[squid-users] COSS improvements

2006-08-03 Thread Adrian Chadd
Hi everyone,

Steven Wilton has contributed a whole swath of COSS fixes which
provide even more dramatic performance fixes and some stability
fixes to the codebase.

Those who are trialing out COSS in Squid-2.6 should grab tomorrow's
snapshot and give it a whirl. I suggest you read and re-read the
COSS comments in the squid configuration file to get an idea
of the newly available "knobs".




Adrian




[squid-users] unable to cache_peer

2006-08-03 Thread S t i n g r a y
here is the line specifying my ISP cache server.

cache_peer parent 61.5.131.2 8080 0 default no-query


seems ok but it gives out this error

WARNING: Unknown neighbor type: 61.5.131.2

what's wrong?


*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
  





[squid-users] loading acl client ips from a file ?

2006-08-03 Thread S t i n g r a y
Is it possible to load a list of client IPs from a text
file in Squid?



*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
  





Re: [squid-users] unable to cache_peer

2006-08-03 Thread Jim Christy

You might need a colon between the IP and the port


cache_peer parent 61.5.131.2:8080 0 default no-query



On 8/3/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:

> here is the line specifying my ISP cache server.
>
> cache_peer parent 61.5.131.2 8080 0 default no-query
>
>
> seems ok but it gives out this error
>
> WARNING: Unknown neighbor type: 61.5.131.2
>
> what's wrong?
>
>
> *º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤







Re: [squid-users] unable to cache_peer

2006-08-03 Thread S t i n g r a y
no, that is not it; specifying ":" increases errors


--- Jim Christy <[EMAIL PROTECTED]> wrote:

> You might need a colon between the IP and the port
>
> cache_peer parent 61.5.131.2:8080 0 default no-query
>
>
> On 8/3/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:
> > here is the line specifying my ISP cache server.
> >
> > cache_peer parent 61.5.131.2 8080 0 default no-query
> >
> >
> > seems ok but it gives out this error
> >
> > WARNING: Unknown neighbor type: 61.5.131.2
> >
> > what's wrong?
> >
> >
> > *º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤


*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
  





Re: [squid-users] unable to cache_peer

2006-08-03 Thread Jim Christy

Looking at the docs actually you may have "parent" in the wrong place:

#   cache_peer parent.foo.net   parent    3128  3130  [proxy-only]
#   cache_peer sib1.foo.net     sibling   3128  3130  [proxy-only]
#   cache_peer sib2.foo.net     sibling   3128  3130  [proxy-only]

try:

cache_peer 61.5.131.2 parent 8080 0 default no-query



On 8/3/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:

> no, that is not it; specifying ":" increases errors
>
>
> --- Jim Christy <[EMAIL PROTECTED]> wrote:
>
> > You might need a colon between the IP and the port
> >
> > cache_peer parent 61.5.131.2:8080 0 default no-query
> >
> >
> > On 8/3/06, S t i n g r a y <[EMAIL PROTECTED]> wrote:
> > > here is the line specifying my ISP cache server.
> > >
> > > cache_peer parent 61.5.131.2 8080 0 default no-query
> > >
> > >
> > > seems ok but it gives out this error
> > >
> > > WARNING: Unknown neighbor type: 61.5.131.2
> > >
> > > what's wrong?



Re: [squid-users] loading acl client ips from a file ?

2006-08-03 Thread Christoph Haas
On Thursday 03 August 2006 15:26, S t i n g r a y wrote:
> is it possible to load list of client ips from a text
> file ? in squid ?

Y e s,  i t   i s.

See the documentation on ACLs. The text file needs to be specified in 
quotes ("").

 Christoph


RE: [squid-users] Squid restarted with error tried to dup a NULL pointer

2006-08-03 Thread Mehmet, Levent \(Accenture\)
Thanks

Does anyone have a rough guide as to how I can update to the new
Squid-2.6stable2 safely. Not done this before, but getting desperate as
squid is crashing 4 times a day

thanks

-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: 31 July 2006 13:23
To: Mehmet, Levent (Accenture)
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid restarted with error tried to dup a
NULL pointer

Hiya,

upgrade to the latest 2.6-stable snapshot. I believe that bug has been
fixed and Squid-2.6stable2 won't suffer from it.



adrian


On Mon, Jul 31, 2006, Mehmet, Levent (Accenture) wrote:
>  
> All
> 
> Current version 2.6.Stable1
> 
> FATAL: xstrdup:tried to dup a NULL pointer
> 
> Terminated abnormally
> 
> 
> 
> Levent Mehmet
> Network Analyst
> Server and Network Team
> [EMAIL PROTECTED] Operate Unit
> Market Towers, 20th Floor
> 1 Nine Elms Lane
> London
> SW8 5NQ
> 
> E-mail: [EMAIL PROTECTED]
> Phone: +44 20 7084 3517 
> Fax:   +44 20 7084 2536 
> 
> 
> 


Re: [squid-users] (111) connection refused ERROR FOR SITES REQUIRING LOGIN

2006-08-03 Thread Visolve Squid

vinayan K P wrote:

> Hello,
>
> Hope someone could help me.
>
> I am using a squid proxy (squid-2.5.STABLE13-1.FC4) behind another
> squid proxy and firewall.


Hello Vinayan,

If you are behind a firewall then you can't make direct connections to 
the outside world, so you *must* use a parent cache. Squid doesn't use 
ICP queries for a request if it's behind a firewall or if there is only 
one parent.


You can use the /never_direct/ access list in /squid.conf/ to specify 
which requests must be forwarded to your parent cache outside the 
firewall, and the /always_direct/ access list to specify which requests 
must not be forwarded. For example, if Squid must connect directly to 
all servers that end with /mydomain.com/, but must use the parent for 
all others, you would write:


acl INSIDE dstdomain .mydomain.com
always_direct allow INSIDE
never_direct allow all

For more Details visit: 
http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-f7c4c667d4154ec5a9619044ef7d8ab94dfda39b

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com


Re: [squid-users] New to Squid and Linux

2006-08-03 Thread mjmcgraw
Now it works from the local machine that is actually running squid,
but when I try to SSH using Putty into the squid host I get nothing. I
am forwarding port 3128 with Putty and setting the browser to use
localhost:3128 for proxy.


Maybe I'm understanding this wrong but I thought if I used SSH to
connect to the squid host it would appear as a local connection and
the acl for localhost would work.


Did I totally miss that?

Thanks, Michael

Quoting Christoph Haas <[EMAIL PROTECTED]>:


> On Wednesday 02 August 2006 22:16, [EMAIL PROTECTED] wrote:
> > This is what my squid.conf looks like. Does it look broke?
>
> Not at all. Just read and understand the documentation on "http_access"
> and "acl". Everything else is fine.
>
>  Christoph






Re: [squid-users] New to Squid and Linux

2006-08-03 Thread Christoph Haas
On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> Now it works from the local machine that is actually running squid,
> but when I try to SSH using Putty into the squid host I get nothing. I
> am forwarding port 3128 with Putty and setting the browser to use
> localhost:3128 for proxy.

Just point your browser to the proxy server on port 3128. SSH is not 
needed.

> Maybe I'm understanding this wrong but I thought if I used SSH to
> connect to the squid host it would appear as a local connection and
> the acl for localhost would work.

SSH supports port forwarding. But that's surely not the normal mode of 
operation and proxy surfing.

I hope it's clear that Squid is a HTTP proxy which is not at all connected 
to SSH.

 Christoph


Re: [squid-users] New to Squid and Linux

2006-08-03 Thread mjmcgraw
I'm trying to use SSH to tunnel my traffic to the machine that is  
running squid. The machines are not on the same network.


Michael

Quoting Christoph Haas <[EMAIL PROTECTED]>:


> On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> > Now it works from the local machine that is actually running squid,
> > but when I try to SSH using Putty into the squid host I get nothing. I
> > am forwarding port 3128 with Putty and setting the browser to use
> > localhost:3128 for proxy.
>
> Just point your browser to the proxy server on port 3128. SSH is not
> needed.
>
> > Maybe I'm understanding this wrong but I thought if I used SSH to
> > connect to the squid host it would appear as a local connection and
> > the acl for localhost would work.
>
> SSH supports port forwarding. But that's surely not the normal mode of
> operation and proxy surfing.
>
> I hope it's clear that Squid is a HTTP proxy which is not at all connected
> to SSH.
>
>  Christoph






[squid-users] Accelerator Question

2006-08-03 Thread Pablo García

Hi, I was running a Squid in accelerator mode, for a bunch of web sites I own.
The setup was very basic: Client ---Internet--- Squid --Local Lan-- Web servers
The squid decides which web server to access for the content based on /etc/hosts,
so my settings in the squid.conf were:

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Now, I changed to Squid 2.6 Stable 2, and since the configuration
changes for this scenario I'm not sure how to configure it right.
Is this the right configuration option ?
"http_port 80 vhost vport"
or is this other ?
"http_port 80 transparent"

Thanks, Pablo


Re: [squid-users] Accelerator Question

2006-08-03 Thread Visolve Squid

Pablo García wrote:

> Hi, I was running a Squid in accelerator mode, for a bunch of web sites I own.
> The setup was very basic: Client ---Internet--- Squid --Local Lan-- Web servers
> The squid decides which web server to access for the content based on /etc/hosts,
> so my settings in the squid.conf were:
>
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Now, I changed to Squid 2.6 Stable 2, and since the configuration
> changes for this scenario I'm not sure how to configure it right.
> Is this the right configuration option ?
> "http_port 80 vhost vport"
> or is this other ?
> "http_port 80 transparent"


Hello Pablo,

Transparent Proxy setup for squid-2.6Stable 2 can be done by using the 
following configuration directive in squid.conf file.


   "http_port 3128 transparent"


Reverse proxy setup can be done by using the following directives

   http_port 80 vhost
   cache_peer virtual parent  0 no-query originserver


-Server  listen port

--
Thanks,
Visolve Squid Team,
http://squid.visolve.com


Re: [squid-users] loading acl client ips from a file ?

2006-08-03 Thread S t i n g r a y
sir i did this according to the docs it should be like
this 

acl packb "/home/admin/packb"  

but it's giving errors

bash-3.1# /usr/local/sbin/squid -k reconfigure
2006/08/04 02:00:49| aclParseAclLine: Invalid ACL type '"/home/admin/packb"'
FATAL: Bungled squid.conf line 19: acl packb "/home/admin/packb"
Squid Cache (Version 2.5.STABLE12): Terminated abnormally.


any ideas ?
 

--- Christoph Haas <[EMAIL PROTECTED]> wrote:

> On Thursday 03 August 2006 15:26, S t i n g r a y wrote:
> > is it possible to load list of client ips from a text
> > file ? in squid ?
>
> Y e s,  i t   i s.
>
> See the documentation on ACLs. The text file needs to be specified in
> quotes ("").
>
>  Christoph
> 


*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
  





Re: [squid-users] loading acl client ips from a file ?

2006-08-03 Thread Christoph Haas
On Thursday 03 August 2006 18:18, S t i n g r a y wrote:
> sir i did this according to the docs it should be like
> this
>
> acl packb "/home/admin/packb"

You forgot the type.

acl packb src "..."

 Christoph
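
Added example (not part of the thread and not Squid's own code): a small Python check for the two squid.conf mistakes discussed in this digest, the `cache_peer` argument order from the "unable to cache_peer" thread and the missing ACL type from this one. It goes beyond the thread by also validating `src` entries loaded from a quoted file; the function names, the sample file contents and the choice to flag host bits set under a mask are assumptions of this example.

```python
import ipaddress

# Neighbor types named for cache_peer in the squid.conf comments (Squid 2.5/2.6).
PEER_TYPES = {"parent", "sibling", "multicast"}


def _is_port(token, lowest):
    """True if token is a decimal port number in lowest..65535."""
    return token.isdecimal() and lowest <= int(token) <= 65535


def check_cache_peer(args):
    """Check 'cache_peer hostname type http_port icp_port [options]'."""
    if len(args) < 4:
        return ["cache_peer needs hostname, type, http_port and icp_port"]
    host, ptype, http_port, icp_port = args[:4]
    problems = []
    if ptype not in PEER_TYPES:
        hint = " (type and hostname are swapped)" if host in PEER_TYPES else ""
        problems.append("unknown neighbor type %r%s" % (ptype, hint))
    if not _is_port(http_port, 1):
        problems.append("http_port %r is not a port number" % http_port)
    if not _is_port(icp_port, 0):  # 0 is allowed: the thread pairs it with no-query
        problems.append("icp_port %r is not a port number" % icp_port)
    return problems


def check_acl(args):
    """Check 'acl name type value...'; a quoted value names a file of values."""
    if len(args) < 2:
        return ["acl needs a name and a type"]
    atype = args[1]
    if atype.startswith(('"', "/")):
        return ["invalid ACL type %r: the type (such as src) is missing" % atype]
    if len(args) < 3:
        return ["acl %s %s has no values" % (args[0], atype)]
    return []


def check_src_entry(entry):
    """Validate one src value: addr, addr/mask, or addr1-addr2[/mask]."""
    try:
        if "-" in entry:
            low, high = entry.split("/", 1)[0].split("-", 1)
            if ipaddress.ip_address(low) > ipaddress.ip_address(high):
                return "range %r runs backwards" % entry
        else:
            # strict=True also rejects host bits set under the mask (likely typo).
            ipaddress.ip_network(entry, strict=True)
    except (ValueError, TypeError) as exc:
        return "bad src entry %r: %s" % (entry, exc)
    return None


def _file_values(text):
    """Values from an ACL file: one per line, blank and '#' lines skipped."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def lint(conf_text, files):
    """Return [(line_no, message)] for the cache_peer and acl lines in conf_text.

    files maps a quoted ACL file path to its text, so nothing is read from disk.
    """
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0], tokens[1:]
        problems = []
        if directive == "cache_peer":
            problems = check_cache_peer(args)
        elif directive == "acl":
            problems = check_acl(args)
            if not problems and args[1] == "src":
                for value in args[2:]:
                    if value.startswith('"'):
                        entries = _file_values(files.get(value.strip('"'), ""))
                    else:
                        entries = [value]
                    problems += [p for p in map(check_src_entry, entries) if p]
        findings += [(number, problem) for problem in problems]
    return findings


# Constructed input: the config lines quoted in the threads, plus made-up
# contents for the ACL file (the page never shows what /home/admin/packb holds).
SAMPLE_CONF = """\
cache_peer parent 61.5.131.2 8080 0 default no-query
cache_peer parent 61.5.131.2:8080 0 default no-query
cache_peer 61.5.131.2 parent 8080 0 default no-query
acl packb "/home/admin/packb"
acl packb src "/home/admin/packb"
"""
SAMPLE_FILES = {
    "/home/admin/packb": "# clients\n192.168.0.3\n10.1.0.0/255.255.0.0\n192.168.0.5/24\n",
}

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE_CONF, SAMPLE_FILES):
        print("line %d: %s" % (line_no, message))
```

The colon variant on sample line 2 yields three findings instead of one, which matches the report in the thread that adding the colon increased the errors.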


RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Arnold Wang
[EMAIL PROTECTED] tmp]# ip addr show dev wccp0
4: [EMAIL PROTECTED]:  mtu 1476 qdisc noqueue
link/gre 10.17.2.146 peer 10.17.2.65
inet 192.168.1.6/31 scope global wccp0

Thanks again for your kind helps.

On Thu, 2006-08-03 at 08:44 +0200, Henrik Nordstrom wrote:
> Wed 2006-08-02 at 22:22 -0700, Arnold Wang wrote:
> 
> > The configuration in the RHEL box:
> > [EMAIL PROTECTED] ~]# ip tunnel show
> > gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
> > wccp0: gre/ip  remote 10.17.2.65  local 10.17.2.146  dev eth0  ttl
> > inherit 
> > sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
> 
> what does "ip addr show dev wccp0" say?
> 
> Regards
> Henrik


Re: [squid-users] New to Squid and Linux

2006-08-03 Thread Tim Neto
I think you have the wrong acronym.  Do you really want a SSL connection 
as in a "https" connection?  In reading this thread you keep typing SSH, 
but do you really need to use is SSL.


Tim

---
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x2651725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: [EMAIL PROTECTED]  L4W 1P9
---



[EMAIL PROTECTED] wrote:
> I'm trying to use SSH to tunnel my traffic to the machine that is
> running squid. The machines are not on the same network.
>
> Michael
>
> Quoting Christoph Haas <[EMAIL PROTECTED]>:
>
> > On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
> > > Now it works from the local machine that is actually running squid,
> > > but when I try to SSH using Putty into the squid host I get nothing. I
> > > am forwarding port 3128 with Putty and setting the browser to use
> > > localhost:3128 for proxy.
> >
> > Just point your browser to the proxy server on port 3128. SSH is not
> > needed.
> >
> > > Maybe I'm understanding this wrong but I thought if I used SSH to
> > > connect to the squid host it would appear as a local connection and
> > > the acl for localhost would work.
> >
> > SSH supports port forwarding. But that's surely not the normal mode of
> > operation and proxy surfing.
> >
> > I hope it's clear that Squid is a HTTP proxy which is not at all
> > connected to SSH.
> >
> >  Christoph








RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Henrik Nordstrom
Looks fine.

And "cat /proc/sys/net/ipv4/conf/wccp0/rp_filter"?

(should be 0)

Regards
Henrik

Thu 2006-08-03 at 10:34 -0700, Arnold Wang wrote:
> [EMAIL PROTECTED] tmp]# ip addr show dev wccp0
> 4: [EMAIL PROTECTED]:  mtu 1476 qdisc noqueue
> link/gre 10.17.2.146 peer 10.17.2.65
> inet 192.168.1.6/31 scope global wccp0
> 
> Thanks again for your kind helps.
> 
> On Thu, 2006-08-03 at 08:44 +0200, Henrik Nordstrom wrote:
> > Wed 2006-08-02 at 22:22 -0700, Arnold Wang wrote:
> > 
> > > The configuration in the RHEL box:
> > > [EMAIL PROTECTED] ~]# ip tunnel show
> > > gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
> > > wccp0: gre/ip  remote 10.17.2.65  local 10.17.2.146  dev eth0  ttl
> > > inherit 
> > > sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
> > 
> > what does "ip addr show dev wccp0" say?
> > 
> > Regards
> > Henrik




RE: [squid-users] Squid restarted with error tried to dup a NULL pointer

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 15:22 +0100, Mehmet, Levent (Accenture) wrote:
> Thanks
> 
> Does anyone have a rough guide as to how I can update to the new
> Squid-2.6stable2 safely. Not done this before, but getting desperate as
> squid is crashing 4 times a day

How did you install the earlier release?

Generally just follow the same procedure for installing the new version,
then restart Squid to activate the new version. This assuming you are
running 2.6.STABLE1.

Regards
Henrik




[squid-users] passwordattr option in squid_ldap_auth

2006-08-03 Thread Ross Davis
I am having a problem with the -U passwordattr option in squid_ldap_auth 
("Squid LDAP authentication helper"). Here is what I am trying to do:


1) Bind to LDAP server with a hard-coded user/pass (i.e., using -D 
binddn -w password)

2) Look up a given user's record using a filter (i.e., -f filter)
3) authenticate the user with a password attribute specified by me 
(i.e., -U passwordattr)


Looking at /var/log/messages, LDAP tells me that:

a) binding as the hard-coded user is successful
b) searching for the given user's record is successful
c) performing the compare on the passwordattr of the given user is 
successful

d) then squid_ldap_auth tries to bind as the given user.
e) binding as the given user fails and squid_ldap_auth returns ERR

I do not understand why squid_ldap_auth is trying to bind as the given 
user. After step (c), shouldn't the process be complete? The compare is 
successful so shouldn't I get an OK?


Thanks,
Ross

PS - here is my command line where 'testuser' is the hard-coded user, 
and the passwordattr is 'OXGroupID'


squid_ldap_auth \
-b "ou=Users,ou=OxObjects,dc=example,dc=com" \
-f "(&(objectClass=*)(uid=%s))" \
-d \
-v 3 \
-U OXGroupID \
-D "uid=testuser,ou=Users,ou=OxObjects,dc=example,dc=com" \
-w testpass \
localhost


RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Arnold Wang
Yes, I did change those system settings mentioned in FAQ, including
enabling routing, etc.

[EMAIL PROTECTED] awang]
$cat /proc/sys/net/ipv4/conf/wccp0/rp_filter
0


 
On Thu, 2006-08-03 at 20:06 +0200, Henrik Nordstrom wrote:
> Looks fine.
> 
> And "cat /proc/sys/net/ipv4/conf/wccp0/rp_filter"?
> 
> (should be 0)
> 
> Regards
> Henrik
> 
> Thu 2006-08-03 at 10:34 -0700, Arnold Wang wrote:
> > [EMAIL PROTECTED] tmp]# ip addr show dev wccp0
> > 4: [EMAIL PROTECTED]:  mtu 1476 qdisc noqueue
> > link/gre 10.17.2.146 peer 10.17.2.65
> > inet 192.168.1.6/31 scope global wccp0
> > 
> > Thanks again for your kind helps.
> > 
> > On Thu, 2006-08-03 at 08:44 +0200, Henrik Nordstrom wrote:
> > > Wed 2006-08-02 at 22:22 -0700, Arnold Wang wrote:
> > > 
> > > > The configuration in the RHEL box:
> > > > [EMAIL PROTECTED] ~]# ip tunnel show
> > > > gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
> > > > wccp0: gre/ip  remote 10.17.2.65  local 10.17.2.146  dev eth0  ttl
> > > > inherit 
> > > > sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
> > > 
> > > what does "ip addr show dev wccp0" say?
> > > 
> > > Regards
> > > Henrik


RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Henrik Nordstrom
If you run tcpdump -n -i wccp0, do you see any traffic?

Regards
Henrik

Thu 2006-08-03 at 12:03 -0700, Arnold Wang wrote:
> Yes, I did change those system settings mentioned in FAQ, including
> enabling routing, etc.
> 
> [EMAIL PROTECTED] awang]
> $cat /proc/sys/net/ipv4/conf/wccp0/rp_filter
> 0





Re: [squid-users] passwordattr option in squid_ldap_auth

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 14:26 -0400, Ross Davis wrote:

> I do not understand why squid_ldap_auth is trying to bind as the given 
> user. After step (c), shouldn't the process be complete? The compare is 
> successful so shouldn't I get an OK?

Which version of squid_ldap_auth are you using?

Regards
Henrik




Re: [squid-users] Accelerator Question

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 12:10 -0300, Pablo García wrote:

> Now, I changed to Squid 2.6 Stable 2, and since the configuration
> changes for this scenario I'm not sure how to configure it right.
> Is this the right configuration option ?
> "http_port 80 vhost vport"

http_port 80 defaultsite=your.main.website vhost

you most likely do not want vport.

and cache_peer + cache_peer_access/domain to route the requests to the
correct server, alternatively always_direct if you want to route
by /etc/hosts like before..

> or is this other ?
> "http_port 80 transparent"

nope, not for accelerators. This is for transparently intercepting
proxies.

Regards
Henrik




RE: [squid-users] New to Squid and Linux

2006-08-03 Thread Michael J McGraw
No, I really meant SSH. I'm using Putty from work to my home linux box.

Michael

-Original Message-
From: Tim Neto [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 1:57 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] New to Squid and Linux

I think you have the wrong acronym.  Do you really want a SSL connection 
as in a "https" connection?  In reading this thread you keep typing SSH, 
but do you really need to use is SSL.

Tim

---
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x2651725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: [EMAIL PROTECTED]  L4W 1P9
---



[EMAIL PROTECTED] wrote:
> I'm trying to use SSH to tunnel my traffic to the machine that is 
> running squid. The machines are not on the same network.
>
> Michael
>
> Quoting Christoph Haas <[EMAIL PROTECTED]>:
>
>> On Thursday 03 August 2006 16:46, [EMAIL PROTECTED] wrote:
>>> Now it works from the local machine that is actually running squid,
>>> but when I try to SSH using Putty into the squid host I get nothing. I
>>> am forwarding port 3128 with Putty and setting the browser to use
>>> localhost:3128 for proxy.
>>
>> Just point your browser to the proxy server on port 3128. SSH is not
>> needed.
>>
>>> Maybe I'm understanding this wrong but I thought if I used SSH to
>>> connect to the squid host it would appear as a local connection and
>>> the acl for localhost would work.
>>
>> SSH supports port forwarding. But that's surely not the normal mode of
>> operation and proxy surfing.
>>
>> I hope it's clear that Squid is a HTTP proxy which is not at all 
>> connected
>> to SSH.
>>
>>  Christoph
>>
>
>
>
>



Re: [squid-users] passwordattr option in squid_ldap_auth

2006-08-03 Thread Ross Davis

Henrik Nordstrom wrote:


> Which version of squid_ldap_auth are you using?


Whichever version comes with SuSE 9.3 package squid-2.5.STABLE9-4.6. I 
don't see a way to get squid_ldap_auth to report its version number...


Thanks,
Ross


RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Arnold Wang
Yes. I included in my original post. I include my read on it as well.
 
- begin of the trace --

  1 0.00     192.168.1.6   192.168.1.7     WCCP 1.0 Here I am

-> Squid tries to register with the router.

  2 0.000960 192.168.1.7   192.168.1.6     WCCP 1.0 I see you

-> Router sees it and registers it.

  3 3.408431 10.17.11.20   209.131.36.158  TCP  34121 > http [SYN] Seq=0 Len=0 MSS=1460 TSV=100191619 TSER=0 WS=2

-> Client tries to access a web site and the router forwards it to
the Squid machine.

  4 3.408469 192.168.1.6   204.146.97.xx   ICMP Destination unreachable (Protocol unreachable)

-> Here I think indicates the problem which is the ip_gre doesn't
know how to decapsulate the gre-ed WCCP packet. It sends an ICMP packet
back to the router with Protocol unreachable error.

- end of the trace --

Thanks again for your help.

On Thu, 2006-08-03 at 22:00 +0200, Henrik Nordstrom wrote:
> If you run tcpdump -n -i wccp0, do you see any traffic?
> 
> Regards
> Henrik
> 
> Thu 2006-08-03 at 12:03 -0700, Arnold Wang wrote:
> > Yes, I did change those system settings mentioned in FAQ, including
> > enabling routing, etc.
> > 
> > [EMAIL PROTECTED] awang]
> > $cat /proc/sys/net/ipv4/conf/wccp0/rp_filter
> > 0
> 


Re: [squid-users] New to Squid and Linux

2006-08-03 Thread Brian Gregory
- Original Message - 
From: "Michael J McGraw" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, August 03, 2006 9:18 PM
Subject: RE: [squid-users] New to Squid and Linux


> No, I really meant SSH. I'm using Putty from work to my home linux box.
> 
> Michael

In what way do you believe that squid might be involved with this process?

--

Brian Gregory.
[EMAIL PROTECTED]

Computer Room Volunteer.
Therapy Centre.
Prospect Park Hospital.


RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 13:33 -0700, Arnold Wang wrote:
> Yes. I included in my original post.

That traffic was on eth0, not on wccp0.

> > If you run tcpdump -n -i wccp0, do you see any traffic?

Regards
Henrik




Re: [squid-users] passwordattr option in squid_ldap_auth

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 16:19 -0400, Ross Davis wrote:
> Henrik Nordstrom wrote:
> 
> > Which version of squid_ldap_auth are you using?
> 
> Whichever version comes with SuSE 9.3 package squid-2.5.STABLE9-4.6. I 
> don't see a way to get squid_ldap_auth to report its version number...

Please try with the current STABLE version, i.e. 2.6.STABLE2. Problems
with vendor packaged versions are best reported to the vendor.

The -U option was broken for some time in Squid-2.5 around STABLE9..
(was fixed in STABLE11 I think..). Anyway, current version should work.

Regards
Henrik





Re: [squid-users] New to Squid and Linux

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 10:46 -0400, [EMAIL PROTECTED] wrote:
> Now it works from the local machine that is actually running squid,
> but when I try to SSH using Putty into the squid host I get nothing. I
> am forwarding port 3128 with Putty and setting the browser to use
> localhost:3128 for proxy.

Should work. Have done that many times.

Just make sure you use the correct forwarding method, local port to
remote host. Not the opposite..

local port 3128
local address 127.0.0.1 (if it can be specified)
remote host 127.0.0.1
remote port 3128

Regards
Henrik




Re: [squid-users] New to Squid and Linux

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 22:03 +0100, Brian Gregory wrote:

> > No, I really meant SSH. I'm using Putty from work to my home linux box.
> > 
> > Michael
> 
> In what way do you believe that squid might be involved with this process.

He is trying to set up a port forward of the Squid port via SSH,
allowing him to connect to the Squid proxy port over SSH as he can't (or
won't) connect to it directly from his station.

Nothing strange, just a bit odd, but perfectly normal use of SSH the
swiss army knife of networking.

Regards
Henrik




RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Arnold Wang
I'm sorry I forgot it's from the eth0 packet. I do see traffics on wccp0
as well.

 [EMAIL PROTECTED] local]# tethereal -i wccp0
tethereal: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket.
Capturing on wccp0
  0.00  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
  0.000967  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you
 10.435223  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
 10.436387  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you
 14.871173  10.17.11.20 -> 209.131.36.158 TCP 33340 > http [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=77188263 TSER=0 WS=2

The reason I didn't post this was it didn't show the ICMP packet. When
you asked for trace from wccp0, I forgot the one I posted was from eth0.
I apologize again.


On Thu, 2006-08-03 at 23:07 +0200, Henrik Nordstrom wrote:
> Thu 2006-08-03 at 13:33 -0700, Arnold Wang wrote:
> > Yes. I included in my original post.
> 
> That traffic was on eth0, not on wccp0.
> 
> > > If you run tcpdump -n -i wccp0, do you see any traffic?
> 
> Regards
> Henrik


[squid-users] LDAP_auth

2006-08-03 Thread squid
Hello,
Unfortunately I have to call for aid. I’ve read every mail discussion thread
available on google.com about using squid with LDAP authentication.

I have configured my ldap_auth module correctly and it gives me the
following responses when run from the command line.


/usr/local/squid/libexec/squid_ldap_auth -R -b "DC=editora,DC=ess" -D
"cn=Usuario Internet,ou=Internet,dc=editora,dc=ess" -w 123456 -f
sAMAccountName=%s 1-v3 192.168.0.252
 

Of course “Usuario Internet” is the canonical name of [EMAIL PROTECTED]
which has 123456 as his password and 192.168.0.252 is DC Apollo.editora.ess

This [EMAIL PROTECTED] also has rights to search LDAP directory in
windows 2003. (given by ADSIEDIT.msc)

 

* When given an existing account name and correct password, the
  helper answers an OK in a new line

* When given a non-existing account name, the helper answers an ERR in a
  new line

* When given an existing account name and incorrect password, the helper
  answers “ERR Success” in a new line


My squid.conf is configured like this:

acl all src 0.0.0.0/0.0.0.0
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "DC=editora,DC=ess" -D "cn=Usuario Internet,ou=Internet,dc=editora,dc=ess" -w 123456 -f sAMAccountName=%s -v3 -d 192.168.0.252
auth_param basic children 3
auth_param basic casesensitive off
auth_param basic credentialsttl 15 minutes
acl ess proxy_auth REQUIRED
http_access allow ess
http_access deny all

 

When I try to access the proxy server from a client workstation I do get an
authentication dialog, in which I fill in a valid username and password.

After submitting the authentication dialog I get a DNS error.

In tail -f /var/log/squid/access.log the following line is logged.

 

1154497781.871  0 192.168.0.3 TCP_DENIED/407 1697 GET
http://www.google.com/ - NONE/- text/html

 

Trying to explain it better, I have 2 Linux boxes running squid. One of them
is my production server, and runs quite smoothly (as it has run for the last
few years) using NCSA authentication.

This is the (proxy generated) DNS error I expect when using the proxy and the
address is really not resolvable


The requested URL could not be retrieved




While trying to retrieve the URL: http://fgdfsg/   

The following error was encountered: 

Unable to determine IP address from host name for fgdfsg 

The dnsserver returned: 

Name Error: The domain name does not exist. 

This means that: 

 The cache was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 

Your cache administrator is webmaster  . 




Generated Mon, 24 Jul 2006 19:55:58 GMT by access.ess.com.br
(Squid/2.4.STABLE7)

 

But this is the error I get when using ldap_auth, and only when using
ldap_auth on my new Linux box with my new squid-2.6.STABLE2. (When I do not
use ldap_auth, the proxy works perfectly.)

 


A página não pode ser exibida

 


A página que você procura não está disponível no momento. Talvez o site
esteja passando por dificuldades técnicas ou você precise ajustar as
configurações do navegador.





Tente o seguinte:

*   Clique no botão Atualizar ou tente novamente mais tarde. 
*   Se você digitou o endereço da página na barra de endereços,
certifique-se de que ele foi digitado corretamente. 
*   Para verificar as configurações da conexão, clique no menu
Ferramentas e em Opções da Internet. Na guia Conexões, clique em
Configurações. As configurações devem coincidir com as fornecidas pelo
administrador da rede local (LAN) ou pelo provedor de serviços de Internet. 
*   Veja se suas configurações de conexão da Internet estão sendo
detectadas. Você pode configurar o Microsoft Windows para examinar sua rede
e descobrir automaticamente configurações de rede (caso seu administrador de
rede tenha habilitado esta configuração). 

1.   Clique no menu Ferramentas e em Opções da Internet. 

2.   Na guia Conexões, clique em Configurações de LAN. 

3.   Selecione Detectar configurações automaticamente e clique em OK. 

*   Alguns sites requerem conexão com segurança de 128 bits. Clique no
menu Ajuda e em Sobre o Internet Explorer para determinar o nível de
segurança instalado. 
*   Se você está tentando acessar um site seguro, certifique-se de que
suas configurações de segurança oferecem suporte ao site. Clique no menu
Ferramentas e em Opções da Internet. Na guia 'Avançado', vá para a seção
'Segurança' e verifique as configurações de SSL 2.0, SSL 3.0, TLS 1.0, PCT
1.0. 
*   Clique no botão Voltar   para tentar
outro link. 

 


Servidor não encontrado ou erro de DNS
Internet Explorer 



Despite the fact that the error message is in Portuguese (very natural since
I live in Brazil), it's easily recognizable as the default IE6.0 DNS error.
Opera and Firefox give me similar messages.
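
A way to read access.log entries like the one quoted in this message, as an added example that is not part of the original post: a single TCP_DENIED/407 is the proxy's normal challenge to a request that carried no credentials, so the useful signal is a client that is challenged repeatedly and never gets a request logged with a user name. The sample lines are constructed and the function names are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout. Only the first line
# mirrors the entry quoted in the post; the other lines and the user name are
# made up for this example.
SAMPLE_LOG = """\
1154497781.871      0 192.168.0.3 TCP_DENIED/407 1697 GET http://www.google.com/ - NONE/- text/html
1154497790.102      1 192.168.0.3 TCP_DENIED/407 1697 GET http://www.google.com/ - NONE/- text/html
1154497795.440      0 192.168.0.3 TCP_DENIED/407 1697 GET http://www.google.com/ - NONE/- text/html
1154497801.015      0 192.168.0.9 TCP_DENIED/407 1697 GET http://www.example.com/ - NONE/- text/html
1154497801.320    212 192.168.0.9 TCP_MISS/200 5120 GET http://www.example.com/ alice DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Split one native-format line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated or not in the native layout
    action, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {
        "client": parts[2],
        "action": action,
        "status": int(status),
        # Field 8 is the user name; "-" means none was logged.
        "user": None if parts[7] == "-" else parts[7],
    }


def summarize(log_text):
    """Per client: count of 407 challenges and of requests logged with a user."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        client = stats[entry["client"]]
        if entry["status"] == 407:
            client["challenges"] += 1
        elif entry["user"]:
            client["authenticated"] += 1
            client["users"].add(entry["user"])
    return dict(stats)


def stuck_clients(log_text, min_challenges=2):
    """Clients challenged at least min_challenges times with no authenticated request."""
    return sorted(
        ip for ip, s in summarize(log_text).items()
        if s["challenges"] >= min_challenges and s["authenticated"] == 0
    )


if __name__ == "__main__":
    for ip in stuck_clients(SAMPLE_LOG):
        print(f"{ip}: challenged repeatedly, never authenticated")
```
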


Re: [squid-users] squid -> squidGuard: Redirect_children best practice?

2006-08-03 Thread Dave Mullen
I did play around with that squidGuard -C all command before.  I ran into an
issue where it would finish and shutdown all the squidGuard processes when it
completed, or so I was led to believe in the log.  I'm sure it was some odd
timing issue where I had multiple processes starting before it actually
completed.  

How does one schedule that?  The -C all command, do you run that before squid
starts as a different init script?  Also, if you have them prebuilt, how do
you 'rebuild' them again and not take down all the squidGuard processes?

--
Dave Mullen

"He who would sacrifice liberty for safety deserves neither liberty nor
safety." -Benjamin Franklin

-- Original Message ---
From: "Brian Gregory" <[EMAIL PROTECTED]>
To: "Dave Mullen" <[EMAIL PROTECTED]>, 
Sent: Wed, 2 Aug 2006 22:57:11 +0100
Subject: Re: [squid-users] squid -> squidGuard: Redirect_children best practice?

> - Original Message - 
> From: "Dave Mullen" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, August 02, 2006 8:32 PM
> Subject: [squid-users] squid -> squidGuard: Redirect_children best practice?
> 
> > Hey folks,
> > 
> > I'm finding people with different opinions talking about the 
> > redirect_children
> > option from within squid.
> > 
> > One is to set it to something like 5, so that you have plenty of ability to
> > answer ( like apache? ) and the second is to limit squidGuard children to 
> > have
> > an equal amount of processes as CPU's in the box.
> > 
> > I've got a company with ~500 employees that this will be blocking with a
> > fairly large blacklist.  My big concern to this is time from post to proxy. 
> > With multiple processes starting it seems to dramatically build the time up 
> > it
> > needs to get to full start.
> > 
> > Thoughts?
> 
> Are you "pre-compiling" your domainlists and urllists into *.db 
> files by doing:
> 
> squidGuard -C all
> 
> ??
> 
> If not that will greatly speed up the start-up time when there are 
> many squidguard processes starting up.
> 
> How are you blocking with https:// URLs??
> 
> I find blocked https:// URLs just cause a messy can't access 
> http:443 message when they are blocked. Have you found any way to 
> tidy that up??
> 
> --
> 
> Brian Gregory.
> [EMAIL PROTECTED]
> 
> Computer Room Volunteer.
> Therapy Centre.
> Prospect Park Hospital.
--- End of Original Message ---



RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 14:40 -0700, Arnold Wang wrote:
> I'm sorry I forgot it's from the eth0 packet. I do see traffics on wccp0
> as well.
> 
>  [EMAIL PROTECTED] local]# tethereal -i wccp0
> tethereal: WARNING: arptype 778 not supported by libpcap - falling back
> to cooked socket.
> Capturing on wccp0
>   0.00  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
>   0.000967  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you
>  10.435223  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
>  10.436387  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you

Odd.. I would not expect the WCCP chatter to be seen here...

>  14.871173  10.17.11.20 -> 209.131.36.158 TCP 33340 > http [SYN] Seq=0
> Ack=0 Win=5840 Len=0 MSS=1460 TSV=77188263 TSER=0 WS=2

This looks like an intercepted packet. So the GRE probably works..
(maybe... the WCCP stuff above worries me..)

For now assuming the GRE does work. What does your iptables rules look
like?

  iptables-save

Regards
Henrik




Re: [squid-users] LDAP_auth

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 19:02 -0300, squid wrote:

>   · When given an existing account name and correct password, the
> helper answers an OK in a new line
> 
>   · When given a nonexistent account name, the helper answers an ERR in a
> new line
> 
>   · When given an existing account name and incorrect password, the helper
> answers “ERR Success” in a new line

Good. The helper obviously works.

> My squid.conf is configured like this:
> 
> acl all src 0.0.0.0/0.0.0.0
> 
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b
> "DC=editora,DC=ess" -D "cn=Usuario Internet,ou=Internet,dc=editora,dc=ess"
> -w 123456 -f sAMAccountName=%s -v3 -d 192.168.0.252

Looks fine..

> Generated Mon, 24 Jul 2006 19:55:58 GMT by access.ess.com.br
> (Squid/2.4.STABLE7)

Eum.. 2.4.STABLE7 is a bit old (4+ years). You may consider upgrading..
Current release is 2.6.STABLE2.

I have a vague memory of Squid not liking helper arguments with spaces
in old versions. Not sure if it applies to 2.4.STABLE7 but it probably
does. There are ways around it in such a case, but I strongly recommend you
consider upgrading first...  Before upgrading it's good to read the
release notes first, both for Squid-2.5 and 2.6.

Regards
Henrik




Re: [squid-users] always_direct and never_direct confusion

2006-08-03 Thread Henrik Nordstrom
Thu 2006-08-03 at 11:25 +0700, Beast wrote:
> Henrik Nordstrom wrote:
> > On Wed, 2006-08-02 at 16:40 +0700, Beast wrote:
> >
> >   
> >> This make all request direct, including special_domain.
> >> 
> >
> > Then triplecheck your special_domain definition, and "squid -k parse"
> > output if any.. (should be blank
> I do it once again, and it still correct to my knowledge.
> 
> acl special_domain dstdomain  .example.com .example.net
> 
> And i request page such as : www.example.com and webmail.example.com 
> (isn't it should be covered by ".example.com"?)
> 
> squid -k parse does output nothing (no error)

Should work..


I often use constructs like the following to force requests to a
specific parent:


cache_peer ip.of.other.proxy parent 80 0 no-query
acl specialsite dstdomain .domain.name
never_direct allow specialsite
cache_peer_access ip.of.other.proxy allow specialsite

Regards
Henrik




RES: [squid-users] LDAP_auth

2006-08-03 Thread squid
I believe I didn't explain myself quite correctly. I do have 2 Linux boxes
running squid. The one that runs 2.4 is very old, runs NCSA authentication
and works fine. I used it only to show what kind of DNS error I expected, if
it was really a problem of DNS. I expected a proxy error page, the one in
/usr/local/squid/share/errors/English/ERR_DNS_FAIL that logically has the
squid version it came from written in it. This is the proxy that works.
The proxy that does not work is a 2.6STABLE2, running ldap_auth. It gives
me a DNS error, but not the proxy one: the default DNS error page from the
browser I am using, either Opera, Firefox or dammit IE6.0, instead of
the proxy DNS error page.
Tks
Ciro
-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 3, 2006 19:27
To: squid
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] LDAP_auth

Thu 2006-08-03 at 19:02 -0300, squid wrote:

>   . When given an existing account name and correct password, the helper
> answers an OK in a new line
> 
>   . When given a nonexistent account name, the helper answers an ERR in a
> new line
> 
>   . When given an existing account name and incorrect password, the helper
> answers "ERR Success" in a new line

Good. The helper obviously works.

> My squid.conf is configured like this:
> 
> acl all src 0.0.0.0/0.0.0.0
> 
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
> -b "DC=editora,DC=ess" -D "cn=Usuario Internet,ou=Internet,dc=editora,dc=ess"
> -w 123456 -f sAMAccountName=%s -v3 -d 192.168.0.252

Looks fine..

> Generated Mon, 24 Jul 2006 19:55:58 GMT by access.ess.com.br
> (Squid/2.4.STABLE7)

Eum.. 2.4.STABLE7 is a bit old (4+ years). You may consider upgrading..
Current release is 2.6.STABLE2.

I have a vague memory of Squid not liking helper arguments with spaces in
old versions. Not sure if it applies to 2.4.STABLE7 but it probably does.
There are ways around it in such a case, but I strongly recommend you
consider upgrading first...  Before upgrading it's good to read the release
notes first, both for Squid-2.5 and 2.6.

Regards
Henrik



Re: [squid-users] New to Squid and Linux

2006-08-03 Thread mjmcgraw
It works when I am sitting at the Linux box but when I try to SSH into
it and use the squid proxy through the tunnel I can get nowhere.


I have my Putty tunnel setup for local port 3128 forwarded to remote  
port 3128.


L3128  ip.address.to.linuxbox:3128
L is for local port.

Should ip.address.to.linuxbox be 127.0.0.1 also?

Michael

Quoting Henrik Nordstrom <[EMAIL PROTECTED]>:


> Thu 2006-08-03 at 10:46 -0400, [EMAIL PROTECTED] wrote:
>
> > Now it works from the local machine that is actually running squid,
> > but when I try to SSH using Putty into the squid host I get nothing. I
> > am forwarding port 3128 with Putty and setting the browser to use
> > localhost:3128 for proxy.
>
> Should work. Have done that many times.
>
> Just make sure you use the correct forwarding method, local port to
> remote host. Not the opposite..
>
> local port 3128
> local address 127.0.0.1 (if it can be specified)
> remote host 127.0.0.1
> remote port 3128
>
> Regards
> Henrik






RE: [squid-users] Squid + RHEL4 + ip_gre issue

2006-08-03 Thread Arnold Wang
1. Can you explain to me your concern about the WCCP chat you saw on the wccp0
interface? I thought they belong there.
2. The iptables rules look like this.
 [EMAIL PROTECTED] ~]# iptables-save
# Generated by iptables-save v1.2.11 on Thu Aug  3 17:17:18 2006
*filter
:INPUT ACCEPT [312:26614]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [226:28523]
COMMIT
# Completed on Thu Aug  3 17:17:18 2006
# Generated by iptables-save v1.2.11 on Thu Aug  3 17:17:18 2006
*nat
:PREROUTING ACCEPT [59:6147]
:POSTROUTING ACCEPT [4:352]
:OUTPUT ACCEPT [4:352]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i wccp0 -p
tcp -m tcp --dport 80 -j DNAT --to-destination 10.17.2.146:3128 
COMMIT
# Completed on Thu Aug  3 17:17:18 2006
3. Take a look at the following. If I read it correctly (I'm not familiar
with iptables/netfilter), it doesn't look like the DNAT rule has ever
been triggered, which makes me further believe the encapsulated WCCP
packets were decapsulated properly. 
[EMAIL PROTECTED] ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination 
DNAT   tcp  --  10.0.0.0/8  !10.0.0.0/8  tcp
dpt:http to:10.17.2.146:3128 

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination 
[EMAIL PROTECTED] ~]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 182 packets, 20521 bytes)
 pkts bytes target prot opt in out source
destination 
0 0 DNAT   tcp  --  wccp0  any 10.0.0.0/8
!10.0.0.0/8  tcp dpt:http to:10.17.2.146:3128 

Chain POSTROUTING (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target prot opt in out source
destination 

Chain OUTPUT (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target prot opt in out source
destination

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 3:22 PM
To: Arnold Wang
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid + RHEL4 + ip_gre issue

Thu 2006-08-03 at 14:40 -0700, Arnold Wang wrote:
> I'm sorry I forgot it's from the eth0 packet. I do see traffics on wccp0
> as well.
> 
>  [EMAIL PROTECTED] local]# tethereal -i wccp0
> tethereal: WARNING: arptype 778 not supported by libpcap - falling back
> to cooked socket.
> Capturing on wccp0
>   0.00  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
>   0.000967  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you
>  10.435223  192.168.1.6 -> 192.168.1.7  WCCP 1.0 Here I am
>  10.436387  192.168.1.7 -> 192.168.1.6  WCCP 1.0 I see you

Odd.. I would not expect the WCCP chatter to be seen here...

>  14.871173  10.17.11.20 -> 209.131.36.158 TCP 33340 > http [SYN] Seq=0
> Ack=0 Win=5840 Len=0 MSS=1460 TSV=77188263 TSER=0 WS=2

This looks like an intercepted packet. So the GRE probably works..
(maybe... the WCCP stuff above worries me..)

For now assuming the GRE does work. What does your iptables rules look
like?

  iptables-save

Regards
Henrik
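
Reading the counters in the "iptables -t nat -L -v" listing from the message above, as an added example that is not part of the thread: a rule at 0 packets in a chain whose policy counter is non-zero means packets went through the chain without matching that rule. The sample text is the listing from the post with its mail-wrapped lines re-joined; the function names are made up for the illustration, and every rule is assumed to have a target.

```python
import re

# The nat listing from the post, with the lines that mail wrapping broke re-joined.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 182 packets, 20521 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  wccp0  any     10.0.0.0/8          !10.0.0.0/8          tcp dpt:http to:10.17.2.146:3128

Chain POSTROUTING (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1291 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def to_int(text):
    """Counters are abbreviated (e.g. 12K) unless -x is given; expand them."""
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def parse_listing(text):
    """Return {chain: {"policy", "policy_pkts", "rules": [...]}} for built-in chains."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            m = CHAIN_RE.match(line)
            # User-defined chains have no policy counter; skip their rules.
            current = None
            if m:
                current = {"policy": m.group(2),
                           "policy_pkts": to_int(m.group(3)), "rules": []}
                chains[m.group(1)] = current
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        current["rules"].append({
            "pkts": to_int(cols[0]), "target": cols[2], "in": cols[5],
            "src": cols[7], "dst": cols[8], "extra": " ".join(cols[9:]),
        })
    return chains


def unmatched_rules(text):
    """Rules that never matched although packets fell through to the chain policy."""
    found = []
    for name, chain in parse_listing(text).items():
        for rule in chain["rules"]:
            if rule["pkts"] == 0 and chain["policy_pkts"] > 0:
                found.append((name, rule["target"], rule["in"], chain["policy_pkts"]))
    return found


if __name__ == "__main__":
    for chain, target, iface, seen in unmatched_rules(SAMPLE_LISTING):
        print(f"{chain}: {target} rule on {iface} has 0 hits; "
              f"{seen} packets reached the chain policy")
```
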


[squid-users] Squid profiling patch for Squid 2.6

2006-08-03 Thread Pranav Desai

Hello,

While searching for information on performance improvement of squid, I
found this patch by Alex Rousskov.

http://www.cs.ndsu.nodak.edu/~rousskov/research/cache/squid/profiling/patch.html

It basically records per-request measurements for disk and network activities.

The patch seems to be for really old versions of squid. Is this patch
also applicable to Squid 2.6-Stable1 ? Or are there other patches
available to do similar profiling.

Thanks for your time.

-- Pranav

--
http://pd.dnsalias.org


AW: [squid-users] squid -> squidGuard: Redirect_children best practice?

2006-08-03 Thread Werner.Rost
You have to perform "squidGuard -C all" once. This builds the database for 
squidguard. Don't perform "squidGuard -C all" before every start of squid!

You should repeat "squidGuard -C all", rebuilding the database, if your 
blacklist changes.

Mit freundlichem Gruß/Yours sincerely
Werner Rost
GMT-FIR - Netzwerk
 
 ZF Boge Elastmetall GmbH
 Friesdorfer Str. 175
 53175 Bonn
 Deutschland/Germany 
 Telefon/Phone +49 228 3825 - 420
 Telefax/Fax +49 228 3825 - 398
 [EMAIL PROTECTED]



-Original Message-
From: Dave Mullen [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 4, 2006 00:20
To: squid-users@squid-cache.org
Subject: Re: [squid-users] squid -> squidGuard: Redirect_children best practice?


I did play around with that squidGuard -C all command before.  I ran into an 
issue where it would finish and shutdown all the squidGuard processes when it 
completed, or so I was led to believe in the log.  I'm sure it was some odd 
timing issue where I had multiple processes starting before it actually 
completed.  

How does one schedule that?  The -C all command, do you run that before squid 
starts as a different init script?  Also, if you have them prebuilt, how do 
you 'rebuild' them again and not take down all the squidGuard processes?

--
Dave Mullen

"He who would sacrifice liberty for safety deserves neither liberty nor 
safety." -Benjamin Franklin

-- Original Message ---
From: "Brian Gregory" <[EMAIL PROTECTED]>
To: "Dave Mullen" <[EMAIL PROTECTED]>, 
Sent: Wed, 2 Aug 2006 22:57:11 +0100
Subject: Re: [squid-users] squid -> squidGuard: Redirect_children best practice?

> - Original Message -
> From: "Dave Mullen" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, August 02, 2006 8:32 PM
> Subject: [squid-users] squid -> squidGuard: Redirect_children best practice?
> 
> > Hey folks,
> > 
> > I'm finding people with different opinions talking about the 
> > redirect_children option from within squid.
> > 
> > One is to set it to something like 5, so that you have plenty of 
> > ability to answer ( like apache? ) and the second is to limit 
> > squidGuard children to have an equal amount of processes as CPU's in 
> > the box.
> > 
> > I've got a company with ~500 employees that this will be blocking 
> > with a fairly large blacklist.  My big concern to this is time from 
> > post to proxy. With multiple processes starting it seems to 
> > dramatically build the time up it needs to get to full start.
> > 
> > Thoughts?
> 
> Are you "pre-compiling" your domainlists and urllists into *.db
> files by doing:
> 
> squidGuard -C all
> 
> ??
> 
> If not that will greatly speed up the start-up time when there are
> many squidguard processes starting up.
> 
> How are you blocking with https:// URLs??
> 
> I find blocked https:// URLs just cause a messy can't access
> http:443 message when they are blocked. Have you found any way to 
> tidy that up??
> 
> --
> 
> Brian Gregory.
> [EMAIL PROTECTED]
> 
> Computer Room Volunteer.
> Therapy Centre.
> Prospect Park Hospital.
--- End of Original Message ---