[squid-users] cache this request
Hi,

I need to cache in our proxy a request such as this one:

acl adiservlet urlpath_regex /adi/servlet/Web?nexus=
no_cache allow adiservlet

This acl is before the no_cache directives from the squid default, but I don't know if this can work because of the parameter after the "?".
Is this correct?

Currently with this directive the log is showing this:

orfeo.unav.es - - [28/Sep/2006:11:47:23 +0200] "GET http://www.unav.es/adi/servlet/Web? HTTP/1.0" 200 6276 TCP_MISS:DIRECT
dynamicIP.rima-tde.net - - [28/Sep/2006:11:47:33 +0200] "GET http://www.unav.es/adi/servlet/Web? HTTP/1.1" 200 7577 TCP_MISS:DIRECT
dynamicIP.rima-tde.net - - [28/Sep/2006:11:47:47 +0200] "GET http://www.unav.es/adi/servlet/Web? HTTP/1.1" 200 6867 TCP_MISS:DIRECT
dynamicIP.rima-tde.net - - [28/Sep/2006:11:48:09 +0200] "GET http://www.unav.es/adi/servlet/Web? HTTP/1.1" 302 305 TCP_MISS:DIRECT
(This log is from a reverse proxy)

so I think that isn't working.

Any help?

--
Thanks.
Emilio C
Re: [squid-users] cache this request
On 28.09.06 11:55, Emilio Casbas wrote:
> I need to cache in our proxy a request such this one,
>
> acl adiservlet urlpath_regex /adi/servlet/Web?nexus=
> no_cache allow adiservlet
>
> This acl is before the no_cache directives from squid default, but i
> don't know if this can work because the parameter after the "?".
> Is this correct?

Requests containing '?' generally can be cached, but the default squid config contains directives that prevent it:

#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY

> orfeo.unav.es - - [28/Sep/2006:11:47:23 +0200] "GET
> http://www.unav.es/adi/servlet/Web? HTTP/1.0" 200 6276 TCP_MISS:DIRECT
> dynamicIP.rima-tde.net - - [28/Sep/2006:11:47:33 +0200] "GET
> http://www.unav.es/adi/servlet/Web? HTTP/1.1" 200 7577 TCP_MISS:DIRECT
> dynamicIP.rima-tde.net - - [28/Sep/2006:11:47:47 +0200] "GET
> http://www.unav.es/adi/servlet/Web? HTTP/1.1" 200 6867 TCP_MISS:DIRECT
> dynamicIP.rima-tde.net - - [28/Sep/2006:11:48:09 +0200] "GET
> http://www.unav.es/adi/servlet/Web? HTTP/1.1" 302 305 TCP_MISS:DIRECT
> (This log is from a reverse proxy)
>
> so i think that isn't working.

However, the query string must be the same to cache it; you probably have query strings stripped off (it's also the default).

At last, the query result must be cacheable (search for cacheability of http://www.unav.es/adi/servlet/Web?... , there's a checking engine somewhere)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"Where do you want to go to die?" [Microsoft]
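The regex and rule-order points in this thread, as an added example (not code from either poster or from Squid): a first-match evaluator over no_cache-style rules. It assumes `grep -E` (POSIX extended regex) as a stand-in for Squid's `urlpath_regex` matching and that the ACL sees the URL path including the query string; the `nexus=42` path is a constructed sample.

```shell
#!/bin/sh
# Added example: first-match evaluation of no_cache-style rules.
# Assumption: grep -E stands in for Squid's urlpath_regex matching, and the
# pattern is tested against the URL path including the query string.

# acl_matches PATTERN URLPATH -> exit status 0 when the pattern matches
acl_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# first_match URLPATH RULE... -> prints the action of the first matching rule,
# or "default" when no rule matches. Each RULE is "action<space>pattern".
first_match() {
    urlpath=$1
    shift
    for rule in "$@"; do
        action=${rule%% *}
        pattern=${rule#* }
        if acl_matches "$pattern" "$urlpath"; then
            printf '%s\n' "$action"
            return 0
        fi
    done
    printf 'default\n'
}

# Constructed sample request path (the nexus value is made up).
SAMPLE='/adi/servlet/Web?nexus=42'

# Pattern as posted: "b?" means "optional b", so it never matches a literal
# "?" and the request falls through to the default QUERY patterns.
as_posted() {
    first_match "$SAMPLE" 'allow /adi/servlet/Web?nexus=' 'deny cgi-bin' 'deny \?'
}

# Escaped "?" listed before the default QUERY patterns.
escaped_first() {
    first_match "$SAMPLE" 'allow /adi/servlet/Web\?nexus=' 'deny cgi-bin' 'deny \?'
}

# Escaped "?" listed after the default QUERY patterns: the deny wins first.
escaped_last() {
    first_match "$SAMPLE" 'deny cgi-bin' 'deny \?' 'allow /adi/servlet/Web\?nexus='
}

echo "as posted:     $(as_posted)"
echo "escaped first: $(escaped_first)"
echo "escaped last:  $(escaped_last)"
```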
[squid-users] Problem defining external_acl_type
My squid.conf looks like this around the "crucial lines":

external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %\
{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid\
/squidAcl.py
acl is_cacheable external is_cacheable_type
no_cache allow is_cacheable

If I comment these lines out, squid starts but obviously without this setting.
This is the error I get:

# squid -N -d1
FATAL: Bungled squid.conf line 165: external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.

I got this setting from Plone's CacheFu product which (using a script) created this squid.conf for me.
Any idea anyone?

# squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT,winbind --enable-ntlm-auth-helpers=SMB,winbind,fakeauth --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --enable-useragent-log --enable-referer-log --enable-fd-config

--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
[squid-users] disable ntlm_auth for java
Hello,

We authenticate our users over ntlm_auth. The problem is if they load a Java-Applet which is implemented on a Secure Site (www.netbanking.at), Java pops up a window and forces the users to enter their username, password and domain to load the Applet. Is there a way to disable authentication for Java-Applets or for some sites?

Same shit on Windows Update Site. Site is searching for needed updates when suddenly an error appears.

authentication lines in squid.conf look something like this:

auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/PDC
auth_param ntlm children 10
auth_param ntlm max_challenge_lifetime 2 minutes

Would be really great if somebody can help me out of this problem!

Thanks and best regards
Siegfried
Re: [squid-users] Problem defining external_acl_type
Peter Bengtsson wrote:
> # squid -N -d1
> FATAL: Bungled squid.conf line 165: external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
> Squid Cache (Version 2.5.STABLE3): Terminated abnormally.

Hello Bengtsson,

TAG: external_acl_type

This option defines external acl classes using a helper program to look up the status

external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]

Thanks,
Visolve Squid Team,
www.visolve.com/squid/
Re: [squid-users] Smart way to Block Streaming Video/audio websites
Siju George wrote:
> Hi,
>
> Could someone please tell me what is the effective way for blocking streaming media from websites like
>
> 1) http://video.google.com/
> 2) http://www.youtube.com/
>
> Or at least is there a place where I can get a list of such popular streaming websites so that I can block them?

Hello Siju,

The list of sites can be blocked by using the following configuration in squid.conf.

acl blocked_sites dstdom_regex "/usr/local/sites.txt"
http_access deny blocked_sites

Thanks,
Visolve Squid Team
www.visolve.com/squid/
Re: [squid-users] Problem defining external_acl_type
On 9/28/06, Visolve Squid <[EMAIL PROTECTED]> wrote:
> Peter Bengtsson wrote:
> > # squid -N -d1
> > FATAL: Bungled squid.conf line 165: external_acl_type
> > is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac}
> > %{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match}
> > /etc/squid/squidAcl.py
> > Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
>
> Hello Bengtsson,
>
> TAG: external_acl_type
>
> This option defines external acl classes using a helper program to look up the status
>
> external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]

Isn't that what I've done?

--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
[squid-users] Cannot access .com sites
Hello,

Suddenly my squid stopped working for .com sites, any other .co.uk is fine.

I just cannot access the .com, recompiled, check my name servers, using the latest 2.4 stable 4.

Anybody can help why a sudden change !

Rgds,
Re: [squid-users] Stream audio/video
2006/9/25, Tino Reichardt <[EMAIL PROTECTED]>:
> * Marcel Werner <[EMAIL PROTECTED]> wrote:
> > Hi *,
> >
> > I have to block all audio / video streams.
> >
> > I have createt rules to block the download of *pls|mp3|
> > Thats worked.
> >
> > But when the user go to a website like :
> >
> > http://www.liveradio.de/
> >
> > and klick to the link a php download opend and squid doesnt filter that
> > think.
> >
> > Ok now I have readed about a acl like browser but the download is no
> > mimetype video or audio, its like a normal file.
>
> Suggestion 1:
> Just use Squidwall and set up an banner filter with regex.7 expressions on the content (bcfilter).
>
> The squidwall filter would look like:
> ^Content-Type: application/x-shockwave-flash
> ^Content-Type: audio/.*
> ^Content-Type: video/.*
>
> Every Video/Audiostream will be replaced with an 1x1 pixel ;)
>
> Suggestion 2:
> If you want to show some deny page, you have to choose the crfilter - content regex filter. Every attempt to load some video will be redirected to your "Hey, YOU SHOULDN'T DO THAT" page ;)
>
> --
> regards, TR

Hello *,

thanks for the request. I have solved the problem. I have blocked all ports >1025 and I have created a lot of rules (I will paste them after my holidays) for mime-type blocking.

The last problem was that the browser acl did not know that RMA (RealMedia) is a video or audio content type.
Now I have created a rule RealMedia and now on can watch TV
Now the problem is solved for me :-)

Kind regards,
Marcel
Re: [squid-users] disable ntlm_auth for java
Hello!

I had the same problem and I did the same thing you are thinking about. I bypassed authentication for java stuff. I've read many things including the sun knowledge base and there are many issues regarding authentication with the jvm, especially with ntlm!

You can solve this by creating an acl like this:

acl java_jvm browser Java/1.4 Java/1.5
http_access allow java_jvm

Remember to keep it in front of any http_access lines regarding authentication, otherwise it won't work.

I haven't worked out the windows update issue since I only do it in my servers and when I do I make a NAT rule in my firewall, but I think it has something to do with 443 port (ssl).

Cheers,
André

Hitzler, Siegfried (Exchange) wrote:
> Hello,
>
> We authenticate our users over ntlm_auth. The problem is if the load a
> Java-Applet which is implemented on a Secure Site (www.netbanking.at), Java
> pops up a Windows and force the users to enter their username, password and
> domain to load the Applet. Is there a way to disable authentication for
> Java-Applets or for some sites?
>
> Same shit on Windows Update Site. Site is searching for needing updates when
> suddenly an error apears.
>
> authentication lines in squid.conf looks something like this:
>
> auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/PDC auth_param ntlm
> children 10 auth_param ntlm max_challenge_lifetime 2 minutes
>
> Would be realy greate if somebody can help me out of this problem!
>
> Thanks and best regards
>
> Siegfried
RE: [squid-users] disable ntlm_auth for java
Yes, that was what I read and implemented. But it didn't work ...

... until now !!! :D

That was also my second thought - The order in the file!
I placed the files before this acl and now it works !

acl ACLAUTH proxy_auth REQUIRED

Squid config looks something like this:

--
acl Java browser Java/1.4 Java/1.5
acl Windows-Update dstdomain .microsoft.com .windowsupdate.com

http_access allow Java
http_access allow Windows-Update

acl usrauth proxy_auth REQUIRED
acl DenyWindowsGroups external Domain_Group "/etc/squid/DeniedWindowsGroups"
acl otatwrk src xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
acl local-servers dstdomain DOMAINSUFFIX
--

Thanks for your help!
Have a nice day ;)

-Original Message-
From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED]
Sent: Thursday, 28 September 2006 15:42
To: squid-users@squid-cache.org
Cc: Hitzler, Siegfried (Exchange)
Subject: Re: [squid-users] disable ntlm_auth for java

Hello!

I had the same problem and I did the same thing you are thinking about. I bypassed authentication for java stuff. I've read many things including the sun knowledge base and there are many issues regarding authentication with the jvm, especially with ntlm!

You can solve this by creating an acl like this:

acl java_jvm browser Java/1.4 Java/1.5
http_access allow java_jvm

Remember to keep it in front of any http_access lines regarding authentication, otherwise it won't work.

I haven't worked out the windows update issue since I only do it in my servers and when I do I make a NAT rule in my firewall, but I think it has something to do with 443 port (ssl).

Cheers,
André

Hitzler, Siegfried (Exchange) wrote:
> Hello,
>
> We authenticate our users over ntlm_auth. The problem is if the load a
> Java-Applet which is implemented on a Secure Site (www.netbanking.at),
> Java pops up a Windows and force the users to enter their username,
> password and domain to load the Applet. Is there a way to disable
> authentication for Java-Applets or for some sites?
>
> Same shit on Windows Update Site. Site is searching for needing
> updates when suddenly an error apears.
>
> authentication lines in squid.conf looks something like this:
>
> auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/PDC auth_param
> ntlm children 10 auth_param ntlm max_challenge_lifetime 2 minutes
>
> Would be realy greate if somebody can help me out of this problem!
>
> Thanks and best regards
>
> Siegfried
[squid-users] Reverse Proxy Cipher
On my reverse proxy https server I need to only allow 128bit or better cipher. What do I need to use after cipher= to only allow 128bit or better? Thanks for any help.
[squid-users] complete AD integration of squid
I want to set up squid (on Linux) in a windows environment. Basic ADS authentication has been completed successfully.

I have different classes of users - managers, assistant managers, executives, agents etc.

I want to know if this is possible:

If a user belongs to a group called SQUID-MANAGERS on the ADS, can he get manager internet privileges through squid? I mean I would define the policy for the group SQUID-MANAGERS in squid.

The purpose of doing this would be that I do not need to update squid config files regularly and SQUID- rights are given/revoked when a UserID is created/deleted.

I plan to install dansguardian also over squid.

(Though I don't know the specifics of dansguardian, I wanted to know the possibilities before I go ahead)

Thanks,
Navin J.
[squid-users] Sarg account reset
I am running squid 2.5 stable 9 on with sarg Mandrake.. I have root access to the box, but do not have the ability to connect to sarg. How can I verify connection to sarg and then from the shell create/reset an account?

Victor
[squid-users] Squid account synchronization
I am running squid 2.5 stable 9. Is there any way with LDAP I can sync accounts with my windows domain? In addition to that I want to be able to have users' account info passed to the proxy without forcing them to "sign in". I have a group policy that configures their Internet Explorer to use the proxy server, but wanted to know if using either the automatic configuration script can work.

Basic question... Is this possible?

Victor
Re: [squid-users] Sarg account reset
Victor Fansler wrote:
> I am running squid 2.5 stable 9 on with sarg Mandrake.. I have root access to the box, but do not have the ability to connect to sarg. How can I verify connection to sarg and then from the shell create/rest an account?

You are talking about the Squid Logfile Analysis Generator (http://sarg.sourceforge.net/sarg.php)?
You cannot connect to sarg. sarg generates HTML pages and puts them in the file system. To access these via a web server you have to install one or transfer the HTML page tree to a machine with a web server.

Yours,
Jakob Curdes
Re: [squid-users] complete AD integration of squid
> If a user belongs to a group called SQUID-MANAGERS on the ADS, can he get manager internet privileges through squid? I mean I would define the policy for the group SQUID-MANAGERS in squid.
>
> The purpose of doing this would be that I do not need to update squid config files regularly and SQUID- rights a given/revoked when I UserID is created/deleted.

What do you mean by "define the policy for the group SQUID-MANAGERS" ? It is possible to have different user groups that are defined on the AD and use these in squid config ACLS. What you cannot do is change the ACLs themselves without touching the config file.

Yours,
Jakob Curdes
Re: [squid-users] Problem defining external_acl_type
Peter Bengtsson wrote:
> My squid.conf looks like this around the "crucial lines":
>
> external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %\
> {Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid\
> /squidAcl.py

# Compatibility Note: The children= option was named concurrency= in
# Squid-2.5.STABLE3 and earlier and such syntax is still accepted to
# keep compatibility within the Squid-2.5 release. However, the meaning
# of concurrency= option has changed in Squid-3 and the old syntax of
# the directive is therefore deprecated from Squid-2.5.STABLE4 and later.
# If you want to be able to easily downgrade to earlier Squid-2.5
# releases you may want to continue using the old name, if not
# please use the new name.

Try "concurrency" instead of "children". Or upgrade to a recent version of Squid, as 2.5STABLE3 was released more than three years ago (http://www.squid-cache.org/mail-archive/squid-users/200305/0998.html). A lot of improvements have been made since then...

> acl is_cacheable external is_cacheable_type
> no_cache allow is_cacheable
>
> If I comment these lines out, squid starts but obviously without this setting.
> This is the error I get:
>
> # squid -N -d1
> FATAL: Bungled squid.conf line 165: external_acl_type is_cacheable_type children=20 %{Cookie:__ac} %{Cookie:;__ac} %{Cookie:_ZopeId} %{Cookie:;_ZopeId} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
> Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
>
> I got this setting from Plone's CacheFu product which (using a script) created this squid.conf for me.
> Any idea anyone?
>
> # squid -v
> Squid Cache: Version 2.5.STABLE3
> configure options: --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT,winbind --enable-ntlm-auth-helpers=SMB,winbind,fakeauth --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --enable-useragent-log --enable-referer-log --enable-fd-config

Love those RPM builds... :o)

Chris
Re: [squid-users] Cannot access .com sites
abdock wrote:
> Hello,
>
> Suddenly my squid stopped working for .com sites, any other .co.uk is fine.
>
> I just cannot access the .com, recompiled, check my name servers, using the latest 2.4 stable 4.
>
> Anybody can help why a sudden change !
>
> Rgds,

I'll go under the assumption that was a typo. The latest Squid 2.4 is actually STABLE7, and is more than four years old...

Post a snippet of your access log (preferably showing some attempted accesses to .com sites), and give us an idea of what your setup looks like. Are you using interception? Are you using parent proxies? Do you have a firewall? Can you reach .com sites using a browser (or wget) from the server running Squid?

Chris
Re: [squid-users] Regular Expression Content Changes
* Rob Gunther <[EMAIL PROTECTED]> wrote:
> I would like to use squid for a project I'm working on.
>
> What I basically want to do is have all HTML pages that are pulled
> through squid have some search & replace filters run on them before
> being fed back to the client and stored in the cache.
>
> I skimmed the manual, and see there are some plugins to do this to
> actual URL's themselves but does anyone have a suggestion how this
> could be done on actual HTML content?

Maybe this will work for you:
http://sites.inka.de/~bigred/devel/squid-filter.html

--
regards, TR
RE: [squid-users] Sarg account reset
Jakob,
I already have the "web server" running.. I need to from a shell access reset the accounts so that I can login to the log analysis viewer.

Thanks,
Victor

-Original Message-
From: Jakob Curdes [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 9:13 AM
To: Victor Fansler
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Sarg account reset

Victor Fansler wrote:

>I am running squid 2.5 stable 9 on with sarg Mandrake.. I have root access
>to the box, but do not have the ability to connect to sarg. How can I
>verify connection to sarg and then from the shell create/rest an account?
>
You are talking aboute the Squid Logfile Analysis Generator (http://sarg.sourceforge.net/sarg.php)?
You cannot connect to sarg. sarg generates HTML pages and puts them in the file system. To access these via a Webserver you have to install one or transfer the HTML page tree on a machine with a webserver.

Yours,
Jakob Curdes
[squid-users] access log file size limitation
Does anyone know if squid has a limit on the access log file size? Every time my squid access log hits 2g, squid dies, although the file system supports largefiles.

Thanks.

James Zhao
Email: [EMAIL PROTECTED]
Re: [squid-users] access log file size limitation
James Zhao wrote:
> Does anyone know if squid has a limit on the access log file size, everytime my squid access log hit 2g, squid dies, although the file system supports largefiles.
>
> Thanks.
>
> James Zhao
> Email: [EMAIL PROTECTED]

$ cd /usr/src/squid-2.5.STABLE13
$ ./configure --help
Usage: configure [options] [host]
Options: [defaults in brackets after descriptions]
Configuration:
SNIP
  --with-large-files      Enable support for large files (logs etc).
  --enable-large-cache-files
                          Enable support for large cache files (>2GB).
                          WARNING: on-disk cache format is changed by this option

Chris
Re: [squid-users] Sarg account reset
Victor Fansler wrote:
> Jakob,
> I already have the "web server" running.. I need to from a shell access reset the accounts so that I can login to the log analysis viewer.

I still am in doubt that we are talking about the same thing. You cannot login to sarg.
The HTML pages generated by sarg can be viewed in any browser.
If you need credentials to access these this comes from the configuration of the web server and has nothing to do with squid or sarg.

Yours,
Jakob Curdes
Re: [squid-users] Peer with http_accel?
Henrik -

Thanks! That worked great!

So, a semi-related question:

If I have machines set up like this now:

Inet <- cache01 <- www01
           ^
           |
           v
Inet <- cache02 <- www02

Q: if one of my www boxes dies will the associated squid proxy do all queries through its peer proxy or will it just return valid data for anything in either cache, but fail on all fetches from the dead machine?

Q: if the above answer is it won't query through the peer proxy, is there a way to enable that to happen on a www machine failure?

- Steve

On Mon, 25 Sep 2006, Henrik Nordstrom wrote:

> Date: Mon, 25 Sep 2006 10:02:52 +0200 (CEST)
> From: Henrik Nordstrom <[EMAIL PROTECTED]>
> To: Steve Webb <[EMAIL PROTECTED]>
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Peer with http_accel?
>
> > I added:
> > cache_peer squid02 sibling 80 3130 [proxy-only]
>
> Should be no brackets around proxy-only. The brackets in the documentation only indicate that the options are optional..
>
> Regards
> Henrik

--
Steve Webb - Sr. Linux System Administrator
Email: [EMAIL PROTECTED]
Cell: 303-564-4269, Office: 303-497-9368
YIM: scumola
[squid-users] Load Balancing Squids
Hey Guys,

I have a situation here. I have a load balancer sending the requests to two different squids.

I tried to use cache_peer with the proxy only option, but I get TCP Denied.

What should I do on both confs? Add both as parents with the proxy only option or what?

Thanks in advance,
JOC
Re: [squid-users] Load Balancing Squids
I've got the same kind of thing going and I have it working with sibling-mode (not parent). Might want to check your firewall stuff and make sure that each squid is listening on 3130 for peer requests (forget what the option is).

My problem is what happens when the real server behind the proxies dies? How does squid handle a failure like that?

- Steve

On Thu, 28 Sep 2006, Jose Octavio de Castro Neves Jr wrote:

> Date: Thu, 28 Sep 2006 19:00:52 -0300
> From: Jose Octavio de Castro Neves Jr <[EMAIL PROTECTED]>
> To: squid-users@squid-cache.org
> Subject: [squid-users] Load Balancing Squids
>
> Hey Guys,
>
> I have a situation here. I have a load balancer sending the requests to two differents squids.
>
> I tryied to use cache_peer with proxy only option, but I get TCP Denied.
>
> What should I do on both confs? Add both as parents with proxy only option or what?
>
> Thanxs in advance,
> JOC

--
Steve Webb - Sr. Linux System Administrator
Email: [EMAIL PROTECTED]
Cell: 303-564-4269, Office: 303-497-9368
YIM: scumola
Re: [squid-users] Squid wbinfo_group.pl are multi-group ?
On Mon 2006-09-25 at 18:38 +0200, Noc Phibee wrote:
> on squid-2.5.STABLE9 with wbinfo_group.pl version 2002-07-05

Upgrade. Current version is 2.6.STABLE4, and your problem is corrected there.

Multi-group support was added to wbinfo_group 2005-06-29, and many other small fixes to wbinfo_group have been done over the years..

Regards
Henrik
Re: [squid-users] can referer logging be filtered by acl?
On Tue 2006-09-26 at 12:41 -0400, Lawrence Wang wrote:
> i want to do referer logging, but only for specific domains, not all
> of my traffic. is this possible using acl's? i'm using squid 2.5
> stable 13.

It's possible in 2.6 by using custom log formats + selective logging.

Regards
Henrik
Re: [squid-users] BH Server Error on Squid.log
On Tue 2006-09-26 at 17:21 -0300, Roberto Berlim Fonseca wrote:
> Hi! We have a squid+dansguardian box, Squid 2.5stable13, DansGuardian
> 2.9.6.1. We are using the following config:

For NTLM the users must connect to a Squid running the NTLM, not DansGuardian.

You can run Squid->DansGuardian->Squid if you like.

Regards
Henrik
Re: [squid-users] LDAP Group not working on Squid 2.6
On Wed 2006-09-27 at 11:07 +1000, Vinyl Bne wrote:
> I started looking 'ignore-no-cache' feature and found that it has been
> implemented in Squid-2.6. I have tried to migrate current Squid-2.5STABLE14
> to Squid-2.6, but I found a problem with LDAP Group identification.
>
> The squid_ldap_group is working fine on Squid-2.5, but not on
> Squid-2.6. The external_acl_type
> is configured as:
>
> external_acl_type ldap-group concurrency=6 %LOGIN /opt/oss/squid/libexec/squid
> _ldap_group -b t=COMPANY -f
> (&(objectClass=person)(groupMembership=%a)(cn=%v)) -D
> cn=ldap-auth,o=system -w password -s sub -P -S ldap-1

Use children= instead of concurrency=

This was changed in 2.5.STABLE4, and now with 2.6 concurrency= has a different meaning..

Regards
Henrik
Re: [squid-users] Fwd: Reverse Proxy for HTTPS
On Wed 2006-09-27 at 08:31 +0700, Arief Kurniawan wrote:
> I'd like to accelerate our backend HTTPS Server, the SSL Cert. is held
> by the backend server (IP 192.168.1.1)

If you want Squid to serve the content as https out to the Internet then there needs to be an SSL cert installed on your Squid and you must use the https_port directive.

> In squid.conf :
>
> http_port 443 vhost
> cache_peer 192.168.1.1 parent 443 0 originserver name=myapps

There needs to be an ssl option on that cache_peer line if you want to use SSL between Squid and the backend.

In either case the SSL connection will be terminated at your Squid.

Regards
Henrik
Re: [squid-users] squid 2.6.4 diskd error
On Wed 2006-09-27 at 04:42 -0700, hesmaile wrote:
> Hi
> I have a squid system with 3 diskd partition with 20M
> total bandwidth
> Randomly (about 4 to 5 hours) my squid restart with
> this error
> assertion failed: cbdata.c:325: "c->locks > 0"
> or
> assertion failed: diskd/store_io_diskd.c:387:
> "!diskdstate->flags.close_request"

Most likely the known diskd instability... See the release notes.

Regards
Henrik
Re: [squid-users] elapsed time accuracy
On Wed 2006-09-27 at 10:43 -0700, Mark Nottingham wrote:
> I'm seeing some apparently impossible elapsed times in access.log,
> e.g., TCP_MISSes DIRECT to servers that are 100+ms away showing 2ms
> elapsed.
>
> I seem to remember someone saying that those numbers were sometimes
> inaccurate, but can't find any more detail. What's the story? My
> first thought was aborted requests, but it appears that about the
> right number of bytes were written.

The time logged by Squid is the time from where Squid has received the request until it has sent the last octet of the response to the TCP connection. Measurement of this time is as accurate as your computer clock in gettimeofday().

Hmm.. maybe what you are seeing is merged requests to an already running fetch of that URL? Do you have other requests for the same URL very close in time?

Regards
Henrik
Re: [squid-users] Reverse Proxy Cipher
On Thu 2006-09-28 at 10:46 -0400, Brad Taylor wrote:
> On my reverse proxy https server I need to only allow 128bit or better
> cipher. What do I need to use after cipher= to only allow 128bit or
> better?

DEFAULT:!EXPORT:!LOW

is one alternative. Disables Export and low grade ciphers, leaving only 128bit or stronger ciphers.

man ciphers

for details. or play around with

openssl ciphers -v 'string'

Regards
Henrik
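A way to check what a cipher string like the one above actually admits, as an added example (not from the original post): `weak_ciphers` reads `openssl ciphers -v` style lines and reports every entry whose `Enc=` field shows fewer than 128 bits. The sample listing is constructed in that output format so the script runs offline; on a real host, pipe `openssl ciphers -v 'DEFAULT:!EXPORT:!LOW'` into `weak_ciphers` instead.

```shell
#!/bin/sh
# Added example: flag ciphers below 128 bits in "openssl ciphers -v" output.
# The function names and the sample listing are constructed for illustration.

# weak_ciphers: reads a cipher listing on stdin and prints "NAME BITS" for
# every cipher whose Enc= field is below 128 bits. Enc=None counts as 0 bits;
# a line without a parsable Enc= field is reported as "unknown".
weak_ciphers() {
    awk '
    NF == 0 { next }
    {
        bits = -1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Enc=/) {
                if ($i == "Enc=None") {
                    bits = 0
                } else if (match($i, /\([0-9]+\)/)) {
                    # take the digits between the parentheses
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
                }
            }
        }
        if (bits < 128) print $1, (bits < 0 ? "unknown" : bits)
    }'
}

# cipher_string_ok: exit status 0 only when the listing on stdin contains no
# cipher below 128 bits.
cipher_string_ok() {
    [ -z "$(weak_ciphers)" ]
}

# Constructed sample in the column layout printed by "openssl ciphers -v".
sample_listing() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

# The same listing with the sub-128-bit entries removed (constructed).
strong_listing() {
    sample_listing | grep -Ev 'Enc=(DES\(56\)|RC4\(40\)|None)'
}

echo "below 128 bits in the sample listing:"
sample_listing | weak_ciphers
if strong_listing | cipher_string_ok; then
    echo "filtered listing: nothing below 128 bits"
fi
```

The bit counts are the nominal figures that the listing prints; the check says nothing about whether a 128-bit cipher is otherwise a good choice.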
Re: [squid-users] Squid account synchronization
On Thu 2006-09-28 at 08:43 -0700, Victor Fansler wrote:
> I am running squid 2.5 stable 9. Is there anyway with LDAP I can sync
> accounts with my windows domain?

Yes, assuming the windows domain is run by an Active Directory server.

Regards
Henrik
RE: [squid-users] Squid account synchronization
OK,
I am running an Active Directory windows 2003. Please point me in the right direction to integrate it.

Thanks,
Victor Fansler

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 3:30 PM
To: Victor Fansler
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid account synchronization

On Thu 2006-09-28 at 08:43 -0700, Victor Fansler wrote:
> I am running squid 2.5 stable 9. Is there anyway with LDAP I can sync
> accounts with my windows domain?

Yes, assuming the windows domain is run by an Active Directory server.

Regards
Henrik
RE: [squid-users] Sarg account reset
OK,
Well for starters, I do know that sarg is installed, apache is installed, and squid is installed... That said, if I browse to the box on Internet Explorer, even using what appears to be the correct "sub-path", I can not connect. So.. How do I find out the correct path to use, then we can better address if I even need to login.. Please keep in mind, I never used squid/sarg before now and was just "handed" over the system :)

Thanks,

Victor Fansler

-Original Message-
From: Jakob Curdes [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 1:58 PM
To: Victor Fansler
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Sarg account reset

Victor Fansler wrote:

>Jakob,
>I already have the "web server" running.. I need to from a shell access
>reset the accounts so that I can login to the log analysis viewer.
>
I still am in doubt that we are talking about the same thing. You cannot login to sarg.
The HTML pages generated by sarg can be viewed in any browser.
If you need credentials to access these this comes from the configuration of the web server an has nothing to do with squid or sarg.

Yours,
Jakob Curdes
RE: [squid-users] Sarg account reset
If you have 'root' access there should be a sarg.conf file. You can look there to see if the password is turned on. In addition you should have a httpd.conf file somewhere that controls who can access what. It should be a line there dealing with .htaccess files. .htaccess can control who accesses folders on your webserver. If you go to your webdirectory (usually /var/www/html depending on your dist) you can then do an ls -la. At this point you can edit the .htaccess and add your name to it. It is more than likely in the directory with sarg, assuming that the rest of the website is browsable by the public. Windows running apache is similar, and so is Novell, and Apple. Directory structure varies, but the files are pretty much the same, and so is the syntax of the conf file.

ddh

Quoting Victor Fansler <[EMAIL PROTECTED]>:
> OK,
> Well for starters, I do know that sarg is installed, apache is installed,
> and squid is installed... That said, if I browse to the box on Internet
> Explorer, even using what appears to be the correct "sub-path", I can not
> connect. So.. How do I find out the correct path to use, then we can
> better address if I even need to login.. Please keep in mind, I never used
> squid/sarg before now and was just "handed" over the system :)
>
> Thanks,
>
> Victor Fansler
>
> -----Original Message-----
> From: Jakob Curdes [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 28, 2006 1:58 PM
> To: Victor Fansler
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Sarg account reset
>
> Victor Fansler wrote:
>
> >Jakob,
> >I already have the "web server" running.. I need to from a shell access
> >reset the accounts so that I can login to the log analysis viewer.
>
> I still am in doubt that we are talking about the same thing. You cannot
> login to sarg.
> The HTML pages generated by sarg can be viewed in any browser.
> If you need credentials to access these this comes from the
> configuration of the web server and has nothing to do with squid or sarg.
>
> Yours,
> Jakob Curdes

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: [squid-users] elapsed time accuracy
You mean with collapsed forwarding? That makes perfect sense, if collapsed requests are logged as TCP_MISS...

Thanks!

P.S. It would be cool if there was a separate log tag for collapsed requests...

On 2006/09/28, at 3:20 PM, Henrik Nordstrom wrote:
> Hmm.. maybe what you are seeing is merged requests to an already running
> fetch of that URL? Do you have other requests for the same URL very close
> in time?

--
Mark Nottingham [EMAIL PROTECTED]
Re: [squid-users] Sarg account reset
Dwayne Hottinger wrote:
> If you have 'root' access there should be a sarg.conf file. You can look
> there to see if the password is turned on.

To my best knowledge there is no password option in sarg.conf nor would I know what effect it should have.

> In addition you should have a httpd.conf file somewhere that controls who
> can access what. It should be a line there dealing with .htaccess files.

OK but this is way out of squid support. We are all here to help but without knowing which OS, Web server, Distribution etc. it is very hard to give help that is of any use. Even if you find the .htaccess file you know what to put in there, how to generate passwords and users etc pp. This is all OS and Web server dependent and it is a question that can best be answered on a webserver support mailing list, if not by reading the manuals for the webserver.

If you do not want to work out how your http server protects these files there is an easy workaround: put everything in a TAR file, transfer them by sftp or ftp to a windows machine and view them there without webserver via the file dialog. You can automate this via cron and you do not have to dig into http configuration issues. (Naturally you can view these files on the sarg machine as well provided it has a graphic workspace and a browser).

Yours,
Jakob Curdes
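
Added example, not part of any post in this thread: a shell sketch of the lookup discussed above, reading sarg's `output_dir` from sarg.conf and listing the `.htaccess` files between that directory and the web server's document root, with the authentication directives they carry. The function names and the sample tree built by `make_demo` are constructed for illustration, and the document root is assumed to be known and passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example: locate the sarg report directory and the Apache .htaccess
# files that guard it. All paths in make_demo are constructed.

# Print the active (uncommented) output_dir value from a sarg.conf.
sarg_output_dir() {
    awk '$1 == "output_dir" { print $2; exit }' "$1"
}

# List every .htaccess from DIR up to and including DOCROOT. Apache only
# honours them where httpd.conf sets AllowOverride to allow it.
htaccess_chain() {
    local dir=${1%/} root=${2%/}
    while :; do
        [ -f "$dir/.htaccess" ] && printf '%s\n' "$dir/.htaccess"
        [ "$dir" = "$root" ] && break
        case "$dir" in
            "$root"/*) dir=${dir%/*} ;;
            *) break ;;   # DIR is not below DOCROOT
        esac
    done
}

# Print the authentication directives found in the given files.
auth_directives() {
    grep -HiE '^[[:space:]]*(AuthType|AuthName|AuthUserFile|Require)[[:space:]]' "$@"
}

# Build a constructed sample tree and print its location.
make_demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/www/html/squid-reports"
    printf '#output_dir /tmp/ignored\noutput_dir %s\n' "$t/www/html/squid-reports" > "$t/sarg.conf"
    printf 'Options -Indexes\n' > "$t/www/html/.htaccess"
    printf 'AuthType Basic\nAuthUserFile %s\nRequire valid-user\n' "$t/htpasswd" > "$t/www/html/squid-reports/.htaccess"
    printf '%s\n' "$t"
}

# Report for one sarg.conf / DocumentRoot pair.
report() {
    local out; out=$(sarg_output_dir "$1")
    echo "sarg writes reports to: $out"
    htaccess_chain "$out" "$2" | while IFS= read -r f; do
        auth_directives "$f" || echo "$f: no auth directives"
    done
}

demo=$(make_demo); report "$demo/sarg.conf" "$demo/www/html"; rm -rf "$demo"
```

On a real host, pass the actual sarg.conf path and the DocumentRoot from httpd.conf; an `AuthUserFile` line names the password file that the web server, not sarg or squid, checks.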