Re: [squid-users] WCCPv2 current instructions?
Hiya, I've written up a couple of example WCCPv2 situations (i.e., my home deployment) at http://wiki.squid-cache.org/ConfigExamples/. I use a different iptables ruleset (gre rather than eth0, DNAT rather than REDIRECT) and it seems to work fine for me. Adrian On Thu, Sep 14, 2006, Shaun Skillin (home) wrote: > > > Hello, > > I've been looking for quite some time for instructions on using WCCPv2. > squid-cache.org docs section points to visolve, and their site has nothing > on WCCPv2 that I can find. I've read sooo many posts regarding how to set it > up, but most of the posts have to do with version 1, which virtually NO Cisco > device supports anymore. For ver2, the Cisco docs are at least clear, so I > think I have that side set up correctly. From what I have gleaned, I should > do the following: > > I'm using CENTOS 4.3 and SQUID-2.6STABLE3 > > Modprobe ip_gre > > iptunnel add gre1 mode gre remote local > dev eth0 ifconfig gre1 127.0.0.2 up > > from /etc/sysctl.conf: > > net.ipv4.ip_forward = 1 > net.ipv4.conf.all.rp_filter = 1 > kernel.sysrq = 0 > > iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT > --to-ports 3128 > > Are these the correct steps? This info was from a doc on version 1. > What's missing? Is there a current HOWTO for today's most current builds > (Sept 14, 2006 as of this writing)? > > I am seeing WCCP packets flow just fine, the cache is registered with the > router, I see the SYN packets inside the GRE tunnel redirected from the > router, but Squid never attempts to actually send a SYN out to the world to > get content. > > Thanks very much for any help! > > Shaun Skillin
[squid-users] WCCPv2 current instructions?
Hello, I've been looking for quite some time for instructions on using WCCPv2. squid-cache.org docs section points to visolve, and their site has nothing on WCCPv2 that I can find. I've read sooo many posts regarding how to set it up, but most of the posts have to do with version 1, which virtually NO Cisco device supports anymore. For ver2, the Cisco docs are at least clear, so I think I have that side set up correctly. From what I have gleaned, I should do the following: I'm using CENTOS 4.3 and SQUID-2.6STABLE3 Modprobe ip_gre iptunnel add gre1 mode gre remote local dev eth0 ifconfig gre1 127.0.0.2 up from /etc/sysctl.conf: net.ipv4.ip_forward = 1 net.ipv4.conf.all.rp_filter = 1 kernel.sysrq = 0 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 Are these the correct steps? This info was from a doc on version 1. What's missing? Is there a current HOWTO for today's most current builds (Sept 14, 2006 as of this writing)? I am seeing WCCP packets flow just fine, the cache is registered with the router, I see the SYN packets inside the GRE tunnel redirected from the router, but Squid never attempts to actually send a SYN out to the world to get content. Thanks very much for any help! Shaun Skillin
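A scripted version of the Linux-side steps discussed in this thread, as an added example rather than anything Adrian or Shaun posted. It follows the variant Adrian mentions (match on the GRE interface, DNAT instead of REDIRECT). The router 192.0.2.1, the Squid host 192.0.2.10 on eth0, Squid listening on port 3128 with `http_port 3128 transparent`, and the tunnel name wccp0 are all assumptions. One point worth checking against any existing setup: the script switches rp_filter off on the tunnel interface, because the redirected packets carry the client's source address and arrive on the tunnel, which a strict reverse-path check rejects. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): Linux side of a WCCPv2 + GRE
# interception setup for Squid, matching on the GRE interface and using
# DNAT rather than REDIRECT. Assumed values: router 192.0.2.1, Squid host
# 192.0.2.10 on eth0, Squid listening on 3128 ("http_port 3128 transparent").
# DRY_RUN=1 prints every command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wccp_setup ROUTER_IP SQUID_IP [IFACE] [SQUID_PORT]
wccp_setup() {
    router="$1"; squid="$2"; iface="${3:-eth0}"; port="${4:-3128}"
    tun="wccp0"

    run modprobe ip_gre
    # GRE tunnel that terminates the packets the router redirects to us
    run ip tunnel add "$tun" mode gre remote "$router" local "$squid" dev "$iface"
    run ip addr add 127.0.0.2/32 dev "$tun"
    run ip link set "$tun" up

    # Redirected packets still carry the client's source address but arrive
    # on the tunnel, so the reverse-path filter must be off for that interface.
    run sysctl -w "net.ipv4.conf.$tun.rp_filter=0"
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite port-80 traffic from the tunnel to the local Squid port;
    # anything else arriving on the tunnel is dropped, not forwarded.
    run iptables -t nat -A PREROUTING -i "$tun" -p tcp --dport 80 \
        -j DNAT --to-destination "$squid:$port"
    run iptables -A INPUT -i "$tun" -p tcp --dport "$port" -j ACCEPT
    run iptables -A INPUT -i "$tun" -j DROP
}

# Run as a script: DRY_RUN=1 ./wccp-setup.sh previews the commands.
case "$0" in
    *wccp-setup.sh) wccp_setup 192.0.2.1 192.0.2.10 eth0 3128 ;;
esac
```

The DNAT target has to be the address Squid actually listens on; with `http_port 3128 transparent` on all addresses the host address is fine. Keep the tunnel interface out of any broader `rp_filter = 1` setting in sysctl.conf by naming the interface explicitly, as the script does, rather than relying on `net.ipv4.conf.all`.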
[squid-users] Fw: Re: (110) Connection timed out, but Privoxy can?
I'm sorry you didn't get this earlier. Thanks Joost for prodding me towards tcpdump. Regards Fog_Watch. Begin forwarded message: Date: Thu, 14 Sep 2006 11:50:40 +1000 From: Ian <[EMAIL PROTECTED]> To: Ian <[EMAIL PROTECTED]> Subject: Re: (110) Connection timed out, but Privoxy can? Actually, cancel that. I strongly suspect that Henrik's post (http://www.mail-archive.com/squid-users@squid-cache.org/msg12596.html) will solve the problem. So that is section 4.8 of http://www.squid-cache.org/Doc/FAQ/FAQ_long.html. Sorry for the bother. Regards Fog_Watch. On Thu, 14 Sep 2006 11:11:08 +1000 Ian <[EMAIL PROTECTED]> wrote: > On my Gentoo box are a chrooted Squid-2.5.STABLE14 and a Privoxy. I can use > both to browse with almost no problem. > > If I perform a search at "http://www.linuxquestions.org/questions/search.php" > using Squid the error returned is "(110) Connection timed out". The Privoxy > on the same box, and an IPCop Squid on a different box, perform the search > without fault. After clicking on "Search" at linuxquestions nothing is > logged in /var/log/squid. > > I cannot see how the problem is not Squid. Nor can I see how Squid is the > problem. Yes, I have good eye sight, and I'll let you be the judge of the > thing between my ears. > > The squid.conf that achieves the error is as follows: > shutdown_lifetime 5 seconds > chroot /chroot/squid/ > cache_mem 50 MB > visible_hostname my-proliant > cache_dir ufs /var/cache/squid/ 100 16 256 > cache_peer miss-whoops.fogwatch.com.au parent 800 0 default no-query > acl QUERY urlpath_regex cgi-bin \? > no_cache deny QUERY > cache_effective_user squid > cache_effective_group squid > maximum_object_size 102400 KB > log_mime_hdrs off > forwarded_for off > acl my_network src 192.168.1.0/24 > acl all src 0.0.0.0/0.0.0.0 > http_access allow my_network > http_access deny all > request_body_max_size 0 KB > reply_body_max_size 0 allow all > > Any help that you are able to allocate to this problem will be much > appreciated. 
Thank you. > > Regards > > Fog_Watch.
Re: [squid-users] Stuck - Tproxy+WCCPv2 Layer2
On Fri, Sep 15, 2006, Henrik Nordstrom wrote: > Thu 2006-09-14 at 17:43 -0400, Errol Neal wrote: > > Henrik wrote: > > >It means your switch-router is not (yet) supported by Squid. See the > > last page of bug 1696 for details. > > > > Thanks for the reply. I guess I'll go back to the drawing board.. > > Don't forget that one option on that drawing board is to make your > switch-router supported by Squid.. Shouldn't be that complicated. > Everything is documented in the WCCP2 draft, only that no one has > implemented the needed code in Squid yet. Funnily enough, Steven Wilton is working on this. I've acquired a pair of older Cisco Cache Engines which I -hope- will speak the mask assignment protocol. Steven and I will then figure out why it isn't working and get it going. (Of course, I'm hoping that my Cisco 3550 here actually speaks the mask assignment stuff rather than the hash map. If anyone here has a Cisco 7600 or a Catalyst 6500 in a test lab somewhere then please let me know. I'd really, really appreciate it..) Adrian
RE: [squid-users] Stuck - Tproxy+WCCPv2 Layer2
Thu 2006-09-14 at 17:43 -0400, Errol Neal wrote: > Henrik wrote: > >It means your switch-router is not (yet) supported by Squid. See the > last page of bug 1696 for details. > > Thanks for the reply. I guess I'll go back to the drawing board.. Don't forget that one option on that drawing board is to make your switch-router supported by Squid.. Shouldn't be that complicated. Everything is documented in the WCCP2 draft, only that no one has implemented the needed code in Squid yet. Regards Henrik
RE: [squid-users] Stuck - Tproxy+WCCPv2 Layer2
Henrik wrote: >It means your switch-router is not (yet) supported by Squid. See the last page of bug 1696 for details. Thanks for the reply. I guess I'll go back to the drawing board..
Re: [squid-users] Setup questionnaire ?? Was : Re: [squid-users] System Config
Thu 2006-09-14 at 21:38 +0200, Jakob Curdes wrote: > Wouldn't it be a good idea to make a document in the WiKi/FAQ describing > some setups of different sizes ? We have had such collections in the past. A problem is that time flies very fast and what was reported last year generally isn't very valuable next year.. Yes, it would help making people confident that they don't really need that big resources to run Squid in small setups. But it would not help larger setups much I am afraid. Regards Henrik
Re: [squid-users] Is LDAP better than NTLM?
Thu 2006-09-14 at 16:41 -0400, Terry Dobbs wrote: > Hey, > > I am familiar with configuring squid with NTLM_Auth using winbindd. I am > familiar with wbinfo, and squid ACL's. See the wbinfo_group acl helper. Regards Henrik
Re: [squid-users] Stuck - Tproxy+WCCPv2 Layer2
Thu 2006-09-14 at 14:29 -0400, Errol Neal wrote: > 2006/09/14 14:26:28| wccp2HandleUdp: fatal error - A WCCP router has > specified a different assignment method 2, expected 1 > 2006/09/14 14:26:28| FD 18 Closing WCCP socket > > Not sure whats the deal here.. It means your switch-router is not (yet) supported by Squid. See the last page of bug 1696 for details. Regards Henrik
Re: [squid-users] Is LDAP better than NTLM?
Hey, I am familiar with configuring squid with NTLM_Auth using winbindd. I am familiar with wbinfo, and squid ACL's. However, I have never seen an example of someone using a ACL to restrict access based on NT Groups. I would be grateful if someone has a simple example to show me, or if someone with better google skills than I can point me in the correct direction. - Original Message - From: "Henrik Nordstrom" <[EMAIL PROTECTED]> To: "Terry Dobbs" <[EMAIL PROTECTED]> Cc: Sent: Thursday, September 14, 2006 2:45 PM Subject: Re: [squid-users] Is LDAP better than NTLM? -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.12.3/447 - Release Date: 9/13/2006
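Terry asks for a simple example of an ACL keyed on NT group membership; Henrik's pointer is the wbinfo_group helper. The fragment below is an added example, not from this thread or from the Squid distribution. It assumes Samba's ntlm_auth at /usr/bin/ntlm_auth, the wbinfo_group.pl helper that ships with squid-2.6 installed at /usr/local/squid/libexec/wbinfo_group.pl, and a domain group called internet_users. The group must be spelled the way winbind reports it (`wbinfo -g` lists the groups, including any domain prefix and separator), and `wbinfo -t` / `wbinfo -u` should already work on the box before Squid is pointed at it. The script prints the fragment to append to squid.conf.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid distribution): squid.conf
# fragment restricting web access to members of one NT group, using NTLM
# authentication and the wbinfo_group.pl external ACL helper.

# ntlm_group_conf [GROUP] [HELPER_PATH]: prints the fragment on stdout.
ntlm_group_conf() {
    group="${1:-internet_users}"                            # assumed group name
    helper="${2:-/usr/local/squid/libexec/wbinfo_group.pl}" # assumed helper path
    cat <<EOF
# NTLM (plus a basic fallback for clients without NTLM) via Samba's ntlm_auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy

# Group helper: receives the authenticated login (%LOGIN) and the group
# names given on the acl line, answers OK when the user is in one of them.
external_acl_type nt_group ttl=600 negative_ttl=60 children=5 %LOGIN $helper

acl authenticated proxy_auth REQUIRED
acl $group external nt_group $group

# Challenge for credentials first, then decide on group membership.
http_access deny !authenticated
http_access allow $group
http_access deny all
EOF
}

case "$0" in
    *ntlm-group-conf.sh) ntlm_group_conf "$@" ;;
esac
```

The `deny !authenticated` line before the group check is what makes the browser see the authentication challenge; without it Squid still authenticates (because of %LOGIN) but the denial for non-members and the challenge for unauthenticated users get tangled. The ttl values cache the helper's answer per user, so a group change takes up to ten minutes to show.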
Re: [squid-users] Problem starting squid
Robert Shatford wrote: FATAL: Failed to make swap directory /usr/local/var/cache: (13) cache_dir ufs /usr/local/squid/cache 100 16 256 Then you probably are editing the wrong config file or the setting is overridden on the command line (init script?) Jakob Curdes
[squid-users] Setup questionnaire ?? Was : Re: [squid-users] System Config
Wouldn't it be a good idea to make a document in the WiKi/FAQ describing some setups of different sizes ? That would perhaps help novice users to estimate what they need for a given user base. I would be willing to put things together; however before requesting information from cache operators the first question is what we need to know. My suggestions would be (please comment and add your own favorites): a) Hardware : - CPU - Memory - Cache HD b) System - OS - Cache FS - other tasks beside squid c) Squid - version - type and no. of authenticators - no. of ACLs - delay pools d) users - max number of users - typical simultaneous users e) connection - type of conn - upload and download speed - bandwidth management limits f) performance - typical no of HTTP requests / day or hour - typical system load g) remarks Yours, Jakob Curdes
Re: [squid-users] Can Squid Intercept Certain Pages and Display a Warning Page Before Redirecting
Thu 2006-09-14 at 13:34 -0400, Steven Weintraut wrote: > Rather than take the severe route of just blocking those sites, I was > trying to think of a way to use Squid as a proxy and when they visit > the login for one of those email sites that it would first display a > reminder page reminding them to limit the amount of time they spend > doing personal stuff during work hours, and then allow them to > continue on as they normally would either via a timed redirect and/or > a hyperlink they could click on You can do this with the help of the session helper in squid-2.6 plus deny_info redirecting to a web page with the reminder.. Unfortunately documentation is a bit thin yet. > Once the warning was display we would want to turn off the warning so > that it didn't come back up everytime they went to read a message or > click on some other url during the same session The above mentioned helper can start the session on first request making this automatic.. Regards Henrik
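Since the documentation for this is thin, here is the configuration Henrik describes written out, as an added example rather than anything from the thread. It assumes the squid-2.6 session helper is installed at /usr/local/squid/libexec/squid_session, the reminder page lives at http://intranet.example/reminder.html, the clients are in 192.168.1.0/24, and the webmail sites are the two domains listed. The helper is keyed on the client's source address, so everything behind one NAT address shares a session; the reminder page itself must carry the link (or timed redirect) back to the webmail site, since that first request already started the session and the return visit passes. The script prints the fragment to append to squid.conf.

```shell
#!/bin/sh
# Added example (not from the thread): squid.conf fragment that shows a
# reminder page once per session before webmail, built on the squid-2.6
# session helper and deny_info. Assumed: helper path, reminder URL, client
# network and webmail domains below.

# reminder_conf [HELPER_PATH] [REMINDER_URL]: prints the fragment on stdout.
reminder_conf() {
    helper="${1:-/usr/local/squid/libexec/squid_session}"   # assumed path
    page="${2:-http://intranet.example/reminder.html}"      # assumed URL
    cat <<EOF
# Session helper keyed on the client address (%SRC). In its default
# (passive) mode a session starts on the client's first request: that
# request gets ERR, the following ones OK until the session has been idle
# for -t seconds (28800 = a working day). negative_ttl=0 so the ERR that
# starts the session is not cached against the client.
external_acl_type session ttl=60 negative_ttl=0 children=1 %SRC $helper -t 28800

acl localnet src 192.168.1.0/24
acl webmail dstdomain .mail.google.com .mail.yahoo.com
acl session_active external session

# deny_info attaches to the last ACL named on the denying http_access line;
# giving it a URL makes Squid answer with a redirect to that page.
deny_info $page session_active

# First webmail request of a session: denied, so the reminder is shown.
http_access deny webmail !session_active
http_access allow localnet
http_access deny all
EOF
}

case "$0" in
    *reminder-conf.sh) reminder_conf "$@" ;;
esac
```

Because the session ACL is only consulted on webmail requests, ordinary browsing never starts a session and the reminder appears exactly at the first webmail visit; the `ttl=60` only caches the helper's OK answer, so a session that has expired is noticed within a minute.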
RE: [squid-users] i got "Failed to select source..." at cache.log
Thu 2006-09-14 at 21:16 +0800, SSCR Internet Admin wrote: > well, i am configuring both.. You need to split the two functions on different http_port to keep sanity.. Regards Henrik
Re: [squid-users] System Config
Zahir wrote: I have 60 clients attached to the squid server. squid server is celeron 2.4 ghz and 512 ram having 200K dedicated bandwidth do u think the server configuration is ok for 60 PCs From the FAQ : "How big of a system do I need to run Squid? There are no hard-and-fast rules. The most important resource for Squid is physical memory, so put as much in your Squid box as you can. Your processor does not need to be ultra-fast. We recommend buying whatever is economical at the time. Your disk system will be the major bottleneck, so fast disks are important for high-volume caches. SCSI disks generally perform better than ATA, if you can afford them. Serial ATA (SATA) performs somewhere between the two. Your system disk, and logfile disk can probably be IDE without losing any cache performance. The ratio of memory-to-disk can be important. We recommend that you have at least 32 MB of RAM for each GB of disk space that you plan to use for caching." For low-end installations this is the only parameter you really have to care about. CPU is not quite as important as RAM (and the link speed). What do you mean by "200 k" ?? 200 kbits/sec ? That would not be very much for 60 users if they are all "in". Hint : don't make the cache too large, the only thing that happens is that you need more RAM; with a small installation it never fills up anyway because objects expire faster than new different objects are requested. Yours, Jakob Curdes
RE: [squid-users] Stuck - Tproxy+WCCPv2 Layer2
Sorry for the screwy config file.. Don't know how that happened

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 48 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
maximum_object_size 150096 KB
minimum_object_size 0 KB
access_log /usr/local/squid-2.6/var/logs/access.log
cache_log none
cache_store_log none
half_closed_clients off
cache_swap_high 95
cache_swap_low 90
cache_dir aufs /var/squid/cache1 1 25 256
cache_dir aufs /var/squid/cache2 1 25 256
buffered_logs on
http_port 80 tproxy transparent
wccp2_router 172.16.103.1
wccp2_return_method 2
wccp2_forwarding_method 2
wccp2_version 4
#wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
acl localnet src 172.16.100.0/255.255.252.0
acl localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny all
[squid-users] Problem starting squid
Hey guys, I don't know if I missed something in the setup of my server, but I cannot get the squid -z command to work. When I type it out, I get the message FATAL: Failed to make swap directory /usr/local/var/cache: (13) Permission denied Squid Cache (Version 2.6.STABLE3): Terminated abnormally. CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 0 What I think is weird about this is the fact that my cache_dir is set to cache_dir ufs /usr/local/squid/cache 100 16 256 What setting am I missing to make my squid start? Anything else I should look at that I might be missing? Thanks for any help you guys can give. Bob Shatford
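Jakob's two candidate causes (editing a squid.conf the binary never reads, or an init script passing its own `-f`) can be checked rather than guessed at. The script below is an added example, not from the thread: it derives the config file and default cache directory the binary was built for from the "configure options" line of `squid -v` (Squid's own defaults are prefix /usr/local/squid, sysconfdir = prefix/etc, localstatedir = prefix/var), and pulls any `-f` override out of a running Squid's command line as shown by `ps`. The `squid -v` text used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): which squid.conf and which default
# cache directory does this Squid binary actually use?

# squid_paths: reads the output of `squid -v` on stdin and prints the
# compiled-in squid.conf and default cache_dir locations.
squid_paths() {
    opts=$(tr -d '\r' | sed -n 's/^configure options: *//p')
    prefix=/usr/local/squid            # Squid's configure default
    sysconfdir=""; localstatedir=""
    for o in $opts; do
        case "$o" in
            --prefix=*)        prefix=${o#--prefix=} ;;
            --sysconfdir=*)    sysconfdir=${o#--sysconfdir=} ;;
            --localstatedir=*) localstatedir=${o#--localstatedir=} ;;
        esac
    done
    : "${sysconfdir:=$prefix/etc}"       # autoconf defaults relative to prefix
    : "${localstatedir:=$prefix/var}"
    printf 'CONF=%s/squid.conf\nCACHE=%s/cache\n' "$sysconfdir" "$localstatedir"
}

# conf_from_cmdline "ARGS...": prints the -f argument of a squid command
# line (one line of `ps -o args=`), or returns 1 if no -f is present.
conf_from_cmdline() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -f)   [ $# -ge 2 ] || return 1; printf '%s\n' "$2"; return 0 ;;
            -f?*) printf '%s\n' "${1#-f}"; return 0 ;;
        esac
        shift
    done
    return 1
}

case "$0" in
    *squid-paths.sh)
        squid -v | squid_paths
        ps -o args= -C squid 2>/dev/null | while read -r line; do
            conf_from_cmdline "$line" || echo "(no -f on the command line: default file in use)"
        done
        ;;
esac
```

Once the file is known, `squid -f CONF -k parse` reports whether Squid reads the cache_dir line you expect. For the "(13) Permission denied" itself, `squid -z` creates the swap directories after switching to cache_effective_user, so the parent of the cache_dir must be writable by that user (`ls -ld` on the parent).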
Re: [squid-users] Is LDAP better than NTLM?
Thu 2006-09-14 at 12:10 -0400, Terry Dobbs wrote: > Is there a guide somewhere that explains using NTLM Authentication via squid > and restricting based on Winbindd groups? Several. * The squid FAQ. * The Squid Book * The Squid Wiki * Numerous third-party guides out there on the web and in the mail archives, just google for squid ntlm howto group Regards Henrik
[squid-users] Stuck - Tproxy+WCCPv2 Layer2
I'm not sure what I'm missing. I have a system on the same subnet as a 6500 switch layer 3 (PFC2/MSFCII) running 12.2.18(SDX). I'm running squid 2.6 STABLE3 Here is my squid.conf file..

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 48 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
maximum_object_size 150096 KB
minimum_object_size 0 KB
access_log /usr/local/squid-2.6/var/logs/access.log
cache_log none
cache_store_log none
half_closed_clients off
cache_swap_high 95
cache_swap_low 90
cache_dir aufs /var/squid/cache1 1 25 256
cache_dir aufs /var/squid/cache2 1 25 256
buffered_logs on
http_port 80 tproxy transparent
wccp2_router 172.16.103.1
wccp2_return_method 2
wccp_forwarding_method 2
wccp2_version 4
#wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
acl localnet src 172.16.100.0/255.255.252.0
acl localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny all

Here is what's relevant for my router/switch.

at6506_13LR#sh run int vlan 1
Building configuration...
Current configuration : 175 bytes
!
interface Vlan1
 ip address 172.16.103.1 255.255.252.0
 ip nat inside
 ip wccp 80 redirect in
 ip wccp 90 redirect out
 ip route-cache same-interface
 priority-group 1
end

ip wccp 80 redirect-list 1 group-list 90 accelerated
ip wccp 90 redirect-list 1 group-list 90 accelerated

cat6506_13LR#sh access-list 90
Standard IP access list 90
    10 permit 172.16.101.160 (11 matches)
    20 deny any
cat6506_13LR#sh access-list 1
Standard IP access list 1
    10 permit 172.16.101.98 (354 matches)
    20 deny any (5 matches)

I start squid ./squid -d9 and here is the output:

2006/09/14 14:26:27| parseConfigFile: line 21 unrecognized: 'wccp2_version 4'
2006/09/14 14:26:27| parseConfigFile: line 21 unrecognized: 'wccp2_version 4'
2006/09/14 14:26:27| Starting Squid Cache version 2.6.STABLE3 for i686-pc-linux-gnu...
2006/09/14 14:26:27| Process ID 29091
2006/09/14 14:26:27| With 1024 file descriptors available
2006/09/14 14:26:27| Using epoll for the IO loop
2006/09/14 14:26:27| Performing DNS Tests...
[EMAIL PROTECTED] sbin]# 2006/09/14 14:26:27| Successful DNS name lookup tests...
2006/09/14 14:26:27| DNS Socket created at 0.0.0.0, port 32768, FD 5
2006/09/14 14:26:27| Adding nameserver 172.16.101.105 from /etc/resolv.conf
2006/09/14 14:26:27| Adding nameserver 172.16.101.139 from /etc/resolv.conf
2006/09/14 14:26:27| Unlinkd pipe opened on FD 10
2006/09/14 14:26:27| Swap maxSize 2048 KB, estimated 1575384 objects
2006/09/14 14:26:27| Target number of buckets: 78769
2006/09/14 14:26:27| Using 131072 Store buckets
2006/09/14 14:26:27| Max Mem size: 49152 KB
2006/09/14 14:26:27| Max Swap size: 2048 KB
2006/09/14 14:26:27| Store logging disabled
2006/09/14 14:26:27| Rebuilding storage in /var/squid/cache1 (DIRTY)
2006/09/14 14:26:27| Rebuilding storage in /var/squid/cache2 (DIRTY)
2006/09/14 14:26:27| Using Least Load store dir selection
2006/09/14 14:26:27| Current Directory is /usr/local/squid-2.6/sbin
2006/09/14 14:26:27| Loaded Icons.
2006/09/14 14:26:27| ALERT: initgroups: unable to set groups for User nobody and Group 99
2006/09/14 14:26:27| Accepting transparently proxied HTTP connections at 0.0.0.0, port 80, FD 15.
2006/09/14 14:26:27| ALERT: initgroups: unable to set groups for User nobody and Group 99
2006/09/14 14:26:27| Accepting ICP messages at 0.0.0.0, port 3130, FD 16.
2006/09/14 14:26:27| ALERT: initgroups: unable to set groups for User nobody and Group 99
2006/09/14 14:26:27| Accepting SNMP messages on port 3401, FD 17.
2006/09/14 14:26:27| WCCP Disabled.
2006/09/14 14:26:27| Accepting WCCPv2 messages on port 2048, FD 18.
2006/09/14 14:26:27| Initialising all WCCPv2 lists
2006/09/14 14:26:27| ALERT: initgroups: unable to set groups for User nobody and Group 99
2006/09/14 14:26:27| Ready to serve requests.
2006/09/14 14:26:27| Done reading /var/squid/cache1 swaplog (0 entries)
2006/09/14 14:26:27| Done reading /var/squid/cache2 swaplog (0 entries)
2006/09/14 14:26:27| Finished rebuilding storage from disk.
2006/09/14 14:26:27| 0 Entries scanned
2006/09/14 14:26:27| 0 Invalid entries.
2006/09/14 14:26:27| 0 With invalid flags.
2006/09/14 14:26:27| 0 Objects loaded.
2006/09/14 14:26:27| 0 Objects expired.
2006/09/14 14:26:27| 0 Objects cancelled.
2006/09/14 14:26:27| 0 Duplicate URLs purged.
2006/09/14 14:26:27| 0 Swapfile clashes avoided.
2006/09/14 14:26:27| Took 0.3 seconds ( 0.0 objects/sec).
2006/09/14 14:26:27| Beginning Validation Procedure
2006/09/14 14:26:27| Completed Validation Procedure
2006/09/14 14:26:27| Validated 0 Entries
2006/09/14 14:26:27| stor
[squid-users] System Config
I have 60 clients attached to the squid server. squid server is celeron 2.4 ghz and 512 ram having 200K dedicated bandwidth do u think the server configuration is ok for 60 PCs
[squid-users] Can Squid Intercept Certain Pages and Display a Warning Page Before Redirecting
Hi We have a group of users who are being very excessive with their use of personal emails on google mail, yahoo mail etc, despite repeated reminders to limit the amount of time they spend doing that during the day Rather than take the severe route of just blocking those sites, I was trying to think of a way to use Squid as a proxy and when they visit the login for one of those email sites that it would first display a reminder page reminding them to limit the amount of time they spend doing personal stuff during work hours, and then allow them to continue on as they normally would either via a timed redirect and/or a hyperlink they could click on Once the warning was displayed we would want to turn off the warning so that it didn't come back up every time they went to read a message or click on some other url during the same session I'm at a loss how to do this, but I would imagine someone has done something like this before, even if it's something we need to purchase versus download? any ideas? thanks!
Re: [squid-users] Is LDAP better than NTLM?
Is there a guide somewhere that explains using NTLM Authentication via squid and restricting based on Winbindd groups? - Original Message - From: "Henrik Nordstrom" <[EMAIL PROTECTED]> To: "Terry Dobbs" <[EMAIL PROTECTED]> Cc: Sent: Thursday, September 14, 2006 4:04 AM Subject: Re: [squid-users] Is LDAP better than NTLM?
[squid-users] header version question
im trying to mod the header version from source, after re-compiling/installing, i run a test with nessus, but it doesn't change the actual version squid/2.5.STABLE14, is this possible? thanks

#ifndef SQUID_VERSION
#define SQUID_VERSION "bogusversion"
#endif
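Whether the rebuilt binary announces a different version is something the running proxy answers directly, independent of what was edited in the source tree. The function below is an added example, not from this thread: it reads an HTTP response's headers and pulls out the `squid/<version>` token that Squid places in the Via header it adds to proxied responses and in the Server header of the error pages it generates (these are the headers a scanner such as Nessus reads). The sample headers in the block are constructed; the proxy address in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): what version string does a Squid
# proxy actually announce in the headers a scanner sees?

# squid_version_from_headers: reads raw HTTP response headers on stdin and
# prints each distinct squid/<version> token found in Via or Server headers.
squid_version_from_headers() {
    tr -d '\r' \
    | sed -n -E 's#^([Vv]ia|[Ss]erver):.*(squid/[^ )]+).*$#\2#p' \
    | sort -u
}

# Constructed sample: a proxied response passing through a 2.5.STABLE14 box.
SAMPLE_HEADERS='HTTP/1.0 200 OK
Server: Apache
Via: 1.0 proxy.example.com:3128 (squid/2.5.STABLE14)
X-Cache: MISS from proxy.example.com
Connection: close
'

case "$0" in
    *squid-banner.sh)
        # Live check through an assumed proxy at 192.0.2.10:3128 would be:
        #   curl -sI -x http://192.0.2.10:3128 http://example.com/ | squid_version_from_headers
        printf '%s' "$SAMPLE_HEADERS" | squid_version_from_headers ;;
esac
```

Run the live check both for a normal page (Via header) and for a URL the proxy rejects (Server header on the error page), since the two are produced by different code paths. A proxy that has not been restarted since the rebuild still reports the old string, whatever the new binary contains.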
Re: [squid-users] running Squid on DELL P4/512MB/40GB(IDE).
Matus UHLAR - fantomas wrote: On 13.09.06 12:34, Joseph Opio wrote: I am currently setting up a small students' lab of about 100 PCs. I am planning on using a BSD 5.5REL running on a Dell machine with this spec: P4/512MB/40GB(IDE). For one hundred users I would not do anything special. Run it from the box and see what happens. If it's slow, add memory first. But I doubt that you need to do anything. JC
[squid-users] Re: (110) Connection timed out, but Privoxy can?
> If I perform a search at > "http://www.linuxquestions.org/questions/search.php" using Squid the error > returned is "(110) Connection timed out". The Privoxy on the same box, > and an IPCop Squid on a different box, perform the search without fault. > After clicking on "Search" at linuxquestions nothing is logged in > /var/log/squid. Have you performed a tcpdump to see what traffic is generated? Joost
[squid-users] Re: blocking external users on a bridge when firewall is disabled
William Bohannan wrote: > Hi I currently have been running squid for a while now and it works > fantastic. One problem: when I disable my firewall I notice that squid > goes overtime on caching and external users start using it? Is there a > way > to make squid only accept connections from my internal interface? Bind Squid only to the internal interface:

http_port internal.interface.ipaddress:port

And deny access from non-internal clients:

acl my_lan src network/mask
http_access allow my_lan
http_access deny all

Joost
[squid-users] Re: Illegal hostname
> 2006/09/13 07:50:21| urlParse: Illegal hostname > '.update.toolbar.yahoo.com' A hostname may not start with a ., so Squid rightfully says it's illegal. > The web access is very slow :( Which is unrelated to people providing invalid hostnames in requests. Joost
Re: [squid-users] Illegal hostname
* Matus UHLAR - fantomas <[EMAIL PROTECTED]>: > this has nothing to do with those messages. Just someone is still trying to > access http://.update.toolbar.yahoo.com/... maybe broken link somewhere. I'm seeing it here at charite.de as well, just for the record. -- Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155 Joint institution of FU and HU Berlin Fax. +49 (0)30-450 570-962 IT Centre, CBF site send no mail to [EMAIL PROTECTED]
Re: [squid-users] running Squid on DELL P4/512MB/40GB(IDE).
On 13.09.06 12:34, Joseph Opio wrote: > I am currently setting up a small students lab of > about 100 PCs. I am planning on using a BSD 5.5REL > running on a Dell machine with this spec: > P4/512MB/40GB(IDE). + more memory + dedicated extra HDD for squid cache (and, cache only on that hdd) > I also need to point to the main > campus Webserver as parent. > Anybody out there with similar setup or simply > knowledge to share with me on the basics in regard to: > 1)Configuring and recompiling the Kernel based on the > Dell hardware above > 2)Configuring and recompiling SQUID for this number > of users. you may optimize your kernel for that CPU, board, etc, however GENERIC kernel might work. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: [squid-users] Illegal hostname
On 13.09.06 15:24, Aurélien Bras wrote: > my cache.log file give : > > 2006/09/13 07:50:21| urlParse: Illegal hostname '.update.toolbar.yahoo.com' [...] > 2006/09/13 09:56:14| urlParse: Illegal hostname '.update.toolbar.yahoo.com' > The web access is very slow :( this has nothing to do with those messages. Just someone is still trying to access http://.update.toolbar.yahoo.com/... maybe broken link somewhere. for web access check CPU, memory, disk usage, check FAQ for performance tuning. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton
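Joost's point that a hostname may not begin with a dot, and Matus's that the log line only records somebody repeatedly following a broken link, both come down to what Squid's URL parser accepts. The script below is an added example, not code from Squid or from either reply: it checks a hostname against the label rules of RFC 1123 (one to 63 characters per label, letters, digits and hyphens only, no leading or trailing hyphen, no empty label, 253 characters in total) and then tallies the hostnames Squid refused from cache.log, so the noisiest offender can be matched by timestamp against access.log to find the client behind it. The log lines in the block are constructed. The check is stricter than Squid's default in one respect: Squid accepts underscores unless `allow_underscore` is turned off, while RFC 1123 does not.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's code): RFC 1123 hostname
# check plus a tally of hostnames Squid rejected in cache.log.

# valid_hostname NAME: returns 0 when NAME is a syntactically valid hostname.
# Labels: 1-63 chars of [A-Za-z0-9-], no leading/trailing hyphen, no empty
# label (so no leading, trailing or doubled dots); 253 chars overall.
valid_hostname() {
    h=$1
    [ -n "$h" ] && [ ${#h} -le 253 ] || return 1
    printf '%s\n' "$h" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# rejected_hostnames: reads cache.log on stdin and prints "count hostname"
# for every "urlParse: Illegal hostname" entry, most frequent first.
rejected_hostnames() {
    sed -n "s/^.*urlParse: Illegal hostname '\([^']*\)'.*$/\1/p" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed cache.log sample.
SAMPLE_LOG="2006/09/13 07:50:21| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 07:51:02| storeDirWriteCleanLogs: Starting...
2006/09/13 09:56:14| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
2006/09/13 09:57:30| urlParse: Illegal hostname 'bad_host.example'"

case "$0" in
    *hostcheck.sh)
        printf '%s\n' "$SAMPLE_LOG" | rejected_hostnames
        for h in update.toolbar.yahoo.com .update.toolbar.yahoo.com; do
            if valid_hostname "$h"; then echo "ok   $h"; else echo "bad  $h"; fi
        done ;;
esac
```

Feed the real file with `rejected_hostnames < /var/log/squid/cache.log`; a single hostname with a high count and regular timestamps is the broken-link pattern Matus describes, not a proxy problem.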
Re: [squid-users] Re: Problem with ACL
> Tue 2006-09-12 at 10:33 +0100, Zahir wrote: > > Now my question is how to allow the users to access that site, at the same > > time the squid should deny .exe files. On 12.09.06 20:37, Henrik Nordstrom wrote: > As you can not know if the .exe URL is a download of a .exe file or a > CGI running on the server it's not very easy, but to start with > whitelisting /cgi-bin/ from the .exe block is perhaps a good idea. Isn't this (blocking files by extension) still in the FAQ? -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. Emacs is a complicated operating system without good text editor.
RE: [squid-users] i got "Failed to select source..." at cache.log
well, i am configuring both.. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Thursday, September 14, 2006 8:35 PM To: SSCR Internet Admin Cc: squid-users@squid-cache.org Subject: Re: [squid-users] i got "Failed to select source..." at cache.log On Thu, 2006-09-14 at 18:36 +0800, SSCR Internet Admin wrote: > I just install squid 2.6STABLE3, but got this line at cache.log > "Failed to select source.." Probably you configured your Squid as an accelerator and not as an Internet proxy.. Regards Henrik -- All messages that are coming from this domain is certified to be virus and spam free. If ever you have received any virus infected content or spam, please report it to the internet administrator of this domain [EMAIL PROTECTED]
Re: [squid-users] i got "Failed to select source..." at cache.log
On Thu, 2006-09-14 at 18:36 +0800, SSCR Internet Admin wrote: > I just install squid 2.6STABLE3, but got this line at cache.log "Failed to > select source.." Probably you configured your Squid as an accelerator and not as an Internet proxy.. Regards Henrik
Re: [squid-users] Forwarding loop?
On Thu, 2006-09-14 at 11:46 +0200, Ralf Hildebrandt wrote: > I solved that by explicitly telling my clients to route the requests > for the icons via the same proxy chain and alas, the problem ist gone Yes.. clients must know how to request http:/// where visible_hostname is from the proxy generating the FTP listing.. So you must make sure visible_hostname is something the clients will be able to reach somehow (directly, or via proxies). Regards Henrik
Re: [squid-users] Forwarding loop?
On Thu, 2006-09-14 at 10:26 +0200, Ralf Hildebrandt wrote: > The proxy-chain looks like this: > intranet -> proxy-cbf-1.charite.de -> DansGuardian -> > proxy-cbf-1-nocache.charite.de -> Internet > > is there any way of making the INNERMOST Squid generate the FTP listing? Yes, just configure it to not send ftp to DansGuardian... Regarding the icons.. having visible_hostname equal on the two should work (unique_hostname must be unique). So should enabling the global_internal_static directive.. (default on). Regards Henrik
[squid-users] i got "Failed to select source..." at cache.log
Hi, I just install squid 2.6STABLE3, but got this line at cache.log "Failed to select source.." If im not mistaken squid is looking for a parent but couldn't find one. But I don't have parent caches... i just enable always_direct allow our_network to compensate.. strange 2.5 didn't have this prob.. just a thought... Nats
Re: [squid-users] Forwarding loop?
* Ralf Hildebrandt <[EMAIL PROTECTED]>: > The problem also (to some extent) occurs with Squid-generated FTP listings. > Have a look: > http://www.stahl.bau.tu-bs.de/~hildeb/broken_icons.png > > You can see that the page was generated by > proxy-cbf-1-nocache.charite.de > > The proxy-chain looks like this: > intranet -> proxy-cbf-1.charite.de -> DansGuardian -> > proxy-cbf-1-nocache.charite.de -> Internet > > is there any way of making the INNERMOST Squid generate the FTP listing? I solved that by explicitly telling my clients to route the requests for the icons via the same proxy chain and alas, the problem is gone -- Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155 Joint institution of FU and HU Berlin Fax. +49 (0)30-450 570-962 IT Centre, CBF site send no mail to [EMAIL PROTECTED]
RE: [squid-users] blocking external users on a bridge when firewall is disabled
Thanks again, will review my dg acl.

Kind Regards
William

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 14 September 2006 08:47
To: William Bohannan
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] blocking external users on a bridge when firewall is disabled

Thu 2006-09-14 at 08:45 +, William Bohannan wrote:
> Thanks for the quick response. I have the following in my squid ACL it just
> seems a bit strange that I am only letting in local traffic and external
> traffic is getting in. I am using dansguardian as a content filter.

If so then you need to configure the access controls in dansguardian. All Squid sees is the requests coming from dansguardian.

Regards
Henrik
RE: [squid-users] blocking external users on a bridge when firewall is disabled
Thanks for the quick response. I have the following in my squid ACL it just seems a bit strange that I am only letting in local traffic and external traffic is getting in. I am using dansguardian as a content filter.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow manager
http_access allow localhost
http_access deny all

Kind Regards
William

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 14 September 2006 08:10
To: William Bohannan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] blocking external users on a bridge when firewall is disabled

Wed 2006-09-13 at 19:39 +, William Bohannan wrote:
> goes overtime on caching and external users start using it? Is there a way
> to make squid only accept connections from my internal interface? I am
> running two nics in bridge mode.

Yes. The default squid.conf shipped with Squid reads:

# TAG: http_access
# Allowing or Denying access based on defined access lists
[...]
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

Regards
Henrik
RE: [squid-users] blocking external users on a bridge when firewall is disabled
Thu 2006-09-14 at 08:45 +, William Bohannan wrote:
> Thanks for the quick response. I have the following in my squid ACL it just
> seems a bit strange that I am only letting in local traffic and external
> traffic is getting in. I am using dansguardian as a content filter.

If so then you need to configure the access controls in dansguardian. All Squid sees is the requests coming from dansguardian.

Regards
Henrik
Re: [squid-users] Forwarding loop?
* Henrik Nordstrom <[EMAIL PROTECTED]>:
> > How can I prevent the internal stuff from being forwarded to the
> > parent_proxy?
>
> If it gets forwarded at all then Squid didn't recognise the URL as
> belonging to him.. probably you did not use the correct hostname in the
> requested URL, it needs to use visible_hostname (or none at all).

The problem also (to some extent) occurs with Squid-generated FTP listings.
Have a look:
http://www.stahl.bau.tu-bs.de/~hildeb/broken_icons.png

You can see that the page was generated by
proxy-cbf-1-nocache.charite.de

The proxy-chain looks like this:
intranet -> proxy-cbf-1.charite.de -> DansGuardian ->
proxy-cbf-1-nocache.charite.de -> Internet

is there any way of making the INNERMOST Squid generate the FTP listing?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)          [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin             Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin     Fax. +49 (0)30-450 570-962
IT-Zentrum Standort CBF                          send no mail to [EMAIL PROTECTED]
Re: [squid-users] Caching Issue with accelerator mode
Tue 2006-09-12 at 08:00 -0700, Frank Hoang wrote:
> During offpeak times, caching will work and Age of page will always be
> under 20seconds. This works the way it's intended.
> The page will always have an age under 20 seconds.
> During Peak times, when traffic is high, the Age of the page will stay
> cached by squid and have Page Age of ~120-300 seconds.

Maybe your backend is a bit overloaded, taking time to compose the page?

Have you perhaps set refresh_stale_hit?

Regards
Henrik
Re: [squid-users] (110) Connection timed out, but Privoxy can?
Thu 2006-09-14 at 11:11 +1000, Ian wrote:
> If I perform a search at
> "http://www.linuxquestions.org/questions/search.php" using Squid the
> error returned is "(110) Connection timed out". The Privoxy on the
> same box, and an IPCop Squid on a different box, perform the search
> without fault. After clicking on "Search" at linuxquestions nothing
> is logged in /var/log/squid.

Works here..

Who is giving the Connection timed out error?

Note: If nothing at all gets logged in access.log then the request didn't even reach Squid.

Regards
Henrik
Re: [squid-users] blocking external users on a bridge when firewall is disabled
Wed 2006-09-13 at 19:39 +, William Bohannan wrote:
> goes overtime on caching and external users start using it? Is there a way
> to make squid only accept connections from my internal interface? I am
> running two nics in bridge mode.

Yes. The default squid.conf shipped with Squid reads:

# TAG: http_access
# Allowing or Denying access based on defined access lists
[...]
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

Regards
Henrik
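To show why the http_access rules above behave as they do, here is a small first-match evaluator for Squid's src ACLs and http_access lines. It is an added illustration, not code from the thread or from Squid; the squid.conf fragment is the default one quoted above with the our_networks rule uncommented, and it also shows the point made earlier in the thread that a request arriving from a filter on the same box matches the localhost rule, whatever the real client was.

```python
import ipaddress

# Constructed squid.conf fragment: the shipped defaults with the example
# our_networks rule enabled. Only "acl NAME src ..." and http_access lines
# are interpreted; negation (!acl) is not supported in this toy evaluator.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow manager
http_access allow localhost
http_access allow our_networks
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: [networks]}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            # ip_network accepts both 192.168.1.0/24 and 127.0.0.1/255.255.255.255
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def http_access(acls, rules, client_ip):
    """First http_access line whose ACLs all match decides; non-src ACLs never match here.

    If nothing matches, Squid applies the opposite of the last line's action,
    which is why the config ends with an explicit 'deny all'.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(any(ip in net for net in acls.get(n, [])) for n in names):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    for src in ("192.168.1.50", "203.0.113.9", "127.0.0.1"):
        print(src, "->", http_access(acls, rules, src))
```

The third case is the one that matters on a bridge with a local content filter: Squid sees 127.0.0.1 as the source, so the external client is admitted by the localhost rule and only the filter's own access controls can stop it.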
Re: [squid-users] Authentication failure with dotnet 2.0 app
On Thu, Sep 14, 2006, Henrik Nordstrom wrote:
> Wed 2006-09-13 at 21:57 +0800, Adrian Chadd wrote:
> > Squid-2.5 doesn't support the stuff required to properly proxy NTLM
> > authentication.
>
> But he isn't. Just plain NTLM proxy authentication which should work
> fine in 2.5.

Cool. Well, I stand corrected. :)

Adrian
Re: [squid-users] running Squid on DELL P4/512MB/40GB(IDE).
Wed 2006-09-13 at 12:34 -0700, Joseph Opio wrote:
> I am currently setting up a small students’ lab of
> about 100 PCs. I am planning on using a BSD 5.5REL
> running on a Dell machine with this spec:
> P4/512MB/40GB(IDE).

Looks like fairly standard hardware with no odd things?

> 1)Configuring and recompiling the Kernel based on the
> Dell hardware above

The default kernel should just work I think. Why compiling a new kernel?

> 2)Configuring and recompiling SQUID for this number
> of users.

Not much to configure for so few users. Just the cache_dir and your access rules. See the QUICKSTART document.

Regards
Henrik
Re: [squid-users] Is LDAP better than NTLM?
Wed 2006-09-13 at 13:29 -0400, Terry Dobbs wrote:
> Currently I am using NTLM Authentication (with winbindd) to authenticate
> users accessing the internet. This works pretty well after the initial
> setup, however there are nuances like once the DC is restarted or loses
> connectivity you need to restart the squid server (or winbindd) to get up
> and running again.

File a Samba bug report about that. It's not how it is supposed to be.. But first it may be a good idea to ensure you are running the current Samba release in case it's an old problem they have already fixed. Current Samba release is 3.0.23c.

> My question is whether LDAP is a better option?

Depends on your requirements. I think the better option for you would be to get winbind fixed.

> Will using LDAP require a user to login to access the internet?

Yes. LDAP is only possible with Basic authentication.

> The thing I like about NTLM is it
> using the currently logged on credentials so the users don't need to
> login.

Yes.

> I assume that by using LDAP I won't need to reboot the squid server if
> the connection to the DC is temporarily lost?

Most likely not. But you shouldn't need this with Samba winbind either.

But it's worth noting that basic authentication (using any method) has much less dependency on the AD as Squid can then cache the validity of the account and does not need to ask the AD on every request (or TCP connection).

> It would also be nice to
> restrict users based on their AD group which I will be able to do with LDAP.

That's equally possible when using NTLM for authentication. Using either the winbind group helper or the LDAP group helper. Group membership lookup is separate from authentication.

Regards
Henrik
Re: [squid-users] Squid+Cisco w/WCCP ---> multiple tcp ports?
Wed 2006-09-13 at 18:41 +0800, Adrian Chadd wrote:
> > - After I successfully redirect other ports like 8080, et. al. to
> > squid, will it automagically use the original port number in its
> > request?
>
> I don't think squid has the smarts to do this;

It should by default if the Host header has a port or clientNatLookup() is doing its job properly.

Regards
Henrik
Re: [squid-users] Authentication failure with dotnet 2.0 app
On Thu, Sep 14, 2006, Henrik Nordstrom wrote:
> Wed 2006-09-13 at 21:57 +0800, Adrian Chadd wrote:
> > Squid-2.5 doesn't support the stuff required to properly proxy NTLM
> > authentication.
>
> But he isn't. Just plain NTLM proxy authentication which should work
> fine in 2.5.

Hm, I read it as "authenticating NTLM through to the application" which wasn't working; that won't work in Squid-2.5..

Adrian
Re: [squid-users] Illegal hostname
Wed 2006-09-13 at 15:24 +0200, Aurélien Bras wrote:
> Hi,
>
> my cache.log file give :
>
> 2006/09/13 07:50:21| urlParse: Illegal hostname '.update.toolbar.yahoo.com'
> 2006/09/13 07:50:59| urlParse: Illegal hostname '.update.toolbar.yahoo.com'

Some client going nuts. See access.log to find who the client is..

Regards
Henrik
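Following the advice above, here is an added example (not from the thread or from Squid) that scans access.log in Squid's native format for requests whose host part is not a legal hostname, such as the leading-dot name in the cache.log entries, and groups them by client address. The log lines are constructed for the example; the hostname check is a plain RFC 1123 label test.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1158130221.512    0 10.0.0.17 NONE/400 1234 GET http://.update.toolbar.yahoo.com/foo - NONE/- text/html
1158130222.004   87 10.0.0.42 TCP_MISS/200 5310 GET http://www.squid-cache.org/ - DIRECT/206.168.0.9 text/html
1158130230.310  120 10.0.0.42 TCP_MISS/200 0 CONNECT mail.example.org:443 - DIRECT/203.0.113.5 -
1158130259.771    0 10.0.0.17 NONE/400 1234 GET http://.update.toolbar.yahoo.com/bar - NONE/- text/html
1158130260.113    0 10.0.0.23 NONE/400 1234 GET http://bad_host.example/ - NONE/- text/html
"""

# Labels of 1-63 letters/digits/hyphens, no leading or trailing hyphen,
# joined by single dots; an optional trailing dot (FQDN form) is allowed.
VALID_HOST = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def parse_line(line):
    """Pick the client address and request URL out of one native-format line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "url": fields[6]}


def host_of(url):
    """Host part of the logged URL; CONNECT requests log bare host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def find_illegal_hostnames(log_text):
    """Return {client_ip: [hostnames]} for requests with an illegal host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if not VALID_HOST.match(host):
            hits[rec["client"]].append(host)
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in find_illegal_hostnames(SAMPLE_ACCESS_LOG).items():
        print(client, len(hosts), sorted(set(hosts)))
```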
Re: [squid-users] Authentication failure with dotnet 2.0 app
Wed 2006-09-13 at 21:57 +0800, Adrian Chadd wrote:
> Squid-2.5 doesn't support the stuff required to properly proxy NTLM
> authentication.

But he isn't. Just plain NTLM proxy authentication which should work fine in 2.5.

Regards
Henrik
Re: [squid-users] FATAL: Failed to make swap directory /cache1: (17) File exists
Wed 2006-09-13 at 17:42 +0545, Harish Pokharel wrote:
> 006/09/13 17:30:46| Creating Swap Directories
> FATAL: Failed to make swap directory /cache1: (17) File exists

/cache1 exists on your system and is not a directory.

Regards
Henrik
Re: [squid-users] squid with ntlm + AD, without samba?
Wed 2006-09-13 at 14:43 +0200, Jakob Curdes wrote:
> But that unreliable tool works for me with 150+ users for years. Never
> had any probs. I know it's different sometimes, but occasionally even
> IT people have luck !

It works reasonably well in small setups. The problem is that it quickly breaks down in larger setups due to odd assumptions made by Microsoft SMB server... Appears it gets confused when there are concurrent logins with different users from the same IP or something like that.

Also it's not very strong authentication protection, only LANMANAGER (easy to reverse into plaintext). This should be compared to the Samba helper using NTLMv2 when possible.

Regards
Henrik