Proxy on Solaris 10
Johns Doester wrote:

The server I have is a Sun v100 and I would like to know if squid will work on Solaris 10 and forward on all web server requests onto the IIS server.

Yup solaris10+v100 will run squid very nicely, I do so in a similar setup. The v100s don't have fantastic CPUs but as long as you are not running a very heavily accessed site then you should find that this combination works fine.

-- Michael
[squid-users] when is a restart necessary instead of a reconfigure
Hi, I've been googling this, but haven't found a definitive answer - for what configuration (squid.conf) changes do we need to shutdown and startup squid? I'm talking about situations where reconfigures won't put the changes into effect. I've been trying to tune a set of 5 large squid servers and I'm making a lot of frequent changes. Thanks in advance, Aaron Chu